[pptp-server] using PPTP as a service selection gateway

Cam Bowman cambo11 at hotmail.com
Wed Jan 19 20:24:37 CST 2000


I'm trying to avoid using a PPPoE server for a few reasons:
	1.  They are expensive
	2.  I haven't been able to find a linux PPPoE server
	3.  It requires "proprietary" software on the client

I have the following setup - up and running

Linux PPTP server (Redhat 6.1, kernel 2.2.12-20)

************	***************
* CORP LAN *	* ISP LAN     *
* 10.1.1.x *	* 216.47.18.x *
************	***************
	 \ 	/
      ***************
      * PPTP Server *
      ***************
	    |
      ***************
      * DSL CLIENTS *
      * 192.168.4.x *
      ***************

I'm running two PPTP server processes, each bound to its own IP address; 
they also use separate pptp config and ppp options files for network-
specific info.  The PPTP server is also running DHCP and giving leases from 
the 192.168.4.x/24 network to the DSL users.

Application:
If the DSL client chooses to connect to the ISP network, he would select his VPN 
profile configured for 192.168.4.10 and receive an IP address from the ISP 
LAN, i.e. 216.47.18.50.  Likewise, if the CORP VPN connection was chosen, the 
user would get a 10.1.1.x address. With the appropriate routes set up on the 
Linux box, this works great.  My concerns are with security & scalability: 
this box acts as a router, and therefore a hop point into my private networks.  
I would like to implement a routing policy where the following is true:

1.  192.168.4.x hosts can NOT talk to 10.1.1.x or 216.47.18.x hosts
2.  10.1.1.x hosts can NOT talk to 216.47.18.x or 192.168.4.x
3.  216.47.18.x hosts can NOT talk to 192.168.4.x or 10.1.1.x hosts

Basically I do NOT want routing to occur between these 3 networks.  The only 
reason it is there, is to facilitate routing PPTP connection traffic to the 
appropriate network.

BIG QUESTION:
HOW CAN I MAKE THIS SECURE???

I have disabled all services on the Linux box, except for DHCP and PPTP.  
You can't even telnet to the box.

I'm mostly looking for feedback from anyone who can comment on scalability 
and security.  I have the potential to have hundreds of DSL clients, so I'm 
not sure what type of resources it will need.  Is the solution even 
practical???


Any and all suggestions welcome... thanks in advance


Cam Bowman
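The three "can NOT talk to" rules above, plus the tunnel-only exceptions that make the gateway useful, can be expressed as a default-DROP FORWARD chain in which the only ACCEPT rules are pinned to a specific tunnel interface, its peer address and the one LAN that peer was assigned from. The model below is an added example and not code from the original post or from the pptp-server project; it simulates first-match packet-filter semantics in Python so the policy can be checked offline before it is loaded with ipchains (kernel 2.2) or iptables (2.4 and later). Assumptions not in the post: eth0 faces the DSL clients, eth1 faces CORP, eth2 faces ISP, the CORP profile listens on 192.168.4.11, and the per-tunnel rules are the ones /etc/ppp/ip-up would install using the interface name and remote address that pppd passes to it.

```python
"""Offline model of the FORWARD/INPUT policy for a three-network PPTP gateway.

Added example, not from the original post.  Interface names, the CORP-side
listener address (192.168.4.11) and the sample tunnel table are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Network layout from the post; the eth assignment is assumed.
DSL = ipaddress.ip_network("192.168.4.0/24")    # eth0: DSL clients, DHCP pool
CORP = ipaddress.ip_network("10.1.1.0/24")      # eth1: corporate LAN
ISP = ipaddress.ip_network("216.47.18.0/24")    # eth2: ISP LAN
PPTP_LISTENERS = ["192.168.4.10",               # ISP profile (from the post)
                  "192.168.4.11"]               # CORP profile (assumed)


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: Optional[str]          # None means the packet is for the box itself (INPUT)
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                    # "ACCEPT" or "DROP"
    in_if: Optional[str] = None    # exact name, or "ppp+" style prefix wildcard
    out_if: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None


def _if_match(pattern: Optional[str], name: Optional[str]) -> bool:
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name is not None and name.startswith(pattern[:-1])
    return name == pattern


def matches(rule: Rule, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (_if_match(rule.in_if, pkt.in_if) and _if_match(rule.out_if, pkt.out_if)
            and (rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def verdict(chain: List[Rule], pkt: Packet, default: str = "DROP") -> str:
    """First matching rule wins; the chain policy (DROP) covers everything else."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action
    return default


def tunnel_rules(ifname: str, peer_ip: str) -> List[Rule]:
    """Rules an ip-up script would add for one tunnel.  The peer may only reach the
    LAN its address came from, and only with that exact source address, so a client
    that forges a 10.1.1.x source on an ISP tunnel falls through to DROP."""
    peer = ipaddress.ip_address(peer_ip)
    if peer in CORP:
        lan, lan_if = CORP, "eth1"
    elif peer in ISP:
        lan, lan_if = ISP, "eth2"
    else:
        raise ValueError(f"peer {peer} is not from a known PPTP pool")
    host = ipaddress.ip_network(f"{peer}/32")
    return [Rule("ACCEPT", in_if=ifname, out_if=lan_if, src=host, dst=lan),
            Rule("ACCEPT", in_if=lan_if, out_if=ifname, src=lan, dst=host)]


def forward_chain(tunnels: Dict[str, str]) -> List[Rule]:
    """tunnels maps ppp interface name -> peer address for every tunnel that is up.
    No rule ever names eth0 as an output or eth1/eth2 as both ends, so the three
    LANs cannot be routed between each other; only tunnel traffic is forwarded."""
    chain: List[Rule] = []
    for ifname, peer in tunnels.items():
        chain += tunnel_rules(ifname, peer)
    return chain


def input_chain() -> List[Rule]:
    """DSL clients may reach the box only to set up tunnels (TCP/1723 control channel
    and GRE, IP protocol 47) on the listener addresses, plus DHCP; nothing else."""
    chain: List[Rule] = []
    for listener in PPTP_LISTENERS:
        host = ipaddress.ip_network(f"{listener}/32")
        chain.append(Rule("ACCEPT", in_if="eth0", src=DSL, dst=host, proto="tcp", dport=1723))
        chain.append(Rule("ACCEPT", in_if="eth0", src=DSL, dst=host, proto="gre"))
    chain.append(Rule("ACCEPT", in_if="eth0", proto="udp", dport=67))   # DHCP requests
    return chain


if __name__ == "__main__":
    # Constructed sample tunnel table: ppp0 is an ISP-profile client, ppp1 a CORP one.
    fwd = forward_chain({"ppp0": "216.47.18.50", "ppp1": "10.1.1.50"})
    for pkt in [Packet("eth0", "eth1", "192.168.4.20", "10.1.1.5"),        # rule 1: DROP
                Packet("eth1", "eth2", "10.1.1.5", "216.47.18.50"),        # rule 2: DROP
                Packet("eth2", "eth0", "216.47.18.50", "192.168.4.20"),    # rule 3: DROP
                Packet("ppp1", "eth1", "10.1.1.50", "10.1.1.5"),           # tunnel: ACCEPT
                Packet("ppp0", "eth1", "10.1.1.99", "10.1.1.5")]:          # spoofed: DROP
        print(pkt.in_if, "->", pkt.out_if, pkt.src, "->", pkt.dst, verdict(fwd, pkt))
```

Because pppd picks the ppp interface number at connect time, the per-tunnel ACCEPT pairs have to be added and removed from /etc/ppp/ip-up and ip-down, which receive the interface name and the remote IP as arguments; a static "ppp+" wildcard rule would let an ISP-tunnel client forge a CORP source address and pass. Enabling reverse-path filtering on the ppp interfaces gives the same anti-spoofing check in the kernel as a second line of defence.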




