[pptp-server] using PPTP as a service selection gateway
Cam Bowman
cambo11 at hotmail.com
Wed Jan 19 20:24:37 CST 2000
I'm trying to avoid using a PPPoE server for a few reasons:
1. They are expensive
2. I haven't been able to find a Linux PPPoE server
3. It requires "proprietary" software on the client
I have the following setup up and running:
Linux PPTP server (Red Hat 6.1, kernel 2.2.12-20)
   ************        ***************
   * CORP LAN *        *   ISP LAN   *
   * 10.1.1.x *        * 216.47.18.x *
   ************        ***************
              \        /
            ***************
            * PPTP Server *
            ***************
                   |
            ***************
            * DSL CLIENTS *
            * 192.168.4.x *
            ***************
I'm running two PPTP server processes, each bound to its own IP address;
they also use separate pptp config and ppp options files for network-
specific info. The PPTP server is also running DHCP and giving leases from
the 192.168.4.x/24 network to the DSL users.
Application:
If the DSL client chooses to connect to the ISP network, he would select his VPN
profile configured for 192.168.4.10 and receive an IP address from the ISP
LAN, i.e. 216.47.18.50. Likewise, if the CORP VPN connection was chosen, the
user would get a 10.1.1.x address. With the appropriate routes set up on the
Linux box, this works great. My concerns are with security and scalability:
this box acts as a router, and therefore a hop point into my private networks.
I would like to implement a routing policy where the following is true:
1. 192.168.4.x hosts can NOT talk to 10.1.1.x or 216.47.18.x hosts
2. 10.1.1.x hosts can NOT talk to 216.47.18.x or 192.168.4.x
3. 216.47.18.x hosts can NOT talk to 192.168.4.x or 10.1.1.x hosts
Basically, I do NOT want routing to occur between these 3 networks. The only
reason it is there is to facilitate routing PPTP connection traffic to the
appropriate network.
BIG QUESTION:
HOW CAN I MAKE THIS SECURE???
I have disabled all services on the Linux box, except for DHCP and PPTP.
You can't even telnet to the box.
I'm mostly looking for feedback from anyone who can comment on scalability
and security. I have the potential to have hundreds of DSL clients, so I'm
not sure what type of resources it will need, or whether the solution is even
practical?
Any and all suggestions welcome... thanks in advance
Cam Bowman
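One way to enforce the three-network isolation policy asked for above while still letting tunnelled traffic reach the LAN a client authenticated to, as an added example that is not part of the original post. It assumes interface names (eth0 CORP, eth1 ISP, eth2 DSL access, tunnels as ppp+) that the post does not state, and uses iptables (kernel 2.4 and later) rather than the ipchains of the 2.2 kernel mentioned.

```shell
#!/bin/sh
# Added example, not from the post. Assumed layout (not stated in the post):
#   eth0 = CORP LAN 10.1.1.0/24, eth1 = ISP LAN 216.47.18.0/24,
#   eth2 = DSL access network 192.168.4.0/24, PPTP tunnels come up as ppp+.
IPT="${IPT:-iptables}"        # set IPT=echo to dry-run and review the rules

CORP_NET=10.1.1.0/24;     CORP_IF=eth0
ISP_NET=216.47.18.0/24;   ISP_IF=eth1
DSL_NET=192.168.4.0/24;   DSL_IF=eth2

apply_isolation_policy() {
    $IPT -P FORWARD DROP                    # nothing is routed unless allowed
    $IPT -F FORWARD

    # Requirements 1-3: explicit pairwise drops between the three networks,
    # so the policy survives a carelessly added ACCEPT rule later on.
    for pair in "$CORP_NET $ISP_NET" "$CORP_NET $DSL_NET" "$ISP_NET $DSL_NET"; do
        set -- $pair
        $IPT -A FORWARD -s "$1" -d "$2" -j DROP
        $IPT -A FORWARD -s "$2" -d "$1" -j DROP
    done

    # Tunnel traffic: a ppp link that was assigned a CORP address is only
    # forwarded to/from the CORP LAN; an ISP-addressed link only via the ISP LAN.
    $IPT -A FORWARD -i ppp+ -s "$CORP_NET" -o "$CORP_IF" -j ACCEPT
    $IPT -A FORWARD -i "$CORP_IF" -o ppp+ -d "$CORP_NET" -j ACCEPT
    $IPT -A FORWARD -i ppp+ -s "$ISP_NET"  -o "$ISP_IF"  -j ACCEPT
    $IPT -A FORWARD -i "$ISP_IF" -o ppp+ -d "$ISP_NET"  -j ACCEPT
    # ppp+ to ppp+ (client-to-client through the box) stays at the DROP default.

    # The outer PPTP session (TCP/1723 control + GRE) terminates on the box
    # itself, so it is INPUT, not FORWARD: accept it only from the DSL side.
    $IPT -A INPUT -i "$DSL_IF" -s "$DSL_NET" -p tcp --dport 1723 -j ACCEPT
    $IPT -A INPUT -i "$DSL_IF" -s "$DSL_NET" -p gre -j ACCEPT
}
```

Run with `IPT=echo` first to review the generated rules; the pairwise DROPs are listed before the tunnel ACCEPTs on purpose, so a CORP-addressed tunnel can never be forwarded toward the ISP LAN or the DSL network.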