[pptp-server] NIC
Alan Chung
alan at silveregg.co.jp
Wed Oct 11 02:17:19 CDT 2000
Thanks for your message.
It sounds like you have the same environment setup as me. I have my VPN
set up like below,
|(VPN Client R)|-INTERNET-| Linux Firewall |-internal network (internal machines A,B,C...)
                                 |
                          | PopTop Server |
When I connected from the client to the pptp server, the connection was built (since I
can see a ppp0 connection with the ifconfig command on the PopTop server). From the
PopTop server, I can see VPN client R's IP and ping it. But the problem is
I can't ping from client R to any of the internal machines A, B... not even to the
PopTop server. So I have no way to see any internal machine and browse
them after the pptp connection is built. Maybe I need to add a route on either
the VPN client side, but I am not sure how to do that. Here are my ipchains rules,
REMOTENET=0/0
OUTERIP=<IP address of external interface on firewall>
OUTERNET=$OUTERIP/<netmask>
OUTERIF=<external interface of firewall>
pptp_interip=<internal IP address of pptp server>
#--------------------------
# port forwarding for 1723
#--------------------------
ipmasqadm portfw -a -P tcp -L $OUTERIP 1723 -R $pptp_interip 1723
#----------------------
# redirect protocol 47
#----------------------
/usr/local/sbin/ipfwd --masq --syslog $pptp_interip 47 &
#-----------------------
# ipchains part for VPN
#-----------------------
# PPTP control channel (TCP/1723) and GRE (protocol 47), inbound and outbound on the external interface
ipchains -A input -p tcp -s $REMOTENET -d $OUTERNET 1723 -i $OUTERIF -j ACCEPT
ipchains -A input -p 47 -s $REMOTENET -d $OUTERNET -i $OUTERIF -j ACCEPT
ipchains -A output -p tcp -s $OUTERNET -d $REMOTENET 1723 -i $OUTERIF -j ACCEPT
ipchains -A output -p 47 -s $OUTERNET -d $REMOTENET -i $OUTERIF -j ACCEPT
Do you have any idea what could be wrong?
Thanks in advance.
>My poptop server is behind my linux based firewall so it only has one NIC.
>If I was to move poptop to my firewall, then obviously it would have two
>NIC's. Based on where poptop is (physically) running on your network, your
>firewall rules would also need to be modified to accommodate. In my case, I
>have to use ipmasqadm and ipfwd (in addition to ipchain rules) to "forward"
>the inbound VPN connections (proto 47/port 1723) to my PPTP server. Plus my
>firewall kernel had to be patched to handle the masqing of PPTP/IPSEC
>connections. If I was to move poptop to my firewall (which violates most
>well written security policies) then I would NOT have to 1) patch the kernel
>for VPN masquerading 2) use ipmasqadm and ipfwd to forward PPTP proto/ports
>internally.
>
>FWIW: My linux firewall is using Seattle Firewall (seawall) developed by Tom
>Eastep to properly establish the firewall rules. By simply editing a well
>documented configuration file, Seattle Firewall will execute the appropriate
>ipchain, ipmasqadm, ipfwd commands based on your network design. Tom has
>gone to great extremes to ensure that Seawall properly configures your
>firewall to work with PPTP servers which are either masq'd (like mine) or
>running on the firewall itself.
>
>Check out: http://seawall.sourceforge.net
>
>Steve Cowles
>
> > -----Original Message-----
> > From: Alan Chung [mailto:alan at silveregg.co.jp]
> > Sent: Friday, October 06, 2000 6:00 AM
> > To: pptp-server at lists.schulte.org
> > Subject: [pptp-server] NIC
> >
> >
> > Do I need to have two network interfaces even on an internal VPN
> > server? If the server is staying internally, one interface
> > sounds good for me.
> > _______________________________________________
> > pptp-server maillist - pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
> >
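The rule set posted above, regenerated as an added example that is not Alan's script and not part of PopTop or Seawall. It joins the two line-wrapped ipchains commands, keeps the ipmasqadm/ipfwd forwarding for 1723/tcp and GRE, and adds one step the thread does not show: enabling IP forwarding on the PopTop host, without which traffic arriving on ppp0 cannot be passed on to the internal network. The interface name and addresses are constructed placeholders, and DRY_RUN=1 (the default) prints each command instead of running it, so the script can be reviewed on any machine before it is run on the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: regenerate the posted firewall rule set
# from variables and add IP forwarding on the PopTop host. All addresses and
# interface names are constructed placeholders.

REMOTENET="0/0"
OUTERIF="${OUTERIF:-eth0}"                    # external interface of the firewall (assumed)
OUTERIP="${OUTERIP:-203.0.113.10}"            # external address, TEST-NET-3 placeholder
OUTERNET="${OUTERNET:-$OUTERIP/32}"           # netmask is a placeholder too
PPTP_INTERIP="${PPTP_INTERIP:-192.168.1.5}"   # PopTop host on the internal LAN (assumed)
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules for the Linux firewall that sits in front of the PopTop host.
firewall_rules() {
    # PPTP control channel: TCP/1723 is port-forwarded to the PopTop host.
    run ipmasqadm portfw -a -P tcp -L "$OUTERIP" 1723 -R "$PPTP_INTERIP" 1723
    # GRE (IP protocol 47) carries the tunnel and has no ports, so portfw cannot
    # handle it; ipfwd relays it to the PopTop host and stays in the background.
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "/usr/local/sbin/ipfwd --masq --syslog $PPTP_INTERIP 47 &"
    else
        /usr/local/sbin/ipfwd --masq --syslog "$PPTP_INTERIP" 47 &
    fi
    # Accept 1723/tcp and GRE on the external interface in both directions.
    run ipchains -A input  -p tcp -s "$REMOTENET" -d "$OUTERNET" 1723 -i "$OUTERIF" -j ACCEPT
    run ipchains -A input  -p 47  -s "$REMOTENET" -d "$OUTERNET"      -i "$OUTERIF" -j ACCEPT
    run ipchains -A output -p tcp -s "$OUTERNET"  -d "$REMOTENET" 1723 -i "$OUTERIF" -j ACCEPT
    run ipchains -A output -p 47  -s "$OUTERNET"  -d "$REMOTENET"      -i "$OUTERIF" -j ACCEPT
}

# Setting for the PopTop host itself: packets from the VPN client arrive on
# ppp0 and reach the LAN only if the kernel forwards between interfaces (and
# any ipchains forward policy on that host permits it). Internal machines also
# need a route back to the addresses pppd hands out, or pppd's proxyarp option
# when those addresses lie inside the LAN subnet.
poptop_host_forwarding() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Sanity check on the generated set: how many ipchains rules were emitted.
count_ipchains_rules() {
    firewall_rules | grep -c '^ipchains -A'
}

firewall_rules
poptop_host_forwarding
```

Run it once with the default DRY_RUN=1 and compare the printed commands against the rules in the message; only then set DRY_RUN=0 on the firewall (firewall_rules) and on the PopTop host (poptop_host_forwarding). The dry-run split matters because ipfwd is a long-running relay, not a one-shot rule, and a typo in the GRE line is invisible until the tunnel silently carries no data.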