[pptp-server] routing and multiple connections

George Vieira GeorgeV at citadelcomputer.com.au
Fri Jan 19 18:24:57 CST 2001


You say all clients get random numbers but do you mean DHCP numbers? If so,
they must be part of a subnet so why not just firewall those subnets from
going to other networks?

Eg.

PPTP1 Client 192.168.0.1------+
                              |
                              |
PPTP2 Client 192.168.0.17-----+
                              |
                              |
                 /------------+
Linux PPTPD server
                 \------------+
                              |
                              |
NetworkA     192.168.10.0/24--+
NetworkB     192.168.20.0/24--+

# Make PPTP1 (192.168.0.1) not allowed to Network B but OK for Network A
/sbin/ipchains -A INPUT  -s 192.168.0.1     -d 192.168.20.0/24 -j DENY
/sbin/ipchains -A OUTPUT -s 192.168.20.0/24 -d 192.168.0.1     -j DENY

# Make PPTP2 (192.168.0.17) not allowed to Network A but OK for Network B
/sbin/ipchains -A INPUT  -s 192.168.0.17    -d 192.168.10.0/24 -j DENY
/sbin/ipchains -A OUTPUT -s 192.168.10.0/24 -d 192.168.0.17    -j DENY



Something like that.... This is what I did and it works for me, routes are
added automatically and then firewall what's not allowed. When you say you
add routes manually are you talking about the client side routing to
required networks as this is insecure if you want untrusted network to go to
selected networks... Firewall is the way...

thanks,
George Vieira

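The two ideas in this thread, letting pppd add the per-interface routes itself and using the firewall (rather than client-side routes) to decide which internal networks each PPTP client may reach, fit naturally into pppd's ip-up/ip-down hooks. The script below is an added example, not George's or the pptpd project's code. It assumes pppd's documented hook arguments (interface, tty, speed, local IP, remote IP, ipparam), an ipchains-era kernel where the INPUT and OUTPUT chains also see forwarded packets, and a constructed policy table keyed on the client's assigned address; the `FW` variable defaults to `echo` so the rules can be inspected without root.

```shell
#!/bin/sh
# Per-client firewall hook for pppd (added example; policy table is constructed).
# pppd invokes: ip-up   IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
#               ip-down IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# $5 is the address handed to the PPTP client, which is what the policy is keyed on.

# Assumed policy: "client-address  network-the-client-may-NOT-reach", one pair per line.
# Clients not listed here get no extra rules (i.e. whatever the base firewall allows).
POLICY="192.168.0.1 192.168.20.0/24
192.168.0.17 192.168.10.0/24"

# Firewall command. Default prints the rules (dry run); set FW=/sbin/ipchains to apply.
# On an iptables kernel the equivalent would be a single FORWARD rule per direction.
FW="${FW:-echo /sbin/ipchains}"

# denied_nets CLIENT: print every network CLIENT is denied by the policy table.
denied_nets() {
    printf '%s\n' "$POLICY" | awk -v c="$1" '$1 == c { print $2 }'
}

# apply_rules ACTION CLIENT: ACTION is -A (install on ip-up) or -D (remove on ip-down).
# Both directions are blocked so the server never forwards traffic between the pair.
apply_rules() {
    action=$1
    client=$2
    for net in $(denied_nets "$client"); do
        $FW "$action" INPUT  -s "$client" -d "$net"    -j DENY
        $FW "$action" OUTPUT -s "$net"    -d "$client" -j DENY
    done
}

# rule_count CLIENT: number of rules the policy produces for CLIENT (two per denied net).
rule_count() {
    apply_rules -A "$1" | grep -c .
}

# Dispatch on how pppd called us; symlink this file as ip-up and ip-down.
case "$0" in
    *ip-up)   apply_rules -A "$5" ;;
    *ip-down) apply_rules -D "$5" ;;
esac
```

Because the policy is keyed on the client's address, this only enforces anything if each remote user reliably receives the same address (a fixed per-user assignment rather than a first-free pick from a shared pool); with a shared pool the rule set should instead be keyed on whatever identifies the user, such as the `ipparam` argument, and removal on ip-down matters because ppp interfaces are reused.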

-----Original Message-----
From: yan seiner [mailto:yan at cardinalengineering.com]
Sent: Friday, January 19, 2001 10:06 PM
To: George Vieira; pptp-server at lists.schulte.org
Subject: Re: [pptp-server] routing and multiple connections


I have 4 subnets on my network; the pptp clients will make a fifth.  I 
currently use vtun to tie the linux clients together.  With the pptp 
clients, I need a subnet to make my security work correctly - pptp 
client subnet will be allowed access to some subnets and not others.

My network is laid out in a star topology, as I only have a single fixed 
IP.  All clients have random IPs.

So to give a pptp client access to, say, the main office and one remote 
office, but not my home network, and certainly not the main router 
hub/firewall, I need to add routes manually.

As someone else mentioned, I'll look at ip-up and ip-down.  That's 
probably the place to add and remove routes.

--Yan

George Vieira wrote:

> why should you need to route them manually?.. it's all built into the pppd
> and the system to route automatically.
> 
> As long as when they connect the PPTPD server and ping them or see them,
> then all you have to do is have either default routes on the internal
> systems to point to the PPTPD server (only if the pptp client is on a
> different network IP and not on the same subnet).
> 
> If it's on the same subnet you will also need to use `proxyarp` so that the
> pptpd will respond to network information destined to the pptp clients..
> 
> I think that's about it...
> 
> Can you explain what's your setup and why you need to route manually?
> 
> 
> thanks,
> George Vieira
> 
> 
> -----Original Message-----
> From: yan seiner [mailto:yan at cardinalengineering.com]
> Sent: Friday, January 19, 2001 11:56 AM
> To: pptp-server at lists.schulte.org
> Subject: [pptp-server] routing and multiple connections
> 
> 
> I have a (currently) theoretical question:
> 
> How do I set up routing with pptpd?
> 
> I have one test pptp client so it always comes in on ppp0, and I can set 
> up the correct routing by hand.  But what happens when I get multiple 
> pptp clients?  How do I add the entries to the routing table for ppp1, 2, 
> ....?  And remove them when the connection drops?
> 
> Soon this will be a real issue; I need to get a handle on it before it 
> hits production and paying clients.
> 
> BTW, if anyone is interested in 128 bit encryption on win95 OSR1, let me 
> know.  I just figured it out :-)
> 
> thanks,
> 
> --Yan
> 
> _______________________________________________
> pptp-server maillist  -  pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
> 
> 