[pptp-server] pptp through firewall

George Vieira GeorgeV at citadelcomputer.com.au
Fri Jul 20 18:09:51 CDT 2001


To further this a little:

Just think of these options as a DHCP server for pptp tunnels only... they
provide a pool of IPs to any connection regardless of username, unless the
username in the /etc/ppp/chap-secrets file contains the IP, in which case the
client will receive that IP address instead. It is usually a good idea to make
sure these IPs are out of range from your local LAN's DHCP server if there is
one.

For the example below, this provides each connection with a different IP for
the pptp server. This provides the flexibility of writing special
iptables/ipchains rules for each pptp tunnel. MOST of the time this is not
required and a single IP is sufficient. The pptp server is allowed to have
multiple connections and yet have the same IP; this is what confuses most
people, who think that they must be different, and this is not the case.

Example 1:
localip 192.168.100.240-254

To allow pptp clients to see the local LAN network it is best to select IPs
for localip and remoteip in the SAME subnet (as in the example below) as the
local LAN. This saves using ipforwarding and the complexity of ipchains rules;
all that would be required is proxyarp in your /etc/ppp/options.pptp file, so
that local LAN traffic destined for your pptp client will make the pptp
server respond and send that data back to the pptp client.

Example 2:
localip 192.168.100.1
remoteip 192.168.100.240-254

Diagram:
Workstations(2 to 239)     PPTP server                      PPTP client
192.168.100.2-239  <--->  192.168.100.1  <--------/ / ------>  192.168.100.240


thanks,
George Vieira
Network Engineer
Citadel Computer Systems P/L


-----Original Message-----
From: Jamin Collins [mailto:JaminC at adapt-tele.com]
Sent: Friday, July 20, 2001 11:53 PM
To: 'Randy Millis'
Cc: pptp-server at lists.schulte.org
Subject: RE: [pptp-server] pptp through firewall


Randy Millis [mailto:rmillis at home.com]
> I don't understand these very well. Also, I can't seem to find any detailed
> docs. Suggestions please?
> 
> > > localip 192.168.100.240-254
> Does this need to be the IP address of the host pptpd is running on?

It doesn't need to be that IP.  This is the IP address used for the server
side of the PPTP tunnel.  It is usually a good idea if this ip is in the
same subnet as your remoteip addresses.

> > > > remoteip 192.168.200.240-254
> 
> Is this the range of allowable addresses permitted to connect?

Not quite.  This is the range of ips that is used to allocate an ip address
to clients that connect for their end of the PPTP tunnel.

Hope that helps a bit.

Jamin W. Collins 
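
The following check is an added example, not part of the original thread or of pptpd itself. It expands the localip/remoteip pools and any fixed IPs in chap-secrets, then flags addresses that collide with the LAN DHCP pool or fall outside the LAN subnet (where proxyarp alone is not enough). The function names, the chap-secrets users and the DHCP pool 192.168.100.2-239 are constructed assumptions.

```python
import ipaddress

# Constructed sample inputs: Example 2 above, the split-subnet values quoted
# in the thread, and a made-up chap-secrets (client server secret [ip]).
EXAMPLE_2 = "localip 192.168.100.1\nremoteip 192.168.100.240-254\n"
SPLIT = "localip 192.168.100.240-254\nremoteip 192.168.200.240-254\n"
CHAP = ('alice pptpd "pw-a" 192.168.100.250\n'
        'bob   pptpd "pw-b" *\n'
        'carol pptpd "pw-c" 192.168.100.50\n')

def expand(spec):
    """Expand a pptpd address spec, e.g. '192.168.100.240-254,192.168.100.5'."""
    addrs = []
    for part in spec.split(","):
        first, _, last = part.strip().partition("-")
        start = ipaddress.IPv4Address(first)
        low = int(start) & 0xFF                  # last octet of the start address
        high = int(last) if last else low        # a single address has no range end
        if not low <= high <= 255:
            raise ValueError(f"bad range: {part!r}")
        addrs += [start + n for n in range(high - low + 1)]
    return addrs

def tunnel_ips(conf_text, chap_text):
    """Collect the localip/remoteip pools plus fixed IPs from chap-secrets."""
    ips = []
    for line in conf_text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) == 2 and fields[0] in ("localip", "remoteip"):
            ips += expand(fields[1])
    for line in chap_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and not fields[0].startswith("#") and fields[3] != "*":
            ips.append(ipaddress.IPv4Address(fields[3]))
    return ips

def audit(conf_text, chap_text, lan, dhcp_first, dhcp_last):
    """Return findings for tunnel IPs inside the DHCP pool or outside the LAN."""
    lan = ipaddress.ip_network(lan)
    lo, hi = ipaddress.IPv4Address(dhcp_first), ipaddress.IPv4Address(dhcp_last)
    findings = []
    for ip in dict.fromkeys(tunnel_ips(conf_text, chap_text)):  # de-duplicate
        if lo <= ip <= hi:
            findings.append(f"{ip} collides with the LAN DHCP pool")
        if ip not in lan:
            findings.append(f"{ip} is outside {lan}; proxyarp alone will not make it reachable")
    return findings

if __name__ == "__main__":
    for conf in (EXAMPLE_2, SPLIT):
        print(audit(conf, CHAP, "192.168.100.0/24", "192.168.100.2", "192.168.100.239"))
```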