[pptp-server] [off-topic] PPTP on a 2 layer firewall

Paul Reed paul at bsdc.ca
Mon Oct 15 02:49:49 CDT 2001


It may not be the best solution, but this is how I would approach it:

I would use a Linux (2.4 kernel) box as a central Firewall/Router (using
iptables).

                            PopTop Server
                              (192.168.1.x/24)
                                       /\
                                        |
                                       \/
                                    (eth2)
Internet ---> (eth0) Firewall/Router (eth1)<--> LAN (192.168.0.x/24)
                                    (eth3)
                                       /\
                                        |
                                       \/
                      Other Servers (192.168.2.x/24)

(the /24 on the ips means a subnet mask of 255.255.255.0)

This way, the Firewall acts as a router between 4 separate networks.
I would suggest a separate NIC for each network, but you could get away with
1 external and 1 internal NIC with 3 IPs on different networks (by
aliasing).
With this setup we have the ability to see very strict rules set in place.
You can specify which machines/networks can see which servers, etc...

Only the workstations (192.168.0.x) would need to use NAT through the
router, but if the servers need to have internet access, you can set up
firewall/NAT rules on an IP by IP basis. VERY strict rules would need to be
set up on eth0 (external interface). You could still use another firewall in
front, but it would just overcomplicate things when forwarding and
NATing. As long as your rules are good, another box in front would just be
redundant.

Port 1723 and protocol 47 will be forwarded from the firewall to the PoPToP
server. The PoPToP server can be set up to provide IPs by login, so you can
then restrict 'joe' on 192.168.1.20 to see only one or two servers and not the
LAN network, but 'fred' who uses 192.168.1.21 can see all servers and all
networks. 'fred' can even be set up to use the PPTP server as his internet
gateway, and you can NAT him back through; that way internet traffic to him
is filtered through your firewall as well.

This could get very complicated; routing and firewalling are only limited by
your imagination.. :)

Hope this helps.. :)

Paul Reed
Systems Administrator
Black Sheep Digital Corp.
www.bsdc.ca
paul at bsdc.ca
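
Paul's forwarding and per-user scheme (1723 and GRE to the PoPToP box, 'joe' allowed only a couple of servers, 'fred' everywhere with NAT back out through eth0) written out as an iptables script for a 2.4 kernel. This is an added example, not from the thread; the interface names, the PoPToP address 192.168.1.2 and the two server addresses joe may reach are assumptions.

```shell
#!/bin/sh
# Added example for the four-network layout above (not from the thread).
# Assumed: eth0 = Internet, eth1 = LAN 192.168.0.0/24, eth2 = PoPToP
# 192.168.1.0/24, eth3 = servers 192.168.2.0/24; PoPToP box at 192.168.1.2;
# pppd hands 'joe' 192.168.1.20 and 'fred' 192.168.1.21 by login.
IPT="${IPT:-iptables}"      # set IPT=echo to print the rules instead of loading them
EXT_IF=eth0
LAN=192.168.0.0/24
SERVERS=192.168.2.0/24
POPTOP=192.168.1.2
JOE=192.168.1.20
FRED=192.168.1.21
JOE_SERVERS="192.168.2.10 192.168.2.11"   # assumed: the only hosts joe may see

vpn_rules() {
  # Default-deny between the four networks; replies to accepted flows pass.
  "$IPT" -P FORWARD DROP
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Port 1723 (PPTP control) and protocol 47 (GRE) forwarded to PoPToP.
  # GRE is tracked generically without the pptp helper, enough for one server.
  "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 1723 -j DNAT --to-destination "$POPTOP"
  "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p 47 -j DNAT --to-destination "$POPTOP"
  "$IPT" -A FORWARD -i "$EXT_IF" -d "$POPTOP" -p tcp --dport 1723 -j ACCEPT
  "$IPT" -A FORWARD -i "$EXT_IF" -d "$POPTOP" -p 47 -j ACCEPT

  # Workstations get NAT to the Internet; servers do not (add per IP if needed).
  "$IPT" -A FORWARD -s "$LAN" -o "$EXT_IF" -j ACCEPT
  "$IPT" -t nat -A POSTROUTING -s "$LAN" -o "$EXT_IF" -j MASQUERADE

  # joe: one or two servers only, nothing on the LAN; log what he is refused.
  for s in $JOE_SERVERS; do
    "$IPT" -A FORWARD -s "$JOE" -d "$s" -j ACCEPT
  done
  "$IPT" -A FORWARD -s "$JOE" -j LOG --log-prefix "vpn-joe-denied: "
  "$IPT" -A FORWARD -s "$JOE" -j DROP

  # fred: all servers and the LAN, and the firewall as his Internet gateway,
  # NAT'ed back out through eth0 so his traffic is filtered here as well.
  "$IPT" -A FORWARD -s "$FRED" -d "$LAN" -j ACCEPT
  "$IPT" -A FORWARD -s "$FRED" -d "$SERVERS" -j ACCEPT
  "$IPT" -A FORWARD -s "$FRED" -o "$EXT_IF" -j ACCEPT
  "$IPT" -t nat -A POSTROUTING -s "$FRED" -o "$EXT_IF" -j MASQUERADE
}

# Load the rules only when explicitly asked: sh vpn_rules.sh --apply
if [ "${1:-}" = "--apply" ]; then vpn_rules; fi
```

Run it with IPT=echo first to review the generated rule list before loading it on the router.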


----- Original Message -----
From: "Shanker Balan" <shanu at exocore.com>
To: "Pptp-Server" <pptp-server at lists.schulte.org>
Sent: Monday, October 15, 2001 1:09 AM
Subject: [pptp-server] [off-topic] PPTP on a 2 layer firewall


> Hello:
>
> What is "the" way to add VPN to a network? My client has a 2 layer
> firewall setup consisting of 2 Linux boxes.
>
> The network looks like this:
>
>             +-------------+          +------------+             +-------+
> Internet -> | Firewall-1  | 10.0.0.x | Firewall-2 | 192.168.x.x |  LAN  |
>             |   PopTop    |--------->|            |------------>|       |
>             +-------------+          +------------+             +-------+
>
> In the current setup, the PPTP VPN connection lands on Firewall-1 and
> gets an IP address in the 10.0.1.x segment. Firewall-2 will only accept
> packets from Firewall-1 (10.0.0.x segment). Since the VPN connection is
> on another subnet altogether (10.0.1.x), I have to masquerade the
> VPN connection so that Firewall-2 will accept it. I have to masquerade
> it once again on Firewall-2 as the LAN is again on another network
> altogether - 192.168.x.x.
>
>        VPN -> Firewall-1 (NAT) -> Firewall-2 (NAT) -> LAN
>
> Some of the shortcomings I see with this setup are the following:
>
> - This setup makes the firewall redundant. I can directly access any
>   machine on the LAN from Firewall-1 as Firewall-2 masquerades all
>   connections from Firewall-1
> - Cannot track VPN user access. Since the VPN connection is NAT'ed twice
>   (once on Firewall-1 and then again on Firewall-2), all connections made
>   to the LAN have their originating IP set to Firewall-2.
> - Cannot put access controls on VPN users
>
> Don't ask me why things were done this way but the damage has been done.
> Now, how do I replace this setup with a more "secure" one?
>
> Should I port forward PPTP ports onto Firewall-2 and then give the VPN
> connection an address in the 192.168.x.x range? Will dedicating a
> separate VPN box for exclusively handling VPN traffic increase security?
>
> It would be great if I could get some VPN implementation details from
> people running VPN on a 2 layer firewall setup. IOW, how do the pros do
> it? :)
>
> Any help greatly appreciated.
>
> -- Shanu
>
> --
> Princess Leia Organa:
> Help me, Obi-wan Kenobi. You're my only hope.