Christopher Kalos ckalos at gothambroadband.com
Mon Oct 15 11:06:46 CDT 2001

	This weekend, we were forced to add a fourth interface to our firewall.  As
a result, we now have the following setup:
	Outside link->Firewall--|
	                        |-- DMZ
	                        |-- NAT 1
	                        |-- NAT 2

	The logic behind this is that the second NAT network needs to be completely
isolated from our DMZ and primary NAT network for security reasons.  It's
only there to allow visitors (or in this case, I suppose "tenants" is a
better word) to share our bandwidth.
	The firewall is running FreeBSD 4.3, using ipfw and the out-of-the-box natd.  The
VPN server has been on the primary NAT network, with proper redirects for
the GRE protocol and the PPTP port in place since it was built.
However, once we added the new interface (fxp3), the VPN immediately broke.
I'm not getting logs on the VPN server at all, and the firewall isn't
reporting any rejected packets.
	Has anyone had any experience with this sort of situation?  Telling me to
move the VPN server outside isn't an option, and the same applies to getting
rid of this secondary NAT network, or switching off of PoPToP.  There are
multiple internal reasons for this design, and none of them can be changed.

Christopher Kalos
Systems Administrator
Gotham Broadband
212.206.9620 x340