[pptp-server] Poptop through NAT redux

Dean Roman droman at romansys.com
Mon Oct 15 04:14:51 CDT 2001


Christopher,

   Just a stupid question, but did you check to make sure that after
adding the 4th card, your box didn't renumber the ethernet interfaces
starting with the new card?

    In other words, make sure the logical interface name matches the
physical card you think it should.

Thanks,
   ---Dean.



Christopher Kalos wrote:
> 
>         This weekend, we were forced to add a fourth interface to our firewall.  As
> a result, we now have the following setup:
>         Outside link->Firewall--|
>                                  |-- DMZ
>                                  |-- NAT 1
>                                  |-- NAT 2
> 
>         The logic behind this is that the second NAT network needs to be completely
> isolated from our DMZ and primary NAT network for security reasons.  It's
> only there to allow visitors (or in this case, I suppose "tenants" is a
> better word) to share our bandwidth.
>         The firewall is running FreeBSD 4.3, using ipfw and out of box natd.  The
> VPN server has been on the primary NAT network, with proper redirects in
> place for the GRE protocol and pptp port in place since it was built.
> However, once we added the new interface (fxp3), the VPN immediately broke.
> I'm not getting logs on the VPN server at all, and the firewall isn't
> reporting any rejected packets.
>         Has anyone had any experience with this sort of situation?  Telling me to
> move the VPN server outside isn't an option, and the same applies to getting
> rid of this secondary NAT network, or switching off of PoPToP.  There are
> multiple internal reasons for this design, and none of them can be changed.
> 
> Thanks in advance,
> 
> Christopher Kalos
> Systems Administrator
> Gotham Broadband
> 212.206.9620 x340


