[pptp-server] pptp tunnel is not used for internet services
HaiDang
haidang79 at yahoo.com
Thu Sep 20 05:21:11 CDT 2001
The latter case, I think, is my case.

All the IPs in the subset (32 addresses) are static (I guess my company didn't bother paying for just one IP and masquerading all the rest of the machines). Therefore, I believe they are all external IPs.

To connect to the VPN server, the client first has to dial into an ISP. Either it has a static IP (using DSL), or it will obtain a dynamic one (using dial-up). The dial-up is more frequent, and is what I'm applying my Linux box to.

Our purpose is that we don't trust any IPs not in our subnet (in other words, not within the 32 IPs we have). The IP that the Linux box has is a static IP, so it is visible, and I will get the right IP if I do a ping to www.mydomain.com after I already have a VPN connection.

The client then would have a dynamic IP assigned from their ISP, with (probably) a different netmask from our netmask. They will connect via VPN to our Linux box, and get assigned one of the 32 IPs. Because the client now has an IP within the subnet, the firewall should let it through.

By the way, after I already have a VPN connection, I use winipcfg from the client (at home) and see that I do get a new IP from the pool, but the new subnet mask is not the same as that of our LAN. It is 255.0.0.0 while our LAN subnet mask is 255.255.255.224.

--- "Cowles, Steve" <Steve at SteveCowles.com> wrote:
> > -----Original Message-----
> > From: HaiDang [mailto:haidang79 at yahoo.com]
> > Sent: Wednesday, September 19, 2001 3:12 PM
> > To: Michael McConnell
> > Cc: pptp-server at lists.schulte.org
> > Subject: Re: [pptp-server] pptp tunnel is not used for internet services
> >
> > Maybe I need to clarify it more.
>
> Thank You!
>
> > The firewall is on the Linux box, which also runs as
> > VPN server. The firewall only allows packets within
> > the subnet to the Linux server (let's say 0 to 31).
> > The IP pool consists of only 3 IPs: 29, 30, and 31.
> > When I establish VPN, I get assigned 29. But when I
> > use the mail server on the same Linux box, and check
> > the log files, my Win98 uses its original IP to send
> > packets to the Linux, and thus is denied by the
> > firewall rules. The tunnel is just between my Win98
> > and the Linux server, nothing else's involved.
>
> If I understand your post correctly, it sounds like your PPTP client's
> Ethernet interface has an IP address that is within the same subnet as the
> VPN that you are trying to create. If this is the case, then what you are
> describing is normal. Think netmasks! Type: route print - at the PPTP client
> after you establish your VPN.
>
> If this is not the case, and you are establishing a VPN across the internet
> where your Ethernet (or dialup) adapter has a different IP/netmask than the
> private LAN you are trying to access across the VPN, then how are you
> specifying the mail server? By IP or FQDN? I.e., when you ping your mail
> server from the PPTP client using its FQDN... what IP address is being
> returned? In other words, is the IP address internal or external? FWIW: I
> run a DNS server which returns the internal IP address for mail.mydomain.com
> when queried internally (or across the VPN) and an external address when
> queried from the internet.
>
> > And if I used firewall-config to configure the
> > firewall, how should I add those rules in ??
> >
> > Thank you,
>
> Can't help you much here. Keep in mind that your PPTP server is in essence
> a router. It is routing packets of data between eth0 and ppp0 and
> vice-versa. Your firewall rules will need to deal with this.
>
> Steve Cowles
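
Added example, not part of either message above: a small Python model of the longest-prefix lookup that `route print` exposes on the client, showing which interface and source address a packet gets and whether a "source must be in the /27" firewall rule would accept it. All addresses are constructed (the thread gives only host numbers 0 to 31 and pool 29 to 31), and the host route that pins the PPTP server to the dial-up link is an assumption about the client's route table.

```python
import ipaddress

# Constructed addresses; the thread only gives host numbers, not the real prefix.
LAN = ipaddress.ip_network("10.20.30.0/27")        # mask 255.255.255.224, hosts 0-31
SERVER = ipaddress.ip_address("10.20.30.1")        # Linux box: PPTP, mail, firewall
ISP_ADDR = ipaddress.ip_address("198.51.100.77")   # address handed out by the ISP
VPN_ADDR = ipaddress.ip_address("10.20.30.29")     # address from the PPTP pool


def client_routes(pin_server_host_route=True):
    """Client route table once the tunnel is up: (network, interface, source)."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "dialup", ISP_ADDR),
        # The tunnel adapter shows mask 255.0.0.0, so it claims the whole /8.
        (ipaddress.ip_network("10.0.0.0/8"), "pptp", VPN_ADDR),
    ]
    if pin_server_host_route:
        # Assumption: a /32 route to the PPTP server via the dial-up link,
        # so the tunnel's own carrier packets are not sent into the tunnel.
        routes.append((ipaddress.ip_network(f"{SERVER}/32"), "dialup", ISP_ADDR))
    return routes


def select_route(routes, dst):
    """Longest-prefix match, the rule an IP stack applies to its route table."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)


def firewall_accepts(src):
    """Firewall policy from the thread: only sources inside the /27 are allowed."""
    return src in LAN


def trace(dst, routes):
    """Return (interface, source address, accepted by firewall) for one packet."""
    _, iface, src = select_route(routes, dst)
    return iface, str(src), firewall_accepts(src)


if __name__ == "__main__":
    for dst in ("10.20.30.1", "10.20.30.5"):
        print(dst, trace(dst, client_routes()))
```

Comparing this model with the real `route print` output shows whether the mail server's address is matched by a more specific route than the tunnel's.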