VPN: poptop


Pablo Bendersky

Apr 4, 2001, 12:13:24 PM
Hi !
I'd like to give access to a remote machine running Windows ME.
I have a Firewall/NAT running FreeBSD and Windows 2000 DNS/DHCP/DOMAIN
servers.

Can it be done through VPN? Does anyone know how to do it?
Maybe poptop is the solution ?

How do I install it ?

Thanks a lot !

Pablo Bendersky
pbend...@itineri.com


To Unsubscribe: send mail to majo...@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Lucas Bergman

Apr 4, 2001, 2:20:12 PM
> I'd like to give access to a remote machine running Windows ME. I
> have a Firewall/NAT running FreeBSD and Windows 2000 DNS/DHCP/DOMAIN
> servers.
>
> Can it be done through VPN?

Yes.

> Does anyone know how to do it?

Yes.

> Maybe poptop is the solution ?

Since you mentioned PoPToP, I assume you want to use PPTP for your
VPN, not something like IPsec. I use mpd to give PPTP access to
several Windows 2000 clients, and it works fine. (I chose mpd over
PoPToP, since mpd uses FreeBSD kernel facilities specifically made for
this kind of thing, whereas PoPToP is userland software ported from
Linux.) I've never used (or even seen, for that matter) Windows ME,
so I suppose YMMV applies.

> How do I install it ?

1) Either get the source yourself and compile it, according to the
instructions (it's

/pub/FreeBSD/ports/local-distfiles/archie/mpd-3.2.tar.gz

on ftp.freebsd.org), or do

# cd /usr/ports/net/mpd && make install

2) Read the documentation (it's HTML format) and the sample
configuration files.

Lucas

Pablo Bendersky

Apr 5, 2001, 11:32:55 AM
Could you help a little?
I've just set it up, and it works fine (the Windows client can connect
and is assigned an IP address).
The problem is that it cannot browse our internal web servers.

Maybe it is a problem with the firewall rules?
My rules are as follows:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00500 deny ip from any to 10.0.0.0/8 via xl1
00600 deny ip from any to 172.16.0.0/12 via xl1
00700 deny ip from any to 192.168.0.0/16 via xl1
00800 deny ip from any to 0.0.0.0/8 via xl1
00900 deny ip from any to 169.254.0.0/16 via xl1
01000 deny ip from any to 192.0.2.0/24 via xl1
01100 deny ip from any to 224.0.0.0/4 via xl1
01200 deny ip from any to 240.0.0.0/4 via xl1
01300 divert 8668 ip from any to any
01400 deny ip from 10.0.0.0/8 to any via xl1
01500 deny ip from 172.16.0.0/12 to any via xl1
01600 deny ip from 192.168.0.0/16 to any via xl1
01700 deny ip from 0.0.0.0/8 to any via xl1
01800 deny ip from 169.254.0.0/16 to any via xl1
01900 deny ip from 192.0.2.0/24 to any via xl1
02000 deny ip from 224.0.0.0/4 to any via xl1
02100 deny ip from 240.0.0.0/4 to any via xl1
02200 allow ip from any to any frag
02300 allow ip from any to any
65535 deny ip from any to any

-----Original message-----
From: Lucas Bergman [mailto:lu...@slb.to]
Sent: Wednesday, 04 April 2001 03:43 p.m.
To: Pablo Bendersky
Subject: Re: VPN: poptop


> Thanks, I've just installed it and I'm reading the manual.

Excellent. Good luck.

Chuck Sumner

Apr 5, 2001, 12:06:19 PM
What subnet do your internal machines live on?

Pablo Bendersky

Apr 5, 2001, 12:26:04 PM
My machines are on subnet 192.168.0.0/24

-----Original message-----
From: owner-freeb...@FreeBSD.ORG
[mailto:owner-freeb...@FreeBSD.ORG] On behalf of Chuck Sumner
Sent: Thursday, 05 April 2001 01:06 p.m.
To: 'Pablo Bendersky'; lu...@slb.to; freebsd-...@freebsd.org
Subject: RE: VPN: poptop

Chuck Sumner

Apr 5, 2001, 1:45:28 PM
Well, not knowing your network layout, this may be wrong,
but it looks to me like rule 01600 is the problem:
denying all traffic from 192.168/16.

If this box acts as a firewall/router, this may be useful. But, if this box
sits on an internal subnet, like 192.168/16, then this rule defeats you.

Hope that helps. I'd try commenting out that line and seeing what happens.

chuck

Pablo Bendersky

Apr 5, 2001, 2:02:47 PM
Hi again.
I'll try to explain it better.
I have a computer acting as a firewall/gateway to the internet.
Our lan is on the 192.168.0.0/192.168.0.255 subnet.
I want to give VPN access to a computer through the internet, so I've
set up mpd on the firewall (which, by the way, is our only computer
connected to the internet).

The firewall has two interfaces... xl1 to the internet, and xl0 to the local
network.

The firewall rules are as follows:


00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00500 deny ip from any to 10.0.0.0/8 via xl1
00600 deny ip from any to 172.16.0.0/12 via xl1
00700 deny ip from any to 192.168.0.0/16 via xl1
00800 deny ip from any to 0.0.0.0/8 via xl1
00900 deny ip from any to 169.254.0.0/16 via xl1
01000 deny ip from any to 192.0.2.0/24 via xl1
01100 deny ip from any to 224.0.0.0/4 via xl1
01200 deny ip from any to 240.0.0.0/4 via xl1
01300 divert 8668 ip from any to any
01400 deny ip from 10.0.0.0/8 to any via xl1
01500 deny ip from 172.16.0.0/12 to any via xl1
01600 deny ip from 192.168.0.0/16 to any via xl1
01700 deny ip from 0.0.0.0/8 to any via xl1
01800 deny ip from 169.254.0.0/16 to any via xl1
01900 deny ip from 192.0.2.0/24 to any via xl1
02000 deny ip from 224.0.0.0/4 to any via xl1
02100 deny ip from 240.0.0.0/4 to any via xl1
02200 allow ip from any to any frag
02300 allow ip from any to any
65535 deny ip from any to any

I'm using the addresses 192.168.0.160 and 192.168.0.161 for the VPN link.
I'm able to log in to the network via VPN with a remote computer. I can use
local DNS, I can use telnet, and everything seems to work for me.
The problem is when I try to access a virtual web server in the internal
network (located at 192.168.0.5 and called, say, virtual.domain).
So, in Internet Explorer (on the computer connected through NAT) I enter
http://virtual.domain
The address gets resolved, and the page starts to download, but then the
firewall loses performance, and nobody on our local network is able to use
the internet. I don't understand why this happens. Does anyone have a clue? I
thought, maybe, some packets are entering some kind of loop on the firewall
??? Anyway I don't think so, because the page does start to download (I can
see its title, for example).

Thanks a lot for your help !

-----Original message-----
From: owner-freeb...@FreeBSD.ORG
[mailto:owner-freeb...@FreeBSD.ORG] On behalf of Chuck Sumner

Sent: Thursday, 05 April 2001 02:45 p.m.
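Walking the posted ruleset against constructed packets, as an added example that is not from the thread: every deny rule except 00200 is qualified with "via xl1", so packets on the PPTP link (assumed here to appear on mpd's ng0 interface) or on xl0 never match them, and the first rule they reach is 01300, whose divert has no interface qualifier and so hands every packet, LAN and VPN included, to natd. The evaluator only reports the first matching rule; what natd does with a diverted packet is not modelled.

```python
import ipaddress

# Copy of the 'ipfw list' output posted in the thread (constructed for this example).
RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00500 deny ip from any to 10.0.0.0/8 via xl1
00600 deny ip from any to 172.16.0.0/12 via xl1
00700 deny ip from any to 192.168.0.0/16 via xl1
00800 deny ip from any to 0.0.0.0/8 via xl1
00900 deny ip from any to 169.254.0.0/16 via xl1
01000 deny ip from any to 192.0.2.0/24 via xl1
01100 deny ip from any to 224.0.0.0/4 via xl1
01200 deny ip from any to 240.0.0.0/4 via xl1
01300 divert 8668 ip from any to any
01400 deny ip from 10.0.0.0/8 to any via xl1
01500 deny ip from 172.16.0.0/12 to any via xl1
01600 deny ip from 192.168.0.0/16 to any via xl1
01700 deny ip from 0.0.0.0/8 to any via xl1
01800 deny ip from 169.254.0.0/16 to any via xl1
01900 deny ip from 192.0.2.0/24 to any via xl1
02000 deny ip from 224.0.0.0/4 to any via xl1
02100 deny ip from 240.0.0.0/4 to any via xl1
02200 allow ip from any to any frag
02300 allow ip from any to any
65535 deny ip from any to any"""

def parse_rule(line):
    """Turn one 'ipfw list' line into (number, action, src, dst, via, frag)."""
    words = line.split()
    num, action = int(words[0]), words[1]
    if action == "divert":       # 'divert PORT ip from ...': drop the port
        words.pop(2)
    src, dst = words[4], words[6]
    via = words[words.index("via") + 1] if "via" in words else None
    return num, action, src, dst, via, "frag" in words

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def first_match(src, dst, iface, frag=False, ruleset=RULESET):
    """(number, action) of the first rule a packet hits; 'via' matches the
    interface the packet arrives on or leaves by, 'frag' only later fragments."""
    for num, action, rsrc, rdst, via, rfrag in map(parse_rule, ruleset.splitlines()):
        if (via and via != iface) or (rfrag and not frag):
            continue
        if addr_match(rsrc, src) and addr_match(rdst, dst):
            return num, action
    return 65535, "deny"
```

Call first_match("192.168.0.161", "192.168.0.5", "ng0") for the VPN client reaching the internal web server, and first_match("203.0.113.7", "192.168.0.5", "xl1") for a packet with a private destination arriving on the outside interface; the second one is the kind of packet the "via xl1" anti-spoofing rules are there to stop.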
