NAT, VPN and other SOHO router advice
Chuck Swiger
cswiger at mac.com
Thu Apr 6 21:52:28 UTC 2006
Nick Stenning wrote:
[ ... ]
> The second part of the question is perhaps slightly more complex. The
> Vigor router has set up on it a LAN-to-LAN PPTP VPN (enough acronyms
> for you?) to an office elsewhere. As it stands currently, machines on
> the LAN can access (ping/SMB shares) a class C subnet, 192.168.1.0/24
> via this VPN connecion on the Vigor router. Also, machines at the
> other end of the VPN, in the office, can access machines at this end
> of the VPN, on the LAN (the other class C: 10.0.0.0/24)
>
> The question is, what IPFW divert rules and other whizbangery do I
> need to set up so that I can disconnect that cable marked ** and have
> all the VPN stuff keep working. If at all possible, I'd rather not
> move the management of the VPN onto the FBSD box.
Given what you've said, you should set up the FreeBSD machine as a bridge
rather than a router.
It's possible to do other things, such as changing the NAT address range
used by rl1 and your Vigor 2600, yet also set up NAT on the FreeBSD machine,
including GRE passthrough and PPTP in /etc/natd.conf, but that would be
evil, hard to debug, and otherwise tempting the fates. :-)
# NATD configuration options
dynamic yes
interface rl1
#log yes
log_denied yes
use_sockets yes
same_ports yes
unregistered_only yes
#punch_fw 10000:100
redirect_proto gre 10.1.1.2
redirect_port udp 10.1.1.2:500 500
redirect_port udp 10.1.1.2:4500 4500
redirect_port udp 10.1.1.2:62515 62515
redirect_port tcp 10.1.1.2:10000 10000
redirect_port tcp 10.1.1.2:pptp pptp
# The above rules allow passthrough for the Cisco VPN software, and should
also work with SonicWall's VPN client. OpenVPN uses just a single UDP port,
and would be very easy to set up on FreeBSD if you liked.
--
-Chuck
More information about the freebsd-questions
mailing list