NAT, VPN and other SOHO router advice

Chuck Swiger cswiger at
Thu Apr 6 21:52:28 UTC 2006

Nick Stenning wrote:
[ ... ]
> The second part of the question is perhaps slightly more complex. The
> Vigor router has set up on it a LAN-to-LAN PPTP VPN (enough acronyms
> for you?) to an office elsewhere. As it stands currently, machines on
> the LAN can access (ping/SMB shares) a class C subnet,
> via this VPN connecion on the Vigor router. Also, machines at the
> other end of the VPN, in the office, can access machines at this end
> of the VPN, on the LAN (the other class C:
> The question is, what IPFW divert rules and other whizbangery do I
> need to set up so that I can disconnect that cable marked ** and have
> all the VPN stuff keep working. If at all possible, I'd rather not
> move the management of the VPN onto the FBSD box.

Given what you've said, you should set up the FreeBSD machine as a bridge 
rather than a router.

It's possible to do other things, such as changing the NAT address range 
used by rl1 and your Vigor 2600, yet also set up NAT on the FreeBSD machine, 
including GRE passthrough and PPTP in /etc/natd.conf, but that would be 
evil, hard to debug, and otherwise tempting the fates.  :-)

# NATD configuration options
dynamic yes
interface rl1
#log yes
log_denied yes
use_sockets yes
same_ports yes
unregistered_only yes
#punch_fw 10000:100
redirect_proto gre
redirect_port udp 500
redirect_port udp 4500
redirect_port udp 62515
redirect_port tcp 10000
redirect_port tcp pptp

# The above rules allow passthrough for the Cisco VPN software, and should 
also work with SonicWall's VPN client.  OpenVPN uses just a single UDP port, 
and would be very easy to set up on FreeBSD if you liked.


More information about the freebsd-questions mailing list