Down the MPD road

Peter Pentchev roam at ringlet.net
Sat May 10 08:01:46 PDT 2003


On Sat, May 10, 2003 at 10:22:40AM -0400, Chris BeHanna wrote:
> On Saturday 10 May 2003 09:17, Michael Collette wrote:
> > Well, after working through the various options it looked like MPD would be
> > my best bet here.  I've got it sort of working, but there's obviously some
> > tweak I'm missing here.
> >
> > Recap of the scenario:
> >   Full class C of static IPs segmented into 3 networks.  Outside, DMZ,
> > Inside. Trying to get remote Windows users through securely to the Inside.
> > Remote users have dynamic IPs.
> >
> > What's working:
> >   MPD is running, and authenticating my test XP box via PPTP.  No
> > certificates or any IPSec involved here.
> >   I can hit boxes on the Inside really solid now.
> >
> > The probs:
> >   Apparently PPTP actually puts the remote machine IN the target network.
> > Sorry, I'm still pretty green on this PPTP stuff.  Works a good bit
> > different than IPSec.  Anyhow, once the remote box is connected all the
> > connections to the rest of the Internet are now coming from behind the
> > firewall.  That'd be cool if it worked reliably.
> >   While connected, when I attempt to browse around the public Internet some
> > pages just don't load, where others do.  No rhyme or reason, and nothing
> > showing up in my logging of all denied packets via ipfw.  For example, I
> > can hit CNN without a problem, then when I try news.google it never loads a
> > page. I can hit the main Yahoo page, but any of their other sites won't go.
> >  Really odd.
> 
>     Here is where we descend into Windows-bashing.  For some STUPID
> reason, when a Windows box connects to a VPN via PPTP, the Windows
> box's default route is adjusted to go through the VPN connection.
> This is fortunately fixable (Windows has a ROUTE command), but it
> requires your users to have half a clue:
> 
>     route delete 0.0.0.0
>     route add 0.0.0.0 mask 0.0.0.0 gateway <ISP gateway> metric 1
>     route add [InsideNetwork] mask [InsideMask] gateway [far end of VPN tunnel] metric 1

I cannot test this right now, so it is quite probable that you are
right, but couldn't this be controlled by the Properties >> Networking
>> Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >>
Use default gateway on remote network?

Granted, that's a hell of a place to bury a little checkbox, but could
this possibly help? :)

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net    roam at sbnd.net    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence claims to be an Epimenides paradox, but it is lying.
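As an added example that is not part of this thread: a PowerShell script for current Windows versions that checks the two things discussed above (whether the default route is going down the PPTP tunnel, and whether the "Use default gateway on remote network" checkbox, exposed as the SplitTunneling property, is set), and optionally applies the split-tunnel fix persistently instead of hand-editing routes every session. It assumes the built-in VpnClient and NetTCPIP modules, a placeholder connection name 'Corp-PPTP' and a placeholder Inside prefix 192.0.2.0/24.

```powershell
# Added example (not from the thread). Assumes Windows 8/2012 or later with the
# VpnClient and NetTCPIP modules. Connection name and Inside prefix are placeholders.
param(
    [string]$VpnName      = 'Corp-PPTP',     # placeholder connection name
    [string]$InsidePrefix = '192.0.2.0/24',  # placeholder Inside network (documentation range)
    [switch]$Fix
)

# Mapping assumed here: the checkbox "Use default gateway on remote network"
#   ticked  -> SplitTunneling = $false  (all traffic, Internet included, goes down the tunnel)
#   cleared -> SplitTunneling = $true   (only routed prefixes use the tunnel)
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop
"Connection '$VpnName': SplitTunneling = $($vpn.SplitTunneling), status = $($vpn.ConnectionStatus)"

# List every default route with the interface carrying it. While a full-tunnel
# PPTP session is up, the preferred 0.0.0.0/0 route sits on the VPN interface,
# which is the behaviour the route delete/add commands in the thread undo by hand.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Sort-Object RouteMetric, InterfaceMetric |
    Format-Table InterfaceAlias, NextHop, RouteMetric, InterfaceMetric -AutoSize

$viaVpn = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -InterfaceAlias $VpnName `
    -ErrorAction SilentlyContinue
if ($viaVpn) {
    Write-Warning "Default route currently goes through '$VpnName' (full tunnel)."
} else {
    "Default route does not use '$VpnName'."
}

if ($Fix) {
    # Clear the checkbox persistently: only prefixes bound to the connection use the tunnel.
    Set-VpnConnection -Name $VpnName -SplitTunneling $true
    # Bind the Inside network to the connection so the route is installed on every connect,
    # replacing the per-session 'route add [InsideNetwork] ...' step.
    Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $InsidePrefix `
        -ErrorAction SilentlyContinue | Out-Null
    "Split tunneling enabled; reconnect '$VpnName' for the default-route change to take effect."
}
```

Run without -Fix first to see which interface holds the default route; note that with split tunneling the client keeps direct Internet access while attached to the Inside network, so the Inside hosts are now reachable from a machine that is no longer behind the firewall for the rest of its traffic.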