Down the MPD road
Peter Pentchev
roam at ringlet.net
Sat May 10 08:01:46 PDT 2003
On Sat, May 10, 2003 at 10:22:40AM -0400, Chris BeHanna wrote:
> On Saturday 10 May 2003 09:17, Michael Collette wrote:
> > Well, after working through the various options it looked like MPD would be
> > my best bet here. I've got it sort of working, but there's obviously some
> > tweak I'm missing here.
> >
> > Recap of the scenario:
> > Full class C of static IPs segmented into 3 networks. Outside, DMZ,
> > Inside. Trying to get remote Windows users through securely to the Inside.
> > Remote users have dynamic IPs.
> >
> > What's working:
> > MPD is running, and authenticating my test XP box via PPTP. No
> > certificates or any IPSec involved here.
> > I can hit boxes on the Inside really solid now.
> >
> > The probs:
> > Apparently PPTP actually puts the remote machine IN the target network.
> > Sorry, I'm still pretty green on this PPTP stuff. Works a good bit
> > differently than IPSec. Anyhow, once the remote box is connected all the
> > connections to the rest of the Internet are now coming from behind the
> > firewall. That'd be cool if it worked reliably.
> > While connected, when I attempt to browse around the public Internet some
> > pages just don't load, where others do. No rhyme or reason, and nothing
> > showing up in my logging of all denied packets via ipfw. For example, I
> > can hit CNN without a problem, then when I try news.google it never loads a
> > page. I can hit the main Yahoo page, but any of their other sites won't go.
> > Really odd.
>
> Here is where we descend into Windows-bashing. For some STUPID
> reason, when a Windows box connects to a VPN via PPTP, the Windows
> box's default route is adjusted to go through the VPN connection.
> This is fortunately fixable (Windows has a ROUTE command), but it
> requires your users to have half a clue:
>
> route delete 0.0.0.0
> route add 0.0.0.0 mask 0.0.0.0 gateway <ISP gateway> metric 1
> route add [InsideNetwork] mask [InsideMask] gateway [far end of VPN tunnel] metric 1
I cannot test this right now, so it is quite probable that you are
right, but couldn't this be controlled by the Properties >> Networking >>
Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >>
Use default gateway on remote network?
Granted, that's a hell of a place to bury a little checkbox, but could
this possibly help? :)
G'luck,
Peter
--
Peter Pentchev roam at ringlet.net roam at sbnd.net roam at FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence claims to be an Epimenides paradox, but it is lying.
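For readers on a current Windows client, the following is an added example (not from any poster in this thread) of the PowerShell equivalent of both fixes above: the "Use default gateway on remote network" checkbox corresponds to the connection's SplitTunneling flag being $false, and the manual ROUTE ADD for the Inside network corresponds to Add-VpnConnectionRoute. The connection name and the Inside prefix are assumed placeholders; the cmdlets come with the built-in VpnClient module on Windows 8.1 and later.

```powershell
# Added example, not code from the thread. Assumptions: a VPN entry named
# 'CorpPPTP' exists and the Inside network is 192.0.2.0/24 (RFC 5737 test range).
$VpnName      = 'CorpPPTP'       # assumed name of the dial-up/VPN entry
$InsidePrefix = '192.0.2.0/24'   # assumed Inside network behind the firewall

# List every IPv4 default route and the interface that owns it. While a
# full-tunnel VPN is up, one entry points at the VPN adapter with a low metric,
# which is why all Internet traffic ends up coming from behind the firewall.
function Get-DefaultRouteOwners {
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
}

# Clear the "Use default gateway on remote network" box (SplitTunneling = $true)
# so the client keeps its ISP default route, then route only the Inside
# network over the tunnel. Note the trade-off: with split tunneling the
# remote user's Internet traffic no longer passes through the firewall.
function Set-SplitTunnel {
    param([string]$Name, [string]$Prefix)
    Set-VpnConnection -Name $Name -SplitTunneling $true -PassThru |
        Select-Object Name, SplitTunneling
    # Metric 1 mirrors the manual "route add ... metric 1" quoted above.
    Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $Prefix -RouteMetric 1
}

Get-DefaultRouteOwners                              # before: VPN adapter owns a default route
Set-SplitTunnel -Name $VpnName -Prefix $InsidePrefix
Get-VpnConnection -Name $VpnName |
    Select-Object Name, TunnelType, SplitTunneling, Routes   # after: SplitTunneling True, one Inside route
```

Run Get-DefaultRouteOwners again after the next dial-in to confirm the VPN adapter no longer carries a 0.0.0.0/0 entry; routes added with Add-VpnConnectionRoute only take effect while SplitTunneling is $true.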