From: John Murphy
To: questions@FreeBSD.ORG
Date: Tue, 01 Apr 2003 21:23:22 +0100
Subject: Re: VPN pass through?

"Mark-Nathaniel Weisman" wrote:

>I have a W2K VPN server (RRAS using PPTP) set up behind my FreeBSD firewall.
>I also have a web server, mail server, and several others. I've set up my
>ipfw to allow packets for port 1723 on both tcp and udp from any to any,
>and set up NATD to redirect_port 1723 to the internal address of my VPN
>box. I am unable to pass the packets through, and when I put the redirect
>statement in my natd.conf file, none of the redirection works. I've tried
>redirecting both the port and the protocol to no avail.
>Can someone take a moment to explain where I'm going wrong?

You need to pass proto gre. Ipfw may do this by default, I'm not sure,
but I had to add:

    pass in quick on ed0 proto gre all
    pass out quick on ed0 proto gre all

to get a VPN working through an ipf firewall.

You may not need to redirect 1723 if the firewall is 'stateful' and you
initiate the connection from 'this' end.

HTH
John.
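
The point made in the reply above, as an added example that is not part of the original thread: PPTP's control channel is TCP port 1723, but the tunnelled data travels as GRE (IP protocol 47), which has no port field, so a rule set that only matches port 1723 never matches it. The packets, addresses (documentation ranges) and the simplified `(protocol, port)` rule model are constructed for illustration and are not ipfw or ipf syntax.

```python
import socket
import struct

# IP protocol numbers. PPTP control is TCP/1723; PPTP data is GRE (47).
TCP, UDP, GRE = 6, 17, 47

def ipv4(proto, payload, src="203.0.113.10", dst="192.0.2.1"):
    """Build a minimal IPv4 packet (constructed sample, checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def classify(pkt):
    """Return (IP protocol number, destination port or None)."""
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes
    proto = pkt[9]                       # protocol field of the IPv4 header
    if proto in (TCP, UDP):
        return proto, struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return proto, None                   # GRE has no port to match on

def allowed(pkt, rules):
    """Allow-list of (proto, port) rules, port None = any; default deny."""
    proto, port = classify(pkt)
    return any(r_proto == proto and r_port in (None, port)
               for r_proto, r_port in rules)

# Constructed samples: a TCP segment to port 1723 and an enhanced-GRE
# packet (version 1, protocol type 0x880B = PPP) as PPTP uses for data.
SAMPLES = {
    "pptp-control": ipv4(TCP, struct.pack("!HH", 40000, 1723) + bytes(16)),
    "pptp-data-gre": ipv4(GRE, struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0)),
}

# Rule set as described in the question, then with GRE passed as well.
PORT_ONLY_RULES = [(TCP, 1723), (UDP, 1723)]
WITH_GRE_RULES = PORT_ONLY_RULES + [(GRE, None)]

def report(rules):
    """Map each sample packet name to whether the rule set lets it through."""
    return {name: allowed(pkt, rules) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    print("port 1723 only:", report(PORT_ONLY_RULES))
    print("plus proto gre:", report(WITH_GRE_RULES))
```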