Date: Sat, 10 May 2003 17:59:15 +0300
From: Peter Pentchev <roam@ringlet.net>
To: Chris BeHanna <behanna@zbzoom.net>
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: Down the MPD road
Message-ID: <20030510145915.GB79233@straylight.oblivion.bg>
In-Reply-To: <200305101022.40307.behanna@zbzoom.net>
References: <200305100617.44245.metrol@metrol.net> <200305101022.40307.behanna@zbzoom.net>
On Sat, May 10, 2003 at 10:22:40AM -0400, Chris BeHanna wrote:
> On Saturday 10 May 2003 09:17, Michael Collette wrote:
> > Well, after working through the various options it looked like MPD would be
> > my best bet here. I've got it sort of working, but there's obviously some
> > tweak I'm missing here.
> >
> > Recap of the scenario:
> > Full class C of static IPs segmented into 3 networks. Outside, DMZ,
> > Inside. Trying to get remote Windows users through securely to the Inside.
> > Remote users have dynamic IPs.
> >
> > What's working:
> > MPD is running, and authenticating my test XP box via PPTP. No
> > certificates or any IPSec involved here.
> > I can hit boxes on the Inside really solid now.
> >
> > The probs:
> > Apparently PPTP actually puts the remote machine IN the target network.
> > Sorry, I'm still pretty green on this PPTP stuff. Works a good bit
> > different than IPSec. Anyhow, once the remote box is connected all the
> > connections to the rest of the Internet are now coming from behind the
> > firewall. That'd be cool if it worked reliably.
> > While connected, when I attempt to browse around the public Internet some
> > pages just don't load, where others do. No rhyme or reason, and nothing
> > showing up in my logging of all denied packets via ipfw. For example, I
> > can hit CNN without a problem, then when I try news.google it never loads a
> > page. I can hit the main Yahoo page, but any of their other sites won't go.
> > Really odd.
>
> Here is where we descend into Windows-bashing. For some STUPID
> reason, when a Windows box connects to a VPN via PPTP, the Windows
> box's default route is adjusted to go through the VPN connection.
> This is fortunately fixable (Windows has a ROUTE command), but it
> requires your users to have half a clue:
>
> route delete 0.0.0.0
> route add 0.0.0.0 mask 0.0.0.0 gateway <ISP gateway> metric 1
> route add [InsideNetwork] mask [InsideMask] gateway [far end of VPN tunnel] metric 1

I cannot test this right now, so it is quite probable that you are right,
but couldn't this be controlled by the Properties >> Networking >>
Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >>
Use default gateway on remote network? Granted, that's a hell of a place
to bury a little checkbox, but could this possibly help? :)

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence claims to be an Epimenides paradox, but it is lying.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+vRPC7Ri2jRYZRVMRArGfAJ9Od7XrJQjDjPWzI1VVUyiNx+9YTQCdGRIy
r3RfY45WC2gUdLT1Ka0RVfA=
=w5tO
-----END PGP SIGNATURE-----
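The exchange above turns on one Windows client setting: whether the VPN entry installs a default route over the tunnel ("Use default gateway on remote network"), which is what sends all of the remote user's Internet traffic back through the FreeBSD firewall. The script below is an added example, not part of the thread and not MPD or FreeBSD code. On a current Windows client it reports the setting and the installed IPv4 default routes, and with -Fix it does what clearing Peter's checkbox does: turn on split tunnelling and route only the Inside prefix through the tunnel, so users need not run Chris's ROUTE commands by hand. It assumes Windows 8/10 or later with the VpnClient and NetTCPIP PowerShell modules; the connection name 'CorpVPN', the prefix 192.0.2.0/24 and the assumption that the PPP interface alias equals the connection name are placeholders.

```powershell
# Added example, not from the thread. Audits a Windows VPN entry for the
# behaviour Chris describes (default route pulled into the tunnel) and, with
# -Fix, switches it to split tunnelling plus a route for the Inside network
# only, which is what the XP "Use default gateway on remote network" checkbox
# Peter mentions controls.
# Assumes Windows 8/10+ PowerShell with the VpnClient and NetTCPIP modules.
param(
    [string]$ConnectionName = 'CorpVPN',        # placeholder: the user's VPN entry
    [string]$InsidePrefix   = '192.0.2.0/24',   # placeholder: the Inside network (documentation range)
    [switch]$Fix
)

$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
Write-Host ("{0}: TunnelType={1} SplitTunneling={2}" -f $vpn.Name, $vpn.TunnelType, $vpn.SplitTunneling)

# Every installed IPv4 default route and the interface it leaves through.
# While the tunnel is up, a 0.0.0.0/0 entry on the PPP interface (assumed here
# to carry the connection name as its alias) means all Internet traffic is
# being hairpinned through the VPN, which is the symptom in Michael's report.
$defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
foreach ($r in $defaults) {
    $tag = if ($r.InterfaceAlias -eq $ConnectionName) { '  <-- via VPN' } else { '' }
    Write-Host ("  default via {0} on '{1}' metric {2}{3}" -f $r.NextHop, $r.InterfaceAlias, $r.RouteMetric, $tag)
}

if (-not $vpn.SplitTunneling) {
    Write-Warning "'$ConnectionName' uses the default gateway on the remote network."
    if ($Fix) {
        # Equivalent of clearing the checkbox: stop installing a default route
        # over the tunnel, then send only the Inside prefix through it.
        Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $InsidePrefix -ErrorAction Stop
        Write-Host "Split tunnelling enabled; $InsidePrefix routed via the tunnel. Reconnect the VPN to apply."
    }
}
```

Run it without -Fix first to see which interface currently owns the default route; the change to the VPN entry takes effect on the next connection, so an active tunnel must be dropped and redialled. The remaining caveat is the one Chris and Michael already hit: once split tunnelling is on, the client's Internet traffic no longer passes the firewall's ipfw logging at all, so the Inside prefix list has to be kept complete on the client side.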
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030510145915.GB79233>
