From owner-freebsd-isp@FreeBSD.ORG Fri Apr 30 15:30:46 2004
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 796A316A4CE; Fri, 30 Apr 2004 15:30:46 -0700 (PDT)
Received: from bigass1.bitblock.com (ns1.bitblock.com [66.199.170.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 44EB043D1D; Fri, 30 Apr 2004 15:30:46 -0700 (PDT) (envelope-from mitch@bitblock.com)
Received: from a1200 ([24.83.187.201]) (AUTH: LOGIN mitch@bitblock.com) by bigass1.bitblock.com with esmtp; Fri, 30 Apr 2004 22:30:43 +0000
X-Abuse-Reports: Visit http://www.bitblock.com/abuse.php
X-Abuse-Reports: and submit a copy of the message headers
X-Abuse-Reports: or review our policies and procedures
X-Abuse-Reports: ID= 4092D393.00011760.bigass1.bitblock.com,dns; a1200 ([24.83.187.201]),AUTH: LOGIN mitch@bitblock.com
From: "Mitch (bitblock)"
To: freebsd-net@freebsd.org, freebsd-isp@freebsd.org
Date: Fri, 30 Apr 2004 15:30:42 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Subject: Routing and VPN troubles...
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 30 Apr 2004 22:30:46 -0000

There are about 1000 different lists - hope this is the right two - if not, any suggestions welcome!

The crux of my problem is that I need to configure a VPN network in a star - one central node, many outside nodes... easy, right? The problem is that I need the individual "rays" or "spokes" to be able to communicate with each other SELECTIVELY.
I've tried to get this config working with BSD boxes - I have about 50 spokes to deal with right now and that number will hopefully grow.... I've been looking at the two problems separately, but I'll describe the whole mess, and then hope you are more inspired than I am.

PC1 (192.168.1.10)<--\
PC2 (192.168.1.11)<-->(192.168.1.1)FBSD 1(10.1.1.2)<-->ADSL<------\
                                                                   |
PC3 (192.168.2.10)<--\                                             |
PC4 (192.168.2.11)<-->(192.168.2.1)FBSD 2(10.1.1.3)<-->ADSL<----\  |
                                                                 |  |
PC5 (192.168.3.10)<--\                                           |  |
PC6 (192.168.3.11)<-->(192.168.3.1)FBSD 3(10.1.1.4)<-->ADSL<--\  |  |
                                                               |  |  |
                                                            <--/  /  /
INTERNET <---> (SOME PUBLIC IP) FBSD 4 (10.1.1.1) <---/          /
                                                          <----/

In actual fact, the 10.1.1.X addresses are all public addresses on a subnet.

PC1 and PC2 need full access to PC3 - 6. PC3 needs access to certain ports on PC 5. That is the essence of the firewalling / port filtering of the VPN - like, can I treat the virtual VPN interfaces as normal interfaces for purposes of writing firewall rules?

Second problem. To do this, 10.1.1.2 and 10.1.1.3 need to communicate with 10.1.1.4 to set up these VPNs. The problem is that we have ADSL over ATM. ATM manages data flow by configured path. Consider FBSD 4 to be on dedicated vlans with each of FBSD 1 - 3. All remote nodes have a "path" to the router, not each other... so FBSD 4 needs to be able to establish VPNs with FBSD 1 - 3 and route between the VPNs.

If I can use FBSD 4 for this, and if I can treat the virtual interfaces as normal ones in ipfw, then I can do what I want - right?

I can probably alter my layout and use of IP addresses and so on somewhat, but the key is that routing has to be performed on a single interface in order to redirect traffic from the hosts that can't see each other.

Does that make the problem clear?

For starters, there are really FBSD 1 - 50 (not just 1 - 3) ;-) At present, I've got a variety of hardware and software (Linksys SX41 / Netgear / etc.) deployed in place of FBSD 1 - 3 and FreeBSD in place of FBSD 4...
I have a couple of test machines to work with though and figure if I can get 3 working I can get the rest working too.

I've heard something about /32 subnetting, not sure how that works, or what has to be done to enable it... I've been looking for any information I can find on that subject - might solve the problem another way if I can make my endpoint routers (1 - 3) communicate through regular IP by forcing them to bounce through the router - but I've been told the router has to support this function, as a router would normally ignore traffic bound for the same subnet as it comes from - right?

If you know it's impossible, that's ok... I tried ;-) Any alternatives? PPPoE instead of VPN between the gateways?

Thanks in advance. Hope I'm not asking too much, or that the challenge is worthy ;-)

m/
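The post asks whether the tunnel interfaces on FBSD 4 can be treated like any other interface when writing ipfw rules, and what a selective spoke-to-spoke policy would look like on the hub. The script below is an added example written for this page, not code from the original post or from any FreeBSD project documentation. It encodes only the policy the post states (PC1/PC2 get full access to PC3 - 6; PC3 reaches certain ports on PC5; everything else between spokes is blocked) as hub-side ipfw rules. Everything else is an assumption: the tunnel to FBSD 1 is gif0, to FBSD 2 is gif1, to FBSD 3 is gif2, and the "certain ports" on PC5 are stood in for by a single placeholder port (3389) that can be overridden with PC5_PORTS. By default the script only prints the ipfw commands it would run; setting FWCMD=ipfw on a FreeBSD hub with IP forwarding enabled applies them.

```shell
#!/bin/sh
# Added example (not from the post): hub-side ipfw policy for the star VPN.
# Interface names gif0/gif1/gif2 and the PC5 port are assumptions, not facts
# from the original message. FWCMD defaults to "echo ipfw" (dry run).

FWCMD="${FWCMD:-echo ipfw}"

# Spoke LANs and hosts, taken from the diagram in the post.
SPOKE1_NET=192.168.1.0/24   # behind FBSD 1 (assumed tunnel gif0): PC1, PC2
SPOKE2_NET=192.168.2.0/24   # behind FBSD 2 (assumed tunnel gif1): PC3, PC4
SPOKE3_NET=192.168.3.0/24   # behind FBSD 3 (assumed tunnel gif2): PC5, PC6
PC3=192.168.2.10
PC5=192.168.3.10
# Placeholder for the "certain ports" on PC5; override with PC5_PORTS="80,443".
PC5_PORTS="${PC5_PORTS:-3389}"

# Emit (or apply) the rule set. Rule numbers leave gaps for local additions.
hub_rules() {
    # Start from a clean table so re-running the script is idempotent.
    $FWCMD -q flush

    # Dynamic rules created by keep-state are consulted first, so replies to
    # permitted flows (and the same packet on its way out of the other tunnel)
    # are accepted without a separate return rule.
    $FWCMD add 100 check-state

    # PC1 and PC2 need full access to PC3 - PC6: anything arriving from spoke 1
    # over gif0 and addressed to spoke 2 or spoke 3 is allowed and tracked.
    $FWCMD add 1000 allow ip from $SPOKE1_NET to $SPOKE2_NET in recv gif0 keep-state
    $FWCMD add 1010 allow ip from $SPOKE1_NET to $SPOKE3_NET in recv gif0 keep-state

    # PC3 may open TCP connections only to the listed ports on PC5.
    $FWCMD add 2000 allow tcp from $PC3 to $PC5 $PC5_PORTS in recv gif1 setup keep-state

    # Any other spoke-to-spoke traffic crossing a tunnel is dropped and logged
    # (logging needs net.inet.ip.fw.verbose=1). The gif* wildcard matches every
    # tunnel interface, so a newly added spoke is closed until a rule opens it.
    $FWCMD add 3000 deny log ip from 192.168.0.0/16 to 192.168.0.0/16 via 'gif*'
}

hub_rules
```

Rules 1000-2000 match on the receiving interface (`in recv gif0`), which is exactly the "treat the tunnel as a normal interface" behaviour the post asks about; the forwarded packet is then seen a second time on its way out of the other tunnel and is accepted by rule 100 via the dynamic state. Traffic that is not spoke-to-spoke (for example a spoke reaching the Internet through the hub) is not covered here and falls through to the kernel's default rule 65535, so on a default-to-deny kernel it is blocked until a rule is added for it.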