From owner-freebsd-net@FreeBSD.ORG Fri Aug 11 02:43:42 2006
Message-Id: <7.0.1.0.2.20060810201735.067258b0@lariat.net>
X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0
Date: Thu, 10 Aug 2006 20:43:28 -0600
From: Brett Glass <brett@lariat.net>
To: net@freebsd.org
Subject: Big PPTP server
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

I've been asked to work on a PPTP server for a large company which has up to 100 users tunneling in at once. They currently have a FreeBSD machine set up to use FreeBSD's userland PPP together with the PoPToP pptp daemon. (They have a hacked version of PoPToP which allows different instances of the daemon to invoke PPP with different labels, letting them set up for different sorts of connections on different IPs.) But as the number of users has grown, PoPToP has started to act strangely. It's giving them odd errors, saying that it's out of buffer space and such. I think it's stretched to the limit.
I'm looking at building a VPN server for them using FreeBSD and mpd. But I've never used mpd before, primarily because it seems to work in mysterious ways. Its configuration is a bit odd, and it lacks some of the features of userland PPP.

For example, you must put a separate entry for each incoming connection (or "link") in the configuration file. But since you don't know which incoming user is going to get which connection, you have to create dozens and dozens of identical links -- a tremendous waste of space! (Userland PPP lets you specify a single label to which all PPTP connections must go and creates "tun" devices on the fly as needed for the link.) What's more, you have to allocate Netgraph nodes for all of them in advance.

You also do not have the ability to change the configuration for different users, because you don't know which user will get which of the links -- and the mpd.secret file, unlike the ppp.secret file, doesn't let you jump to a label once you find out the user's identity. The company wants to throttle bandwidth by user, so I need to be able to distinguish between users to do this.

This company wants some users to have unroutable addresses that can't escape their network without NAT, and others to have routable addresses. I'm experimenting with what happens if you create two sets of links which "listen" on different IP addresses, but this will make the configuration file yet larger.

Are there any mpd gurus out there who can give me a quick opinion as to whether it's feasible to use mpd for this application -- and spend some consulting time telling me how so that I don't have to flail around experimenting? If I can't use mpd and PoPToP isn't working, what other options are there for a good PPTP server?

--Brett Glass