Date: Thu, 06 Apr 2006 17:52:15 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Nick Stenning <nickstenning@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: NAT, VPN and other SOHO router advice
Message-ID: <44358D8F.5050605@mac.com>
In-Reply-To: <c7eef7920604061128j2703048u1fbf229a93758c91@mail.gmail.com>
References: <c7eef7920604061128j2703048u1fbf229a93758c91@mail.gmail.com>
Nick Stenning wrote:
[ ... ]
> The second part of the question is perhaps slightly more complex. The
> Vigor router has set up on it a LAN-to-LAN PPTP VPN (enough acronyms
> for you?) to an office elsewhere. As it stands currently, machines on
> the LAN can access (ping/SMB shares) a class C subnet, 192.168.1.0/24
> via this VPN connection on the Vigor router. Also, machines at the
> other end of the VPN, in the office, can access machines at this end
> of the VPN, on the LAN (the other class C: 10.0.0.0/24)
>
> The question is, what IPFW divert rules and other whizbangery do I
> need to set up so that I can disconnect that cable marked ** and have
> all the VPN stuff keep working. If at all possible, I'd rather not
> move the management of the VPN onto the FBSD box.

Given what you've said, you should set up the FreeBSD machine as a bridge
rather than a router.

It's possible to do other things, such as changing the NAT address range
used by rl1 and your Vigor 2600, yet also set up NAT on the FreeBSD
machine, including GRE passthrough and PPTP in /etc/natd.conf, but that
would be evil, hard to debug, and otherwise tempting the fates. :-)

    # NATD configuration options
    dynamic yes
    interface rl1
    #log yes
    log_denied yes
    use_sockets yes
    same_ports yes
    unregistered_only yes
    #punch_fw 10000:100

    redirect_proto gre 10.1.1.2
    redirect_port udp 10.1.1.2:500 500
    redirect_port udp 10.1.1.2:4500 4500
    redirect_port udp 10.1.1.2:62515 62515
    redirect_port tcp 10.1.1.2:10000 10000
    redirect_port tcp 10.1.1.2:pptp pptp

    # The above rules allow passthrough for the Cisco VPN software, and
    # should also work with SonicWall's VPN client.

OpenVPN uses just a single UDP port, and would be very easy to set up on
FreeBSD if you liked.

--
-Chuck
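The natd.conf redirects above only work as a set: PPTP needs both TCP/1723 and protocol 47 (GRE) forwarded to the same inside host, and IPsec NAT-T needs UDP 500 together with UDP 4500. The following checker is an added example, not part of Chuck's post or of natd; it parses redirect_proto/redirect_port lines the way natd reads them and reports which passthrough profiles are complete per inside host. The profile table and the sample config (the post's redirects plus a constructed second host missing GRE) are my assumptions.

```python
import socket
from collections import defaultdict

# Passthrough profiles as sets of (proto, port); GRE is a whole protocol, so no port.
# PPTP needs TCP/1723 and GRE on the same inside host; IPsec NAT-T needs UDP 500 + 4500.
PROFILES = {
    "pptp": {("tcp", 1723), ("gre", None)},
    "ipsec-nat-t": {("udp", 500), ("udp", 4500)},
}

def _port(token):
    """Resolve a numeric port or a service name as natd does (via /etc/services)."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token)
    except OSError:                       # minimal /etc/services: small fallback table
        return {"pptp": 1723, "isakmp": 500}.get(token)

def parse_redirects(text):
    """Return {inside_ip: {(proto, port), ...}} from redirect_proto/redirect_port lines."""
    found = defaultdict(set)
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # strip comments, tokenize
        if len(parts) >= 3 and parts[0] == "redirect_proto":
            found[parts[2]].add((parts[1].lower(), None))
        elif len(parts) >= 4 and parts[0] == "redirect_port":
            ip, _, port = parts[2].rpartition(":")   # "10.1.1.2:pptp" -> host, port
            found[ip].add((parts[1].lower(), _port(port)))
    return dict(found)

def complete_profiles(text):
    """For each inside host, list the profiles whose every redirect is present."""
    return {ip: sorted(name for name, need in PROFILES.items() if need <= have)
            for ip, have in parse_redirects(text).items()}

# Constructed sample: the redirects from the post for 10.1.1.2, plus a second host
# that forwards TCP/1723 but not GRE, so its PPTP tunnel negotiates and then hangs.
SAMPLE = """\
redirect_proto gre 10.1.1.2
redirect_port udp 10.1.1.2:500 500
redirect_port udp 10.1.1.2:4500 4500
redirect_port tcp 10.1.1.2:pptp pptp
redirect_port tcp 10.1.1.3:1723 1723   # GRE missing for this host
"""

if __name__ == "__main__":
    print(complete_profiles(SAMPLE))   # {'10.1.1.2': ['ipsec-nat-t', 'pptp'], '10.1.1.3': []}
```

A host that shows an empty list despite a tcp/1723 redirect is the classic symptom of PPTP "connects then hangs" behind NAT: the control channel gets through but the GRE data path does not.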
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44358D8F.5050605>