Date:      Sat, 10 May 2003 17:59:15 +0300
From:      Peter Pentchev <roam@ringlet.net>
To:        Chris BeHanna <behanna@zbzoom.net>
Cc:        FreeBSD Security <freebsd-security@freebsd.org>
Subject:   Re: Down the MPD road
Message-ID:  <20030510145915.GB79233@straylight.oblivion.bg>
In-Reply-To: <200305101022.40307.behanna@zbzoom.net>
References:  <200305100617.44245.metrol@metrol.net> <200305101022.40307.behanna@zbzoom.net>
On Sat, May 10, 2003 at 10:22:40AM -0400, Chris BeHanna wrote:
> On Saturday 10 May 2003 09:17, Michael Collette wrote:
> > Well, after working through the various options it looked like MPD would be
> > my best bet here.  I've got it sort of working, but there's obviously some
> > tweak I'm missing here.
> >
> > Recap of the scenario:
> >   Full class C of static IPs segmented into 3 networks.  Outside, DMZ,
> > Inside. Trying to get remote Windows users through securely to the Inside.
> > Remote users have dynamic IPs.
> >
> > What's working:
> >   MPD is running, and authenticating my test XP box via PPTP.  No
> > certificates or any IPSec involved here.
> >   I can hit boxes on the Inside really solid now.
> >
> > The probs:
> >   Apparently PPTP actually puts the remote machine IN the target network.
> > Sorry, I'm still pretty green on this PPTP stuff.  Works a good bit
> > different than IPSec.  Anyhow, once the remote box is connected all the
> > connections to the rest of the Internet are now coming from behind the
> > firewall.  That'd be cool if it worked reliably.
> >   While connected, when I attempt to browse around the public Internet some
> > pages just don't load, where others do.  No rhyme or reason, and nothing
> > showing up in my logging of all denied packets via ipfw.  For example, I
> > can hit CNN without a problem, then when I try news.google it never loads a
> > page. I can hit the main Yahoo page, but any of their other sites won't go.
> > Really odd.
>
>     Here is where we descend into Windows-bashing.  For some STUPID
> reason, when a Windows box connects to a VPN via PPTP, the Windows
> box's default route is adjusted to go through the VPN connection.
> This is fortunately fixable (Windows has a ROUTE command), but it
> requires your users to have half a clue:
>
>     route delete 0.0.0.0
>     route add 0.0.0.0 mask 0.0.0.0 <ISP gateway> metric 1
>     route add [InsideNetwork] mask [InsideMask] [far end of VPN tunnel] metric 1

I cannot test this right now, so it is quite probable that you are
right, but couldn't this be controlled by the Properties >> Networking
 >> Internet Protocol (TCP/IP) >> Properties >> Advanced >> General >>
 Use default gateway on remote network?

Granted, that's a hell of a place to bury a little checkbox, but could
this possibly help? :)

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
This sentence claims to be an Epimenides paradox, but it is lying.
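The two fixes discussed in this thread (Chris's `route` commands and Peter's "Use default gateway on remote network" checkbox) are the same setting seen from two sides: with the box ticked the client's default route is moved into the tunnel, so every packet the client sends to the Internet exits through the firewall; with it unticked the client keeps its ISP default route and only explicitly routed prefixes go over the VPN. The script below is an added example, not code from the thread or from MPD, showing how the same thing is done programmatically on a Windows 8 / Server 2012 or later client, where the checkbox is the `SplitTunneling` property of the VPN entry and the per-connection routes persist across reconnects (so users do not have to type `route add` after every dial). The connection name `CorpVPN` and the inside prefix `192.0.2.0/24` are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Assumes a Windows 8 / Server 2012 or
# later client with the built-in VpnClient module, a VPN phonebook entry
# named "CorpVPN" (hypothetical) and an inside network of 192.0.2.0/24
# (documentation range, hypothetical). Run in an elevated PowerShell.
param(
    [string]$ConnectionName = "CorpVPN",            # hypothetical entry name
    [string[]]$InsidePrefixes = @("192.0.2.0/24")   # networks to send over the tunnel
)

$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# SplitTunneling = $false is the "Use default gateway on remote network"
# checkbox ticked: 0.0.0.0/0 is pointed at the tunnel while connected.
# Setting it to $true unticks the box, which is what the route commands
# in Chris's mail achieve by hand after each dial.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

foreach ($prefix in $InsidePrefixes) {
    # Routes attached to the entry are installed automatically every time
    # the connection comes up, so the "route add [InsideNetwork] ..." step
    # no longer depends on the user.
    $existing = Get-VpnConnectionRoute -ConnectionName $ConnectionName -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -eq $prefix }
    if (-not $existing) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# Verification while the tunnel is up: the default route must still point at
# the physical adapter (ISP gateway), and only the inside prefixes at the
# VPN adapter. If 0.0.0.0/0 shows the VPN interface, the box is still ticked.
"Default route(s):"
Get-NetRoute -DestinationPrefix "0.0.0.0/0" |
    Select-Object InterfaceAlias, NextHop, RouteMetric | Format-Table -AutoSize

"Routes into the inside network:"
foreach ($prefix in $InsidePrefixes) {
    Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
        Select-Object DestinationPrefix, InterfaceAlias, NextHop | Format-Table -AutoSize
}
```

One caveat before rolling this out: unticking the box is split tunneling, and the trade-off cuts both ways. With the box ticked (full tunnel) the remote box's Internet traffic is subject to the firewall's egress policy and logging, at the cost of routing all of it through the VPN; with it unticked the client is simultaneously reachable from its ISP and attached to the inside network, so the remote machine itself becomes the path between the two. Which side of that trade-off is acceptable is a policy decision for the inside network, not a property of the `route` commands. On the XP-era clients in the thread there is no `VpnClient` module; the checkbox Peter points at, or Chris's `route` commands, are the available tools.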
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030510145915.GB79233>