From: Chuck Swiger
Date: Thu, 06 Apr 2006 17:52:15 -0400
To: Nick Stenning
Cc: freebsd-questions@freebsd.org
Subject: Re: NAT, VPN and other SOHO router advice
Message-ID: <44358D8F.5050605@mac.com>

Nick Stenning wrote:
[ ... ]
> The second part of the question is perhaps slightly more complex. The
> Vigor router has set up on it a LAN-to-LAN PPTP VPN (enough acronyms
> for you?)
> to an office elsewhere. As it stands currently, machines on
> the LAN can access (ping/SMB shares) a class C subnet, 192.168.1.0/24
> via this VPN connection on the Vigor router. Also, machines at the
> other end of the VPN, in the office, can access machines at this end
> of the VPN, on the LAN (the other class C: 10.0.0.0/24)
>
> The question is, what IPFW divert rules and other whizbangery do I
> need to set up so that I can disconnect that cable marked ** and have
> all the VPN stuff keep working. If at all possible, I'd rather not
> move the management of the VPN onto the FBSD box.

Given what you've said, you should set up the FreeBSD machine as a bridge rather than a router.

It's possible to do other things, such as changing the NAT address range used by rl1 and your Vigor 2600, yet also set up NAT on the FreeBSD machine, including GRE passthrough and PPTP in /etc/natd.conf, but that would be evil, hard to debug, and otherwise tempting the fates. :-)

  # NATD configuration options
  dynamic yes
  interface rl1
  #log yes
  log_denied yes
  use_sockets yes
  same_ports yes
  unregistered_only yes
  #punch_fw 10000:100

  redirect_proto gre 10.1.1.2
  redirect_port udp 10.1.1.2:500 500
  redirect_port udp 10.1.1.2:4500 4500
  redirect_port udp 10.1.1.2:62515 62515
  redirect_port tcp 10.1.1.2:10000 10000
  redirect_port tcp 10.1.1.2:pptp pptp

  # The above rules allow passthrough for the Cisco VPN software, and
  # should also work with SonicWall's VPN client.

OpenVPN uses just a single UDP port, and would be very easy to set up on FreeBSD if you liked.

-- 
-Chuck
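To make the natd passthrough rules above concrete, here is an added Python example (not from the original mail, not part of natd) that parses the redirect_port/redirect_proto lines of a natd.conf and checks that each VPN type's pieces (TCP 1723 plus GRE for PPTP, UDP 500 plus UDP 4500 for IPsec NAT-T) all point at one inside host. The sample config is constructed from four of the mail's redirect lines; the service-name fallback table is an assumption for systems whose /etc/services lacks "pptp".

```python
# Added example (not from the mail): audit natd.conf redirect rules so that
# every protocol piece a VPN type needs lands on the same internal host.
import socket
from collections import namedtuple
Redirect = namedtuple("Redirect", "proto port target")  # port None = whole protocol
_FALLBACK_SERVICES = {"pptp": 1723}  # used only if /etc/services lacks the name
def _port(token):
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token)
    except OSError:
        return _FALLBACK_SERVICES[token]

def parse_natd(text):
    # Keep only redirect_port / redirect_proto lines; comments and other options are skipped.
    rules = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "redirect_port":     # redirect_port proto host:port aliasPort
            host = words[2].rsplit(":", 1)[0]
            rules.append(Redirect(words[1], _port(words[3]), host))
        elif words[0] == "redirect_proto":  # redirect_proto proto host
            rules.append(Redirect(words[1], None, words[2]))
    return rules

# PPTP needs TCP 1723 plus GRE; IPsec with NAT-T needs UDP 500 (IKE) plus UDP 4500.
VPN_REQUIREMENTS = {
    "pptp": {("tcp", 1723), ("gre", None)},
    "ipsec": {("udp", 500), ("udp", 4500)},
}

def passthrough_status(rules):
    # VPN type -> inside host when every piece is redirected to that one host, else None.
    index = {(r.proto, r.port): r.target for r in rules}
    status = {}
    for vpn, needs in VPN_REQUIREMENTS.items():
        hosts = {index.get(key) for key in needs}
        status[vpn] = hosts.pop() if len(hosts) == 1 and None not in hosts else None
    return status
# Constructed sample: four redirect lines from the mail, and a copy missing the GRE line.
FULL_CONF = """redirect_proto gre 10.1.1.2
redirect_port udp 10.1.1.2:500 500
redirect_port udp 10.1.1.2:4500 4500
redirect_port tcp 10.1.1.2:pptp pptp   # service name resolves to 1723
"""
NO_GRE_CONF = "\n".join(l for l in FULL_CONF.splitlines() if "gre" not in l)
```

Running passthrough_status on NO_GRE_CONF reports pptp as None, which is the usual symptom when only TCP 1723 is forwarded: the control channel connects but the GRE-carried tunnel traffic never arrives.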