From owner-freebsd-questions Fri Apr 27 18:12:05 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [206.29.169.15]) by hub.freebsd.org (Postfix) with ESMTP id D6DCE37B422 for ; Fri, 27 Apr 2001 18:12:01 -0700 (PDT) (envelope-from tedm@toybox.placo.com)
Received: from tedm.placo.com (nat-rtr.freebsd-corp-net-guide.com [206.29.168.154]) by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id f3S1Bpk77066; Fri, 27 Apr 2001 18:11:51 -0700 (PDT) (envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt"
To: "James Housley" ,
Subject: RE: PPTP and firewalls, can I?
Date: Fri, 27 Apr 2001 18:11:51 -0700
Message-ID: <00c301c0cf80$34a27740$1401a8c0@tedm.placo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To: <3AE82B7E.F4E68DDC@thehousleys.net>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

With the _correct_ kind of VPN client, you can have multiple simultaneous
VPN sessions through a NAT. Microsoft PPTP ain't it.

Your idea is a good one - they are confusing 15 pptp session limits with
NAT. However, I don't know how easy it's going to be for you to find an
ISP that will grant them. We would, but we have the IP numbers. Many
smaller ISPs don't.

One possible solution - a rather yucky one at that - is to use a Windows
2000 Terminal Server system for your NAT gateway to the outside. You load
the inventory/billing client on that. Then the 15 inside systems use
Terminal Server client to connect to the 2000 system.

This would work - but by the time that your non-profit recovers from the
cost of such a solution, they may be more inclined to go back to the
billing company and tell them to "get lost or supply a better VPN
solution".

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of James Housley
>Sent: Thursday, April 26, 2001 7:07 AM
>To: freebsd-questions@FreeBSD.ORG
>Subject: PPTP and firewalls, can I?
>
>
>I have been asked to help solve a problem with a local Non Profit
>company. They have about 50 machines plus printers and such running
>Win9x on their local network and a single IP with NAT to the internet.
>They have about 15 machines that need PPTP to connect to an external
>inventory/billing company. They have tried all sorts of other
>solutions.
>
>I am proposing that they get a block of 64 IPs and give each machine an
>IP.
>Install PPTP on the 15 that need it and give them all a block of
>addresses together at one end of the IP block.
>Give the rest of the machines IPs starting at the other end of the
>block.
>Install FreeBSD as the router with a firewall.
>- Lock down almost all access to the "normal" machines.
>- Block the vulnerable ports (NetBIOS, etc) on the PPTP machines.
>- There would be no need for NAT.
>
>I am being told that it is hard to find a firewall that can pass 15 PPTP
>sessions at the same time, but I think they are confusing firewall&NAT
>with straight firewalling.
>
>1) Will this work?
>
>2) Am I missing something obvious?
>
>Jim
>--
>/"\ ASCII Ribbon Campaign .
>\ / - NO HTML/RTF in e-mail .
> X - NO Word docs in e-mail .
>/ \ -----------------------------------------------------------------
>jeh@FreeBSD.org http://www.FreeBSD.org The Power to Serve
>jim@TheHousleys.Net http://www.TheHousleys.net
>---------------------------------------------------------------------
>Progress (n) : What led from smart users in front of dumb terminals to
>dumb users in front of smart terminals.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
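The routed, no-NAT layout James proposes (a public block of 64 addresses, the PPTP machines grouped at one end, a FreeBSD router filtering without NAT) as an added example, not code from either poster: an ipfw ruleset in a small sh script. The reason the NAT version is awkward is that PPTP carries its data channel over GRE (IP protocol 47), which has no port numbers for a single-address NAT to multiplex on; with routed public addresses a plain packet filter only has to pass TCP/1723 and GRE for the PPTP block and can deny NetBIOS/SMB to the whole LAN. The addresses (RFC 5737 documentation space 203.0.113.0/26, PPTP hosts in 203.0.113.48/28), the interface name fxp0 and the rule numbers are constructed assumptions; confirm the option syntax against ipfw(8) for the release actually installed.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules for a routed (no NAT) /26
# with the 15 PPTP hosts at the top of the block, as James describes.
# Assumptions (constructed): documentation addresses, interface fxp0,
# rule numbers. Usage: "sh pptp-fw.sh" prints the rules, "sh pptp-fw.sh apply"
# installs them on the FreeBSD router.

LAN_NET="203.0.113.0/26"     # the whole 64-address block (constructed)
PPTP_NET="203.0.113.48/28"   # top 16 addresses: the PPTP machines (constructed)
EXT_IF="fxp0"                # outside interface (assumption)
NETBIOS_PORTS="135,137-139,445"

# Print the ruleset, one "ipfw add" per line, without applying it.
emit_rules() {
    cat <<EOF
# loopback and anti-spoof
ipfw -q add 100 allow ip from any to any via lo0
ipfw -q add 200 deny ip from any to 127.0.0.0/8
ipfw -q add 300 check-state
# NetBIOS/SMB never reaches the LAN from outside, PPTP hosts included
ipfw -q add 400 deny log tcp from any to $LAN_NET $NETBIOS_PORTS in via $EXT_IF
ipfw -q add 410 deny log udp from any to $LAN_NET $NETBIOS_PORTS in via $EXT_IF
# PPTP hosts: control channel TCP/1723 outbound, GRE in both directions
ipfw -q add 500 allow tcp from $PPTP_NET to any 1723 out via $EXT_IF setup keep-state
ipfw -q add 510 allow gre from $PPTP_NET to any out via $EXT_IF
ipfw -q add 520 allow gre from any to $PPTP_NET in via $EXT_IF
# everyone: outbound TCP, DNS lookups, basic ICMP
ipfw -q add 600 allow tcp from $LAN_NET to any out via $EXT_IF setup keep-state
ipfw -q add 610 allow udp from $LAN_NET to any 53 out via $EXT_IF keep-state
ipfw -q add 620 allow icmp from any to any icmptypes 0,3,8,11
# nothing unsolicited reaches the "normal" machines; log the attempts
ipfw -q add 700 deny log ip from any to $LAN_NET in via $EXT_IF
ipfw -q add 65000 deny log ip from any to any
EOF
}

# Number of rules the script would install (comment lines excluded).
rule_count() {
    emit_rules | grep -c '^ipfw'
}

# Flush the existing ruleset and load this one.
apply_rules() {
    ipfw -q -f flush
    emit_rules | sh
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     emit_rules ;;
esac
```

Rule 700 is what does the "lock down almost all access to the normal machines" part: the only inbound traffic the LAN sees is GRE for the PPTP block (rule 520) and replies to connections the LAN opened (check-state at rule 300). The `log` keyword only produces output when the kernel is built with IPFIREWALL_VERBOSE, and because the ruleset ends in an explicit deny, the machines outside 203.0.113.48/28 cannot receive GRE at all, so a PPTP client on a "normal" host would fail rather than silently bypass the policy.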