Currently, I have our VPN server located behind our two interface firewall. I would like to move the PPTP VPN server on the firewall, which should eliminate a lot of the 'gre' masq. issues we are having. In doing so, I am wondering how shorewall should be configured, since we use rp-pppoe for our DSL connection.

Since rp-pppoe uses pppd, our "/etc/shorewall/interfaces" would be:

net ppp0 detect
loc eth1 detect

eth0 is the device that will bind to ppp0.

Since I would like all incoming PPTP connections, which would effectively become ppp1, ppp2, ... pppx, act as they are on our local network - I am wondering how I should go about configuring shorewall for this configuration. I have tried searching the lists for something like this, but I didn't come up with anything. There is also no reference to this type of setup in any of the docs I have read. If this information is in some doc somewhere, please excuse me, and please point it out to me.

Thanks for any help.

- Bruce
--On Thursday, February 06, 2003 3:23 PM -0500 "Bruce S. Garlock" <bruceg@garlockprinting.com> wrote:

> Currently, I have our VPN server located behind our two interface
> firewall. I would like to move the PPTP VPN server on the firewall,
> which should eliminate a lot of the 'gre' masq. issues we are having.
> In doing so, I am wondering how shorewall should be configured, since we
> use rp-pppoe for our DSL connection.
>
> Since rp-pppoe uses pppd, our "/etc/shorewall/interfaces" would be:
>
> net ppp0 detect
> loc eth1 detect
>
> eth0 is the device that will bind to ppp0.
>
> Since I would like all incoming PPTP connections, which would effectively
> become ppp1, ppp2, ... pppx, act as they are on our local network - I
> am wondering how I should go about configuring shorewall for this
> configuration. I have tried searching the lists for something like
> this, but I didn't come up with anything. There is also no reference to
> this type of setup in any of the docs I have read. If this information
> is in some doc somewhere, please excuse me, and please point it out to
> me.
>
> Thanks for any help.
>

Assume that you are going to assign remote client addresses in 10.10.10.0/24. Then:

/etc/shorewall/zones (order is VERY IMPORTANT):

net Internet The big bad internet
rem Remotes Remote Users via PPTP

/etc/shorewall/interfaces:

net ppp0 - # (No point putting 'detect' on a non-broadcast device!!!)
- ppp+ -

/etc/shorewall/hosts:

rem ppp+:10.10.10.0/24

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
--On Thursday, February 06, 2003 3:23 PM -0500 "Bruce S. Garlock" <bruceg@garlockprinting.com> wrote:

> Currently, I have our VPN server located behind our two interface
> firewall. I would like to move the PPTP VPN server on the firewall,
> which should eliminate a lot of the 'gre' masq. issues we are having.
> In doing so, I am wondering how shorewall should be configured, since we
> use rp-pppoe for our DSL connection.
>
> Since rp-pppoe uses pppd, our "/etc/shorewall/interfaces" would be:
>
> net ppp0 detect
> loc eth1 detect
>
> eth0 is the device that will bind to ppp0.
>
> Since I would like all incoming PPTP connections, which would effectively
> become ppp1, ppp2, ... pppx, act as they are on our local network

I just noticed this last part: You probably want this instead:

/etc/shorewall/zones (order is VERY IMPORTANT):

net Internet The big bad internet
loc Local Local users and Remote Users via PPTP

/etc/shorewall/interfaces:

net ppp0 - # (No point putting 'detect' on a non-broadcast device!!!)
- ppp+ -
loc eth1 detect

/etc/shorewall/hosts:

loc ppp+:10.10.10.0/24

/etc/shorewall/shorewall.conf

MERGE_HOSTS=Yes

/etc/shorewall/policy

loc loc ACCEPT

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
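Both replies stress that the order of /etc/shorewall/zones is "VERY IMPORTANT". The reason is visible in the second suggestion: ppp0 is listed as the net interface, but the hosts entry "loc ppp+:10.10.10.0/24" also matches ppp0, so a packet arriving on the DSL link with a 10.10.10.x source address satisfies both zone definitions. The added model below (written for this thread, not Shorewall's own code) assumes the first zone listed in the zones file wins when an interface/address pair matches more than one zone, and shows that with net listed first such a packet stays in net, while with loc listed first it would be treated as a trusted local host. Addresses like 203.0.113.9 and the packet cases are constructed sample input; the three tables are transcribed from the second reply.

```python
"""Simplified model of how Shorewall picks a packet's source zone.

Added illustration for the thread above; it is not Shorewall's code.
It keeps only two mechanisms: the trailing '+' interface wildcard
("ppp+") and the subnet restriction from /etc/shorewall/hosts, and it
assumes (as the replies imply) that /etc/shorewall/zones order decides
precedence when a packet matches several zones.
"""
from ipaddress import ip_address, ip_network

# Transcribed from the second reply: net is ppp0, ppp+ is a multi-zone
# interface ("-"), eth1 is loc, and 10.10.10.0/24 on any ppp interface is loc.
ZONES = ["net", "loc"]                                   # order matters
INTERFACES = {"net": ["ppp0"], "-": ["ppp+"], "loc": ["eth1"]}
HOSTS = {"loc": [("ppp+", "10.10.10.0/24")]}


def iface_matches(pattern, iface):
    """A trailing '+' is a wildcard: ppp+ matches ppp0, ppp1, ppp12 ..."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def zone_candidates(zones, interfaces, hosts, iface, src):
    """All zones whose definition covers (iface, src), in zones-file order."""
    src = ip_address(src)
    found = []
    for zone in zones:
        # Whole-interface membership from /etc/shorewall/interfaces.
        if any(iface_matches(p, iface) for p in interfaces.get(zone, [])):
            found.append(zone)
            continue
        # Subnet-restricted membership from /etc/shorewall/hosts.
        for pattern, net in hosts.get(zone, []):
            if iface_matches(pattern, iface) and src in ip_network(net):
                found.append(zone)
                break
    return found


def source_zone(zones, interfaces, hosts, iface, src):
    """First matching zone wins. None means the packet is in no zone, so a
    default policy (rather than loc<->loc ACCEPT) would apply to it."""
    found = zone_candidates(zones, interfaces, hosts, iface, src)
    return found[0] if found else None


if __name__ == "__main__":
    # Constructed packets: (arrival interface, source address).
    cases = [
        ("ppp0", "203.0.113.9"),   # ordinary Internet traffic on the DSL link
        ("ppp0", "10.10.10.7"),    # a VPN-range source arriving on the DSL link
        ("ppp1", "10.10.10.7"),    # PPTP client with an assigned address
        ("ppp1", "203.0.113.9"),   # PPTP client outside the assigned range
    ]
    for iface, src in cases:
        net_first = source_zone(ZONES, INTERFACES, HOSTS, iface, src)
        loc_first = source_zone(ZONES[::-1], INTERFACES, HOSTS, iface, src)
        print(f"{iface} {src:>13}: net first -> {net_first}, "
              f"loc first -> {loc_first}")
```

The second case is the one the ordering protects: on the DSL link a 10.10.10.x source is classified as net when net is listed first, and only as loc if the zones were reversed. The last case shows why the hosts entry carries a subnet and not just "ppp+": a PPTP session whose address falls outside 10.10.10.0/24 lands in no zone at all instead of inheriting the loc-to-loc ACCEPT policy.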