Hi Tom,

I nearly completed the test and installation related to http://www.shorewall.net/PPTP.htm. There is no serious problem when it is operated as it is in general companies, but there is a client program for MS Windows that operates only with a public IP, so I am very concerned about it. I would like to use the Internet through the gateway in (B), so that the local computers in (A) receive a public IP in (B) through the VPN tunnel.

My configuration goals are as follows:

  (A)  subnet 61.35.xxx.118/29
           |
       [whatever]
           |
       inside interface
       left gateway machine and router ------------ ppp0 -----------------+
       interface 211.59.xxx.108 (dynamic) cable modem                     |
           |                                                              |
        INTERNET                                                    tunnel (pptp)
           |                                                              |
  (B)  interface 61.35.xxx.111 (static)                                   |
       right gateway machine and router ----------- ppp0 -----------------+
       inside interface
           |
       [whatever]
           |
       subnet 61.35.xxx.0/25   gateway : 61.35.xxx.1

(B) Shorewall 1.3.14

/etc/shorewall/interfaces
    net   eth0   detect
    loc   eth1   detect   routestopped
    loc   ppp0

/etc/shorewall/policy
    loc   loc   ACCEPT
    loc   net   ACCEPT
    net   all   DROP     ULOG
    all   all   REJECT   ULOG

/etc/shorewall/rules
    ACCEPT   fw    net   tcp    53
    ACCEPT   fw    net   udp    53
    ACCEPT   loc   fw    icmp   8
    ACCEPT   net   fw    icmp   8
    ACCEPT   loc   fw    udp    53

/etc/shorewall/masq

/etc/routestopped
    eth1   -

/etc/shorewall/tunnels
    pptpserver   net   0.0.0.0/0

(A) Shorewall 1.3.14

/etc/shorewall/interfaces
    net   eth0   detect   dhcp,routefilter,norfc1918
    loc   eth1   detect   routestopped
    loc   ppp0

/etc/shorewall/policy
    loc   loc   ACCEPT
    loc   net   ACCEPT
    net   all   DROP     ULOG
    all   all   REJECT   ULOG

/etc/shorewall/rules
    ACCEPT   fw    net   tcp    53
    ACCEPT   fw    net   udp    53
    ACCEPT   loc   fw    icmp   8
    ACCEPT   net   fw    icmp   8
    ACCEPT   loc   fw    udp    53

/etc/shorewall/masq
    eth0   eth1

/etc/routestopped
    eth1   -

/etc/shorewall/tunnels
    pptpclient   net   0.0.0.0/0

#ip route ls
61.35.xxx.120 dev ppp0  proto kernel  scope link  src 61.35.xxx.113
61.35.xxx.112/29 dev eth1  proto kernel  scope link  src 61.35.xxx.118
211.59.xxx.0/24 dev eth0  proto kernel  scope link  src 211.59.xxx.108
default via 211.59.xxx.1 dev eth0

I would like your reply in detail. Thank you for your attention.

-Byounghae Kim
On Thu, 17 Apr 2003, Byounghae Kim wrote:

> I would like your reply in detail.

I'll be happy to -- what is the question?

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
> > I would like your reply in detail.
>
> I'll be happy to -- what is the question?
>
> -Tom

Thank you for the rapid response.

I created the subnet of group (A) at my option. I want the local computers in group (A) to run like the local computers in group (B). For example, when the computer with IP 61.35.xxx.115 in group (A) uses the Internet, the packets are transferred via the default gateway 61.35.xxx.1 through the tunnel, like the local computers in group (B). That is to say, I want the computer with IP 61.35.xxx.115 in group (A) to be authorized as a computer having a public IP through the tunnel.

#ip route ls
61.35.xxx.120 dev ppp0  proto kernel  scope link  src 61.35.xxx.113
61.35.xxx.112/29 dev eth1  proto kernel  scope link  src 61.35.xxx.118
211.59.xxx.0/24 dev eth0  proto kernel  scope link  src 211.59.xxx.108
default via 211.59.xxx.1 dev eth0

The PPTP tunnel is connected by ppp0.
localip : 61.35.xxx.113   remoteip : 61.35.xxx.120

For the setting mentioned above, do I run tcrules or add to the routing table? Or do I need to change the subnet in group (B) that I made? If there is any other method, please let me know. Thank you for any experiences.

  (A)  subnet 61.35.xxx.0/29   = leftsubnet
           |
       [whatever]
           |
       inside interface
       left gateway machine and router (pptp client)
       interface xx.xx.xx.xx (dynamic) cable modem   = left
           |
        INTERNET (Tunnel)
           |
  (B)  interface 61.35.xxx.111 (static)   = right
       right gateway machine and router (pptp server)
       inside interface
           |
       [whatever]
           |
       subnet 61.35.xxx.0/25   = rightsubnet   ***(Public IP Address)***
       default gateway : 61.35.xxx.1

I wish you are happy and healthy all the time!

-Byounghae Kim
On Fri, 18 Apr 2003, Byounghae Kim wrote:

> Thank you for the rapid response.
>
> I created the subnet of group (A) at my option. I want the local
> computers in group (A) to run like the local computers in group (B).
> For example, when the computer with IP 61.35.xxx.115 in group (A)
> uses the Internet, the packets are transferred via the default gateway
> 61.35.xxx.1 through the tunnel, like the local computers in group (B).
> That is to say, I want the computer with IP 61.35.xxx.115 in group (A)
> to be authorized as a computer having a public IP through the tunnel.
>
> #ip route ls
> 61.35.xxx.120 dev ppp0  proto kernel  scope link  src 61.35.xxx.113
> 61.35.xxx.112/29 dev eth1  proto kernel  scope link  src 61.35.xxx.118
> 211.59.xxx.0/24 dev eth0  proto kernel  scope link  src 211.59.xxx.108
> default via 211.59.xxx.1 dev eth0
>
> The PPTP tunnel is connected by ppp0.
> localip : 61.35.xxx.113   remoteip : 61.35.xxx.120
>
> For the setting mentioned above, do I run tcrules or add to the routing table?
> Or do I need to change the subnet in group (B) that I made?
> If there is any other method, please let me know. Thank you for any
> experiences.
>

The routing for this setup is explained at http://pptpclient.sourceforge.net/routing.phtml. You can set up the packet marking described there in tcrules if you like.

Note that you will have to add a route through the tunnel to 61.35.xxx.0/29 when the right side of the tunnel comes up as well. You can add that route to the main routing table.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
--On Friday, April 18, 2003 7:07 AM -0700 Tom Eastep <teastep@shorewall.net> wrote:

> The routing for this setup is explained at
> http://pptpclient.sourceforge.net/routing.phtml. You can set up the
> packet marking described there in tcrules if you like.
>
> Note that you will have to add a route through the tunnel to
> 61.35.xxx.0/29 when the right side of the tunnel comes up as well. You
> can add that route to the main routing table.

One additional consideration. I don't know how the 61.35.xxx.0/24 subnet is handled by the router upstream from the right-side gateway. If it doesn't route that entire subnet through the right-side gateway then you will have to set up Proxy ARP on that gateway for the remote /29.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Byounghae Kim" <kbh7002@kornet.net>
Cc: <Shorewall-users@lists.shorewall.net>
Sent: Saturday, April 19, 2003 12:51 AM
Subject: Re: [Shorewall-users] VPN Tunnel

> --On Friday, April 18, 2003 7:07 AM -0700 Tom Eastep
> <teastep@shorewall.net> wrote:
>
> > The routing for this setup is explained at
> > http://pptpclient.sourceforge.net/routing.phtml. You can set up the
> > packet marking described there in tcrules if you like.
> >
> > Note that you will have to add a route through the tunnel to
> > 61.35.xxx.0/29 when the right side of the tunnel comes up as well. You
> > can add that route to the main routing table.
>
> One additional consideration. I don't know how the 61.35.xxx.0/24 subnet is
> handled by the router upstream from the right-side gateway. If it doesn't
> route that entire subnet through the right-side gateway then you will have
> to set up Proxy ARP on that gateway for the remote /29.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://www.shorewall.net
> Washington USA    \ teastep@shorewall.net
>

Thanks, Tom

-Byounghae Kim
> One additional consideration. I don't know how the 61.35.xxx.0/24 subnet is
> handled by the router upstream from the right-side gateway. If it doesn't
> route that entire subnet through the right-side gateway then you will have
> to set up Proxy ARP on that gateway for the remote /29.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://www.shorewall.net
> Washington USA    \ teastep@shorewall.net
>

Hi, Tom

Thank you for your reply. Please let me ask one more question.

As you told me, 61.35.xxx.115 in group (A) is used as a public IP (e.g. a ping test from the remote site works) through the proxy ARP setting and routing table setting in group (B).

  (A)                                                          (B)
  61.35.xxx.15 --Hub-- (PPTP client) ===== Tunnel ===== (PPTP server) --Hub-- 61.35.xxx.0/25
                                      <----------- ping ok               (Public IP Address)

However, on the MS Windows system having 61.35.xxx.115 as its IP in group (A), the Internet does not work if there is no masquerading.

My system environment of MS Windows in group (A):
    ip          : 61.35.xxx.115
    subnet mask : 255.255.255.248
    gateway     : 61.35.xxx.113
    dns         : xxx.xxx.xxx.xxx

Left gateway machine and router (pptp client) environment of group (A):

#ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

eth0      Link encap:Ethernet  HWaddr 00:02:44:3C:D8:62
          inet addr:211.59.xxx.136  Bcast:255.255.255.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:138792 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48911 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:998
          Interrupt:11 Base address:0x3f00

eth1      Link encap:Ethernet  HWaddr 00:A0:B0:0E:B0:49
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39915 errors:0 dropped:0 overruns:0 frame:0
          TX packets:50472 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:1035
          Interrupt:10 Base address:0x5e00

ppp0      Link encap:Point-to-Point Protocol
          inet addr:61.35.xxx.113  P-t-P:61.35.xxx.122  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1000  Metric:1
          RX packets:5236 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3882 errors:0 dropped:0 overruns:0 carrier:0
          Collisions:0

#ip route ls
61.35.xxx.122 dev ppp0  proto kernel  scope link  src 61.35.xxx.113
61.35.xxx.115 dev eth1  scope link
211.59.xxx.0/24 dev eth0  proto kernel  scope link  src 211.59.xxx.136
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.254
default via 211.59.xxx.1 dev eth0

#ip rule ls
0:      from all lookup local
32765:  from all fwmark 1 lookup pptp
32766:  from all lookup main
32767:  from all lookup default

#ip route ls table pptp
default via 61.35.xxx.122 dev ppp0

edit /etc/shorewall/tcrules
    1:F   61.35.xxx.115   0.0.0.0/0   all

When I run masquerading, the Internet works, but the system appears on the Internet as the public IP 61.35.xxx.113. How can I make the MS Windows system of group (A) appear on the Internet with the public IP 61.35.xxx.115? I will appreciate all kinds of experience.

-Byoung Kim
> The above doesn't tell us much....
>
> a) Where did you add the masquerading?
> b) What does "does not work" mean? No route to host? time outs? computer
> explodes?

I am trying to have a public IP allocated on the PPTP server for the host or subnet behind the PPTP client, using the ppp0 generated through the tunnel connected to PPTP, and to use the Internet with it. This is a basic PPTP connection method in MS Windows.

I know it depends on whether a private IP or a public IP is assigned when setting up the PPTP server (Linux).

My target is not IP masquerading but IP forwarding. For example, I can only use the Internet by masquerading the host (61.35.xxx.115) on the local side of the PPTP client to the connected cable modem (eth0). However, I think it is required to do IP forwarding to the ppp0 connected to the PPTP tunnel in order to acquire a public IP on the PPTP server.

Through which setting can the host (61.35.xxx.115 - private IP) connected to the PPTP client be used as the actual IP? If the following method is wrong, is there any other method?

PPTP client environment:   --> Is it an appropriate setting?
    61.35.xxx.122 dev ppp0  proto kernel  scope link  src 61.35.xxx.113   --> PPTP tunnel
    default via 61.35.xxx.122 dev ppp0                                    --> default gateway add
    /etc/shorewall/tcrules                                                --> tcrule add
    1:F   61.35.xxx.115   0.0.0.0/0   all

I know I may not inquire about matters not related to Shorewall. Nevertheless, I am asking you because I know your abundant experience, well-established knowledge and troubleshooting ability related to the network are excellent. If this disturbs you, please understand me with your generosity.

Thank you for your help.

-Byounghae Kim
On Mon, 28 Apr 2003 17:54:32 +0900, Byounghae Kim <kbh7002@kornet.net> wrote:

>> The above doesn't tell us much....
>>
>> a) Where did you add the masquerading?
>> b) What does "does not work" mean? No route to host? time outs?
>> computer explodes?
>
> I am trying to have a public IP allocated on the PPTP server for the host
> or subnet behind the PPTP client, using the ppp0 generated through the
> tunnel connected to PPTP, and to use the Internet with it.

That means that the problem is on the right gateway.

> This is a basic PPTP connection method in MS Windows.
>
> I know it depends on whether a private IP or a public IP is assigned when
> setting up the PPTP server (Linux).

NO!!!! That has nothing to do with it. If masquerading on the left gateway fixes the problem it means that the routing on the right gateway is wrong. As I said before, you want to approach the problem from the internet in - not from the client out.

> If this disturbs you, please understand me with your generosity.

This _is_ very off-topic.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://www.shorewall.net
Washington USA    \ teastep@shorewall.net
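Tom's advice above ("from the internet in") comes down to two routing decisions: the left gateway's fwmark rule sending the marked host into the tunnel, and the right gateway needing a route for the remote /29 through ppp0 so replies come back the same way. The following is an added example, not code from the thread or from Shorewall: a small Python model of those two lookups, using the `ip rule ls` / `ip route ls` output posted earlier. Addresses are constructed (the masked "xxx" octet is replaced by 0, the right gateway's routes are assumed), and proxy ARP on the right side is not modelled.

```python
# Added example, not from the thread: a model of the policy routing Tom describes on
# the left gateway and the right gateway's return path. Masked "xxx" octet set to 0.
import ipaddress

def lookup(table, dst):
    """Longest-prefix match within one table; entries are (prefix, via, dev)."""
    best = None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best

def route(rules, tables, dst, fwmark=0):
    """Walk `ip rule` entries (prio, fwmark or None, table) in priority order."""
    dst = ipaddress.ip_address(dst)
    for _prio, mark, name in sorted(rules, key=lambda r: r[0]):
        if mark is not None and mark != fwmark:
            continue
        hit = lookup(tables[name], dst)
        if hit is not None:
            return name, hit[2], hit[1]  # (table, dev, via)
    return None  # no route to host

# Left gateway (pptp client), from the `ip rule ls` / `ip route ls` output above.
LEFT_RULES = [(32765, 1, "pptp"), (32766, None, "main")]
LEFT_TABLES = {
    "pptp": [("0.0.0.0/0", "61.35.0.122", "ppp0")],
    "main": [("61.35.0.122/32", None, "ppp0"), ("61.35.0.115/32", None, "eth1"),
             ("211.59.0.0/24", None, "eth0"), ("192.168.1.0/24", None, "eth1"),
             ("0.0.0.0/0", "211.59.0.1", "eth0")],
}

def tcrule_mark(src):
    """The tcrules line `1:F 61.35.xxx.115 0.0.0.0/0 all`: mark 1 for that source."""
    return 1 if src == "61.35.0.115" else 0

def left_outbound(src, dst="198.51.100.10"):
    """Where the left gateway forwards a packet from src to an Internet host."""
    return route(LEFT_RULES, LEFT_TABLES, dst, tcrule_mark(src))

# Right gateway (pptp server), assumed routes: tunnel peer, the public /25 towards the
# upstream router 61.35.xxx.1, default. The /29 via ppp0 is the route Tom says to add.
RIGHT_MAIN = [("61.35.0.113/32", None, "ppp0"), ("61.35.0.0/25", None, "eth0"),
              ("0.0.0.0/0", "61.35.0.1", "eth0")]

def right_return(dst, tunnel_route_added):
    """Where the right gateway sends a reply to the host behind the tunnel."""
    table = RIGHT_MAIN + ([("61.35.0.112/29", None, "ppp0")] if tunnel_route_added else [])
    return route([(32766, None, "main")], {"main": table}, dst)
```

Without the /29 route the right gateway's reply to 61.35.0.115 matches only the connected /25 and is handed to the local segment instead of the tunnel, which is the symptom the thread describes.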
> NO!!!! That has nothing to do with it. If masquerading on the left gateway
> fixes the problem it means that the routing on the right gateway is wrong.
> As I said before, you want to approach the problem from the internet in -
> not from the client out.
>

Thanks

-Byounghae Kim