Koozali.org: home of the SME Server

PPTP/DHCP Interop Questions

DG

PPTP/DHCP Interop Questions
« on: February 16, 2002, 09:28:56 PM »
Hi All,

I have an interesting situation, and I'm trying to figure out if an SME gateway would do the trick.

Here is the basic scenario:

Client has a block of legal addresses behind a packet filtering firewall, which acts as its main gateway.  They do a lot of VPN connections to various clients of their own, and this arrangement has proven best.  They also need the ability for their roaming Windows laptop users to access this protected range of routable addresses, from any remote location.  I am considering an SME gateway for the task.

Here are some of the issues that come to my mind:

They currently have a DHCP server that assigns the primary gateway (the packet filter) to each client along with the address lease.  If my reading of the material is correct, the SME gateway would normally accept the connection and assign an IP address (as it would normally be assumed to be the master/only DHCP server on the LAN).  It seems in this scenario, the use of the primary LAN DHCP server would not work for remote clients, as it would point to the wrong gateway -- not back to the SME box thru which the remote connection was made.  Running a separate DHCP server on the SME gateway might cause incorrect leases to be assigned to local hosts, thus pointing them at the wrong (SME) gateway.

Any ideas on solving this?  Is it possible to compartmentalize the DHCP server on the SME box, such that it only assigns addresses to remote clients?  Am I on the right track thinking this is necessary?  Any additional comments?

Thanks in advance,


Dan

Charlie Brady

Re: PPTP/DHCP Interop Questions
« Reply #1 on: February 18, 2002, 02:38:40 AM »
DG wrote:

> Is it possible to
> compartmentalize the DHCP server on the SME box, such that it
> only assigns addresses to remote clients?

The DHCP server is not used to provide IP addresses for PPTP clients. The addresses that the PPTP server allocates (using the IPCP protocol) are chosen from the range of local network addresses configured for allocation by DHCP. Hence I think that it would be necessary to enable the DHCP daemon (to allow you to configure that range of addresses), then disable the DHCP daemon, then enable PPTP.

Regards

Charlie

Dan G.

Re: PPTP/DHCP Interop Questions
« Reply #2 on: February 18, 2002, 03:24:36 AM »
Charlie,

Thanks a ton for validating what I discovered.  I set up a lab this morning and got it put together, but was not sure if I could trust what I was seeing.

Since I am not using RFC1918 addresses inside the gateway, I had to make /templates-custom/etc/pptpd.conf/remoteip, with 'remoteip 209.www.xxx.yyy-zzz'.  Expanded template, did a 'signal-event remoteaccess-update', and all worked fine after that.

I have noticed that the PPTPd dynamically assigns addresses from the pool I defined in remoteip --- even with DHCPd off.  I wasn't expecting that -- I thought I would have to assign static IPs in the Windows PPTP config, but that is not the case.  That will make life easier.

BTW, I have noticed in the log files there is reference to proxy-arp events.  This seems appropriate, since address translation isn't taking place in my configuration.  Do you know if the remoteip range is all that gets proxyarped, or are there assumptions built in for the entire subnet?  I have another box (non-SME) on the perimeter where this one will need to go, and it is doing proxyarp for all machines on the subnet, except for the range defined in remoteip, and a few other "outside" systems scripted out of the proxyarp list.  If proxyarp were taking place for any other addresses, that could really mess things up.  Any tips for checking this?

Thanks again,

Dan
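
One way to check the proxy-ARP question raised in the last post, as an added example that is not part of the thread or of SME Server: compare the published entries in the Linux ARP table against the `remoteip` pool. The function names are hypothetical, the sample table and pool are constructed (documentation addresses), and it assumes published entries carry the `0x8` flag in `/proc/net/arp`.

```python
import ipaddress

ATF_PUBL = 0x08  # "published" (proxy ARP) flag in the Linux ARP table

def parse_remoteip(line):
    """Expand a pptpd.conf 'remoteip' line such as
    'remoteip 192.0.2.200-210,192.0.2.220' into a set of addresses."""
    pool = set()
    for part in line.split(None, 1)[1].split(","):
        part = part.strip()
        if "-" in part:
            first, last_octet = part.split("-")
            start = ipaddress.IPv4Address(first)
            end = ipaddress.IPv4Address(first.rsplit(".", 1)[0] + "." + last_octet)
            if end < start:
                raise ValueError("descending range: " + part)
            pool.update(ipaddress.IPv4Address(i)
                        for i in range(int(start), int(end) + 1))
        else:
            pool.add(ipaddress.IPv4Address(part))
    return pool

def published_entries(arp_table_text):
    """Return (address, device) for every published entry in /proc/net/arp text."""
    found = []
    for row in arp_table_text.splitlines()[1:]:  # first line is the column header
        cols = row.split()
        if len(cols) >= 6 and int(cols[2], 16) & ATF_PUBL:
            found.append((ipaddress.IPv4Address(cols[0]), cols[5]))
    return found

def unexpected_proxy_arp(arp_table_text, remoteip_line):
    """Published entries whose address is NOT in the PPTP remoteip pool."""
    pool = parse_remoteip(remoteip_line)
    return [(str(ip), dev) for ip, dev in published_entries(arp_table_text)
            if ip not in pool]

# Constructed sample: one normal neighbour, one proxied PPTP client inside
# the pool, one published address outside it.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:11:22:33:44:55     *        eth0
192.0.2.201      0x1         0xc         00:00:00:00:00:00     *        eth0
192.0.2.50       0x1         0xc         00:00:00:00:00:00     *        eth0
"""
SAMPLE_REMOTEIP = "remoteip 192.0.2.200-210"

if __name__ == "__main__":
    for ip, dev in unexpected_proxy_arp(SAMPLE_ARP, SAMPLE_REMOTEIP):
        print("proxy ARP outside remoteip pool:", ip, "on", dev)
```

On a live gateway, pass the contents of `/proc/net/arp` (read while PPTP clients are connected) and the `remoteip` line from the expanded `pptpd.conf`. The table does not reflect the per-interface `/proc/sys/net/ipv4/conf/<interface>/proxy_arp` switch, so check that it is `0` as well.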