Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Ehud Gavron on November 06, 2002, 10:16:18 PM
-
We have a PIX firewall connecting our internal network to the Internet.
We have an SME server which is set to "Server Only" mode
and sits on the DMZ of the PIX.
We have connected the second interface of the SME server
to the Internal network, and wish to use it as a PPTP gateway
for external users to access the internal network.
(Side note:
our version of the PIX does not support VPNs or we would have
used it for this. Side note 2: we do not want the E-smith box
doing full time routing between the two... so the PIX stays.)
So the BIG question I have is
"How do I enable PPTP and the second interface without
turning it into a Gateway box" or "Is there a harm in turning
it into a gateway box?"
Here's what I did do:
1. ifconfig eth1 ip.address.on.inside
it pings local net fine
2. I can form a VPN to it from my home PC, and I can
ping the e-smith server fine. Traceroute shows it
one hop away (ergo routing through the tunnel :)
3. I CANNOT ping, trace etc. THROUGH the box
to the local net.
My guess is the box is NOT doing proxy-arp for the
remote system at the end of the tunnel.
So I guess I would like to know if there is a way to
"enable pptp service" the right way so it works...
or what assumptions I'm making that are wrong or
unnecessary.
Any help appreciated. I am an IP internals jockey,
but not much of an e-smith jockey.
Ehud
gavron@wetwork.net
-
Ok, having experimented a little more I can add these facts.
1. LAN systems DO see the proxy arp for the VPN host
2. A traceroute from the LAN gets as far as the SME box.
3. The VPN host does see a route through the VPN to the SME box.
4. A traceroute from the host gets as far as the SME box.
So... my new question is "What do I need to do to actually
have the SME box forward the packets? Is it a matter of the
Chains? Is it a kernel parameter? What am I missing?"
TIA :)
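The symptoms in the two posts (tunnel peer and LAN host each get as far as the SME box, nothing crosses it) are what a Linux box shows when it is not forwarding. The following is an added check script, not code from the thread or from SME Server: it tests the kernel forwarding flag, proxy ARP on the LAN interface, and the FORWARD chain policy. The /proc layout, the interface names (eth1 for the LAN, ppp0 for the tunnel) and the `iptables -vL FORWARD` / `ipchains -L forward -v` listing format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Every check takes its input path as an
# argument so it can be run against the live /proc tree (PROC_DIR below) or
# against saved copies of the files.
PROC_DIR=${PROC_DIR:-/proc/sys/net/ipv4}

# forwarding_enabled DIR: succeeds if the kernel will move packets between
# interfaces at all. With ip_forward=0 a packet arriving on ppp0 for a LAN
# address is dropped before any chain is consulted, which matches
# "traceroute gets as far as the SME box" from both sides.
forwarding_enabled() {
  [ "$(cat "$1/ip_forward" 2>/dev/null)" = "1" ]
}

# proxy_arp_enabled DIR IFACE: succeeds if IFACE answers ARP on behalf of
# hosts behind the box (the PPTP peer), so LAN machines can send replies.
proxy_arp_enabled() {
  [ "$(cat "$1/conf/$2/proxy_arp" 2>/dev/null)" = "1" ]
}

# forward_chain_accepts FILE TUN: succeeds if a saved verbose listing of the
# FORWARD chain either has policy ACCEPT or contains an ACCEPT rule that
# names the tunnel interface (assumed format: "... ACCEPT ... ppp0 ...").
# Note: enabling ip_forward makes the box a router, which the original
# poster wanted to avoid, so a DROP policy plus a narrow ACCEPT rule for the
# tunnel is the safer configuration to aim for.
forward_chain_accepts() {
  grep -q 'policy ACCEPT' "$1" 2>/dev/null && return 0
  grep -Eq "(^|[[:space:]])ACCEPT[[:space:]].*[[:space:]]$2([[:space:]]|\$)" "$1" 2>/dev/null
}

# diagnose DIR LAN_IF TUN_IF CHAINFILE: prints one line per failed check and
# returns the number of failures (0 means forwarding should work).
diagnose() {
  fails=0
  forwarding_enabled "$1" \
    || { echo "ip_forward is 0: kernel drops transit packets"; fails=$((fails+1)); }
  proxy_arp_enabled "$1" "$2" \
    || { echo "proxy_arp off on $2: LAN hosts cannot reach the tunnel peer"; fails=$((fails+1)); }
  forward_chain_accepts "$4" "$3" \
    || { echo "FORWARD chain does not accept traffic from $3"; fails=$((fails+1)); }
  return $fails
}
```

Run as `iptables -vL FORWARD > /tmp/fwd; diagnose "$PROC_DIR" eth1 ppp0 /tmp/fwd` on the gateway (or the ipchains equivalent on a 2.2 kernel).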
-
I think we have a similar problem. That is:
When we establish the pptp connection to a remote LAN (e-smith being the pptp-server logged in to) the client VPN login is going ok. The problem is however that most of the time it takes 5 minutes before we can connect to a win2-server in the remote LAN.
Pings to the sme/pptp-server are always ok. However pinging to other PCs in the remote LAN results in lost packets. As far as I can see there are no problems on the internal LAN itself.