Hi!

I have used a very basic npppd setup for some years and it works alright for me, thanks! (From Windows 7 workstations.)

It seems I now need to set up a more complicated configuration. Say that the firewall has three network interfaces:

re0 - public internet
re1 - internal network one 192.168.2.0/24
re2 - internal network two 192.168.7.0/24

and one npppd user needs to access some hosts on the 192.168.2.0/24 network and the other npppd user needs to access some hosts on the 192.168.7.0/24 network.

I tried out/thought of several configuration options; it seems there are a couple of ways to set it up, for example these two:

1. Since I can use several public IP addresses, I could set up isakmpd to listen on two and associate them with npppd.conf using something like this (about this I only thought, no real trial):

authentication LOCAL_1 type local {
        users-file "/etc/npppd/npppd-users-1"
}

authentication LOCAL_2 type local {
        users-file "/etc/npppd/npppd-users-2"
}

tunnel L2TP_1 protocol l2tp {
        listen on x.x.x.x
        mppe no
}

tunnel L2TP_2 protocol l2tp {
        listen on x.x.x.y
        mppe no
}

ipcp IPCP_1 {
        pool-address 192.168.2.140-192.168.2.148 for dynamic
}

ipcp IPCP_2 {
        pool-address 192.168.7.140-192.168.7.148 for dynamic
}

interface tun0 address 192.168.2.252 ipcp IPCP_1
interface tun1 address 192.168.7.252 ipcp IPCP_2

bind tunnel from L2TP_1 authenticated by LOCAL_1 to tun0
bind tunnel from L2TP_2 authenticated by LOCAL_2 to tun1

But I am not a fan of this because it uses two public addresses and I'd rather use only one if possible.

2. Using this configuration, playing with pool-addresses and specifying specific addresses for the two users (tried it and it seems to work, but I edited my real configuration for better reading):

authentication LOCAL type local {
        users-file "/etc/npppd/npppd-users"
}

tunnel L2TP protocol l2tp {
        listen on x.x.x.x
        mppe no
}

ipcp IPCP {
        pool-address 192.168.2.140-192.168.2.148 for dynamic
        pool-address 192.168.7.140-192.168.7.148 for dynamic
}

interface pppx0 address 192.168.113.252 ipcp IPCP
bind tunnel from L2TP authenticated by LOCAL to pppx0

and /etc/npppd/npppd-users has:

user-one:\
        :password=password-one:\
        :framed-ip-address=192.168.2.140:\
        :framed-ip-network=255.255.255.0:

user-two:\
        :password=password-two:\
        :framed-ip-address=192.168.7.140:\
        :framed-ip-network=255.255.255.0:


Which one do you suggest: should I go with the first or the second configuration? Or maybe rather something else? And I also have these questions:

1. For the Windows 7 client it seems the framed-ip-network parameter doesn't matter much: if framed-ip-address is a class C address it creates a route for /24, if it is class A, it creates a route for /8; and there probably isn't much to do about it from npppd?

2. The 'interface' statement address (192.168.113.252) at least seems to accept anything (I believe it is not wise to use OpenBSD's gateway address there, still :), but what is the recommended choice: should it be something from inside the pool, or from the same subnet as the pool but outside the pool and not used on the network?

3. On what to base the choice between pppx0 and tun0 interfaces? (Is tun less efficient in some situations but, being more mature, less likely to crash while trying out stupid configurations?)

4. Is it usually wise to put the npppd user into the same network as the hosts she intends to access? (At least it seems to be a good choice because on the Windows 7 side it just works this way, and I can still control which hosts she can access with pf.) I also thought of putting npppd users into a separate subnet (like something virtual built around vether0), but then it needs more work on the Windows 7 side to route users to what they really need access to, or to have some rdr-to rules in the packet filter.


Best regards,

Imre

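The pf-based per-user restriction mentioned in question 4 of the post above, written out as an added example; it is not part of the original message and not npppd's or OpenBSD's own configuration. The framed addresses are the ones from the npppd-users file in the second configuration; the server addresses (192.168.2.10, 192.168.2.11, 192.168.7.20) and the allowed ports are assumed for illustration. With pppx(4), npppd creates one pppxN interface per PPP session, so the rules match on the `pppx` interface group (OpenBSD puts every interface in a group named after its driver) instead of on pppx0 alone; for the tun0 variant of the first configuration, replace the group with `tun0`.

```pf
# Added example pf.conf fragment: pin each npppd client to the address
# npppd hands out and allow it only the hosts and ports it needs.
# Server addresses and ports below are assumed, not from the post.
vpn      = "pppx"                # interface group: one pppxN per npppd session
user_one = "192.168.2.140"       # framed-ip-address of user-one
user_two = "192.168.7.140"       # framed-ip-address of user-two
srv_one  = "{ 192.168.2.10, 192.168.2.11 }"   # hosts user-one may reach (assumed)
srv_two  = "{ 192.168.7.20 }"                 # hosts user-two may reach (assumed)

# Default deny for anything arriving from a VPN session; because the pass
# rules below name the exact source address, packets a client sends with
# any other (spoofed) source never match and are dropped here.
block in log on $vpn

# Explicitly keep each user out of the other internal network, even if a
# later pass rule is ever written too broadly.
block in quick on $vpn from $user_one to 192.168.7.0/24
block in quick on $vpn from $user_two to 192.168.2.0/24

# Per-user allow rules (stateful, so replies from the servers are passed
# back out over the same session without extra rules).
pass in on $vpn inet proto tcp from $user_one to $srv_one port { 22, 443 }
pass in on $vpn inet proto tcp from $user_two to $srv_two port 3389
pass in on $vpn inet proto icmp from $user_one to $srv_one icmp-type echoreq
pass in on $vpn inet proto icmp from $user_two to $srv_two icmp-type echoreq
```

Check the fragment parses before loading it with `pfctl -nf /etc/pf.conf`; `pfctl -sr` afterwards shows the expanded rules with the lists unrolled, which is the easiest way to confirm each user ended up with only the intended destinations.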