Quoting James Gray <[EMAIL PROTECTED]>:

> On Fri, 2 Apr 2004 05:15 pm, Amanda wrote:
> > I'm setting up an SME server as server & gateway. It has 2 ethernet
> > cards, eth0 (192.168.0.210)to the local network, eth1 (10.0.0.3)to the
> > adsl modem (10.0.0.1).
> >
> > From a machine on the Lan, I can access the internet just fine.
> >
> > On the SME server, I'm running pptp client to establish a tunnel into the
> > company's Windows 2000 VPN server. This also works fine. (I'm running
> > rsync & mysql replication over it).
> >
> > How do I add a route so local users on the lan can see machines on the
> > lan at head office. I can see them just fine from the SME server.
> >
> > route add -net 10.0.0.150 netmask 255.255.255.255 dev ppp0
> >
> > 10.0.0.150 being an intranet web server on the company's lan. This is the
> > machine I'm rsyncing & replicating against.
> >
> > I can ping 10.0.0.150 from the SME server, but not from my machine on the
> > Lan.
> >
> > Amanda
> >
> > Please avoid sending me Word or PowerPoint attachments.
> > See http://www.fsf.org/philosophy/no-word-attachments.html
> 
> Hi Amanda,
> 
> In /etc/ppp/ip-up.d create a script like this: (mine's called "00routes")
> 
> #!/bin/bash
> 
> # Define the routers
> DMZ=1.2.3.4        # DMZ Gateway (physical next hop, not the tunnel)
> #LAN=192.168.0.1    # Local LAN (internal) router - not used ATM
> # Peer address of the point-to-point link, i.e. the far end of the tunnel
> VPN=`ifconfig -a|grep P-t-P|awk '{print $3}'|awk -F: '{print $2}'`
> 
> # Define the hosts/nets we need specific routes for:
> # Resolve the host, then widen its address to the surrounding /24 (see note 2)
> AARNET=`host mirror.aarnet.edu.au| \
> awk '{print $NF}'| \
> awk -F. '{print $1 "." $2 "." $3 ".0/24"}'`
> 
> VPNSERVER=`host vpnserver.example.com|awk '{print $NF}'`
> #OTHER=`host other.example.com|awk '{print $NF}'`
> NTP1=137.92.140.80
> NTP2=203.21.37.18
> 
> # Add the routes (all via the physical gateway, so they bypass the tunnel)
> route add -net  $AARNET    gw $DMZ
> route add -host $VPNSERVER gw $DMZ  # Needed for the pptp control chan.
> #route add -host $OTHER     gw $DMZ
> route add -host $NTP1      gw $DMZ
> route add -host $NTP2      gw $DMZ
> 
> # Modify the default route (only after the host routes above are in place)
> route del default
> route add default gw $VPN   # <- this is the ppp0 interface
> 
> Some important notes!
> 
> 1. You NEED to include a specific route to the VPN server you are connecting
> to BEFORE you change the default route!!  Otherwise, when you change the 
> default route it will cause all the VPN traffic to try and tunnel back 
> through itself.  This will send the VPN tunnel traffic to max and time-out 
> after about 3 minutes - took me a while to figure out what was happening 
> initially.
> 
> 2. The $AARNET host is an example of how to add an entire network to a route
> etc.  You wouldn't ordinarily add a host like that (ie, look up its IP, 
> and add the entire C-class network it's in!).
> 
> 3. We use NTP to synchronise the clock on the VPN server (it logs back to a
> syslog server, so we need to keep everything pretty tightly "in-sync").  So
> I added two routes so the NTP stuff doesn't get routed over the VPN tunnel.
> 
> 4. You'll need to change the default route again when the tunnel comes down
> in /etc/ppp/ip-down.d/ too.  But the script is nearly identical to this, 
> except the default route goes back to the $DMZ router IP.
> 
> HTH,
> 
> James
> -- 
> Fortune cookies says:
> The eternal feminine draws us upward.
>               -- Goethe
> 
> 
> 
James,

I actually have the tunnel up & working fine, from the SME server which
initiates the link. The problem lies in machines on the local Lan attached to
the SME server being able to get through the tunnel to machines at the remote end.
I'm beginning to think it's more of a firewalling problem than a routing
problem, per se.

Looking at the output from iptables -L, the third input rule points to PPPconn,
which has no rules defined. There are also no rules which output to ppp0, so all
nat'ed traffic is going out the default gateway.
And I don't want it setup so ALL traffic goes down the pptp tunnel.

This is pulled from routing.phtml on the sourceforge pptpclient website.
# route add -net 192.168.0.0 netmask 255.255.0.0 dev ppp0
# iptables --insert OUTPUT 1 --source 0.0.0.0/0.0.0.0 \
--destination 192.168.0.0/16 --jump ACCEPT --out-interface ppp0
# iptables --insert INPUT 1 --source 192.168.0.0/16 \
--destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp0
# iptables --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 \
--destination 192.168.0.0/16 --jump ACCEPT --out-interface ppp0
# iptables --insert FORWARD 1 --source 192.168.0.0/16 \
--destination 0.0.0.0/0.0.0.0 --jump ACCEPT
# iptables --table nat --append POSTROUTING --out-interface ppp0 \
--jump MASQUERADE
# iptables --append FORWARD --protocol tcp \
--tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

If I rewrite the above to this, I think it will do what I want.
# route add -host 10.0.0.150 dev ppp0
# iptables --insert PPPconn 1 --source 0.0.0.0/0.0.0.0 \
--destination 10.0.0.150/32 --jump ACCEPT --out-interface ppp0
# iptables --insert INPUT 1 --source 10.0.0.150/32 \
--destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface ppp0
# iptables --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 \
--destination 10.0.0.150/32 --jump ACCEPT --out-interface ppp0
# iptables --insert FORWARD 1 --source 10.0.0.150/32 \
--destination 0.0.0.0/0.0.0.0 --jump ACCEPT
# iptables --table nat --append POSTROUTING --out-interface ppp0 \
--jump MASQUERADE
# iptables --append FORWARD --protocol tcp \
--tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu

Of course, I have to repeat that for the other remote IP address, 10.0.0.2.

I've never had to mess with firewall rules before, so this is a new experience
for me.
Thoughts anybody?

Amanda

Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
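Putting the two halves of this thread together (James's ip-up.d script and the pptpclient FORWARD/MASQUERADE/TCPMSS rules Amanda adapted), here is one script for /etc/ppp/ip-up.d that sends only the named head-office hosts down the tunnel and leaves the default route on the modem. It is an added example, not code from either poster or from the pptpclient project. The addresses come from the thread where they exist (LAN 192.168.0.0/24 on eth0, modem 10.0.0.1, remote hosts 10.0.0.150 and 10.0.0.2, interface ppp0); the PPTP server's public address 203.0.113.10 is a placeholder, and the helper name build_commands, the use of the plain FORWARD chain rather than SME's PPPconn chain, and reading ip-up/ip-down from $0 are this example's own choices. It goes a little beyond the thread in two ways: the same function emits the teardown for ip-down.d (James's note 4), and the return direction is limited to established traffic, so a head-office host cannot open connections into the local LAN, which the pptpclient rules as quoted allow. Run by hand it prints the command list instead of executing it, so the rule set can be read back before it touches a live gateway.

```shell
#!/bin/sh
# Added example (not the original posters' code): /etc/ppp/ip-up.d/50-vpnroutes,
# symlinked into /etc/ppp/ip-down.d/ as well. pppd invokes it as
#   script IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
# Assumed addresses: LAN 192.168.0.0/24 on eth0, modem 10.0.0.1 on eth1,
# head-office hosts 10.0.0.150 and 10.0.0.2 reachable only through the tunnel,
# PPTP server 203.0.113.10 (placeholder for the real server's public address).
set -eu

PPP_IFACE="${1:-ppp0}"
LAN_NET="192.168.0.0/24"
UPSTREAM_GW="10.0.0.1"              # the modem: the default route stays here
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
REMOTE_HOSTS="10.0.0.150 10.0.0.2"  # one /32 route and rule pair per host

# Emit the commands for bringing the policy up or down. Generating text rather
# than executing directly means the rule set can be inspected (or tested)
# without root, and the same function produces the exact teardown.
build_commands() {
    action="$1"; ppp="$2"; gw="$3"; vpn="$4"; lan="$5"; shift 5
    if [ "$action" = up ]; then
        fwd="-I FORWARD 1"; app="-A"
        # Pin the PPTP control channel (TCP 1723) and GRE to the physical
        # gateway before anything points at ppp0. Harmless while the default
        # route stays on the modem; essential if it is ever moved to the
        # tunnel, or the tunnel tries to carry its own packets and stalls.
        echo "route add -host $vpn gw $gw"
    else
        fwd="-D FORWARD"; app="-D"
    fi
    for h in "$@"; do
        if [ "$action" = up ]; then
            # Host route: only this destination is sent down the tunnel.
            # (The kernel drops ppp0 routes itself when the link goes down.)
            echo "route add -host $h dev $ppp"
        fi
        # LAN -> head office may open connections; the reverse direction only
        # carries replies, so a compromised remote host cannot reach the LAN.
        echo "iptables $fwd -s $lan -d $h/32 -o $ppp -j ACCEPT"
        echo "iptables $fwd -s $h/32 -d $lan -i $ppp -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    # The far end only knows the tunnel's own address, so hide LAN sources
    # behind it; without this, replies go to 192.168.0.x and are lost.
    echo "iptables -t nat $app POSTROUTING -o $ppp -j MASQUERADE"
    # GRE + PPP headers shrink the path MTU. Clamping MSS on forwarded SYNs
    # avoids the classic 'ping works, rsync hangs' symptom through a tunnel.
    echo "iptables $app FORWARD -o $ppp -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
    if [ "$action" = down ]; then
        echo "route del -host $vpn gw $gw"
    fi
}

# ip-up.d and ip-down.d share this file; which one we are is read from $0.
case "$0" in *ip-down*) ACTION=down ;; *) ACTION=up ;; esac

# Apply only when run by pppd (it passes the interface as $1) as root;
# otherwise print the plan so it can be reviewed. $REMOTE_HOSTS is unquoted
# on purpose so each host becomes its own argument.
if [ -n "${1:-}" ] && [ "$(id -u)" = 0 ]; then
    build_commands "$ACTION" "$PPP_IFACE" "$UPSTREAM_GW" "$VPN_SERVER" "$LAN_NET" $REMOTE_HOSTS |
        while IFS= read -r cmd; do $cmd; done
else
    build_commands "$ACTION" "$PPP_IFACE" "$UPSTREAM_GW" "$VPN_SERVER" "$LAN_NET" $REMOTE_HOSTS
fi
```

Running it by hand with no arguments prints the nine commands for the two hosts; check the first line is the pin route to the VPN server and that nothing else mentions the default route. On an SME server the distribution's own chains (PPPconn and friends) are regenerated by its templates, so rules inserted at position 1 of FORWARD survive only until the next template expansion; putting them in ip-up.d, where they are re-added every time the tunnel comes up, is what keeps them in place.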
