Netgate Discussion Forum

PPTP clients to the LAN

    rds_correia
    last edited by Apr 6, 2006, 2:25 PM

    Hello,
    We have a pfSense working as a VPN server in our network.
    Every IT team member can access our LAN from home using WinXP's PPTP client.
    But now we have a customer that needs to access one single host in our LAN.
    Something like:

    PPTP client ----> PPTP server ----> single host
      dhcp            192.168.1.249    192.168.1.89

    We have rules like:
    TCP  PPTP clients  *  LAN net  5800  ---> VNC

    But this is giving access to port 5800 for any host in the LAN.
    Now, since his public IP is unknown due to DHCP, how can I limit his access to a single host?
    Like:
    TCP  PPTP clients  *  192.168.1.44  5800  ---> VNC
    But this will be superseded by the earlier rule, which means he can VNC any computer in our LAN  :(.
    Is there a way to set this up without knowing his public IP?
    Cheers

    pfSense 2.2.4 running on a HP DL385 G5
    WAN bce(4) + LAN em(4) + OPTn em(4) with 10 VLANs + Snort + PPTP VPN soon to be trashed by OVPN

      hoba
      last edited by Apr 6, 2006, 3:01 PM

      Create the PPTP user with the restricted access and assign it a special IP (don't use one out of the PPTP pool). Then create firewall rules at the PPTP tab for source this IP instead of PPTP clients. That's it.

        rds_correia
        last edited by Apr 7, 2006, 2:18 PM

        @hoba:

        Create the PPTP user with the restricted access and assign it a special IP (don't use one out of the PPTP pool).

        What do you mean by "don't use one out of the PPTP pool"?

        pfSense 2.2.4 running on a HP DL385 G5
        WAN bce(4) + LAN em(4) + OPTn em(4) with 10 VLANs + Snort + PPTP VPN soon to be trashed by OVPN

          psychosematic
          last edited by Apr 7, 2006, 4:58 PM

          @rds_correia:

          @hoba:

          Create the PPTP user with the restricted access and assign it a special IP (don't use one out of the PPTP pool).

          What do you mean by "don't use one out of the PPTP pool"?

          He is talking about the set range of IPs that you define for the PPTP clients. Use an IP outside of that range.

            rds_correia
            last edited by Apr 7, 2006, 7:28 PM

            Oh! Ok, I'll try that and let you know how it went.
            Thank you both ;).
            Cheers

            pfSense 2.2.4 running on a HP DL385 G5
            WAN bce(4) + LAN em(4) + OPTn em(4) with 10 VLANs + Snort + PPTP VPN soon to be trashed by OVPN

              rds_correia
              last edited by Apr 11, 2006, 4:40 PM

              Ok, I had a look at it but I didn't try anything yet because I got confused.
              Below you'll find 2 pics where you can clearly see that the IP network for my PPTP clients is 192.168.1.80/28.


              Do you mean that I should create a new user and set his IP address to, say, 192.168.1.79?
              That way he'll be outside the PPTP server addresses.
              But then again, how will the PPTP server know that this user is allowed to enter  ???
              Or maybe I'm completely wrong here and I didn't catch the tip you guys wrote a couple of posts above…
              Please, be so kind to...enlighten me  ;)
              Cheers

              pfSense 2.2.4 running on a HP DL385 G5
              WAN bce(4) + LAN em(4) + OPTn em(4) with 10 VLANs + Snort + PPTP VPN soon to be trashed by OVPN

                psychosematic
                last edited by Apr 11, 2006, 6:30 PM

                @rds_correia:

                Ok, I had a look at it but I didn't try anything yet because I got confused.
                Below you'll find 2 pics where you can clearly see that the IP network for my PPTP clients is 192.168.1.80/28.


                Do you mean that I should create a new user and set his IP address to, say, 192.168.1.79?
                That way he'll be outside the PPTP server addresses.
                But then again, how will the PPTP server know that this user is allowed to enter  ???
                Or maybe I'm completely wrong here and I didn't catch the tip you guys wrote a couple of posts above…
                Please, be so kind to...enlighten me  ;)
                Cheers

                Your 192.168.1.80/28 … 16 addresses, like noted just below what you have filled in ... starting at xxx.xxx.1.80 ... this is just a DHCP range for PPTP clients so that you can be specific with what you want them to do ... organization is the general purpose of this, would be my guess ... I could be wrong ... I don't know enough about it, if it were to be specific to PPTP or not. You can set it to xxx.xxx.1.79 and it will work just fine.

                  rds_correia
                  last edited by Apr 11, 2006, 8:10 PM

                  Thanks for explaining psychosematic :).
                  I'll try it ASAP and let you know how it went ;).

                  pfSense 2.2.4 running on a HP DL385 G5
                  WAN bce(4) + LAN em(4) + OPTn em(4) with 10 VLANs + Snort + PPTP VPN soon to be trashed by OVPN

                    rds_correia
                    last edited by Apr 12, 2006, 1:16 PM

                    Ok.
                    Just to let you all know that it works.
                    Thank you all for your help.
                    Cheers

                    pfSense 2.2.4 running on a HP DL385 G5
                    WAN bce(4) + LAN em(4) + OPTn em(4) with 10 VLANs + Snort + PPTP VPN soon to be trashed by OVPN
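
Added example, not part of the thread and not pfSense code: a small first-match rule model showing why the customer's static address has to sit outside the PPTP pool for the per-host rule to be the only one that applies. It assumes the "PPTP clients" source covers the 192.168.1.80/28 pool, that "LAN net" is 192.168.1.0/24, and that unmatched traffic is blocked by default; the rule labels and sample host list are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Addresses come from the thread; the /24 LAN size and alias expansion are assumptions.
PPTP_POOL = ipaddress.ip_network("192.168.1.80/28")  # what "PPTP clients" is assumed to cover
LAN_NET = ipaddress.ip_network("192.168.1.0/24")     # assumed size of "LAN net"
CUSTOMER = ipaddress.ip_network("192.168.1.79/32")   # static IP given to the customer's user
VNC_HOST = ipaddress.ip_network("192.168.1.44/32")   # the one host the customer may reach


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int
    label: str


STAFF_RULE = Rule(PPTP_POOL, LAN_NET, 5800, "PPTP clients -> LAN net (VNC)")
CUSTOMER_RULE = Rule(CUSTOMER, VNC_HOST, 5800, "customer -> 192.168.1.44 (VNC)")


def evaluate(rules, src, dst, port):
    """Return the label of the first pass rule that matches, else 'default deny'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst and port == rule.port:
            return rule.label
    return "default deny"


def reachable(rules, src, hosts, port=5800):
    """List the hosts in `hosts` on which `src` can open `port`."""
    return [h for h in hosts if evaluate(rules, src, h, port) != "default deny"]


def outside_pool(ip):
    """A static address only escapes the broad rule if it is not in the pool."""
    return ipaddress.ip_address(ip) not in PPTP_POOL


if __name__ == "__main__":
    hosts = ["192.168.1.44", "192.168.1.89", "192.168.1.10"]  # constructed sample LAN hosts
    rules = [CUSTOMER_RULE, STAFF_RULE]
    print("customer at .79:", reachable(rules, "192.168.1.79", hosts))
    print("customer at .85:", reachable(rules, "192.168.1.85", hosts))
    print("staff at .81:   ", reachable(rules, "192.168.1.81", hosts))
```

With the customer at 192.168.1.79 only 192.168.1.44 is reachable; if the same user were given an address inside the /28 (for example .85), the broad staff rule would still match and every LAN host on port 5800 would be reachable.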
