PPTP clients to the LAN



  • Hello,
    We have a pfSense working as a VPN server in our network.
    Every IT team member can access our LAN from home using WinXP's PPTP client.
    But now we have a customer that needs to access one single host in our LAN.
    Something like:

    PPTP client ----> PPTP server ----> single host
      dhcp            192.168.1.249    192.168.1.89

    We have rules like:
    TCP  PPTP clients  *  LAN net  5800  ---> VNC

    But this is giving access to port 5800 for any host in the lan.
    Now since his public IP is unknown due to DHCP how can I limit his access to a single host?
    Like:
    TCP  PPTP clients  *  192.168.1.44  5800  ---> VNC
    But this will be superseded by the earlier rule, which means he can VNC any computer in our LAN  :(.
    Is there a way to set this up without knowing his public IP?
    Cheers



  • Create the PPTP user with the restricted access and assign it a special IP (don't use one out of the PPTP pool). Then create firewall rules at the PPTP tab for source this IP instead of PPTP clients. That's it.
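    To make the reasoning behind this answer concrete, here is an added example (not code from the thread or from pfSense) that models top-down, first-match rule evaluation on the PPTP tab. It uses the thread's values (pool 192.168.1.80/28, VNC on TCP 5800, target host 192.168.1.89); the LAN prefix 192.168.1.0/24 and the customer's fixed address 192.168.1.79 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# From the thread: PPTP pool 192.168.1.80/28, VNC on TCP 5800, target 192.168.1.89.
# Assumed for this example: LAN is 192.168.1.0/24, customer gets 192.168.1.79.
PPTP_POOL = ipaddress.ip_network("192.168.1.80/28")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
TARGET = ipaddress.ip_network("192.168.1.89/32")
CUSTOMER = ipaddress.ip_network("192.168.1.79/32")  # deliberately outside the pool

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None matches any destination port

def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Top-down, first match wins (pfSense interface rules are 'quick');
    anything that matches nothing hits the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return "block"

# Original PPTP-tab ruleset: any pool address reaches 5800 on any LAN host.
# A narrower rule placed after it can never fire, which is the "superseded"
# problem the question describes.
ORIGINAL = [
    Rule("pass", PPTP_POOL, LAN_NET, 5800),
    Rule("pass", PPTP_POOL, TARGET, 5800),   # shadowed by the rule above
]

# Suggested fix: key the customer's rule on a fixed address outside the pool.
# The staff rule keyed on the pool no longer matches him, so order is irrelevant.
FIXED = [
    Rule("pass", CUSTOMER, TARGET, 5800),
    Rule("pass", PPTP_POOL, LAN_NET, 5800),
]

def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules fully covered by an earlier rule, i.e. unreachable."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst) and e.dport in (None, r.dport):
                out.append(i)
                break
    return out
```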



  • @hoba:

    Create the PPTP user with the restricted access and assign it a special IP (don't use one out of the PPTP pool).

    What do you mean by "don't use one out of the PPTP pool"?



  • @rds_correia:

    @hoba:

    Create the PPTP user with the restricted access and assign it a special IP (don't use one out of the PPTP pool).

    What do you mean by "don't use one out of the PPTP pool"?

    He is talking about the set range of IPs that you define for the PPTP clients. Use an IP outside of that range.



  • Oh! Ok, I'll try that and let you know how it went.
    Thank you both ;).
    Cheers



  • Ok, I had a look at it but I didn't try anything yet because I got confused.
    Below you'll find 2 pics where you can clearly see that the IP network for my PPTP clients is 192.168.1.80/28.


    Do you mean that I should create a new user and set his IP address with, say, 192.168.1.79.
    That way he'll be outside the PPTP server addresses.
    But then again, how will the PPTP server know that this user is allowed to enter  ???
    Or maybe I'm completely wrong here and I didn't catch the tip you guys wrote a couple of posts above…
    Please, be so kind to...enlighten me  ;)
    Cheers



  • @rds_correia:

    Ok, I had a look at it but I didn't try anything yet because I got confused.
    Below you'll find 2 pics where you can clearly see that the IP network for my PPTP clients is 192.168.1.80/28.


    Do you mean that I should create a new user and set his IP address with, say, 192.168.1.79.
    That way he'll be outside the PPTP server addresses.
    But then again, how will the PPTP server know that this user is allowed to enter  ???
    Or maybe I'm completely wrong here and I didn't catch the tip you guys wrote a couple of posts above…
    Please, be so kind to...enlighten me  ;)
    Cheers

    Your 192.168.1.80/28 … 16 addresses, like noted just below what you have filled in ... starting at xxx.xxx.1.80 ... this is just a DHCP range for PPTP clients so that you can be specific with what you want them to do ... organization is the general purpose of this, would be my guess ... I could be wrong ... I don't know enough about it to say whether it is specific to PPTP or not. You can set it to xxx.xxx.1.79 and it will work just fine.



  • Thanks for explaining psychosematic :).
    I'll try it ASAP and let you know how it went ;).



  • Ok.
    Just to let you all know that it works.
    Thank you all for your help.
    Cheers

