
RRAS: VPN Routing and Packet Filtering


Stevehewitt

IS-IT--Management
Jun 7, 2001
P.S: This is a double post. Sorry, but the VPN forum looks pretty dead!

--------------------------------------------------------

Hi Guys,

Got a Windows 2003 Server with RRAS installed and working for VPN using PPTP.

Everything is working fine, with encrypted VPN traffic coming in past our firewall, hitting NIC1 on our RRAS box and connecting.

Essentially, as far as RRAS is concerned, NIC1 is VPN inbound traffic.
What I really want to do is set up RRAS so that all NIC1 traffic is packet filtered using Windows. E.g. I only want ports 3389 and 53 to be accessible for our VPN clients.

I have another NIC (NIC2). Whilst both NICs are technically on the same subnet and plugged into the same switch, once NIC1 gets the VPN inbound traffic I want it to route it all to NIC2, with packet filtering in between (for packets out of NIC1 to NIC2; NIC2 to NIC1 doesn't need to be packet filtered).

So is there a way for me to get the NIC1 inbound VPN traffic, packet filter it and then shove it out over NIC2?

Cheers in advance,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
Steve,
I started thinking about this, came up with this:

Could you use IPSec for the filtering? You got me on the "transfer" of data to NIC2 though. I started thinking of persistent routes, but really don't think that would do it. Then I started thinking of a hardware solution, but why have another piece of hardware if you have 2 NICs.

Maybe I'm making it more difficult (maybe you too?) than it needs to be....
 
Hi tfg13,

Yeah, I'm getting a bit stuck really. I was thinking of a persistent route, forcing all packets that come in on the VPN-in NIC to route to the LAN NIC, and then use the Windows packet filter to block all other than DNS/RDP - but I can't seem to get it working.

I'll probably end up cheating, and put the box in our DMZ, inbound to the DMZ to allow PPTP and GRE, and outbound is only RDP/DNS I suppose - got other issues that make me not want to do it that way but I guess it's the most obvious answer right?! :)

Cheers for the reply!

Steve.
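
As an added example (not from this thread), here is the "RDP and DNS only" filter set the original question asks for, expressed with the Windows Server 2003 RRAS `netsh routing ip` commands. The interface name "VPN-In" and the LAN range 192.168.1.0/24 are assumed placeholders, and the `action=drop` semantics are assumed to match the console's "Drop all packets except those that meet the criteria below" option.

```batch
@echo off
REM Added example: RRAS input filters so VPN clients can only reach
REM RDP (TCP 3389) and DNS (TCP/UDP 53) on the LAN.
REM Assumptions (placeholders, not values from the thread):
REM   - the RRAS interface carrying decrypted client traffic is "VPN-In"
REM   - the LAN behind NIC2 is 192.168.1.0/24
set IFACE="VPN-In"
set LAN=192.168.1.0
set LANMASK=255.255.255.0

REM Allow RDP from any VPN client to any LAN host (srcport=0 = any port)
netsh routing ip add filter name=%IFACE% filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%LAN% dstmask=%LANMASK% proto=tcp srcport=0 dstport=3389

REM Allow DNS over UDP and TCP
netsh routing ip add filter name=%IFACE% filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%LAN% dstmask=%LANMASK% proto=udp srcport=0 dstport=53
netsh routing ip add filter name=%IFACE% filtertype=input srcaddr=0.0.0.0 srcmask=0.0.0.0 dstaddr=%LAN% dstmask=%LANMASK% proto=tcp srcport=0 dstport=53

REM Default for anything not matched above: drop (assumed to be the
REM "drop all except those that meet the criteria" behaviour)
netsh routing ip set filter name=%IFACE% filtertype=input action=drop

REM Review what is now configured before relying on it
netsh routing ip show filter name=%IFACE%
```

Note that packets arriving on NIC1 from the Internet are still PPTP/GRE, so a filter bound to NIC1 cannot see the client's destination ports; the filter has to sit on the interface that carries the decrypted client traffic, which is why the example does not reference NIC1 directly.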
 