# MPD5 PPTP server: isolate users from each other



## babovand (Jan 17, 2013)

Hello guys

I'm currently running a working mpd5 pptp server setup, and I was wondering if there is any way to jail/isolate some users in mpd.secret, and some not.

For example, my home network ranges between 192.168.2.0 - 192.168.2.255
My mpd5 server is on 192.168.2.10

With my current setup, any user that is connected to my mpd5 server can access my other services (like web GUI) on different computers on my home network range, including the mpd5 server/services itself.

I basically want some users to have access to the home network IP range, and the rest of the users isolated from each other *and* my home network range.

Thanks!


----------



## Anonymous (Jan 18, 2013)

babovand said:

> I'm currently running a working mpd5 pptp server setup, and I was wondering if there is any way to jail/isolate some users in mpd.secret, and some not.
> 
> For example, my home network ranges between 192.168.2.0 - 192.168.2.255
> My mpd5 server is on 192.168.2.10
> ...



You can force different local IP addresses or IP ranges for different users in /usr/local/etc/mpd5/mpd.secret. Have a look at /usr/local/etc/mpd5/mpd.secret.sample.


```
user1       "pw1"       192.168.2.0/28
user2       "pw2"       192.168.2.0/28
user3       "pw3"       192.168.2.16/28
user4       "pw4"       192.168.2.16/28
user5       "pw5"       192.168.2.32/28
user6       "pw6"       192.168.2.32/28
```

Then, with the firewall you would restrict the one or the other local IP-range coming in via ng*.


----------



## babovand (Jan 18, 2013)

rolfheinrich said:

> Then, with the firewall you would restrict the one or the other local IP-range coming in via ng*.


I forgot to say that I knew about forcing an IP on a specific user in mpd.secret.

However, I'm totally noob at this, and I'm actually using a different FreeBSD distro, NAS4Free. Firewall is available and I also have ssh console access.

If it's not much to ask, could you guide me through it?

Here is a pic of the firewall interface, http://i45.tinypic.com/2d2gfo7.png

Options are:
Action: Allow, Deny, Reject
Interface: Lan
Protocol: UDP, TCP, ICMP, ALL
Direction: In, Out, Any.


----------



## Crest (Jan 18, 2013)

As of FreeBSD 9.1 IPFW supports tables of interfaces. Just use tables and add the ng* interfaces in the mpd hooks to the tables.


----------



## babovand (Jan 23, 2013)

Crest said:

> As of FreeBSD 9.1 IPFW supports tables of interfaces. Just use tables and add the ng* interfaces in the mpd hooks to the tables.


Thank you, but could you give me an example IPFW rule for this? And what is an mpd hook?


----------



## Anonymous (Jan 24, 2013)

ipfw(8) rules could be as follows:

```
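# Pool 192.168.2.0/28: no access to port 80 anywhere
ipfw add 10 deny ip from 192.168.2.0/28 to any 80 via 'ng*'
# Pool 192.168.2.16/28: may only reach the server itself
ipfw add 20 deny ip from 192.168.2.16/28 to not me via 'ng*'
# Pool 192.168.2.32/28: no access to host 192.168.2.100
ipfw add 30 deny ip from 192.168.2.32/28 to 192.168.2.100 via 'ng*'
# Everything else on the VPN interfaces is allowed
ipfw add 40 allow ip from any to any via 'ng*'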
```

Take care with the sequence numbers. The above logic is to put the deny rules first, before allowing everything else. You could also have it the other way around, i.e. allowing only specific access, and having a final rule blocking all the rest.

Note the wildcard * at the interface name ng*. net/mpd5 creates a new network interface for each connection, e.g. ng0, ng1, ng2, ..., and ng* matches all.
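Added example, not part of the original posts: a small Python model of ipfw's first-match evaluation, limited to the rule shape used in this thread, for checking what a ruleset decides for a given VPN client before loading it. The client addresses are constructed, and treating `me` as only 192.168.2.10 is a simplifying assumption.

```python
import ipaddress
from fnmatch import fnmatchcase

# Assumption: "me" is modelled as the server's LAN address only.
ME = ipaddress.ip_address("192.168.2.10")

# The thread's rules, with "from" written out and the glob quoted.
RULES = [
    "ipfw add 10 deny ip from 192.168.2.0/28 to any 80 via 'ng*'",
    "ipfw add 20 deny ip from 192.168.2.16/28 to not me via 'ng*'",
    "ipfw add 30 deny ip from 192.168.2.32/28 to 192.168.2.100 via 'ng*'",
    "ipfw add 40 allow ip from any to any via 'ng*'",
]

def parse_rule(line):
    """Parse: ipfw add N ACTION ip from SRC to [not] DST [PORT] via IFACE."""
    tok = line.split()
    dst = tok[tok.index("to") + 1 : tok.index("via")]
    negate = dst[0] == "not"
    dst = dst[1:] if negate else dst
    return {"num": int(tok[2]), "action": tok[3], "iface": tok[-1].strip("'"),
            "src": tok[tok.index("from") + 1], "dst": dst[0], "negate": negate,
            "port": int(dst[1]) if len(dst) > 1 else None}

def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return addr in ipaddress.ip_network(spec)

def decide(lines, src, dst, dport, iface):
    """Return (rule number, action) of the first matching rule, lowest number first."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(map(parse_rule, lines), key=lambda r: r["num"]):
        if (fnmatchcase(iface, r["iface"]) and addr_match(r["src"], src)
                and addr_match(r["dst"], dst) != r["negate"]
                and r["port"] in (None, dport)):
            return r["num"], r["action"]
    return None, "no rule matched"

if __name__ == "__main__":
    # Constructed client addresses, one per pool from mpd.secret.
    for src, dst, port in [("192.168.2.5", "192.168.2.50", 80),
                           ("192.168.2.20", "192.168.2.50", 22),
                           ("192.168.2.35", "192.168.2.50", 22)]:
        print(src, "->", dst, port, decide(RULES, src, dst, port, "ng0"))
```

The third flow falls through to rule 40: a client in 192.168.2.32/28 still reaches every home host except 192.168.2.100, so cutting a pool off from the whole home range means naming 192.168.2.0/24 as the destination of its deny rule.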


----------



## babovand (Jan 24, 2013)

Thank you!!!!! I will try this out and report back =)


----------

