# How do I allow access to my PPTP Windows Server 2008 R2 from the internet



## hiatek (Feb 15, 2010)

Hi,
I have set up a Windows Server 2008 R2 box to allow remote access to the network.
I have tested on the same network via a wireless connection that I can authenticate using the VPN connection, so I'm pretty sure the VPN is set.

Problem being getting access to it from outside the local LAN.

I am using FreeBSD 8.0 as a router/gateway/firewall and using pf as a firewall/NAT.

DSL MODEM <-> BSD 8.0 <-> Local LAN and Windows Server (single NIC).


Any help with this one would be great, I can't seem to turn much up with searches.


----------



## DutchDaemon (Feb 15, 2010)

Should we guess what the problem is and what your pf.conf looks like?


----------



## hiatek (Feb 15, 2010)

Problem is as described, I don't know how to set this up. It hasn't worked for me before and died. I just don't know how to get it to work.

/etc/pf.conf is as follows

```
# Firewall for Home or Small Office
# http://www.openbsd.org/faq/pf/example1.html
# Revised by ... on 01/12/2009


# macros
ext_if="tun0"
int_if="nfe0"

tcp_services="{ 22 }"
icmp_types="echoreq"

# tables
# ssh violations
table <ssh-violations> persist file "/etc/ssh-violations.txt"

#comp3="192.168.0.3"

# options
set block-policy drop
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# - Redirections
# - FTP proxy to local machine removed because ftp downloads would not work
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# - Squid Redirection
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 8080
#rdr on $ext_if proto tcp from any to any port 80 -> $comp3
# Bittorent virtual server/Port Forward
rdr on $ext_if proto tcp from any to ($ext_if) port 6881 -> 192.168.0.100 port 6881


# filter rules
block in all
pass out

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services
# Mail Filter
pass in on $ext_if proto tcp from any to any port 25 flags S/SA

# Bittorent Filter
pass in quick on $ext_if proto tcp from any to 192.168.0.100 port 6881
# Squid Filters
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
#pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
#    synproxy state

# Allow ping
pass in inet proto icmp all icmp-type $icmp_types

pass quick on $int_if no state

#Block hosts discovered as SSH violations
block drop in quick from <ssh-violations> to any
```


----------



## DutchDaemon (Feb 15, 2010)

You want to set up a VPN connection through the FreeBSD box to the Win server on the LAN? Find out which port and which protocol the VPN is using (e.g. OpenVPN uses 1194/udp or 1194/tcp by default) and set up an 'rdr' rule for it and matching pass rules. Somewhat like the bittorrent rule you already have.

Edit: noticed the 'pptp' bit, which is probably port 1723/tcp, and you'll need to allow GRE (protocol 47).

Something like this may work:


```
rdr pass on $ext_if inet proto gre from any to $ext_if -> $win_host
rdr pass on $ext_if inet proto tcp from any to $ext_if port 1723 -> $win_host
pass out quick on $int_if inet proto gre from any to $win_host keep state
pass out quick on $int_if inet proto tcp from any to $win_host port 1723 flags S/SA keep state
```

Unresearched, unrehearsed, and from mem. YMMV.
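
As an added illustration (not DutchDaemon's snippet and not part of the original thread), here is the same PPTP pass-through written out as a complete pf.conf fragment that fits the macro names from hiatek's ruleset. The `win_host` address is an assumption, as is the commented-out `pptp_clients` macro; `($ext_if)` in parentheses is used so that pf re-reads the tun0 address after a PPPoE reconnect instead of freezing the address that was current at load time.

```pf
# Added example, not from the thread: PPTP (1723/tcp + GRE, IP protocol 47)
# forwarded through a FreeBSD 8.0 / pf gateway to a Windows server on the LAN.
ext_if="tun0"
int_if="nfe0"
win_host="192.168.0.10"    # assumed LAN address of the Windows 2008 R2 server

# Optional: restrict which source networks may reach the VPN endpoint.
# Uncomment and replace 'any' in the rdr rules below with $pptp_clients.
#pptp_clients="{ 203.0.113.0/24 }"   # constructed example range

# Outbound NAT for the LAN; ($ext_if:0) follows the dynamic tun0 address.
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Control channel and data channel. In this pf version 'rdr' is evaluated
# before the filter rules, and 'rdr pass' both rewrites the destination and
# passes the packet in on $ext_if, so no separate 'pass in' on tun0 is needed.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 1723 -> $win_host
rdr pass on $ext_if inet proto gre from any to ($ext_if) -> $win_host

# LAN-side rules toward the server. Only needed when $int_if has block rules;
# with 'pass quick on $int_if no state' already in place they are redundant.
pass out quick on $int_if inet proto tcp from any to $win_host port 1723 flags S/SA keep state
pass out quick on $int_if inet proto gre from any to $win_host keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf`, and confirm the translations with `pfctl -s nat`. While a client is connected, `pfctl -s state` should show one tcp state for port 1723 and one gre state to `$win_host`; if only the tcp state appears, the GRE rule is the one to revisit, since the PPTP authentication happens over 1723/tcp but all tunnel traffic rides on GRE.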


----------



## hiatek (Feb 15, 2010)

Thanks so much for your time DutchDaemon, I will give it a try and post back on my results.


----------



## J65nko (Feb 15, 2010)

```
$ grep pptp /etc/services

pptp            1723/tcp                        # Point-to-Point Tunneling Protocol
pptp            1723/udp                        # Point-to-Point Tunneling Protocol
```
On my OpenBSD box.


----------



## hiatek (Feb 15, 2010)

In regards to the "pass out ..." rules, should they be "pass in ..."?
I'm not trying to be arrogant, just checking, that's all.

Thanks again for your time.


----------



## DutchDaemon (Feb 16, 2010)

The 'pass in' for the external interface is covered by 'rdr *pass*'. The 'pass out' part covers the _internal_ interface. If you don't have any block rules on your internal interface (or a 'skip') you can omit those.


----------



## hiatek (Feb 16, 2010)

DutchDaemon, you have made my day, a direct copy-paste of your configuration snippet has solved my issue.

Let me know where I can send a dollar (AU) via paypal.


----------



## DutchDaemon (Feb 16, 2010)

I'm not sure I can use AU dollars, because they're printed upside down.

Cheers mate.


----------



## hiatek (Feb 17, 2010)

I guess otherwise nominate a charity that accepts it, payment via paypal in AU dollars.


----------



## DutchDaemon (Feb 18, 2010)

http://www.freebsdfoundation.org/donate/


----------



## hiatek (Feb 18, 2010)

Done, ended up using the Groundspring service so I donated $1 US. Not sure if that's better or worse given the economy at the moment.


----------

