Multiple VPN connections behind NAT - windows-server-2003

I have the following problem:
I have a Windows 2003 RAS VPN server configured with a single NIC (let's call it LAN1) behind a firewall (let's call its public address WAN1). PPTP & L2TP ports are forwarded to the server.
When a client (Windows or LINUX) in a remote network behind a firewall (LAN2) tries to connect to a PPTP VPN on the WAN1 everything goes fine.
When a second client in the same LAN2 tries to connect to the same VPN on the same WAN1 I get an error 629.
It's independent of which machine gets the first connection.
Apparently the problem is also independent of the router/firewall hardware of LAN2 (we have tested it from at least five different types of remote small router/firewalls: Linksys, Huawei, D-Link, etc.).
The firewall WAN1 listens on two internet connections. The problem is independent of which external address the clients are pointing to (even if two different workstations point to different IP addresses to attempt to establish a VPN).
Inside LAN1, there is no such limitation and multiple workstations connect just fine.
There's also no limitation from different remote LANs.
Is this a limitation of PPTP protocol?
Thanx in advance.

From your description it sounds like the issue is at the remote end. You mention that when a second user from LAN2 attempts to reach the same VPN server at WAN1 you receive an error.
Depending on the firewall mechanism in use there can be a "limitation" that exists with regard to PPTP connection tracking and multiple VPN connections to the same server address.
Google: pptp multiple connections to same ip
Due to the way in which NAT tracks PPTP connections, specific modules need to be loaded in order to handle multiple connections to a single server.
If it's netfilter based, make sure 'nf_conntrack_pptp' and 'nf_nat_pptp' are loaded.
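As an added check (not part of the original answer), the script below audits a netfilter-based gateway for the PPTP pieces described above. It reads a /proc/modules-style listing, and also covers a caveat the answer predates: since Linux 4.7 conntrack helpers are no longer attached automatically, so the loaded modules need an explicit CT rule as well.

```shell
#!/bin/sh
# Added example, not from the original answer: audit a netfilter gateway for
# what PPTP needs so that several LAN clients can reach one VPN server.
# Reads /proc/modules-style text from the file given as $1 so it is testable.

# Print each required helper module that is absent from the module list.
missing_pptp_modules() {
    for mod in nf_conntrack_pptp nf_nat_pptp; do
        grep -q "^$mod " "$1" || echo "$mod"
    done
}

# Since Linux 4.7, conntrack helpers are not attached automatically
# (net.netfilter.nf_conntrack_helper defaults to 0), so loaded modules are
# not enough: the helper must be assigned with an explicit CT rule.
# Returns 0 when such a rule is required for the sysctl value given in $1.
ct_rule_required() {
    [ "$1" != "1" ]
}

# Remediation commands for the state found; nothing is executed here.
print_remediation() {
    mods=$(missing_pptp_modules "$1")
    [ -n "$mods" ] && echo modprobe $mods
    if ct_rule_required "$2"; then
        echo "iptables -t raw -A PREROUTING -p tcp --dport 1723 -j CT --helper pptp"
    fi
    return 0
}

# Run against the live system when its files are readable.
if [ -r /proc/modules ]; then
    helper=0
    [ -r /proc/sys/net/netfilter/nf_conntrack_helper ] && \
        read -r helper < /proc/sys/net/netfilter/nf_conntrack_helper
    print_remediation /proc/modules "$helper"
fi
```

The GRE tracking the PPTP data channel relies on is pulled in as a dependency of these modules, so it needs no separate step.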


linking virtual machine as server and client

I have multiple virtual machines (VMware, Linux) but would like to make one the server, meaning all the clients who want to access the internet use the server's internet, so the server is able to view all the incoming and outgoing data packets.
Also, I would like to install another virtual machine to act as an IDS to track the server packet, if anything is wrong it is able to flag out.
Thanks for your help in advance
You can set up one Linux server as the gateway for the others. All you need is to create two virtual Ethernet interfaces for it, one in bridged mode and the other in virtual network mode.
One will be bridged with your actual network and act as the WAN, and the other will act as a LAN gateway for the other VMs.
So the other VMs should use your server's virtual network IP address as their main gateway, and you can use tcpdump or Wireshark or whatever you like to sniff the forwarded traffic.
One thing you need to configure on the server is IP forwarding option in sysctl, which is disabled by default:
net.ipv4.ip_forward = 1
You may find more relevant information here too.
Hope it will help you.
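The gateway setup described in this answer, written out as an added example (not the answerer's script): IP forwarding, a default-deny FORWARD chain, masquerading towards the bridged side, and a capture on the LAN side. The interface names (eth0 bridged as WAN, eth1 host-only as LAN) and the 10.10.0.0/24 LAN prefix are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer: make one Linux VM the NAT
# gateway for the other guests and capture what they send through it.
# Interface names (eth0 bridged = WAN, eth1 host-only = LAN) and the LAN
# prefix 10.10.0.0/24 are assumptions; adjust to your VMware setup.

# Emit the forwarding and NAT rules as plain commands so they can be
# reviewed before being applied: WAN interface $1, LAN interface $2, LAN $3.
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $2 -o $1 -s $3 -j ACCEPT
iptables -A FORWARD -i $1 -o $2 -d $3 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $3 -o $1 -j MASQUERADE
EOF
}

# Make ip_forward survive a reboot; $1 is the sysctl drop-in file to write.
persist_ip_forward() {
    echo 'net.ipv4.ip_forward = 1' > "$1"
}

# Execute the rules (root required), then persist the sysctl setting.
apply_gateway() {
    gateway_rules "$1" "$2" "$3" | while read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
    persist_ip_forward /etc/sysctl.d/90-vm-gateway.conf
}

# Capture only the clients' forwarded traffic on the LAN side. A separate
# IDS VM on the same host-only network can see it too if VMware allows that
# interface to enter promiscuous mode.
sniff_lan() {
    exec tcpdump -ni "$1" -w "${2:-lan-traffic.pcap}" not arp
}

case "$1" in
    apply) apply_gateway "${WAN_IF:-eth0}" "${LAN_IF:-eth1}" "${LAN_NET:-10.10.0.0/24}" ;;
    sniff) sniff_lan "${LAN_IF:-eth1}" ;;
esac
```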

Access My Windows 7 Server by External IP from Machine on Local Network

I have set up a number of services on my home network (two security system DVRs and IIS on my Windows 7 machine).
All of these devices are behind two routers and have static IPs. I have configured port forwarding on both routers so that everything is accessible via my public IP address. When querying my public IP address from a machine outside of my local network, everything is 100% accessible and working as expected. However, when querying my public IP from a machine or device on my local network, the requests just time out with nothing served. The only way I can access these resources from a machine on my local network is by querying them by their local IP address.
To explain more clearly (using example IP's):
My Windows 7 machine (which has IIS setup, accessible over port 80) has a local IP of 192.168.1.100
My first security system DVR has a local IP of 192.168.1.101 and is accessible over port 5000
My second security system DVR has a local IP of 192.168.1.102 and is accessible over port 5001
My public (static) IP address is 222.222.222.222
When I am outside of my local network and I open http://222.222.222.222/ in my browser, my Windows 7 IIS website appears in my browser. When I am outside of my local network and I open http://222.222.222.222:5000/ in my browser, my first security system appears in my browser. Lastly, when I am outside of my local network and I open http://222.222.222.222:5001/ in my browser, my second security system appears in my browser.
However, when I am on my local network, I am unable to load any of these devices using my external IP address. The requests just timeout with nothing loaded. When I am on my local network the only way I can get these to load in my browser is by browsing directly to their local IP addresses in my browser.
I'm guessing that I somehow need to either A: get my request for my public IP when on my local network be first sent outside my local network and then sent back to it through my public IP or B: somehow detect if the public IP address is being queried from a local IP and if so, serve up those resources via their local IP...however I don't know if either of those are correct, and even if they are, I don't know how I'd go about doing it.
Can anybody point me in the right direction? All the machines on my local network I'd like to access these resources from are Windows 7 machines, if that makes a difference.
Ideally, you could utilize NAT loopback if your router(s) supports it. NAT Loopback Wiki
If your routers don't support NAT loopback, you may have to go with option B (better than A). Assuming you only need this functionality from one PC, you could mess with the routing tables. That would get really messy in Windows, but possible. AND you would have to track your dynamically changing external IP address somehow. I'll leave options A and B at "improbable" but I'd love for the community to prove me wrong =)

ZNC - Cheat IRC server's connections from ip limit

I want to connect more than 5 bouncers to my favourite irc network.
Unfortunately, server accepts only up to five connections from one IP.
How can I do it, and is it feasible?
I have only one server with one IP, but I have a domain with an unlimited number of subdomains.
You could use a proxy server.
http://en.wikipedia.org/wiki/Proxy_server
Either ask the network for a connection limit exemption (which a network should be able to give you if you explain why you need it), or you'll need a second IP or a second server - there's no way around this.
With a second machine, you could set up a bouncer on that machine (such as irssi with irssi-proxy), then connect ZNC to irssi. Alternatively, you could use SSH tunnelling to route your IRC connection through another machine.
Neither method is particularly good, multiple ZNC instances on multiple machines, or an exemption is probably the best way. Talk to the network staff about it and see what they can do.

Possible to connect to FTP site on LAN using external IP?

I've set up an FTP site using IIS 8 and am able to connect to it while inside the LAN using the local IP (192.168..), and connect fine from outside it using my external IP (so I know I set up port forwarding correctly). But I am unable to connect to the site using the external IP while inside the LAN (it just times out). Is this even possible, and if so how would I go about doing this?
I'd say probably not.
Port forwarding is part of the NAT translation which should only be done for data coming in via the external connection. There would be no reason for internal traffic to be translated.
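The NAT loopback mentioned in the previous question's answer and the in-LAN FTP access asked about here are the same hairpin problem. As an added example (not from either answer), these are the rules a Linux router would need, using the earlier question's addresses; the router's LAN address 192.168.1.1 and the interface name eth1 are assumptions.

```shell
#!/bin/sh
# Added example, not from either answer: hairpin ("NAT loopback") rules for a
# Linux router, using the earlier question's addresses. The router's LAN
# address 192.168.1.1 and the interface name eth1 are assumptions.
PUBLIC_IP=222.222.222.222
LAN_IF=eth1
LAN_NET=192.168.1.0/24
ROUTER_LAN_IP=192.168.1.1

# Emit one DNAT and one SNAT rule per "port:internal_host:internal_port"
# mapping given in $@. The DNAT rewrites the destination as the normal port
# forward does; the SNAT rewrites the source to the router so the internal
# host answers via the router rather than directly to the LAN client, which
# would otherwise see a reply from an address it never contacted and drop it.
hairpin_rules() {
    for map in "$@"; do
        port=${map%%:*}; rest=${map#*:}
        host=${rest%%:*}; hport=${rest#*:}
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -d $PUBLIC_IP -p tcp --dport $port -j DNAT --to-destination $host:$hport"
        echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $host -p tcp --dport $hport -j SNAT --to-source $ROUTER_LAN_IP"
    done
}

# The three services from the earlier question: IIS and the two DVRs.
MAPPINGS="80:192.168.1.100:80 5000:192.168.1.101:5000 5001:192.168.1.102:5001"

case "$1" in
    apply) hairpin_rules $MAPPINGS | while read -r cmd; do $cmd; done ;;
    *) hairpin_rules $MAPPINGS ;;
esac
```

For the FTP case the control connection on port 21 is handled the same way, but passive-mode data connections additionally need the ftp conntrack helper on the router.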

PPTP server - Clients still have original IP on the same server

I've configured Poptop (The PPTP Server for Linux) and it is working fine.
Clients are assigned different IP addresses which are visible publicly properly, e.g. on www.whatismyip.com.
But on the same server, all requests from clients are recognized as coming from the original IP addresses.
How do I make the server where pptpd is installed see the assigned IP addresses instead of the original ones? I understand that somehow traffic should be routed out to the Internet and back, but I'm not sure how.
