9.4. Subnetting and VLAN routing

OK, so this isn’t quite true VLAN routing, but we will (quite possibly) be working with a virtual network that doesn’t exist until a PPTP connection is made. If you have a better term for this, let me know and I will change it. We are, however, dealing with some virtual subnets: for instance, the “Remote Address Range” will be a /28, and PPTP clients will receive a subnet mask of 255.255.255.255 (ff.ff.ff.ff for all you hex people out there). Just ignore that and trust in the magic of the PPTP tunnel.

You can choose (as you will see later) to set the “Server Address” and “Remote Address Range” to exist inside the subnet that you defined for the LAN on the firewall (i.e. the IP address and subnet bit count you set for the LAN under Interfaces -> LAN on the m0n0wall menu). Our example uses this setup. Pros and cons? The major pro is that the firewall will allow traffic from this VLAN to route to the WAN (in most cases the Internet), and it is nice and easy. The con is that it allows people to route to the WAN; if you don’t want this, read the next paragraph.

You can also set up these two options with an IP range that is outside of your LAN designation. For example, LAN = 192.168.1.1/24 (really the 192.168.1.0/24 network) and the PPTP “Server Address” and “Remote Address Range” are set to 192.168.2.254 and 192.168.2.16/28 respectively. This will basically allow those using the PPTP connection to access the LAN, but the firewall will not route traffic for them to the WAN connection. Opt and WiFi networks will also be isolated, depending on how you are routing to those networks and whether they are in the same network segment (subnet) as the LAN.
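The two placements described in the last two paragraphs can be checked before you type the values into the firewall. The following is an added example, not part of m0n0wall or the original handbook: check_pptp_plan is a hypothetical helper, the "inside" addresses are constructed, and the wan_routed value only restates the routing behaviour described above rather than testing the firewall.

```python
import ipaddress

def check_pptp_plan(lan_if, server_addr, remote_range):
    """Classify a PPTP address plan relative to the LAN subnet (hypothetical helper)."""
    lan = ipaddress.ip_interface(lan_if).network   # 192.168.1.1/24 -> 192.168.1.0/24
    server = ipaddress.ip_address(server_addr)
    problems = []
    try:
        remote = ipaddress.ip_network(remote_range, strict=True)
    except ValueError:
        # Start address is not on a block boundary, e.g. 192.168.2.20/28.
        remote = ipaddress.ip_network(remote_range, strict=False)
        problems.append(f"range not aligned; enclosing block is {remote}")
    if remote.prefixlen != 28:
        problems.append("remote address range is not a /28")
    if server in remote:
        problems.append("server address lies inside the client range")

    if remote.subnet_of(lan):
        placement = "inside-lan"
    elif remote.overlaps(lan):
        placement = "partial-overlap"
        problems.append("client range only partly overlaps the LAN subnet")
    else:
        placement = "outside-lan"

    # Routing outcome as the text above describes it, not a firewall test.
    wan_routed = {"inside-lan": True, "outside-lan": False}.get(placement)
    return {
        "lan": str(lan),
        "placement": placement,
        "server_in_lan": server in lan,
        "first": str(remote[0]),
        "last": str(remote[-1]),
        "wan_routed": wan_routed,
        "problems": problems,
    }

if __name__ == "__main__":
    plans = [
        # Constructed "inside the LAN" plan.
        ("192.168.1.1/24", "192.168.1.254", "192.168.1.192/28"),
        # The "outside the LAN" values from the text.
        ("192.168.1.1/24", "192.168.2.254", "192.168.2.16/28"),
    ]
    for plan in plans:
        print(plan, "->", check_pptp_plan(*plan))
```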

Remember that when you set up a PPTP connection (especially on Windows), all network traffic from that workstation is going to be sent via the PPTP tunnel.