10.4. Subnetting and routing

We are dealing with some virtual subnets. The “Remote Address Range” will be a /28, and PPTP clients will receive a subnet mask of 255.255.255.255 (ff.ff.ff.ff for all you HEX people out there). Just ignore that and trust in the magic of the PPTP tunnel.

You can choose (as you will see later) to set the “Server Address” and “Remote Address Range” to exist inside the subnet that you defined for the LAN on the firewall (e.g. the IP address and subnet bits you set for the LAN under Interfaces → LAN on the SmallWall menu). Our example uses this setup. A major advantage of this is that the firewall will allow traffic from this Pretend Network to route to the WAN (in most cases the Internet), and it is nice and easy. It also gives external users access to internal resources, even if those resources do not have a default gateway set.

You can also set up these two options with an IP range that is outside of your LAN designation. For example, LAN = 192.168.1.1/24 (really the 192.168.1.0/24 network), with the L2TP “Server Address” and “Remote Address Range” set to 192.168.2.254 and 192.168.2.16/28 respectively. This will basically allow those using the L2TP connection to access the LAN, but will allow you to block access to the WAN connection. Opt and WiFi networks will also be isolated, depending on how you are routing to those networks and whether they are in the same network segment (subnet) as the LAN.
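The two layouts described above can be checked before the values are entered. The following Python sketch is an added example, not part of the SmallWall handbook or code. The function name, the placement labels, the constructed inside-LAN sample values and the rule that the Server Address must not sit inside the client range are assumptions of this example.

```python
import ipaddress

def classify_vpn_addressing(lan_interface, server_address, remote_range):
    """Report where a Server Address / Remote Address Range pair sits
    relative to the LAN subnet, plus any addressing problems found."""
    # 192.168.1.1/24 is an interface address; its network is 192.168.1.0/24
    lan = ipaddress.ip_interface(lan_interface).network
    server = ipaddress.ip_address(server_address)
    problems = []
    try:
        # strict=True rejects a range whose start is not on a prefix boundary
        remote = ipaddress.ip_network(remote_range, strict=True)
    except ValueError:
        remote = ipaddress.ip_network(remote_range, strict=False)
        problems.append(f"range start is not aligned; containing block is {remote}")
    if remote.prefixlen != 28:
        problems.append("Remote Address Range is not a /28")
    if server in remote:
        # Assumption of this example: the server end needs its own address
        problems.append("Server Address lies inside the client range")

    server_in_lan = server in lan
    if remote.subnet_of(lan) and server_in_lan:
        placement = "inside-lan"    # tunnel clients look like LAN hosts
    elif not remote.overlaps(lan) and not server_in_lan:
        placement = "outside-lan"   # separate subnet, can be filtered apart from the LAN
    else:
        placement = "mixed"
        problems.append("Server Address and range are on different sides of the LAN boundary")
    return {"lan": str(lan), "clients": str(remote),
            "placement": placement, "problems": problems}

if __name__ == "__main__":
    samples = [
        ("192.168.1.1/24", "192.168.2.254", "192.168.2.16/28"),   # values from the text
        ("192.168.1.1/24", "192.168.1.254", "192.168.1.192/28"),  # constructed
        ("192.168.1.1/24", "192.168.1.254", "192.168.1.200/28"),  # constructed, misaligned
    ]
    for sample in samples:
        print(sample, "->", classify_vpn_addressing(*sample))
```

A "mixed" result or a non-empty problem list is worth resolving first, because firewall rules written for one layout will not match traffic from the other.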

Remember that when you set up an L2TP connection (especially on Windows), all network traffic from that workstation is going to be sent via the L2TP tunnel.