OS X server VPN question. Restricting LAN access.

Discussion in 'Mac OS X Server, Xserve, and Networking' started by paulpet, Nov 8, 2009.

  1. paulpet macrumors member

    Joined:
    Sep 7, 2006
    #1
    Hello,

    I'm playing around with OS X server VPN and was wondering if there is any way to restrict access to only certain IP addresses (even better, to specific ports)?

    Clients connect to say 192.168.1.0/24 and I only want them to be able to access an internal web server at 192.168.1.100 and nothing else on the subnet.

    Any ideas on the best way to achieve this? Could I use the built in firewall with OS X server?

    ..or should I have the client VPN network be on a different subnet (eg. 192.168.2.0/24) and then have an intermediate router/firewall take care of restricting access?

    Any suggestions/examples would be greatly appreciated!

    Thanks!
    -Paul
     
  2. belvdr macrumors 603

    Joined:
    Aug 15, 2005
    #2
  3. paulpet thread starter macrumors member

    Joined:
    Sep 7, 2006
    #3
    Thanks for the response, I'd already read that, but it's not what I'm after. That article seems to be showing how to restrict certain users from establishing a connection to the VPN service.

    I'm trying to restrict access to only certain network addresses once a user connects to the OS X server VPN.


    Thanks.
    -Paul
     
  4. belvdr macrumors 603

    Joined:
    Aug 15, 2005
    #4
    Well here's another stab:

    http://www.maclive.net/sid/132

    Scroll down to Network Routing Definitions. Define a host (an IP with a 255.255.255.255 mask) and define as private. Also, whatever you do, avoid PPTP.
     
  5. paulpet thread starter macrumors member

    Joined:
    Sep 7, 2006
    #5
    :)

    Thanks, I'd already tried/read that as well. For the record I'm using OS X server 10.5.

    A network routing definition does seem like the way to go, but for the life of me I cannot get it to restrict to a single IP address, even when I use a /32 network mask.

    192.168.1.100/255.255.255.255 Private provides no access at all to anything.

    192.168.1.100/255.255.255.255 Public provided access, but to all machines on the /24 subnet.

    I'm using an iPhone to test the connectivity from outside the network, and I'm starting to wonder if maybe it's a quirk with the VPN client.
     
  6. belvdr macrumors 603

    Joined:
    Aug 15, 2005
    #6
    Could be, but you may also need to add in the external and internal IPs of the VPN server.
     
  7. extrachrispy macrumors regular


    Joined:
    Jul 29, 2009
    Location:
    Austin, Texas
    #7
    You could try allocating your VPN client addrs from a different CIDR pool, and then firewall them out of everything but the one host to which you want them to be able to connect.
     
  8. paulpet thread starter macrumors member

    Joined:
    Sep 7, 2006
    #8
    Success!

    So I just wanted to follow up with this to say that I have things working in an acceptable way.

    I basically did what extrachrispy suggested and created a separate subnet for the VPN pool of addresses, and also on that same (VPN) server I enabled the firewall with rules to prevent access to the main LAN except for the intranet server.

    Thanks for the responses and suggestions!

    -Paul
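As an added illustration of the final setup (this is not code from the thread or from OS X Server), here is a small first-match evaluator in the style of ipfw, the firewall behind 10.5 Server's Firewall service. The VPN pool is assumed to be 192.168.2.0/24 as suggested earlier in the thread; the ipfw rule text is shown only to make the rule shape concrete.

```python
import ipaddress

# Constructed addresses mirroring the thread: VPN clients get their own
# subnet, the LAN is 192.168.1.0/24, the intranet web server is .100.
VPN_POOL = ipaddress.ip_network("192.168.2.0/24")
LAN = ipaddress.ip_network("192.168.1.0/24")
WEB_SERVER = ipaddress.ip_network("192.168.1.100/32")

# First-match rule list: (action, proto, src_net, dst_net, dst_port).
# proto "ip" and port None mean "any". Order matters: the allow for the
# web server must sit above the deny for the rest of the LAN.
RULES = [
    ("allow", "tcp", VPN_POOL, WEB_SERVER, 80),
    ("deny", "ip", VPN_POOL, LAN, None),
]


def evaluate(src, dst, proto, dst_port):
    """Return the action of the first rule matching the packet.

    Traffic the list does not cover falls through to "allow", which is
    the assumed behaviour for non-LAN destinations such as the internet.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in RULES:
        if r_proto != "ip" and r_proto != proto:
            continue
        if src not in r_src or dst not in r_dst:
            continue
        if r_port is not None and r_port != dst_port:
            continue
        return action
    return "allow"


def render_ipfw():
    """Render RULES as ipfw-style lines (syntax assumed, for illustration)."""
    lines = []
    for i, (action, proto, src, dst, port) in enumerate(RULES, start=1):
        line = f"add {i * 100} {action} {proto} from {src} to {dst}"
        if port is not None:
            line += f" {port}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(render_ipfw()))
    print(evaluate("192.168.2.10", "192.168.1.100", "tcp", 80))  # allow
    print(evaluate("192.168.2.10", "192.168.1.50", "tcp", 22))   # deny
```

Anything else a VPN client legitimately needs on the LAN, such as the DNS or the VPN server's own internal address that belvdr mentioned in #6, needs its own allow rule above the deny.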
     