#6
Old 22nd November 2010
DNAeon
Shell Scout
 
Join Date: Sep 2008
Location: Bulgaria
Posts: 138

Hi,

Here's what you can try as well.

1) My mpd.conf file is almost the same as yours, except that I don't have mpd.links.

2) pf.conf configuration

What I understood is that your mpd5 daemon is running on your external IP, right?

Your internal network is 10.0.0.0/24, which also includes the IP pool for mpd (10.0.0.50 - 10.0.0.100).

Upon a new PPTP connection mpd will automatically create a new ngX interface associated with that specific connection. In your PF configuration you are limited to only one PPTP connection, so instead of allowing that specific ng0 interface, allow the IP pool from mpd.conf.

Here are some parts from my pf.conf that you might find useful to fit into your configuration:

Code:
# --- MACROS section ---
ext_if = "re0"
int_if = "fxp0"

# --- pptp services ---
# PPTP uses TCP port 1723 for the control channel; the tunnel itself is
# IP protocol 47 (GRE), which is not a port and is matched with "proto gre".
PPTP_PORT = "1723"

# --- hosts with internet access (the mpd pool 10.0.0.50-10.0.0.100 is inside) ---
table <allowed> { 10.0.0.0/24 }

# --- OPTIONS section ---
set skip on lo0

# --- SCRUB section ---
scrub in all

# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> ($ext_if)

# --- FILTER RULES ---

# --- default policy ---
block log all

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---

pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# --- EXTERNAL interface ---

# --- pass incoming pptp connections to the pptp server (control + GRE tunnel) ---
pass in quick on $ext_if inet proto tcp from any to $ext_if port $PPTP_PORT keep state
pass in quick on $ext_if inet proto gre from any to $ext_if keep state

pass out quick on $ext_if inet from any to any keep state
In the above configuration the hosts from the table <allowed> get access to the internet, and since your IP pool from mpd is in that network, all clients connecting to your pptp client will have internet access too.

My setup differs from yours in only one more thing: my pptp server runs on the internal network, so I just have an additional rdr rule to pass the traffic.

Let me know if that works for you.

Regards,
__________________
"I never think of the future. It comes soon enough." - A.E

Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org
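The rdr variant described in this post (PPTP server on the internal network), written out as an added example that is not DNAeon's own pf.conf. It assumes re0/fxp0 as above and an assumed internal mpd5 host at 10.0.0.2; the point it adds is that GRE must be redirected and passed as a protocol, not as a port.

```pf
# Added example, not from the original post. Assumed: external re0, internal
# fxp0, and 10.0.0.2 as the LAN address of the mpd5 PPTP server.
ext_if = "re0"
int_if = "fxp0"
pptp_srv = "10.0.0.2"

# Hosts allowed out through NAT; the mpd pool 10.0.0.50-10.0.0.100 from the
# post lies inside this network, so tunnelled clients get NAT as well.
table <allowed> { 10.0.0.0/24 }

set skip on lo0
scrub in all

nat on $ext_if from <allowed> to any -> ($ext_if)

# PPTP is TCP/1723 for control plus IP protocol 47 (GRE) for the tunnel.
# GRE has no ports, so it needs its own rdr/pass rules using "proto gre".
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1723 -> $pptp_srv
rdr on $ext_if inet proto gre from any to ($ext_if) -> $pptp_srv

block log all
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# Filter rules see the translated destination, so match on the LAN host.
pass in quick on $ext_if inet proto tcp from any to $pptp_srv port 1723 keep state
pass in quick on $ext_if inet proto gre from any to $pptp_srv keep state
pass out quick on $ext_if inet from any to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; if the control connection succeeds but the tunnel never comes up, `tcpdump -n -e -ttt -i pflog0 proto gre` on the firewall shows whether GRE is the part being dropped by `block log all`.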