[ previous ] [ next ] [ threads ]
 From:  "Quark IT - Hilton Travis" <hilton at quarkit dot com dot au>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Problems Routing Redirected PPTP Traffic Out To the WAN
 Date:  Wed, 22 Dec 2004 06:45:36 +1000
Hi Michael

> -----Original Message-----
> From: Michael & Beth Pope [mailto:spotnruby at gmail dot com] 
> Sent: Saturday, 18 December 2004 08:36
> I have recently installed a generic PC m0n0wall v.1.11 in front of a
> small business network. The firewall has a single LAN interface and a
> single WAN interface. The firewall is set to forward PPTP VPN traffic
> to the IP address of a PPTP server. Client VPN connections are set to
> use the default gateway on remote network. Everything is working great
> except for one thing: PPTP clients cannot access the Internet while
> connected via VPN. I have the "Log packets blocked by the default
> rule" setting enabled and I see in the Firewall log that port 80
> traffic is being blocked on the LAN If from the PPTP client's internal
> IP to the external Web IP.

A gefault gateway is just that - a *default* gateway.  If a PPTP client
(on your network, I assume from the description above) connects to a
remote PPTP server, they have their default gateway changed from its
previous setting (I'm assuming this was the internal m0n0wall IP) to the
remote network (you didn't say whether it was pointing to the actual
default gateway on the remote network, or to the PPTP endpoint/server on
the remote network, so I'm assuming its pointing to the PPTP Server on
the remote network).

Now, you also don't say whether the "Log packets blocked by default
rule" message is in your local m0n0wall logs, or the logs of the remote
network's m0n0wall, so I'll assume the most likely - the local m0n0wall

Well, if the local client used to work fine (before the PPTP connection)
then this is good - it means that TCP/IP is configured correctly
locally.  If they then establish a PPTP connection to a remote server
and have their default gateway changed to this remote network, then
there's no way that this client can now know to send Internet traffic to
anywhere but the remote network - there's no longer a *local* default
gateway - its been changed to the remote network.

The best suggestion I have right now is to not use the "default gateway"
on the remote network for the PPTP session - it should not be needed as
the PPTP session should set up a route for traffic to the remote network
and not use a "default" gateway.  This leaves your regular default
gateway still configured on these machines, making local traffic, PPTP
traffic anf unknown network (Internet) traffic work.

> My question is how can I open this up? I understand that firewall
> rules on the PPTP If are only good if the m0n0wall is the PPTP server.
> They are inapplicable when the m0n0wall is redirecting the PPTP
> traffic. On the LAN interface, I have the following rules:

Mentioned above.  You should, however, let us know a bit more about the
actual configuration there, so we can get a better picture of your
network configuration.

> Any Proto> LAN net, any port>any destination, any port>Pass
> Any Proto> any source, any port>any destination, any port>Pass
> I know the second is kinda redundant but I was seeing if that would
> work, which it doesn't.

These will do SFA as the default gateway is redirecting traffic over the
PPTP connection, not out through your firewall's WAN connection.

> Is there any additional information I can provide to make 
> this clearer?

Yup.  :)



Hilton Travis                          Phone: +61 (0)7 3344 3889
(Brisbane, Australia)                  Phone: +61 (0)419 792 394
Manager, Quark IT                      http://www.quarkit.com.au
         Quark AudioVisual             http://www.quarkav.net

http://www.threatcode.com/ <-- its now time to shame poor coders 
into writing code that is acceptable for use on today's networks

War doesn't determine who is right.  War determines who is left.