 
 From:  William Arlofski <waa dash m0n0wall at revpol dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Internal machines accessing PPTP clients
 Date:  Tue, 11 Jan 2005 13:42:04 -0500
Sorry for such a long post, but I can't find anything similar to my 
problem in the list archives, and I can not think of a quicker way to 
resolve this.

I am having an issue allowing Internal workstations access to external 
PPTP clients.  The Internal workstations I am referring to are NOT on 
M0n0wall's "LAN Network" but are on a separate, private network 
connected to M0n0wall's "LAN Network" by a Linux Iptables Firewall.

M0n0wall is blocking these Internal machines from connecting TO remote 
PPTP clients, but is allowing clients on its "LAN network" to connect to 
these very same PPTP clients.

Below is an ASCII art drawing of the network in question, followed by 
additional info.  Any help would be appreciated.



		    +-------------+
	            | PPTP Client |
		    +-------------+
			   |
		      +----+----+
      	+------------>| Internet| <-------------+
	|	      +---------+		|
	|					|
	|xx.xx.xx.xx				|xx.xx.xx.xx+1
+------------------+.1               .2 +------------------+
|IPtables firewall |------------------+>| m0n0 v1.2b3/WRAP |
+------------------+ (192.168.100/24) | +------------------+
	|			      |
	|(192.168.1.1)		      |   +-------------+
	|			      +---| Test client |
	|			     .100 +-------------+
	|(192.168.1.9)
  +------------+
  |  Internal  |
  | Workstation|
  +------------+


- All networks are /24

- There is an additional (not shown) 192.168.2.0/24 LAN routed 
separately, but not relevant to this problem.

- M0n0wall LAN IP is 192.168.100.2

- PPTP clients are 192.168.100.16-30/28

- PPTP clients have been allowed - via very restrictive rules on the 
Linux Iptables firewall server - access to specific internal servers, on 
specific ports.  This works as expected.

- Customer also wants VNC access (port 5900-5902) to connected PPTP 
clients from Internal workstation on 192.168.1.0/24 network.

- Rules to allow 192.168.1.0/24 to access PPTP clients on ports 
5900-5902 are in place on Linux IPtables firewall and on M0n0wall. 
Actually, for testing purposes there are rules to allow ALL traffic from 
192.168.1.0/24 and 192.168.2.0/24 to m0n0.

- VNC packets from internal workstation (192.168.1.9) are properly being 
passed by the IPtables firewall, and are hitting the M0n0wall box but 
are being blocked by M0n0wall's @0:16 default block rule. Here is a snip 
from remote syslog server:

  Jan 10 21:31:55 192.168.100.2 ipmon[78]: 21:31:55.083569 ng1 @0:16 b 
192.168.1.9,33161 -> 192.168.100.16,5900 PR tcp len 20 60 -S OUT

Here are the group 0 rules from status.php on the M0n0wall:
(BTW, I prefer my WAN interface to be number "0" so sis0 is WAN and sis1 
is LAN)

@1 pass out quick on lo0 from any to any
@2 pass out quick on sis1 proto udp from 192.168.100.2/32 port = 67 to 
any port = 68
@3 pass out quick on sis1 from 192.168.100.0/24 to 192.168.1.0/24
@4 pass out quick on sis1 from 192.168.1.0/24 to 192.168.100.0/24
@5 pass out quick on sis1 from 192.168.100.0/24 to 192.168.2.0/24
@6 pass out quick on sis1 from 192.168.2.0/24 to 192.168.100.0/24
@7 pass out quick on sis0 proto udp from any port = 68 to any port = 67
@8 pass out quick on sis0 proto udp from MonoWanIP/32 port = 500 to any
@9 pass out quick on sis0 proto esp from MonoWanIP/32 to any
@10 pass out quick on sis0 proto ah from MonoWanIP/32 to any
@11 pass out quick on sis1 proto udp from 192.168.100.2/32 port = 500 to any
@12 pass out quick on sis1 proto esp from 192.168.100.2/32 to any
@13 pass out quick on sis1 proto ah from 192.168.100.2/32 to any
@14 pass out quick on sis1 from any to any keep state
@15 pass out quick on sis0 from any to any keep state
@16 block out log quick from any to any

- VNC from test client on 192.168.100/24 LAN to PPTP clients works as 
expected.

If any additional information is required, please ask. I'd like to 
either resolve this or tell my client that it is not possible.


Thanks in advance.


Bill Arlofski
waa dash m0n0wall at revpol dot com
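As an added example, not part of the original post: this script parses the ipmon line quoted above and replays the packet against the group 0 rules as listed, using ipfilter's "quick" first-match semantics, to show which rule fires and what would have happened had the same packet left on sis1 instead of ng1. It deliberately ignores state-table entries ("keep state") and the other rule groups, so it only explains the stateless group 0 path; the port and protocol qualifiers on @2 and @7-@13 are dropped because they cannot match a TCP/5900 packet.

```python
import ipaddress
import re

# The ipmon log line quoted in the post (the blocked VNC packet).
LOG_LINE = ("Jan 10 21:31:55 192.168.100.2 ipmon[78]: 21:31:55.083569 ng1 @0:16 b "
            "192.168.1.9,33161 -> 192.168.100.16,5900 PR tcp len 20 60 -S OUT")

IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<act>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) .*?(?P<dir>IN|OUT)$")

def parse_ipmon(line):
    """Extract interface, rule hit, verdict and addresses from an ipmon packet line."""
    m = IPMON_RE.search(line)
    if not m:
        raise ValueError("not an ipmon packet line")
    d = m.groupdict()
    return {"iface": d["iface"], "rule": int(d["rule"]), "blocked": d["act"] == "b",
            "src": d["src"], "dst": d["dst"], "proto": d["proto"], "dir": d["dir"].lower()}

# Group 0 rules from the post, reduced to (number, action, interface or None
# for any, source net, destination net). Port/proto-qualified rules omitted.
RULES = [
    (1, "pass", "lo0", "0.0.0.0/0", "0.0.0.0/0"),
    (3, "pass", "sis1", "192.168.100.0/24", "192.168.1.0/24"),
    (4, "pass", "sis1", "192.168.1.0/24", "192.168.100.0/24"),
    (5, "pass", "sis1", "192.168.100.0/24", "192.168.2.0/24"),
    (6, "pass", "sis1", "192.168.2.0/24", "192.168.100.0/24"),
    (14, "pass", "sis1", "0.0.0.0/0", "0.0.0.0/0"),
    (15, "pass", "sis0", "0.0.0.0/0", "0.0.0.0/0"),
    (16, "block", None, "0.0.0.0/0", "0.0.0.0/0"),
]

def first_match(pkt, rules=RULES):
    """All listed rules are 'quick': the first rule whose interface and
    addresses match decides the packet. Returns (rule number, action)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for num, action, iface, snet, dnet in rules:
        if iface is not None and iface != pkt["iface"]:
            continue
        if src in ipaddress.ip_network(snet) and dst in ipaddress.ip_network(dnet):
            return num, action
    return None, "default"

if __name__ == "__main__":
    pkt = parse_ipmon(LOG_LINE)
    print("as logged on", pkt["iface"], "->", first_match(pkt))
    print("same packet on sis1 ->", first_match(dict(pkt, iface="sis1")))
```

Because no pass rule in group 0 names ng1, every outbound packet on the PPTP interface that has no matching state entry falls through to @16, which is consistent with the log line; the same packet on sis1 would be passed by @4.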