 From:  Goetz Goerisch <ggoerisch at gmx dot net>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP Pass-Through broken [1.2b2/3]
 Date:  Sun, 16 Jan 2005 00:07:29 +0100
Hi Manuel,

On Jan 15, 2005, at 10:12 PM, Manuel Kasper wrote:

> On 15.01.2005 09:31 +0100, Goetz Goerisch wrote:
>
>> I have found today, that the PPTP Pass-Through in the default
>> configuration is partly broken with 1.2b1 and completely broken
>> with 1.2b2/3.
>
> If it's completely broken, how come it works for me then? (1.2b3)

It worked (w/ PPTP server inactive) today with 1.2b3 for me too! :-)


>> Was there something changed, that one has to add some NAT/FW rules
>> to allow PPTP Pass-Through explicitly?
>
> Can't remember making any changes that would produce this issue.
> However, when using PPTP pass-through, always remember this: ipnat
> does not treat PPTP's GRE tunnels specially, which means that you can
> only have one concurrent connection to any given PPTP server on WAN
> (and before anyone suggests it, no, last time I checked pf didn't do
> this either; ipfilter 4 does, though, but it doesn't look mature
> yet). I.e. it's not possible for two different clients on your LAN to
> connect to the same PPTP server on WAN at the same time. This also
> means that after disconnecting from a PPTP server, it takes a few
> minutes for the NAT table entry to expire until you can connect to
> the same PPTP server with a different client.

It's only one client trying to access a PPTP server and I flushed the 
NAT tables between the tries.

>> I'm pleased to help to nail down this issue. m0n0wall is such a
>> wonderful product.
>
> Check the filter logs for signs of blocked packets that should have
> been passed. Use a packet sniffer on both the LAN and WAN sides of
> your m0n0wall and watch for GRE and TCP port 1723 traffic to find out
> what's going wrong.
>

I couldn't find any packets to port 1723 blocked.
Below is a log snippet:
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.217705 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 44 -AS K-S IN
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.217798 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 44 -AS K-S OUT
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.218134 sis0 @100:3 p 10.1.1.19,49748 -> 213.54.183.228,1723 PR tcp len 20 40 -A K-S IN
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.218259 ng0 @100:3 p 172.179.123.253,5916 -> 213.54.183.228,1723 PR tcp len 20 40 -A K-S OUT
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.218399 sis0 @100:3 p 10.1.1.19,49748 -> 213.54.183.228,1723 PR tcp len 20 196 -AP K-S IN
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.218467 ng0 @100:3 p 172.179.123.253,5916 -> 213.54.183.228,1723 PR tcp len 20 196 -AP K-S OUT
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.345095 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S IN
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.345172 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S OUT
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.361780 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 196 -AP K-S IN
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.361845 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 196 -AP K-S OUT
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.362230 sis0 @100:3 p 10.1.1.19,49748 -> 213.54.183.228,1723 PR tcp len 20 208 -AP K-S IN
Jan 16 00:02:05 m0n0wall ipmon[77]: 00:02:05.362311 ng0 @100:3 p 172.179.123.253,5916 -> 213.54.183.228,1723 PR tcp len 20 208 -AP K-S OUT
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.461745 sis0 @0:16 b 10.1.1.19,49595 -> 17.250.248.64,993 PR tcp len 20 113 -AFP IN
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.485245 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S IN
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.485323 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S OUT
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.493570 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S IN
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.493635 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S OUT
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.512553 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 72 -AP K-S IN
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.512619 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 72 -AP K-S OUT
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.540681 sis0 @100:3 p 10.1.1.19,49748 -> 213.54.183.228,1723 PR tcp len 20 64 -AP K-S IN
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.540765 ng0 @100:3 p 172.179.123.253,5916 -> 213.54.183.228,1723 PR tcp len 20 64 -AP K-S OUT
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.652556 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S IN
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.652635 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S OUT
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.660634 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S IN
Jan 16 00:02:06 m0n0wall ipmon[77]: 00:02:05.660701 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S OUT
Jan 16 00:02:09 m0n0wall ipmon[77]: 00:02:08.462473 sis0 @0:16 b 10.1.1.19,49615 -> 17.250.248.64,993 PR tcp len 20 112 -AFP IN
Jan 16 00:02:13 m0n0wall ipmon[77]: 00:02:12.963559 sis0 @0:16 b 10.1.1.19,49612 -> 17.250.248.64,993 PR tcp len 20 113 -AFP IN
Jan 16 00:02:21 m0n0wall ipmon[77]: 00:02:20.465027 sis0 @0:16 b 10.1.1.19,49585 -> 217.11.48.105,143 PR tcp len 20 68 -AFP IN
Jan 16 00:02:21 m0n0wall ipmon[77]: 00:02:21.154113 ng0 @0:16 b 217.11.48.105,143 -> 172.179.123.253,5905 PR tcp len 20 77 -AFP IN
Jan 16 00:02:23 m0n0wall ipmon[77]: 00:02:22.446603 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 56 -AP K-S IN
Jan 16 00:02:23 m0n0wall ipmon[77]: 00:02:22.446683 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 56 -AP K-S OUT
Jan 16 00:02:23 m0n0wall ipmon[77]: 00:02:22.447110 sis0 @100:3 p 10.1.1.19,49748 -> 213.54.183.228,1723 PR tcp len 20 60 -AP K-S IN
Jan 16 00:02:23 m0n0wall ipmon[77]: 00:02:22.447190 ng0 @100:3 p 172.179.123.253,5916 -> 213.54.183.228,1723 PR tcp len 20 60 -AP K-S OUT
Jan 16 00:02:23 m0n0wall ipmon[77]: 00:02:22.563328 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S IN
Jan 16 00:02:23 m0n0wall ipmon[77]: 00:02:22.563427 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S OUT
Jan 16 00:02:23 m0n0wall ipmon[77]: 00:02:22.571434 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S IN
Jan 16 00:02:23 m0n0wall ipmon[77]: 00:02:22.571499 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S OUT
Jan 16 00:02:27 m0n0wall ipmon[77]: 00:02:27.164762 ng0 @0:16 b 217.11.48.105,143 -> 172.179.123.253,5916 PR tcp len 20 77 -AFP IN
Jan 16 00:02:36 m0n0wall ipmon[77]: 00:02:35.799117 sis0 @100:3 p 10.1.1.19,49748 -> 213.54.183.228,1723 PR tcp len 20 40 -AF K-S IN
Jan 16 00:02:36 m0n0wall ipmon[77]: 00:02:35.799191 ng0 @100:3 p 172.179.123.253,5916 -> 213.54.183.228,1723 PR tcp len 20 40 -AF K-S OUT
Jan 16 00:02:36 m0n0wall ipmon[77]: 00:02:35.909430 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S IN
Jan 16 00:02:36 m0n0wall ipmon[77]: 00:02:35.909507 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -A K-S OUT
Jan 16 00:02:36 m0n0wall ipmon[77]: 00:02:35.917994 ng0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -AF K-S IN
Jan 16 00:02:36 m0n0wall ipmon[77]: 00:02:35.918060 sis0 @100:3 p 213.54.183.228,1723 -> 10.1.1.19,49748 PR tcp len 20 40 -AF K-S OUT
Jan 16 00:02:36 m0n0wall ipmon[77]: 00:02:35.918447 sis0 @100:3 p 10.1.1.19,49748 -> 213.54.183.228,1723 PR tcp len 20 40 -A K-S IN
Jan 16 00:02:36 m0n0wall ipmon[77]: 00:02:35.918527 ng0 @100:3 p 172.179.123.253,5916 -> 213.54.183.228,1723 PR tcp len 20 40 -A K-S OUT
Jan 16 00:02:57 m0n0wall ipmon[77]: 00:02:57.473760 sis0 @0:16 b 10.1.1.19,49601 -> 217.11.48.105,143 PR tcp len 20 69 -AFP IN
Jan 16 00:03:01 m0n0wall ipmon[77]: 00:03:01.474791 sis0 @0:16 b 10.1.1.19,49598 -> 217.11.48.105,143 PR tcp len 20 69 -AFP IN
Jan 16 00:03:06 m0n0wall ipmon[77]: 00:03:05.975634 sis0 @0:16 b 10.1.1.19,49604 -> 17.250.248.64,993 PR tcp len 20 112 -AFP IN
Jan 16 00:03:06 m0n0wall ipmon[77]: 00:03:05.975674 sis0 @0:16 b 10.1.1.19,49588 -> 217.11.48.105,143 PR tcp len 20 69 -AFP IN


I will try to investigate further.
Thanks for your input so far.

Regards,
Goetz
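
The log check suggested in the quoted reply (look for blocked packets, watch GRE and TCP port 1723) can be scripted. The following is an added example, not part of the original message or of m0n0wall: it counts TCP 1723 and GRE records in ipmon output by action, interface and direction. The sample records are constructed, and the layout assumed for a GRE record (no ports) is an assumption.

```python
import re
from collections import Counter

# Layout as in the ipmon lines above; ports optional since GRE has none (assumed layout).
LINE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<ifc>\S+) @\d+:\d+ (?P<act>\w) "
    r"[\d.]+(?:,(?P<sport>\d+))? -> [\d.]+(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\S+) .*\b(?P<dir>IN|OUT)$"
)

def unwrap(raw):
    """Rejoin records a mail client hard-wrapped; a new record has 'ipmon['."""
    out = []
    for part in raw:
        if "ipmon[" in part or not out:
            out.append(part.strip())
        else:
            out[-1] += " " + part.strip()
    return out

def summarize(raw):
    """Count TCP 1723 and GRE records by (kind, action, interface, direction)."""
    counts, unparsed = Counter(), 0
    for line in unwrap(raw):
        m = LINE.search(line)
        if not m:
            unparsed += 1
            continue
        pptp = m["proto"] == "tcp" and "1723" in (m["sport"], m["dport"])
        if pptp or m["proto"] == "gre":
            kind = "pptp-control" if pptp else "gre"
            action = {"p": "pass", "b": "block"}.get(m["act"], m["act"])
            counts[(kind, action, m["ifc"], m["dir"])] += 1
    return counts, unparsed

def findings(counts):
    """List what deserves a closer look in a packet capture."""
    blocked = [f"{n} {k} blocked on {i} {d}"
               for (k, a, i, d), n in sorted(counts.items()) if a == "block"]
    only_ctrl = {key[0] for key in counts} == {"pptp-control"}
    return (["TCP 1723 logged, no GRE logged"] if only_ctrl else []) + blocked

# Constructed sample (documentation addresses); the second record is wrapped.
SAMPLE = """\
Jan 16 00:02:05 fw ipmon[77]: 00:02:05.218134 sis0 @100:3 p 10.0.0.5,49748 -> 192.0.2.10,1723 PR tcp len 20 40 -A K-S IN
Jan 16 00:02:05 fw ipmon[77]: 00:02:05.218259 ng0 @100:3 p
198.51.100.7,5916 -> 192.0.2.10,1723 PR tcp len 20 40 -A K-S OUT
Jan 16 00:02:06 fw ipmon[77]: 00:02:05.461745 sis0 @0:16 b 10.0.0.5,49595 -> 203.0.113.9,993 PR tcp len 20 113 -AFP IN
""".splitlines()
```

A log with no GRE records only shows that none were logged; whether passed GRE packets appear at all depends on which rules have logging enabled.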