I don't know if this is a m0n0wall issue or just something I'm doing stupidly with my network/VPN setup. I've got two subnets and three interfaces set up on my m0n0wall. One is the WAN, one is LAN, and the final is a separate interface for my pair of wireless access points (they're actually routers, but I'm plugged into switch ports and DHCP is off, so they're just wireless bridges here). LAN is 192.168.1/24, wireless subnet is 192.168.2/24.

In the m0n0wall, I have a series of rules that denies all access from the wireless interface to the LAN interface. I then selectively have a few holes punched - DNS, HTTPS and RDP (3389) to my W2k3 domain controller. I already have the PPTP page on the m0n0 set to redirect requests to the server (192.168.1.2). I checked the rules and saw that they added the appropriate firewall rules for me. (I just had to add NAT rules for my WAN interface.) Just in case, I tried manually adding rules for GRE and 1723 (PPTP), but this didn't help.

I can successfully connect to the Win2k3 server for a PPTP connection. It authenticates fine, and my machine gets an IP address from the server. The server's main IP is 192.168.1.2. However, when I set up PPTP/Routing & Remote Access on Win2k3, it also gave itself another IP - 192.168.1.59. When the PPTP client connects, it calls that the "server address", rather than .1.2. However, in a netstat, I see the connection on 1723 between my laptop's wireless IP and the server's main IP. (.2.42 -> .1.2.)

My understanding of PPTP is that IP packets get encrypted and tunneled within a different stream of TCP packets. Correct? So my laptop (.2.42) should tunnel packets inside of a stream going from .2.42 to .1.2 (the VPN server). Those packets should be between .1.5x (VPN-assigned address for laptop) and .1.59 (VPN server internal address) -- but any router between the two subnets shouldn't care, because that traffic is TUNNELED...
Either the Windows VPN implementation is weird, or the m0n0wall is too smart for its own good. I see entries like this in my log:

Act  Time             If            Source                  Destination            Proto
3    22:30:36.838517  Wireless LAN  192.168.1.52, port 137  192.168.1.2, port 137  UDP
2    22:30:35.386921  Wireless LAN  192.168.1.52, port 137  192.168.1.2, port 137  UDP
2    22:30:33.886640  Wireless LAN  192.168.1.52, port 137  192.168.1.2, port 137  UDP

Note that somehow the m0n0wall sees data originating from .1.5x (VPN client IP) coming from the wireless LAN interface (Opt1). Why would this happen? I thought it was supposed to TUNNEL inside of packets from that other subnet?? Also, I'm able to ping addresses in the 1.x subnet while connected to the VPN, but I can't pass other traffic to those hosts. (I have direct pings from 2.x -> 1.x disabled; only echo REPLIES are allowed across normally.) Is all of this happening because both the source and destination are in private IP ranges?

For what it's worth, I can connect to the VPN from outside (another internet host) and everything behaves as expected. I can move files, connect to anything on the .1.x subnet, everything works as expected. It's only across the two "internal" interfaces that I'm having issues. I'm really confused here, because it's not behaving the way I thought PPTP should behave... I'm going to include the relevant rules below. Thanks in advance...
#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on sis2 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on sis2 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.1.0/24 to 192.168.1.1 keep state group 100

# PPTP rules
pass in quick proto gre from any to 192.168.1.2 keep state group 200
pass in quick proto tcp from any to 192.168.1.2 port = 1723 keep state group 200

# User-defined rules follow
pass in quick proto tcp from any to 192.168.1.2 port = 25 keep state group 200
pass in quick proto tcp from any to 192.168.1.2 port = 443 keep state group 200
pass in quick proto tcp/udp from any to 192.168.1.2 port = 3389 keep state group 200
pass in quick proto tcp from any to 192.168.1.2 port 6880 >< 7000 keep state group 200
pass in quick proto tcp/udp from 192.168.2.0/24 to 192.168.1.2 port = 53 keep state group 300
pass in quick proto tcp from 192.168.2.0/24 to 192.168.1.2 port = 443 keep state group 300
pass in quick proto tcp/udp from 192.168.2.0/24 to 192.168.1.2 port = 3389 keep state group 300
pass in quick proto udp from 192.168.2.0/24 to 192.168.1.2 port = 69 keep state group 300
pass in quick proto icmp from 192.168.1.0/24 to 192.168.2.0/24 icmp-type echo keep state group 300
pass in quick proto icmp from 192.168.2.0/24 to 192.168.1.0/24 icmp-type echorep keep state group 300
block return-rst in quick proto tcp from 192.168.2.0/24 to 192.168.1.0/24 flags S/SA group 300
block return-icmp in quick proto udp from 192.168.2.0/24 to 192.168.1.0/24 group 300
block in quick proto icmp from 192.168.2.0/24 to 192.168.1.0/24 group 300
pass in quick from 192.168.2.0/24 to any keep state group 300
pass in quick from 192.168.1.0/24 to any keep state group 100