 From:  Jim McBeath <jimmc at macrovision dot com>
 To:  Magne Andreassen <magne dot andreassen at bluezone dot no>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] wireless+IPsec+RedHat9?
 Date:  Wed, 3 Dec 2003 19:02:13 -0800
On Wed, Dec 03, 2003 at 10:45:24AM +0100, Magne Andreassen wrote:
> Just to be clear, DHCP and PPTP have no dependencies...

> You're right, this is not trivial and self-explained.

> Yes, they are for the PPTP connection. Only the WAN interface is
> "designed" in m0n0wall to default accept PPTP requests and
> traffic, so we have to manually add these to the wireless interface.
> You will still have to add rules for your PPTP interface,
> and these apply to all PPTP connections, so no, they don't have
> default access to everything once connected.

Ah, I get it!

1. My client machine makes a connection to the wireless port on the
   m0n0wall, and for that it uses regular DHCP and assigns my machine an
   IP address like normal, all unencrypted (except for WEP).  This IP
   address gets attached to the physical ethernet device on my machine
   (in my case, eth1).
2. I initiate a PPTP connection from my client and tell it to connect to
   the wireless IP address on the m0n0wall.  This setup happens on
   the DHCP-assigned connection, thus I have to add the pass-GRE and
   pass-TCP-1723 rules to the firewall.  The PPTP server on m0n0wall then
   assigns my machine a second IP address (from the range of 16 addresses
   I specified on the PPTP page of m0n0wall), which gets associated
   with a pseudo-device (in my case, ppp0).
3. As part of the setup, because I told pptp-linux to route "all to tunnel",
   it sets the default route to use ppp0.  So now, other than a request
   to the IP address of the m0n0wall wireless port, every IP request goes
   through the PPTP tunnel via ppp0 to the PPTP server address I specified
   in the PPTP page of m0n0wall.
4. A request from my client goes through the PPTP tunnel into the m0n0wall
   box, gets decrypted there, and appears as an incoming packet on the PPTP
   port for another pass through the firewall.  I can then set up firewall
   rules with interface=PPTP to control what can get through.

I have made some progress, and it seems like I am almost there, but not
quite.  I added rules to the firewall to pass ICMP from PPTP to anywhere,
but my PINGs are not making it all the way back.  I turned on logging of
those packets in m0n0wall, and it looks like the packets are making it
through m0n0wall both ways.  Here's a sample from the firewall log:

  18:21:49.409596 ng1 @0:27 p 10.100.103.224 -> 10.100.101.250 PR icmp len 20 84 icmp echo/0 K-S IN
  18:21:49.409884 sis1 @0:27 p 10.100.103.224 -> 10.100.101.250 PR icmp len 20 84 icmp echo/0 K-S OUT
  18:21:49.411200 sis1 @0:27 p 10.100.101.250 -> 10.100.103.224 PR icmp len 20 84 icmp echoreply/0 K-S IN
  18:21:49.411393 ng1 @0:27 p 10.100.101.250 -> 10.100.103.224 PR icmp len 20 84 icmp echoreply/0 K-S OUT

10.100.103.224 is the IP address assigned to my wireless client by the
m0n0wall PPTP server, 10.100.101.250 is the machine I pinged from my client.
It looks like the response is getting lost somewhere at the end of its
return trip.

It seems that it doesn't really matter what subnet and IP address values I
choose for the PPTP server and its clients, as long as those addresses
don't conflict with anything else on my network.  I tried using addresses
from my LAN subnet, and I tried using addresses in a different subnet,
and it works the same either way.

Any suggestions as to what might be wrong here, or how to debug?

--
Jim
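As an added example (not from Jim's mail or from the m0n0wall project), a small Python helper that parses ipfilter log lines in the format shown above and reports which hop of a ping's round trip the firewall did not record. The interface names and addresses are the ones in the mail; the function names and the expected four-hop path (tunnel IN, LAN OUT, LAN IN, tunnel OUT) are my own assumptions.

```python
import re

# Format of the ipfilter (ipmon) lines m0n0wall writes to its firewall log;
# the fields are inferred from the four sample lines quoted in the mail.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+@(?P<rule>\S+)\s+(?P<action>\S)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+"
    r"(?:\s+icmp\s+(?P<icmp>\w+)/\d+)?.*?\s+(?P<dir>IN|OUT)$"
)

# Sample input: the four log lines from the mail, re-joined onto one line each.
SAMPLE_LOG = [
    "18:21:49.409596 ng1 @0:27 p 10.100.103.224 -> 10.100.101.250 PR icmp len 20 84 icmp echo/0 K-S IN",
    "18:21:49.409884 sis1 @0:27 p 10.100.103.224 -> 10.100.101.250 PR icmp len 20 84 icmp echo/0 K-S OUT",
    "18:21:49.411200 sis1 @0:27 p 10.100.101.250 -> 10.100.103.224 PR icmp len 20 84 icmp echoreply/0 K-S IN",
    "18:21:49.411393 ng1 @0:27 p 10.100.101.250 -> 10.100.103.224 PR icmp len 20 84 icmp echoreply/0 K-S OUT",
]

def parse_line(line):
    """Split one ipmon log line into its fields; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def icmp_hops(lines):
    """Map (src, dst, icmp type) -> list of (interface, direction) for passed ICMP packets."""
    hops = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "icmp" or rec["action"] != "p":
            continue  # skip blocked ('b') packets and non-ICMP traffic
        key = (rec["src"], rec["dst"], rec["icmp"])
        hops.setdefault(key, []).append((rec["iface"], rec["dir"]))
    return hops

def missing_hops(lines, client, target, tunnel_if, lan_if):
    """Return the (icmp type, interface, direction) hops of one ping round trip never seen
    in the log. An empty list means m0n0wall passed the whole round trip, so the loss is elsewhere."""
    expected = {
        (client, target, "echo"): [(tunnel_if, "IN"), (lan_if, "OUT")],
        (target, client, "echoreply"): [(lan_if, "IN"), (tunnel_if, "OUT")],
    }
    seen = icmp_hops(lines)
    missing = []
    for key, path in expected.items():
        for hop in path:
            if hop not in seen.get(key, []):
                missing.append((key[2],) + hop)
    return missing
```

For the sample above `missing_hops(SAMPLE_LOG, "10.100.103.224", "10.100.101.250", "ng1", "sis1")` returns an empty list, which matches Jim's reading that the reply left m0n0wall on the PPTP interface and was lost after that point.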