I have monowall set up as follows:

- WAN is a static IP DSL line, 64.109.43.98 (made up the IP address, didn't want to post the real one)
- LAN subnet is 192.168.1.x
- Opt1 is hooked into several wireless APs, subnet is 192.168.2.x
- PPTP server is our primary domain controller, 192.168.1.201

I have set up monowall for PPTP passthrough. This works perfectly when connecting from outside the network.

From the wireless subnet, 192.168.2.x, all traffic to the internet is allowed; all traffic to the LAN (192.168.1.254) is blocked EXCEPT PPTP traffic. The reason for this is that the wireless system is set up for public WiFi, and staff then have to use VPN to connect to the internal network.

Here is where the problem comes in. When you establish a PPTP connection to 192.168.1.201, Windows decides to route all traffic to that address through the wireless connection and not the PPTP connection. This wouldn't be a problem if it was a dedicated VPN server, but it has everything else on it: DNS, authentication, file server, Exchange server, email.

I'll try and explain this in detail, because it took me a really long time to figure out what was happening.

1. From the wireless network, try to ping 192.168.1.201. Obviously it will fail; m0n0wall is blocking that traffic.
2. Try to ping any other host (192.168.1.151 for example) on that subnet and it will fail, as monowall is blocking that traffic.
3. Establish a PPTP connection to 192.168.1.201.
4. Ping 192.168.1.151 and you will get a reply; this ping is being routed through the PPTP connection.
5. Try to ping 192.168.1.201, and you will not get a reply.

Once Windows establishes a PPTP connection to 192.168.1.201 over the wireless network and through the monowall, it tries to route all traffic to that address over the wireless network connection and the monowall. It does not route any traffic to that address through the PPTP connection. I need to emphasize right now that this is an issue in the Windows TCP/IP stack. No changes made to the monowall can have any effect on this.

Now this problem doesn't affect VPN connections coming in from the outside. Why? When you connect with VPN you connect to 64.109.43.98, so when you ping 192.168.1.201 it gets routed properly, because Windows sees the IP the VPN is connecting to as 64.109.43.98. NAT is solving the problem.

What I need to do is set up NAT somehow on the OPT1 interface, so that I can use VPN to connect to 192.168.2.254 and it will NAT the VPN connection to 192.168.1.201. That way Windows will not get confused when I try and connect to the Exchange server.

This wasn't a problem with our previous router because it supported loopback. We could use VPN to connect to 64.109.43.98 from inside the network. That doesn't work under monowall.

I know this email probably doesn't make a lot of sense; even working on it, it took me hours to figure out what was happening. I had to use tracert basically to figure it out. I hope someone can help me with this.
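The behaviour described in the post is longest-prefix-match route selection: when the PPTP client dials the server, it installs a /32 host route to the tunnel endpoint via the physical (wireless) interface so the tunnel's own packets are not sent into the tunnel, and that host route beats the /24 reached through the tunnel. The script below is an added illustration, not part of the original post or of m0n0wall; the routing tables are constructed from the addresses in the post (the interface names "wifi" and "pptp" are labels I chose, not `route print` output), and the second table models the NAT-address workaround the poster proposes.

```python
import ipaddress

# Windows picks the most specific matching destination (longest prefix).
def pick_route(table, dst):
    """Return the interface chosen for dst by longest-prefix match, or None."""
    dst = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for net, iface in table:
        net = ipaddress.ip_network(net)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

# Case 1 (constructed): PPTP dialled straight to 192.168.1.201 over public WiFi.
# The VPN client adds a host route to the server via the wireless NIC; the /24
# for the LAN is learned once the tunnel is up.
DIRECT = [
    ("0.0.0.0/0",        "wifi"),
    ("192.168.2.0/24",   "wifi"),
    ("192.168.1.201/32", "wifi"),   # host route to the PPTP endpoint
    ("192.168.1.0/24",   "pptp"),   # internal LAN through the tunnel
]

# Case 2 (constructed): PPTP dialled to a NAT address on OPT1 (192.168.2.254),
# which the firewall would forward to 192.168.1.201. The host route now covers
# only the NAT address, so 192.168.1.201 falls under the /24 via the tunnel.
VIA_NAT = [
    ("0.0.0.0/0",        "wifi"),
    ("192.168.2.0/24",   "wifi"),
    ("192.168.2.254/32", "wifi"),   # host route to the NAT endpoint
    ("192.168.1.0/24",   "pptp"),
]

def resolve_hosts(table, hosts=("192.168.1.151", "192.168.1.201")):
    """Map each host in the post's ping test to the interface Windows would use."""
    return {h: pick_route(table, h) for h in hosts}

if __name__ == "__main__":
    # .151 goes through the tunnel; .201 hits the host route and is sent out
    # over WiFi, where m0n0wall's OPT1 rules drop everything but PPTP.
    print("direct :", resolve_hosts(DIRECT))
    # With the NAT endpoint both hosts are reached through the tunnel.
    print("via NAT:", resolve_hosts(VIA_NAT))
```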