 From:  "Lew Maggio" <lew at lsfc dot org>
 To:  "MonoWall" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  crazy routing/nat problem with wireless and PPTP
 Date:  Wed, 27 Apr 2005 13:09:06 -0500
I have monowall set up as follows:


Wan is a static IP DSL line (made up the IP address, didn't
want to post the real one)

LAN subnet is 192.168.1.x

Opt1 is hooked into several wireless APs, subnet is 192.168.2.x


PPTP server is our primary domain controller; I have set
up monowall for PPTP passthrough.


This works perfectly when connecting from outside the network.


From the wireless subnet, 192.168.2.x, all traffic to the internet is
allowed, all traffic to the lan is blocked EXCEPT PPTP
traffic.  The reason for this is so that the wireless system is set up
for public WiFi and then staff have to use VPN to connect to the
internal network.


Here is where the problem comes in.  When you establish a PPTP
connection to, Windows decides to route all traffic to
that address through the wireless connection and not the PPTP
connection.  This wouldn't be a problem if it was a dedicated VPN server,
but it has everything else on it: DNS, authentication, file server,
Exchange server, email.


I'll try and explain this in detail, because it took me a really long
time to figure out what was happening.


1.  From wireless network try to ping, obviously it will
fail, m0n0wall is blocking that traffic.

2.  Try to ping any other host ( for example) on that
subnet and it will fail, as monowall is blocking that traffic.

3.  Establish a PPTP connection to

4.  Ping and you will get a reply; this ping is being
routed through the PPTP connection.

5.  Try to ping, and you will not get a reply.  Once
Windows establishes a PPTP connection to over the wireless
network and through the monowall, it tries to route all traffic to that
address over the wireless network connection and the monowall.  It does
not route any traffic to that address through the PPTP connection.  I
need to emphasize right now that this is an issue in the Windows TCP/IP
stack.  No changes made to the monowall can have any effect on this.


Now this problem doesn't affect VPN connections coming in from the
outside.  Why?  When you connect with VPN you connect to,
so when you ping it gets routed properly because Windows
sees the IP the VPN is connecting to as  NAT is solving the


What I need to do is set up NAT somehow on the OPT1 interface, so that I
can use VPN to connect to and it will NAT the VPN
connection to  That way windows will not get confused
when I try and connect to the exchange server.


This wasn't a problem with our previous router because it supported
loopback.  We could use VPN to connect to from inside the
network.  That doesn't work under monowall.


I know this email probably doesn't make a lot of sense; even working on
it, it took me hours to figure out what was happening, and I had to use
tracert basically to figure it out.  I hope someone can help me with
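A small model of the routing behaviour described in steps 1 to 5 above (an added example, not code from the post or from m0n0wall; the addresses are constructed stand-ins for the ones redacted in the message): a host's longest-prefix route lookup, the /32 host route a PPTP dial-up adds for its endpoint, and why dialling the firewall's WAN address instead of the DC's LAN address changes which path traffic to the DC takes.

```python
import ipaddress

# Constructed addresses standing in for the ones redacted in the post:
# the PPTP server / domain controller on the LAN, m0n0wall's public WAN
# address, and the internal LAN reached through the tunnel.
DC_LAN_IP = "192.168.1.10"
WAN_IP = "203.0.113.5"
LAN = ipaddress.ip_network("192.168.1.0/24")


def lookup(routes, dst):
    """Longest-prefix match, as a host IP stack does: the most specific
    prefix containing dst wins, whatever order the routes were added in."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(pfx), ifc) for pfx, ifc in routes]
    hits = [(net, ifc) for net, ifc in hits if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def client_routes(vpn_endpoint):
    """Simplified model of a wireless client's table after dialling PPTP to
    vpn_endpoint: a /32 host route keeps the tunnel endpoint on the physical
    interface (the GRE/TCP 1723 carrier must not loop into the tunnel)."""
    return [
        ("0.0.0.0/0", "wireless"),
        ("192.168.2.0/24", "wireless"),
        (f"{vpn_endpoint}/32", "wireless"),  # pins the VPN server to the carrier path
        ("192.168.1.0/24", "pptp"),          # internal LAN via the tunnel
    ]


def path_to(dst, vpn_endpoint):
    return lookup(client_routes(vpn_endpoint), dst)


def reachable(dst, vpn_endpoint):
    """OPT1 policy as the post describes it: wireless -> LAN is blocked
    (PPTP itself excepted); anything carried inside the tunnel gets through."""
    if path_to(dst, vpn_endpoint) == "wireless" and ipaddress.ip_address(dst) in LAN:
        return False
    return True


if __name__ == "__main__":
    # Dialling the DC's LAN address directly: other LAN hosts work, the DC itself does not.
    print(path_to("192.168.1.20", DC_LAN_IP), reachable("192.168.1.20", DC_LAN_IP))
    print(path_to(DC_LAN_IP, DC_LAN_IP), reachable(DC_LAN_IP, DC_LAN_IP))
    # Dialling the WAN address (what NAT reflection would allow): the DC is now tunnelled.
    print(path_to(DC_LAN_IP, WAN_IP), reachable(DC_LAN_IP, WAN_IP))
```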