 
 From:  Chris Van Vorous <m0unds at speakeasy dot net>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Using m0n0wall as a remote PPTP/VPN server
 Date:  Fri, 03 Jun 2005 19:42:25 -0600
Well, I removed the firewall and NAT rules that dealt with the PPTP 
traffic, and instead of getting a blocked GRE protocol message in the 
firewall, I get this:

	08:38:02.216056 	WAN 	IP.IP.IP.IP, port 50681 	IP.IP.IP.IP port 1723 	TCP
	08:37:59.203420 	WAN 	IP.IP.IP.IP, port 50681 	IP.IP.IP.IP, port 1723 	TCP
	08:37:56.692952 	WAN 	IP.IP.IP.IP, port 50681 	IP.IP.IP.IP, port 1723 	TCP


What do you think would cause the migration from blocking GRE traffic to 
blocking TCP traffic across that port? I was under the impression that 
m0n0's default ruleset was to deny all.

Thanks,
Chris

Chris Buechler wrote:

>On 6/3/05, Chris Van Vorous <m0unds at speakeasy dot net> wrote:
>
>> Hi everyone, this is my first post.
>> 
>> I've read through lots of questions regarding PPTP/VPN functionality
>>within m0n0wall, but I couldn't really find a concrete answer to my
>>particular problem. 
>>        1. Remote connections to my external IP, requesting a PPTP session
>>fail with Microsoft Windows error 619
>>        2. Connections on the LAN work just fine (so do connections from my
>>wlan)
>>     
>> I've set up a NAT Forwarding rule to take traffic to TCP port 1723 (PPTP)
>>and send it to one interface address of the m0n0wall (192.168.1.5 in this
>>instance). I set up a matching firewall rule to permit traffic across that
>>NAT link. After seeing my firewall log (as I have pasted), I also tried to
>>forward GRE traffic to see if it would matter. I've also run a full-on
>>forward firewall rule: WAN, any port, any protocol, etc with no result.
>
>If m0n0wall isn't behind another firewall, you don't need any NAT
>entries or firewall rules.  All that gets added automatically.  I'd
>suspect this NAT entry is breaking things by sending the TCP traffic
>to a different interface than the GRE traffic.  Remove all the NAT and
>firewall rule stuff and it should just work.
>
>-Chris
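The thread turns on a detail that is easy to miss in a firewall log: a PPTP session needs both the TCP/1723 control channel and GRE (IP protocol 47) to reach the same endpoint, and the log lines above show only the TCP half being dropped. The script below is an added example written for this page, not code from the thread or from m0n0wall. It assumes the whitespace-separated column layout of the log excerpt in the message (time, interface, source, destination, protocol, with ports written as "ADDR, port N") and uses constructed sample lines with documentation-range addresses; it groups blocked PPTP-related packets by remote client so a reader can tell "control channel never gets through" (the error 619 symptom) apart from "control channel passes but GRE is dropped".

```python
import re
from collections import defaultdict

PPTP_CONTROL_PORT = 1723  # TCP control channel; the tunnel data itself rides on GRE

# Constructed sample lines in the layout of the log excerpt quoted in this
# thread. Addresses are from documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
08:38:02.216056\tWAN\t203.0.113.5, port 50681\t198.51.100.2, port 1723\tTCP
08:37:59.203420\tWAN\t203.0.113.5, port 50681\t198.51.100.2 port 1723\tTCP
08:37:56.692952\tWAN\t203.0.113.5, port 50681\t198.51.100.2, port 1723\tTCP
08:37:50.000000\tWAN\t203.0.113.9\t198.51.100.2\tGRE
08:37:40.000000\tWAN\t203.0.113.9, port 40001\t198.51.100.2, port 22\tTCP
"""

# Matches "ADDR", "ADDR, port N" and the comma-less "ADDR port N" variant
# that also appears in the quoted excerpt.
ENDPOINT_RE = re.compile(r"^(?P<addr>[0-9.]+)(?:,?\s*port\s+(?P<port>\d+))?$")


def parse_endpoint(text):
    """Return (address, port-or-None) for one source/destination column."""
    m = ENDPOINT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable endpoint: {text!r}")
    port = m.group("port")
    return m.group("addr"), (int(port) if port else None)


def parse_log_line(line):
    """Split one tab-separated log line into a dict; tolerates stray spaces."""
    fields = [f.strip() for f in line.split("\t")]
    fields = [f for f in fields if f]
    if len(fields) != 5:
        raise ValueError(f"expected 5 columns, got {len(fields)}: {line!r}")
    ts, iface, src, dst, proto = fields
    src_addr, src_port = parse_endpoint(src)
    dst_addr, dst_port = parse_endpoint(dst)
    return {
        "time": ts, "iface": iface, "proto": proto.upper(),
        "src_addr": src_addr, "src_port": src_port,
        "dst_addr": dst_addr, "dst_port": dst_port,
    }


def classify(entry):
    """Tag an entry as a PPTP control-channel drop, a GRE drop, or unrelated."""
    if entry["proto"] == "GRE":
        return "pptp-gre"
    if entry["proto"] == "TCP" and entry["dst_port"] == PPTP_CONTROL_PORT:
        return "pptp-control"
    return "other"


def pptp_block_report(log_text):
    """Count blocked PPTP control and GRE packets per remote client address."""
    report = defaultdict(lambda: {"pptp-control": 0, "pptp-gre": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_log_line(line)
        kind = classify(entry)
        if kind == "other":
            continue
        report[entry["src_addr"]][kind] += 1
    return dict(report)


def diagnose(report):
    """Turn per-client counts into a short reading of which PPTP half is missing."""
    out = {}
    for src, counts in report.items():
        if counts["pptp-control"] and not counts["pptp-gre"]:
            out[src] = "control channel blocked: client never gets past TCP/1723"
        elif counts["pptp-gre"] and not counts["pptp-control"]:
            out[src] = "GRE blocked: control channel passes, tunnel data cannot flow"
        else:
            out[src] = "both PPTP components blocked"
    return out


if __name__ == "__main__":
    for src, text in diagnose(pptp_block_report(SAMPLE_LOG)).items():
        print(f"{src}: {text}")
```

On a real box the value of grouping by client is that the two failure modes point at different configuration layers: repeated TCP/1723 drops with no GRE at all mean the control channel itself is not being accepted on that interface, while GRE drops after a successful TCP handshake mean the rule set passes the control channel but not the tunnel payload, which is exactly the split a mismatched NAT forward can produce.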