 From:  Nik Clayton <nik at ngo dot org dot uk>
 To:  m0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  PPTP from OPT1 to LAN
 Date:  Thu, 15 Sep 2005 23:19:47 +0100
Hi all,

I'm trying to get m0n0wall to act as a PPTP server for my wireless 
clients, and I'm not getting anywhere.

Here's the scenario.

I have a triple homed Soekris net4801 box.

sis0 => LAN,  192.168.0.x (DHCP server enabled)
sis1 => WAN,  192.168.1.x
sis2 => OPT1, 192.168.2.x (DHCP server enabled)

Yes, the WAN address really is 192.168.1.x.

Anyway, m0n0wall is doing just fine routing between LAN and WAN, 
everything there is great.

I have an 802.11b bridge plugged directly in to OPT1.  Wireless clients 
can connect, and are handed out 192.168.2.x addresses by the DHCP server.

What I'd like to do is use PPTP to encrypt the traffic between the 
wireless clients and m0n0wall, so that all the over-the-air traffic is 
encrypted with something a little stronger than WEP.  I also want to 
make sure that unauthenticated clients can't get on to the network.

And I can't figure out, from the documentation, how to do this.

I can do it on the LAN interface -- that's easy, following these 
instructions that Manuel gave out a few months back:

 > PPTP VPN? Piece of cake! Enable it on m0n0wall (use some "sub-subnet"
 > of your LAN subnet as the remote address range), add at least one
 > user. Then open Internet Connect on your Mac, choose File -> New VPN
 > connection, PPTP, server address = your m0n0wall's WAN IP address or
 > DynDNS name, account name and password matching what you entered on
 > the PPTP users page in the webGUI. Then click Connect and that's it.

That works, clients can connect (if I physically plug them in to the 
network instead of using the wireless).  So I tried to do it on OPT1, by


    [*] Enable PPTP server
    Server address:
    Remote address range: / 28

and creating some users with passwords.  But connecting to the VPN from 
the Mac running OS X over 802.11b doesn't work.  There is an 'allow all' 
rule for PPTP clients in the firewall configuration (interestingly, 
although there's "WAN interface", "PPTP clients", and "LAN interface" 
sections in the firewall page, there's no "OPT1 interface" section).

Any help gratefully received.  The mailing list archives didn't yield 
anything that seemed useful.