 From:  <leesharp at hal dash pc dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP from OPT1 to LAN
 Date:  Fri, 16 Sep 2005 11:55:27 -0500
----- Original Message -----
From: "Nik Clayton" <nik at ngo dot org dot uk>
To: <leesharp at hal dash pc dot org>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Friday, September 16, 2005 3:03 AM
Subject: Re: [m0n0wall] PPTP from OPT1 to LAN

> Lee,

> Thanks for the advice so far.

Glad I can help. Since I can't code, it is my only way to give back to 
the project. :-)

>   OPT1 interface
>   Proto  Source        Port  Destination  Port
>   *      PPTP Clients  *     *

> > Then a ruleset allowing PPTP WAN access.
>   PPTP clients
>   Proto  Source        Port  Destination  Port
>   *      PPTP Clients  *     *            *

> But to no avail.  The wireless clients are given IP addresses using DHCP 
> (that still works, verified by delete/down/up'ing their wireless 
> interfaces, making sure they got a 192.168.2.x IP address, and 
> confirming through the m0n0wall "DHCP leases" diagnostics page) but they 
> can't do anything else.  Attempts to connect to the PPTP server on 
> eventually time out, and they can't ping their subnet's 
> gateway, so

Let me back up and start very basic, just to make sure it is all 
covered and explained.
When you start with no rules at all, nothing can get in or out.  The 
initial rule on the LAN interface allows internet access.
*  LAN net  *  *  *
However, you don't want that for OPT1; you only want them to be 
able to PPTP in from there. So you set up a restrictive rule like the 
one I have allowing me to admin my m0n0 box from the internet.
TCP  *  *  443 (HTTPS)
But there is no drop-down choice for PPTP.  You can just add the two 
ports, or you can open everything up to just the firewall.  The single 
host part is the critical one.
TCP OPT1 * *
Last you need a rule set allowing the PPTP clients out on the internet 
like this.
*  PPTP clients  *  *  *
If you are still having trouble, put the default wide-open rule on 
OPT1 for testing, and lock it down when you are done.
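The three rule sets Lee describes (LAN wide open, OPT1 restricted to PPTP against the firewall itself, PPTP clients wide open) can be checked against sample traffic with a small first-match model. This is an added example, not m0n0wall code and not from either poster; it assumes m0n0wall's behaviour of evaluating the rule set of the interface a packet arrives on, first match wins, default deny, and it assumes PPTP consists of a TCP/1723 control connection plus a GRE (IP protocol 47) tunnel. The addressing (192.168.1.0/24 as LAN, 192.168.2.1 as the firewall's OPT1 address, 192.168.3.0/24 as the PPTP client pool) and the packets are constructed for the example; only the 192.168.2.x wireless range comes from the thread.

```python
"""First-match model of the per-interface rule sets discussed in the thread.

Added example, not m0n0wall code.  Assumptions (not from the thread):
  * rules are evaluated per arrival interface, top to bottom, first match
    wins, and traffic that matches no rule is dropped;
  * PPTP = TCP/1723 control channel + GRE (IP protocol 47) tunnel;
  * the addressing below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

from ipaddress import ip_address, ip_network

ANY = "*"

LAN_NET = "192.168.1.0/24"      # assumed LAN range
OPT1_NET = "192.168.2.0/24"     # wireless clients get 192.168.2.x (from the thread)
FW_OPT1_ADDR = "192.168.2.1"    # assumed firewall address on OPT1 (the "single host")
PPTP_POOL = "192.168.3.0/24"    # assumed address pool handed to PPTP VPN clients


@dataclass(frozen=True)
class Packet:
    iface: str                  # arrival interface: "lan", "opt1" or "pptp"
    proto: str                  # "tcp", "udp", "icmp" or "gre"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    proto: str                  # "*" or a protocol name
    src: str                    # "*" or a host/network in CIDR form
    dst: str                    # "*" or a host/network in CIDR form
    dport: Union[int, str]      # "*" or a destination port number


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (ANY, pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and (rule.dport == ANY or rule.dport == pkt.dport))


def evaluate(rulesets: Dict[str, List[Rule]], pkt: Packet) -> bool:
    """Pass if the first matching rule on the arrival interface exists; else drop."""
    return any(matches(rule, pkt) for rule in rulesets.get(pkt.iface, []))


def build_rulesets(opt1_open_to_firewall: bool = False) -> Dict[str, List[Rule]]:
    """The three rule sets from the thread, in this example's notation.

    opt1_open_to_firewall=False: only PPTP (TCP/1723 + GRE) to the firewall's
    OPT1 address.  True: any TCP plus GRE to that one host, the "open
    everything up to just the firewall" variant; the destination is still
    the single host, never the LAN.
    """
    if opt1_open_to_firewall:
        opt1 = [Rule("tcp", OPT1_NET, FW_OPT1_ADDR, ANY),
                Rule("gre", OPT1_NET, FW_OPT1_ADDR, ANY)]
    else:
        opt1 = [Rule("tcp", OPT1_NET, FW_OPT1_ADDR, 1723),
                Rule("gre", OPT1_NET, FW_OPT1_ADDR, ANY)]
    return {
        "lan": [Rule(ANY, LAN_NET, ANY, ANY)],       # *  LAN net  *  *  *
        "opt1": opt1,
        "pptp": [Rule(ANY, PPTP_POOL, ANY, ANY)],    # *  PPTP clients  *  *  *
    }


# Constructed sample traffic: a wireless client, a tunnelled PPTP client, a LAN host.
SAMPLES = [
    ("wireless -> PPTP control", Packet("opt1", "tcp", "192.168.2.50", FW_OPT1_ADDR, 1723)),
    ("wireless -> PPTP GRE", Packet("opt1", "gre", "192.168.2.50", FW_OPT1_ADDR)),
    ("wireless -> LAN SMB (not tunnelled)", Packet("opt1", "tcp", "192.168.2.50", "192.168.1.10", 445)),
    ("wireless -> ping gateway", Packet("opt1", "icmp", "192.168.2.50", FW_OPT1_ADDR)),
    ("wireless -> firewall HTTPS", Packet("opt1", "tcp", "192.168.2.50", FW_OPT1_ADDR, 443)),
    ("PPTP client -> LAN SMB (tunnelled)", Packet("pptp", "tcp", "192.168.3.5", "192.168.1.10", 445)),
    ("LAN -> internet DNS", Packet("lan", "udp", "192.168.1.10", "8.8.8.8", 53)),
]


def decisions(opt1_open_to_firewall: bool = False) -> Dict[str, bool]:
    rs = build_rulesets(opt1_open_to_firewall)
    return {label: evaluate(rs, pkt) for label, pkt in SAMPLES}


if __name__ == "__main__":
    for variant in (False, True):
        print(f"OPT1 open to firewall: {variant}")
        for label, passed in decisions(variant).items():
            print(f"  {'PASS' if passed else 'DROP':4}  {label}")
```

Two things the table makes visible that the rule listings alone do not: under the locked-down OPT1 set, ICMP to the gateway is dropped along with everything else that is not PPTP, so a wireless client failing to ping 192.168.2.1 is expected and not by itself evidence of a broken rule set; and the "open everything to just the firewall" variant differs only in exposing the firewall's other TCP services (HTTPS in the sample) to the wireless segment, while still keeping untunnelled LAN access closed because the destination is the single host.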