[ previous ] [ next ] [ threads ]
 
 From:  Fred Wright <fw at well dot com>
 To:  Michiel van Es <mve at pcintelligence dot nl>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] how to set up a the PPTP server with firewall rules
 Date:  Sat, 5 Jul 2003 13:51:05 -0700 (PDT) 
On Sat, 5 Jul 2003, Michiel van Es wrote:
> On 5-7-2003 at 13:28 Fred Wright wrote:
> >On Sat, 5 Jul 2003, Michiel van Es wrote:
> >
> >> I think the pptp connection of my ADSL (mxstream KPN) is conflicting
> >> with the PPTP server..
> >
> >Ah, yes.  You need to redirect only *some* of the GRE traffic.  This
> isn't
> >the same issue I mentioned earlier, since it's all PPTP.  Instead, it
> >would need to know which GRE/PPTP packets go where (the TCP portion
> should
> >work properly via NAT), which ideally should be based on the Call ID,
> but
> >in this case could be based on the remote IP address.  You'd probably
> like
> >to be able to say that GRE traffic from any IP *except* the modem
> should
> >be redirected.
> >
> >The NAT code could do this automatically if it used the established
> >control-connection entries to determine the routing of the GRE
> packets, as
> >long as there's a 1:1 correspondence between local and remote
> endpoints.

Actually I didn't state that quite correctly.  This scheme would work fine
for multiple incoming sessions to a single server.  What it doesn't handle
is multiple outgoing sessions to a single server from different LAN
clients.

> How to set this up?
> I do not understand you how I can fix my problem.

AFAIK you can't. :-) That was a general comment on how the NAT code could
be enhanced to handle this case better, and I hadn't noticed that the
thread had gone off-list, perhaps unintentionally.

You *may* be able to get this to work by having some rules with the proper
priorities such that GRE traffic from the modem gets delivered locally and
all other GRE traffic gets forwarded.

Or perhaps you could make the m0n0wall the PPTP server instead of whatever
other server you're using.  Having all PPTP terminate in the same endpoint
avoids these issues.

> >Or you could find a modem that uses PPPoE instead of PPTP. :-)
> Yes..but I bought this for a lot of money :-)
> I can tweak it to use PPPoE but I now this is not necesarry..

Do you mean that the modem could be configured to use PPPoE?  If so,
that's probably worthwhile, since it avoids the PPTP conflicts.  PPTP is a
really nasty protocol, and the only reason a lot of modems use it is
because it's available "out of the box" in Windoze.

					Fred Wright