 From:  William Arlofski <waa dash m0n0wall at revpol dot com>
 To:  Greg Miller <gmiller at mainstaydata dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP and multiple subnets
 Date:  Fri, 23 Sep 2005 10:22:17 -0400
Greg Miller wrote:
> Is it possible to access IPSEC and DMZ networks via a PPTP connection
> with m0n0wall?  I would like to be able to remote in from home and
> access all the remote locations but it seems that I can only access the
> LAN portion on m0n0wall.  Thanks.
> --
> Greg Miller
> www.mainstaydata.com

heh... Hi Greg, I was JUST reviewing my Freenode #m0n0wall IRC logs from
January 2005 and a long conversation between me (mtnbkr) and GeekGod
trying to work on JUST this issue. I was resurfacing the issue because I
wanted to see if the upcoming 1.2 release takes care of the problem we
were working on - which you are now asking about. I needed to review and
refresh my memory about the issue before I could research the m0n0

Not sure if the Freenode #m0n0wall logs are archived online anywhere,
but I can tell you that our conversation was on January 12th (and maybe
the 13th I am still re-reading).

If they are not archived I can forward you my logs as I am still poring
over them to try to see if the issues we were discussing have been
addressed in one of the more recent m0n0wall updates.

The issue was that the packets from the internal subnets are hitting and
are allowed to leave the PPTP interfaces (ng1-ng16), replies are being
allowed back INTO the ng1-ng16 interfaces but they are being stopped by
the default deny rule on their way OUT of the LAN interface on their way
to internal subnets that are NOT the "LAN Network".

We were able to make this work way back when by use of the <shellcmd>,
but anytime any rule change was made with the web gui, a reboot would be
required so that the shellcmd would run and properly apply our custom
rules. Not too big an issue since m0n0 on this WRAP takes 23 seconds
to boot and my client is ONLY using it as a VPN gateway, but it is
obviously not the best idea to be rebooting a firewall every time a minor
change is made.  :)

You can check the m0n0wall list archives on or about January 12th 2005
for my post(s) on this topic as well.

Bill Arlofski
Reverse Polarity
email: waa dash m0n0wall at revpol dot com
jabber id: waa at jabber dot org