 
 From:  "Sandro Kehrlein" <sandro at kehrlein dot de>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: AW: [m0n0wall] Problem with GRE-Protocoll (VPN over WLAN)
 Date:  Mon, 2 Jan 2006 19:31:05 +0100
Here we go!
Ticking 'Allow fragmented packets' does it! :-) I've chosen this option now on every "Pass" rule.
Does it make sense to allow DNS and NetBIOS queries from the WLAN (where everything is blocked,
only VPN allowed)? I've seen that there are a lot of log entries to port 53 and 137 before and while
I'm connecting with PPTP VPN. I think this isn't a security reason for someone who is not allowed
to visit the local net.
Thank you very much!
This list and of course the Wall is great!!
Bye


From: Kristian Shaw [mailto:monowall at wealdclose dot co dot uk] 
Sent: Monday, 2 January 2006 18:40
To: Sandro Kehrlein
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: AW: [m0n0wall] Problem with GRE-Protocoll (VPN over WLAN)

Hello,

In that case, I would suspect an issue with MTU size or packet fragmentation. Remote Desktop seems
quite sensitive to packet fragmentation issues. Is your office VPN also PPTP, or some other client?

Try ticking the 'Allow fragmented packets' box on the m0n0wall for each of your rules and see if
that improves things.

Regards,

Kris.

----- Original Message -----
From: "Sandro Kehrlein" <sandro at kehrlein dot de>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Monday, January 02, 2006 5:31 PM
Subject: AW: AW: [m0n0wall] Problem with GRE-Protocoll (VPN over WLAN)


Hello,
I tried a lot of different rules, but it didn't work :-(
Here are my current rules:

WS = IP of the webserver
MW = IP of the WLAN interface (not the standard LAN IP)


LAN:
Action  Proto    Source         Port  Dest.  Port  Description
pass    *        LAN net        *     *      *


WAN:
Action  Proto    Source         Port  Dest.  Port  Description
Block   *        RFC 1918       *     *      *
Pass    TCP      *              *     WS     80    internal Webserver
Block   *        *              *     *      *


PPTP VPN:
Action  Proto    Source         Port  Dest.  Port  Description
Pass    *        PPTP Clients   *     *      *


WLAN (DMZ):
Action  Proto    Source         Port  Dest.  Port  Description
Pass    TCP/UDP  WLAN net       *     MW     1723  VPN
Block   *        WLAN net       *     *      *


An additional rule with the GRE protocol doesn't help. I reboot the Wall 
every time I change something.
The problem is not that my VPN isn't working. Only if I try to connect with 
Remote Desktop over a second VPN to my office, I can't connect.
My VPN over WLAN works. My office VPN over VPN over WLAN works too.

I don't know what I can try anymore ....

Bob


From: Jeff Buehler [mailto:jeff at buehlertech dot com]
Sent: Monday, 2 January 2006 17:23
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: AW: [m0n0wall] Problem with GRE-Protocoll (VPN over WLAN)

Do you have the necessary PPTP VPN specific firewall rule?  When you go to 
the GUI, you should see LAN, WAN and PPTP VPN rules - double check your PPTP 
VPN rule.  Also, you may want to verify the order of your rules (if it makes 
any difference in your case) and finally reboot the router as a last 
resort - this has on occasion made the difference for me.

The configuration you describe (Remote Desktop Client -> pptp vpn -> Remote 
Desktop server) is something I am doing as well and I have no problems with 
it.  So I am guessing it must be a configuration issue.

Jeff


Sandro Kehrlein wrote:

>Hi,
>Thanks for the fast answer, but it didn't help...
>Even allowing ALL on the interface WLAN (*:* to *:*, all protocols) doesn't 
>help. Any ideas?
>Thanks...
>Bob
>

>From: Kristian Shaw [mailto:monowall at wealdclose dot co dot uk]
>Sent: Monday, 2 January 2006 15:15
>To: Sandro Kehrlein; m0n0wall at lists dot m0n0 dot ch
>Subject: Re: [m0n0wall] Problem with GRE-Protocoll (VPN over WLAN)
>
>Hello,
>
>Port 1723 is used to set-up the PPTP connect, but the actual traffic is 
>carried over GRE (a protocol type in its own right).
>
>You will also need to allow GRE from the WLAN interface.
>
>Regards,
>
>Kris.
>
>----- Original Message -----
>From: "Sandro Kehrlein" <sandro at kehrlein dot de>
>To: <m0n0wall at lists dot m0n0 dot ch>
>Sent: Monday, January 02, 2006 2:09 PM
>Subject: [m0n0wall] Problem with GRE-Protocoll (VPN over WLAN)
>
>
>Hello,
>first a small introduction: I use a 3rd NIC for WLAN, here I've
>connected a standard AP. I deny all traffic from WLAN to *; except
>TCP/UDP from * to m0n0wall:1723. So I am only allowed to login into VPN
>(PPTP) from WLAN. To connect to my network or the internet, I have to
>connect via VPN and that's all working very fine...
>But now I often connect to my office via VPN. So on my laptop are 3
>connections: Wireless Network, VPN Tunnel to m0n0wall, VPN Tunnel into
>my office. I can access shares on my office workstations, that's not
>the problem. But if I try to connect via Remote Desktop Connection to
>my office server, I get an error that there are network problems.
>There is the following entry in the logs: Deny - Interface PPTP - Laptop
>VPN IP - Office Server IP (the ISP IP, not the internal IP) - Protocol GRE.
>I allow everything from PPTP clients to *  -  each protocol. Now I
>added a second rule, allowing GRE specifically. It doesn't help...
>Anybody out there who can help me?
>Thanks a lot!
>Bob
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>
>
>
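As an added illustration (not code from anyone in this thread or from m0n0wall) of the two points Kris raises above, that PPTP's data channel is GRE (IP protocol 47) rather than a port, and that a pass rule without 'Allow fragmented packets' can drop non-first fragments, here is a small Python model of first-match rule evaluation over constructed IPv4 packets. The addresses, the first-match order and the simplified fragment-handling model are assumptions.

```python
import struct
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
MW = "192.168.2.1"  # constructed stand-in for "MW", the m0n0wall WLAN-side address

def build_ipv4(proto, src, dst, frag_off=0, payload=b""):
    """Constructed minimal IPv4 packet: 20-byte header, checksum left at 0."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                      frag_off & 0x1FFF, 64, proto, 0, s, d)
    return hdr + payload

def parse_ipv4(pkt):
    """Return (proto, src, dst, frag_off, dport); dport is None when no TCP/UDP
    header is readable: GRE has no ports, a non-first fragment has no L4 header."""
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl, frag_off, proto = (f[0] & 0x0F) * 4, f[4] & 0x1FFF, f[6]
    dport = None
    if frag_off == 0 and proto in (IPPROTO_TCP, IPPROTO_UDP):
        dport = struct.unpack("!HH", pkt[ihl:ihl + 4])[1]
    return proto, ".".join(map(str, f[8])), ".".join(map(str, f[9])), frag_off, dport

def evaluate(rules, pkt):
    """First match wins (assumed, as in the ordered lists above). Simplified model
    of the checkbox: without allow_frag a rule never matches a non-first fragment;
    with it the fragment is judged on proto/address alone (no port to check)."""
    proto, src, dst, frag_off, dport = parse_ipv4(pkt)
    for r in rules:
        if r.get("proto") and proto not in r["proto"]:
            continue
        if r.get("dst") and dst != r["dst"]:
            continue
        if frag_off:
            if not r.get("allow_frag"):
                continue
        elif r.get("dport") is not None and dport != r["dport"]:
            continue  # a port rule can never match GRE, since dport is None
        return r["action"], r["desc"]
    return "block", "default deny"

# WLAN (DMZ) rules as posted, then the same list with a GRE pass rule added
WLAN_ORIGINAL = [{"action": "pass", "proto": {IPPROTO_TCP, IPPROTO_UDP},
                  "dst": MW, "dport": 1723, "desc": "VPN"},
                 {"action": "block", "desc": "block WLAN net"}]
WLAN_WITH_GRE = [WLAN_ORIGINAL[0],
                 {"action": "pass", "proto": {IPPROTO_GRE}, "dst": MW, "desc": "VPN GRE"},
                 WLAN_ORIGINAL[1]]
# PPTP VPN interface rule "Pass * PPTP Clients * * *", without and with fragments allowed
PPTP_NOFRAG = [{"action": "pass", "desc": "PPTP clients any"}]
PPTP_FRAG = [{"action": "pass", "allow_frag": True, "desc": "PPTP clients any"}]
```

Run `evaluate(PPTP_NOFRAG, build_ipv4(IPPROTO_GRE, "10.0.0.5", "203.0.113.9", frag_off=185))` to reproduce the "Deny ... Protocol GRE" log entry, and the same call with `PPTP_FRAG` to see the pass.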


