 From:  "Mauricio Culibrk" <Mauricio dot Culibrk at infohit dot si>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  PPTP clients - blocked traffic - bug/misconfiguration?
 Date:  Sat, 4 Feb 2006 14:48:26 +0100
Hi!

Lately I spent a lot of time playing with m0n0 and PPTP connections and I think there is a
"misconfiguration" or a flaw in the original setup of PPTP client access in m0n0wall.

Correct me if I'm wrong...

If you set the PPTP server on m0n0wall to serve your clients with a set of LAN IP addresses (yes, to
have the clients look as if they are really on the LAN segment), m0n0wall will create/activate ngX
interfaces and add additional (proxy) ARP entries to "serve" the clients. That's all OK and working as
it is supposed to.
When the clients generate some traffic, it goes through the FW rules to the LAN (or other
destination) and responses get back as expected. Basically, from the CLIENT side it's working OK, as
expected.

The problem is, the clients are NOT ACCESSIBLE FROM the LAN or other "internal" networks...
For example, when some client is connected, it gets the IP 192.168.1.100, pptp server has
192.168.1.2, m0n0 lan 192.168.1.1.
Now I can ping (or whatever is enabled in FW rules) TO some internal hosts and all is working as
expected, for example, if I ping 192.168.1.10 (which is a server) from the client it is all ok.
If I now ping the client (192.168.1.100) from the same host (192.168.1.10), the m0n0 firewall is
dropping ANY packets that are GENERATED from "inside" towards PPTP clients....

I tried with all possible rules in FW on all interfaces (lan, wan, pptp) without success...

After some debugging and researching I found that such a setup is not supported with the current
"hardwired" set of FW rules and there is no way to "fix" this by entering some "user rules" via the
GUI...

Any comment on this would be appreciated.

Thanks,
Mauricio