 From:  "Brandon Kahler" <bkahler at techline dot com>
 To:  <bkahler at techline dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Standalone PPTP/IPsec Server: Questions on setup
 Date:  Tue, 7 Feb 2006 18:50:26 -0800
Ok, so I've fixed a few things, learned a few things, and have other

It seems I totally missed making Any/Any rules for the PPTP interface.
Traffic flows now from a PPTP client to the internal networks, and vice
versa.  ICMP from any host to any other host without issue.

This is where more trouble begins.  It's dog slow :(
In my testing all of this took place on a 100Mbps LAN (even testing from
outside the PIX as a remote client).
The tunnel comes up fine, but passing traffic is like pulling teeth.  I did
some iperf tests and got back some strange results.

iperf from the internal network to the PPTP client I can get ~1.5 Mbits/sec
(I was expecting far more)
iperf from the PPTP client to the internal network I can get 800 bits/sec!

Even watching the PPTP interface statistics in Windows shows a massive
difference between received packets and sent packets.  Where received is in
the millions, sent is barely breaking 30,000.  So what gives?

It doesn't appear to be CPU or memory on m0n0wall (1GHz P3, 256MB, fxp NICs)

Any reason one side of the tunnel would work better than the other?

Well now this is interesting.  I just tried the same PPTP connection from
home (DSL 1.5/256) and I'm getting a full 256kbps sending with iperf to the
internal network.  Hrm.. perhaps I should revisit the setup at work where I
was testing my client from.


-----Original Message-----
From: bkahler at techline dot com [mailto:bkahler at techline dot com]
Sent: Tuesday, February 07, 2006 10:11 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Standalone PPTP/IPsec Server: Questions on setup

I've been trying to set up a standalone PPTP/IPsec server off a stub segment at
work.  I want an external client to be able to access anything on the
network through PPTP (and eventually site-to-site IPsec tunnels as well).  I've
included a Visio drawing that should explain what I'm trying to do.


Here's what I've got:
PIX 515E Border Firewall
3662 Internal Router
Internal Network (consisting of two subnets [secondary addressing]) directly
attached to Fa0/1
A route statement to the OPT1 interface of the m0n0wall (NAT turned off,
Firewall Rules)

External clients can connect via PPTP to the OPT1 interface just fine.  The
ACLs on the PIX are in place for Any/PPTP and Any/GRE to OPT1.
When the tunnel comes up the DNS server is always listed as the LAN
(instead of the two specified DNS servers)
No traffic wants to pass in/out of the tunnel.

I can access both the WAN and OPT1 interfaces from anywhere on the internal
network for management/ICMP just fine.  Routing is working fine.

What am I doing wrong or can this not be done?
