 From:  "Mike Ansell" <mike dot ansell at norrcom dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  VPN firewall NAT problem - please help me
 Date:  Sun, 30 Apr 2006 19:50:03 +1200
Hi all.

I gave up trying to use m0n0wall as a vpn redirect server.

I ended up setting it up as purely a firewall between our wireless network
and VPN server.

I am experiencing trouble (something NAT going on) when I try to connect 2
or more VPN connections through the firewall.

We are setting this up to keep wireless clients secure from the LAN. Any
data is inside a VPN tunnel.

Current Setup:

Wireless clients 172.16.3.x
            |
            |
Lan-172.16.3.2/16
M0n0wall firewall
- I had the LAN/WAN on the other sides - Chris Buechler said to swap as the
GW should be pointing at the VPN server, makes a lot of sense.
Wan-192.168.103.2/24
GW-192.168.103.1
            |
            |
192.168.103.1/24
VPN Server (Windows 2003 running RAS, plain old PPTP)
192.168.1.10/24
GW-192.168.1.1
            |
            |
192.168.1.1/24
Internet Router
 
Wireless clients use the IP address of the VPN server 192.168.103.1 to make
the connection; as the m0n0 box's default gateway is the VPN server, it routes
to it correctly.
 
I have the below firewall rules. They don't interfere anyway; it still
doesn't work when an Allow ANY ANY ANY rule is at the top of both interfaces.

I did some testing and found that if I disconnect my VPN and do a NAT table
reset, a different machine can make the VPN connection. Then no one else can
connect until the NAT table is reset again.

The second user can't get past the Verifying Username and password screen.

I have no inbound/outbound/server/1:1 NAT rules. I haven't ticked the
'Enable Advanced Outbound NAT' box. (No VPN works when this is ticked.)

It has got to be something stupid I have overlooked. I welcome all ideas.


Thanks everyone.

Mike.

 

WAN rules:

ALLOW GRE 
ALLOW UDP 500 
ALLOW UDP 1701 
ALLOW TCP 1723


LAN rules:

ALLOW GRE 
ALLOW UDP 500 
ALLOW UDP 1701 
ALLOW TCP 1723
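The one-tunnel-at-a-time symptom above is consistent with a NAT that tracks GRE only by addresses: GRE has no port numbers, so two PPTP calls from different inside hosts to the same server collapse into one mapping unless the NAT also tracks the PPTP Call ID from the enhanced GRE header (RFC 2637). The following is an added illustration, not code from the post or from m0n0wall; the addresses are the ones in the diagram, the call IDs and the two small NAT models are constructed for the example.

```python
import struct

GRE_PROTO = 47
PPTP_GRE_TYPE = 0x880B  # PPP carried in enhanced GRE (RFC 2637)

def pptp_gre_packet(call_id, payload=b""):
    """Enhanced GRE header: K bit set, version 1, key = payload length | call ID."""
    return struct.pack("!HHHH", 0x2001, PPTP_GRE_TYPE, len(payload), call_id) + payload

def call_id_of(packet):
    """Pull the Call ID out of an enhanced GRE header; reject anything else."""
    flags_ver, gre_type, _length, call_id = struct.unpack("!HHHH", packet[:8])
    if flags_ver & 0x2007 != 0x2001 or gre_type != PPTP_GRE_TYPE:
        raise ValueError("not an RFC 2637 enhanced GRE packet")
    return call_id

class PlainNat:
    """Constructed model: tracks GRE like any portless protocol, one mapping per outside host."""
    def __init__(self, outside_ip):
        self.outside_ip, self.table = outside_ip, {}
    def register_call(self, inside_ip, server_ip, client_call_id):
        pass  # no PPTP helper: the TCP 1723 control channel is not inspected
    def outbound(self, inside_ip, server_ip, packet):
        self.table.setdefault((GRE_PROTO, server_ip), inside_ip)  # first client wins
    def inbound(self, server_ip, packet):
        return self.table.get((GRE_PROTO, server_ip))  # every reply -> first client

class PptpAwareNat(PlainNat):
    """Constructed model: also keys on the client's Call ID, which a PPTP helper learns
    from the Outgoing-Call-Request on TCP 1723; the server echoes it in every GRE reply."""
    def register_call(self, inside_ip, server_ip, client_call_id):
        self.table[(GRE_PROTO, server_ip, client_call_id)] = inside_ip
    def inbound(self, server_ip, packet):
        return self.table.get((GRE_PROTO, server_ip, call_id_of(packet)))

def simulate(nat_cls):
    """Two wireless clients dial the same PPTP server; return who gets each reply."""
    server, nat = "192.168.103.1", nat_cls("192.168.103.2")  # addresses from the post
    clients = {"172.16.3.10": 0x0101, "172.16.3.11": 0x0202}  # constructed call IDs
    for inside_ip, cid in clients.items():
        nat.register_call(inside_ip, server, cid)
        nat.outbound(inside_ip, server, pptp_gre_packet(0x0A0A))  # carries server's ID
    return {inside_ip: nat.inbound(server, pptp_gre_packet(cid))
            for inside_ip, cid in clients.items()}

if __name__ == "__main__":
    print("plain NAT     :", simulate(PlainNat))
    print("PPTP-aware NAT:", simulate(PptpAwareNat))
```

With the plain model both servers' replies land on the first client, which matches "the second user can't get past Verifying Username and password"; the Call-ID-aware model delivers each reply to the right host.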