 From:  JR <tiresias at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  PPTP redirection oddity
 Date:  Thu, 25 Jan 2007 01:06:02 -0500
Hello,
I am experiencing unexpected behavior with PPTP redirection enabled on
m0n0wall 1.21.

I have a m0n0wall with several servers behind it, one being a windows
PPTP VPN server. I am using 1:1 NAT to map public IPs on the WAN to
internal IPs for the servers. I am also using Server NAT for one of
the public IPs. I have firewall rules allowing access only to some
specific ports on the servers and workstations, but no rules allow
traffic on TCP port 1723. I am using the PPTP redirection option to
forward PPTP traffic arriving at the m0n0wall WAN IP to the windows
PPTP server.

PPTP connections through the m0n0wall WAN IP to the internal windows
PPTP server work fine. The odd/unexpected behavior is that the
m0n0wall seems to also be opening TCP port 1723 on both the public IP
of the windows PPTP server (assigned via 1:1 NAT) and the Server NAT
public IP. Although TCP 1723 is clearly open on those IPs (verified
with telnet), PPTP connections do not succeed on those IPs.

Example to help make this clear:

m0n0wall WAN IP: 1.1.1.2 / LAN IP: 10.0.0.1
1:1 NAT IPs:
  1.1.1.3 <-> 10.0.0.3 (fw rules allow ports 22 and 3306 only)
  1.1.1.4 <-> 10.0.0.4 (fw rules allow ports 80 and 443 only)
  1.1.1.5 <-> 10.0.0.5 (fw rules allow port 3389 only)
Server NAT IP: 1.1.1.7 (incoming NAT/fw rules fwd ports 5901 and 5202
to 10.0.0.77 and 10.0.0.78, respectively)
m0n0wall PPTP redirection address: 10.0.0.4

With that configuration, TCP port 1723 was inexplicably open on
1.1.1.2, 1.1.1.4 and 1.1.1.7, but PPTP connections succeeded only on
1.1.1.2.

I have worked around the issue by disabling PPTP redirection and
instead adding firewall rules to pass GRE and TCP 1723 traffic to the
windows PPTP server. Making only those changes resulted in TCP 1723
being blocked (filtered) from the outside on all IP's except for the
windows PPTP server public IP (1.1.1.4 above), as expected.

If I revert to the original config (remove the rules forwarding TCP 1723
and GRE; enable PPTP redirection to 10.0.0.4), then I find port 1723
again open on three public IPs.

This leads me to wonder exactly what the PPTP redirection option is
supposed to do. Is it just a convenience feature that is supposed to
create NAT and firewall rules behind the scenes to do what I have now
set up manually, or does it do something else as well? Is there any
valid reason for it to open/pass TCP 1723 on IPs other than the m0n0wall WAN
IP, or could this be a strange bug?

Regards,
JR
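The check JR did by hand with telnet (connect to each public IP on TCP 1723 and on its intended ports), scripted, with the intended exposure written down per address and diffed against what actually answers. This is an added example, not code from the post or from m0n0wall; the two policy tables and the "observed" sets are constructed from the configuration in the post, and a live run would need the real addresses. Only TCP is probed: GRE (IP protocol 47), which PPTP also needs, cannot be checked with a TCP connect and is out of scope here.

```python
"""Audit which public IPs expose which TCP ports and compare the result
against the exposure intended by the NAT/firewall config.

Added example, not from the original post or from m0n0wall. Policies and
observed sets below are constructed from the post's description.
"""
import socket
import sys
from typing import Dict, Iterable, List, Set, Tuple

# Intended exposure with PPTP redirection enabled: only the WAN IP should
# accept TCP 1723; 1:1 NAT and Server NAT addresses only their listed ports.
POLICY_REDIRECTION: Dict[str, Set[int]] = {
    "1.1.1.2": {1723},
    "1.1.1.3": {22, 3306},
    "1.1.1.4": {80, 443},
    "1.1.1.5": {3389},
    "1.1.1.7": {5901, 5202},
}

# Intended exposure after the workaround: redirection off, explicit pass
# rules for TCP 1723 (and GRE, not checked here) to the PPTP server's public IP.
POLICY_WORKAROUND: Dict[str, Set[int]] = {
    "1.1.1.2": set(),
    "1.1.1.3": {22, 3306},
    "1.1.1.4": {80, 443, 1723},
    "1.1.1.5": {3389},
    "1.1.1.7": {5901, 5202},
}

# Constructed scan result matching what the post reports with redirection
# on: TCP 1723 answers on 1.1.1.2, 1.1.1.4 and 1.1.1.7.
OBSERVED_REDIRECTION: Set[Tuple[str, int]] = {
    ("1.1.1.2", 1723),
    ("1.1.1.3", 22), ("1.1.1.3", 3306),
    ("1.1.1.4", 80), ("1.1.1.4", 443), ("1.1.1.4", 1723),
    ("1.1.1.5", 3389),
    ("1.1.1.7", 5901), ("1.1.1.7", 5202), ("1.1.1.7", 1723),
}

# Constructed scan result matching the post's workaround state: 1723 only
# on the PPTP server's public IP.
OBSERVED_WORKAROUND: Set[Tuple[str, int]] = {
    ("1.1.1.3", 22), ("1.1.1.3", 3306),
    ("1.1.1.4", 80), ("1.1.1.4", 443), ("1.1.1.4", 1723),
    ("1.1.1.5", 3389),
    ("1.1.1.7", 5901), ("1.1.1.7", 5202),
}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port completes (the telnet check from the
    post, scripted). A filtered port times out, a closed one is refused."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(policy: Dict[str, Set[int]],
         extra_ports: Iterable[int] = (1723,)) -> Set[Tuple[str, int]]:
    """Probe every policy host on its allowed ports plus extra_ports (the ports
    suspected of leaking) and return the set of (host, port) that answered.
    Network access required; not exercised by the offline demo below."""
    observed: Set[Tuple[str, int]] = set()
    for host, allowed in policy.items():
        for port in sorted(allowed | set(extra_ports)):
            if tcp_open(host, port):
                observed.add((host, port))
    return observed


def audit(policy: Dict[str, Set[int]],
          observed: Set[Tuple[str, int]]) -> Tuple[List[Tuple[str, int]],
                                                     List[Tuple[str, int]]]:
    """Diff observed open ports against the intended policy.
    Returns (unexpected_open, expected_but_not_answering), both sorted."""
    expected = {(h, p) for h, ports in policy.items() for p in ports}
    return sorted(observed - expected), sorted(expected - observed)


if __name__ == "__main__":
    # Offline demo on the constructed data; pass --live to probe for real.
    if "--live" in sys.argv:
        observed = scan(POLICY_REDIRECTION)
    else:
        observed = OBSERVED_REDIRECTION
    unexpected, missing = audit(POLICY_REDIRECTION, observed)
    for host, port in unexpected:
        print(f"UNEXPECTED open: {host}:{port}")
    for host, port in missing:
        print(f"expected but not answering: {host}:{port}")
```

Run against the redirection-on policy, the constructed observation flags 1.1.1.4:1723 and 1.1.1.7:1723 as unexpected, which is exactly the oddity the post describes; run the workaround observation against the workaround policy and nothing is flagged. Keep the policy table next to the NAT config so a later rule change is re-checked the same way.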