[ previous ] [ next ] [ threads ]
 From:  "Claude Morin" <klodefactor at gmail dot com>
 To:  "m0n0wall Mailing List" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: PPTP connections fail for several hours after ending a PPTP session
 Date:  Mon, 23 Jul 2007 13:18:22 -0400
Just found this post by Chris Buechler
http://m0n0.ch/wall/list/showmsg.php?id=322/75.  With m0n0wall, each
external IP on the WAN interface can support only one PPTP connection.  This
appears to be a limitation of m0n0wall rather than a limitation of the PPTP
protocol.  For my scenario below, this means that as long as userA is
connected to site1, userB can't connect to any PPTP server, even if it's a
different one (i.e. site2).

However, this doesn't explain the behaviour I'm seeing once userA
disconnects from site1.  Shouldn't userB be able to connect anywhere once
userA disconnects and no PPTP sessions exist?

Oh and lastly, I forgot to mention that after userA disconnects from site1,
they can immediately re-connect to site1, or make a new connection to
site2.  This is what leads me to think there's state being maintained


On 7/23/07, Claude Morin <klodefactor at gmail dot com> wrote:
> I have several users trying to make PPTP connections from behind a
> m0n0wall (v1.231) to an Internet-connected PPTP server.  The m0n0wall has
> private IP addresses for the LAN, a single static IP for the WAN, and hide
> NAT for outbound connections.  Here's the problem scenario:
>    - userA connects to site1 successfully
>    - userB can not connect to site1 while userA is connected
>       - This is a known limitation when all LAN hosts hide behind
>       only one external IP, correct?
>    - userB can not connect to site2 while userA is connected
>       - I believe this should work.  Can anyone verify?
>    - userA disconnects from site1
>    - userB still can not connect to site1 or site2
>       - I believe both should work.
>    - If we wait several hours, something must get reset or time out
>    somewhere, because the first user to try to connect via PPTP (to either
>    site1 or site2) succeeds.
>       - Rebooting the m0n0wall has the same effect: once the
>       m0n0wall is back up, the first user to try succeeds.
>       - Using "Diagnostics -> Reset state" for "Firewall state
>    table" has no effect.
>       - BTW I just now asked my users to try the "Reset state"
>       operation for just "NAT table", and then for both.
> Thanks in advance for any insights,
> -klode