 
 From:  Hilton Travis <Hilton at QuarkAV dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP Server with PPTP Clients Behind]
 Date:  Mon, 16 Feb 2004 11:18:23 +1000
Hi All,

> From: darkside <darkside at ricerage dot org>
> 
> Hi again Hilton :)
> 
> On Sun, 2004-02-15 at 18:12, Hilton Travis wrote:
> > Hi Brian,
> > 
> > On Mon, 2004-02-16 at 09:06, darkside wrote:
> > > On Sun, 2004-02-15 at 17:55, Hilton Travis wrote:
> > > > Hi Ben,
> > > > 
> > > > On Mon, 2004-02-16 at 07:06, Ben Carlisle wrote:
> > > > > Folks,
> > > > >    Just got m0n0 working and I love it (convert from shorewall on a Linux
> > > > > machine). I am having one problem however. When I enable the PPTP server on
> > > > > m0n0, my LAN clients from behind m0n0 cannot open VPN PPTP connections to
> > > > > the outside world. If I disable the PPTP server, connections are opened
> > > > > fine.
> > > > > 
> > > > >    I'd like to have my m0n0 machine as a PPTP server for road warrior-type
> > > > > connections from the outside world, and allow PPTP from clients on the LAN
> > > > > to outside PPTP servers. Can I do both?
> > > > 
> > > > The reason you cannot do this is because when the PPTP Server is running
> > > > on m0n0wall, it needs to use the same ports/protocols that need to be
> > > > forwarded thru the m0n0wall if you want to get internal machines making
> > > > PPTP connections.  The only way this could possibly work is if you had
> > > > multiple public IPs, and utilize one for the PPTP Server, and another
> > > > for the outbound clients.
> > > 
> > > I'm not trying to be argumentative, but I doubt thats the case. Before
> > > discovering m0n0wall my firewall ran on a minimal Debian GNU/linux
> > > install, with both the poptop pptpd, as well as netfilter and pppd
> > > patches. pptpd acted as the PPTP server for inbound connections, and the
> > > netfilter patches allowed the NAT'ed hosts behind it to connect to
> > > remote pptpd's. Granted this was accomplished through netfilter
> > > patch-o-matic voodoo, but it worked great.
> > > 
> > > As for ports/protocols, again I'm pretty sure thats incorrect. On the
> > > external interface, one would need to allow port 1723 and GRE traffic
> > > inbound. On outbound initiated connections, one would need to make sure
> > > that GRE traffic wasn't munged by the NAT implementation. Outbound
> > > connections certainly wouldn't require 1723, but instead would initiate
> > > on a "high port". 
> > 
> > It still uses protocol GRE in both directions, but yes, different ports
> > are used.  I've not had my coffee yet!  :)

I now have a coffee in front of me, and I'm feeling much better, now.  <maniacal grin>

> > > Now that I've actually thought that through enough to provide you with
> > > the above explanation, sounds more like ipfilter's "proxy" requirements
> > > for particular protocols (ftp, irc dcc, etc, ad nauseum) getting in the
> > > way.
> > 
> > Does, kinda, doesn't it.
> 
> Hell. Sent this mail from a freshly imaged box, and apparently my mail
> settings are incorrect. I was hoping the previous mail would hit the
> list.
> 
> Mind taking care of that for me, since apparently I'm too silly to
> properly set it up myself? Much appreciated. :)

Sure, I'll also add Ben's question - hope he doesn't mind.  :)

On Mon, 2004-02-16 at 09:52, Ben Carlisle wrote: 
> Could I get around this by forwarding WAN PPTP traffic to a
> LAN PPTP server?

You could, but thinking about it now, this may not be necessary.

Inbound PPTP (to your internal/m0n0wall PPTP Server) requires 
TCP/1723/Inbound and Protocol 47 Inbound to be opened (and forwarded 
to an internal server, if the m0n0wall box is not acting as the PPTP 
Server).

Outbound PPTP (from your internal LAN to a remote server) shouldn't 
require anything - m0n0wall should allow the traffic out without 
issue.  HOWEVER, returned traffic will be using GRE and port 1723, 
therefore this is where the issue may well be.

Not having used PPTP myself in such a situation, I'd need to play 
with this a bit more to come up with a "supported" answer.  :)

Hopefully someone else in here has this working and can let us all 
know how to configure things before I have to set it up just to play.

-- 

Regards,

Hilton Travis                   Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual      Phone: +61-(0)419-792-394
         Quark Computers         http://www.QuarkAV.com/
(Brisbane, Australia)            http://www.QuarkAV.net/

Open Source Projects:		http://www.ares-desktop.org/
				http://www.mamboband.org/

Non Linear Video Editing Solutions & Digital Audio Workstations
 Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
  Conference and Seminar AudioVisual Production and Recording

War doesn't determine who is right. War determines who is left.
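The thread keeps coming back to the same point: the PPTP control channel is ordinary TCP (port 1723 on the server, a high port on the client), but the data channel is GRE, IP protocol 47, which has no port numbers at all. A NAT box therefore cannot steer a returning GRE packet by port; the only per-tunnel identifier it has is the Call ID in the enhanced GRE header defined by RFC 2637, and that ID is chosen by each endpoint, so two tunnels through the same firewall can legitimately pick the same one. The example below is added here and is not m0n0wall or netfilter code; it parses and builds RFC 2637 GRE headers and models the state a PPTP-aware NAT (such as the netfilter helper mentioned above) has to keep, including rewriting a colliding Call ID. The peer address, LAN host and "firewall-pptpd" owner name are constructed sample values.

```python
"""Enhanced GRE (RFC 2637) header handling and a minimal PPTP NAT state table.

Added example, not code from the thread or from m0n0wall. Assumes the
header layout of RFC 2637 section 4.1: 16 bits of flags/version,
protocol type 0x880B, 16-bit payload length, 16-bit Call ID, then an
optional sequence number (S bit) and acknowledgement number (A bit).
"""
import struct

PPTP_GRE_PROTO = 0x880B            # protocol type for PPP carried in PPTP GRE
FLAG_K, FLAG_S, FLAG_A = 0x2000, 0x1000, 0x0080   # key present / seq present / ack present
VER_MASK = 0x0007                  # low 3 bits: GRE version, must be 1 for PPTP


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Build an RFC 2637 GRE packet (the part that follows the IP header)."""
    flags = FLAG_K | 1             # Key field present, version 1
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    hdr = struct.pack("!HHHH", flags, PPTP_GRE_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(pkt):
    """Parse an RFC 2637 GRE packet; reject anything that is not PPTP GRE v1."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, plen, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != PPTP_GRE_PROTO or (flags & VER_MASK) != 1 or not flags & FLAG_K:
        raise ValueError("not an RFC 2637 (PPTP) GRE packet")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        (seq,) = struct.unpack_from("!I", pkt, off)
        off += 4
    if flags & FLAG_A:
        (ack,) = struct.unpack_from("!I", pkt, off)
        off += 4
    payload = pkt[off:off + plen]
    if len(payload) != plen:
        raise ValueError("payload length mismatch")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": payload}


class PptpNat:
    """Model of the per-call state a NAT needs because GRE carries no ports.

    Inbound GRE is keyed on (remote peer, Call ID on the wire). The Call ID
    is picked by the receiving endpoint, so a LAN client and the firewall's
    own PPTP server can both choose the same value for tunnels to the same
    peer; a PPTP-aware NAT resolves that by rewriting the ID on the wire,
    as a netfilter-style helper does. Without this table every inbound GRE
    packet is unroutable and must be dropped.
    """

    def __init__(self):
        self.by_wire = {}          # (peer_ip, wire_call_id) -> (owner, owner_call_id)

    def register_call(self, peer_ip, owner, owner_call_id):
        """Record a call learned from the TCP/1723 control channel.

        Returns the Call ID the remote peer must put on the wire; it differs
        from owner_call_id only when another tunnel to that peer already owns it.
        """
        wire_id = owner_call_id
        while (peer_ip, wire_id) in self.by_wire:
            wire_id = (wire_id + 1) & 0xFFFF            # pick a free ID on collision
        self.by_wire[(peer_ip, wire_id)] = (owner, owner_call_id)
        return wire_id

    def deliver_inbound(self, peer_ip, pkt):
        """Return (owner, packet with the owner's Call ID restored), or None to drop."""
        parsed = parse_pptp_gre(pkt)
        entry = self.by_wire.get((peer_ip, parsed["call_id"]))
        if entry is None:
            return None                                 # no state: unroutable GRE
        owner, orig_id = entry
        restored = pkt[:6] + struct.pack("!H", orig_id) + pkt[8:]   # Call ID is bytes 6..7
        return owner, restored


def demo():
    """Constructed scenario: LAN client and the firewall's own server collide on Call ID 1."""
    nat = PptpNat()
    peer = "203.0.113.10"                               # constructed remote PPTP peer (TEST-NET-3)
    wire_client = nat.register_call(peer, "192.168.1.20", 1)     # LAN client's outbound tunnel
    wire_server = nat.register_call(peer, "firewall-pptpd", 1)   # firewall's own inbound session
    inbound = build_pptp_gre(wire_server, b"\xff\x03\x00\x21", seq=1)  # sample PPP payload
    return wire_client, wire_server, nat.deliver_inbound(peer, inbound)


if __name__ == "__main__":
    print(demo())
```

The point to take from `deliver_inbound` is that a NAT can only forward GRE it has prior state for, and that state comes from watching the TCP/1723 exchange; a firewall that merely allows protocol 47 through, or that claims every inbound GRE packet for its own PPTP server, has no way to hand returning packets to a LAN client.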