 From:  "Ben Carlisle" <bcarlisle at 24oz dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] PPTP Server with PPTP Clients Behind]
 Date:  Mon, 16 Feb 2004 10:54:43 -0600
Yah, I had a similar setup as Brian, I was using my shorewall and
mega-patched Poptop/PPPD/Kernel on Redhat. It was allowing both PPTP clients
out as well as PPTP serving.

Thanks for the help guys. I'll play with it too -- luckily, it's just a home
server I'm working with and not a production box. Unluckily, I'm in "road
warrior" mode now, so I won't be able to play with this until Friday when I
am back at home.

Let me know if anyone has any other ideas.

cheers,
-Ben

----- Original Message ----- 
From: "Hilton Travis" <Hilton at QuarkAV dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Sunday, February 15, 2004 7:18 PM
Subject: Re: [m0n0wall] PPTP Server with PPTP Clients Behind]


> Hi All,
>
> > From: darkside <darkside at ricerage dot org>
> >
> > Hi again Hilton :)
> >
> > On Sun, 2004-02-15 at 18:12, Hilton Travis wrote:
> > > Hi Brian,
> > >
> > > On Mon, 2004-02-16 at 09:06, darkside wrote:
> > > > On Sun, 2004-02-15 at 17:55, Hilton Travis wrote:
> > > > > Hi Ben,
> > > > >
> > > > > On Mon, 2004-02-16 at 07:06, Ben Carlisle wrote:
> > > > > > Folks,
> > > > > >    Just got m0n0 working and I love it (convert from shorewall on a Linux
> > > > > > machine). I am having one problem however. When I enable the PPTP server on
> > > > > > m0n0, my LAN clients from behind m0n0 cannot open VPN PPTP connections to
> > > > > > the outside world. If I disable the PPTP server, connections are opened
> > > > > > fine.
> > > > > >
> > > > > >    I'd like to have my m0n0 machine as a PPTP server for road warrior-type
> > > > > > connections from the outside world, and allow PPTP from clients on the LAN
> > > > > > to outside PPTP servers. Can I do both?
> > > > >
> > > > > The reason you cannot do this is because when the PPTP Server is running
> > > > > on m0n0wall, it needs to use the same ports/protocols that need to be
> > > > > forwarded thru the m0n0wall if you want to get internal machines making
> > > > > PPTP connections.  The only way this could possibly work is if you had
> > > > > multiple public IPs, and utilize one for the PPTP Server, and another
> > > > > for the outbound clients.
> > > >
> > > > I'm not trying to be argumentative, but I doubt that's the case. Before
> > > > discovering m0n0wall my firewall ran on a minimal Debian GNU/linux
> > > > install, with both the poptop pptpd, as well as netfilter and pppd
> > > > patches. pptpd acted as the PPTP server for inbound connections, and the
> > > > netfilter patches allowed the NAT'ed hosts behind it to connect to
> > > > remote pptpd's. Granted this was accomplished through netfilter
> > > > patch-o-matic voodoo, but it worked great.
> > > >
> > > > As for ports/protocols, again I'm pretty sure that's incorrect. On the
> > > > external interface, one would need to allow port 1723 and GRE traffic
> > > > inbound. On outbound initiated connections, one would need to make sure
> > > > that GRE traffic wasn't munged by the NAT implementation. Outbound
> > > > connections certainly wouldn't require 1723, but instead would initiate
> > > > on a "high port".
> > >
> > > It still uses protocol GRE in both directions, but yes, different ports
> > > are used.  I've not had my coffee yet!  :)
>
> I now have a coffee in front of me, and I'm feeling much better, now.
> <maniacal grin>
>
> > > > Now that I've actually thought that through enough to provide you with
> > > > the above explanation, sounds more like ipfilter's "proxy" requirements
> > > > for particular protocols (ftp, irc dcc, etc, ad nauseum) getting in the
> > > > way.
> > >
> > > Does, kinda, doesn't it.
> >
> > Hell. Sent this mail from a freshly imaged box, and apparently my mail
> > settings are incorrect. I was hoping the previous mail would hit the
> > list.
> >
> > Mind taking care of that for me, since apparently I'm too silly to
> > properly set it up myself? Much appreciated. :)
>
> Sure, I'll also add Ben's question - hope he doesn't mind.  :)
>
> On Mon, 2004-02-16 at 09:52, Ben Carlisle wrote:
> > Could I get around this by forwarding WAN PPTP traffic to a
> > LAN PPTP server?
>
> You could, but thinking about it now, this may not be necessary.
>
> Inbound PPTP (to your internal/m0n0wall PPTP Server) requires
> TCP/1723/Inbound and Protocol 47 Inbound to be opened (and forwarded
> to an internal server, if the m0n0wall box is not acting as the PPTP
> Server).
>
> Outbound PPTP (from your internal LAN to a remote server) shouldn't
> require anything - m0n0wall should allow the traffic out without
> issue.  HOWEVER, returned traffic will be using GRE and port 1723,
> therefore this is where the issue may well be.
>
> Not having used PPTP myself in such a situation, I'd need to play
> with this a bit more to come up with a "supported" answer.  :)
>
> Hopefully someone else in here has this working and can let us all
> know how to configure things before I have to set it up just to play.
>
> -- 
>
> Regards,
>
> Hilton Travis                   Phone: +61-(0)7-3343-3889
> Manager, Quark AudioVisual      Phone: +61-(0)419-792-394
>          Quark Computers         http://www.QuarkAV.com/
> (Brisbane, Australia)            http://www.QuarkAV.net/
>
> Open Source Projects: http://www.ares-desktop.org/
> http://www.mamboband.org/
>
> Non Linear Video Editing Solutions & Digital Audio Workstations
>  Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
>   Conference and Seminar AudioVisual Production and Recording
>
> War doesn't determine who is right. War determines who is left.
>
>
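The ports-and-protocols point made in the thread (TCP/1723 for the PPTP control channel, IP protocol 47 / GRE for the data channel, and GRE being the part a NAT has trouble with because it carries no port numbers) is illustrated by the following Python. This is an added example, not code from the thread, from m0n0wall or from any of the posters. The flow records, addresses and the GRE packet are constructed here for illustration; the enhanced GRE header layout follows RFC 2637 section 4, where the 16-bit call ID is the field a PPTP-aware NAT helper has to track to tell two LAN hosts' tunnels to the same remote server apart.

```python
"""Added example: classify PPTP flows and decode the enhanced-GRE call ID.

PPTP (RFC 2637) uses two channels: a TCP control connection to port 1723
and a data channel carried in GRE (IP protocol 47). GRE has no port
numbers, so a NAT device cannot distinguish two LAN hosts' tunnels to the
same remote server by ports alone; the call ID in the enhanced GRE header
is what a PPTP-aware NAT helper tracks instead.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

PPTP_CTRL_PORT = 1723      # TCP control channel
IPPROTO_TCP = 6
IPPROTO_GRE = 47           # data channel, no ports
GRE_PPP_PROTO = 0x880B     # protocol type for PPP carried in enhanced GRE


@dataclass(frozen=True)
class Flow:
    """One firewall flow record (a constructed format for this example)."""
    direction: str          # "in" (arriving from WAN) or "out" (leaving LAN)
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def classify(flow: Flow) -> str:
    """Label a flow as PPTP control, PPTP/GRE data, or other."""
    if flow.proto == IPPROTO_TCP and PPTP_CTRL_PORT in (flow.sport, flow.dport):
        return "pptp-control"
    if flow.proto == IPPROTO_GRE:
        return "pptp-gre"
    return "other"


def parse_enhanced_gre(pkt: bytes) -> dict:
    """Decode the enhanced GRE header of RFC 2637 section 4.

    First 16 bits: C R K S s Recur(3) A Flags(4) Ver(3). With K=1 the key
    field carries the payload length (high 16 bits) and call ID (low 16).
    """
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", pkt[:4])
    key_present = bool(flags & 0x2000)
    seq_present = bool(flags & 0x1000)
    ack_present = bool(flags & 0x0080)
    version = flags & 0x0007
    if version != 1 or proto != GRE_PPP_PROTO or not key_present:
        raise ValueError("not a PPTP enhanced GRE header")
    payload_len, call_id = struct.unpack("!HH", pkt[4:8])
    offset = 8
    seq = ack = None
    if seq_present:
        seq = struct.unpack("!I", pkt[offset:offset + 4])[0]
        offset += 4
    if ack_present:
        ack = struct.unpack("!I", pkt[offset:offset + 4])[0]
        offset += 4
    return {"call_id": call_id, "payload_len": payload_len,
            "seq": seq, "ack": ack, "header_len": offset}


def gre_nat_conflicts(flows) -> dict:
    """Map each remote GRE peer to the LAN hosts tunnelling to it.

    More than one LAN host per peer means a port-less NAT cannot route the
    returning GRE packets without tracking call IDs (a PPTP helper).
    """
    peers = defaultdict(set)
    for f in flows:
        if f.direction == "out" and classify(f) == "pptp-gre":
            peers[f.dst].add(f.src)
    return {peer: sorted(hosts) for peer, hosts in peers.items() if len(hosts) > 1}


# Constructed sample: two LAN hosts dial the same remote PPTP server while
# the firewall (WAN address 192.0.2.1) also accepts an inbound PPTP session.
SAMPLE_FLOWS = [
    Flow("out", IPPROTO_TCP, "192.168.1.10", "203.0.113.5", 49152, 1723),
    Flow("out", IPPROTO_GRE, "192.168.1.10", "203.0.113.5"),
    Flow("out", IPPROTO_TCP, "192.168.1.11", "203.0.113.5", 49153, 1723),
    Flow("out", IPPROTO_GRE, "192.168.1.11", "203.0.113.5"),
    Flow("in", IPPROTO_TCP, "198.51.100.7", "192.0.2.1", 40000, 1723),
    Flow("in", IPPROTO_GRE, "198.51.100.7", "192.0.2.1"),
    Flow("out", IPPROTO_TCP, "192.168.1.12", "203.0.113.9", 49154, 443),
]

# Constructed enhanced GRE header: K=1, S=1, version 1, proto 0x880B,
# payload length 16, call ID 0x1234, sequence number 5, then 16 payload bytes.
SAMPLE_GRE = bytes.fromhex("3001880b0010123400000005") + b"\x00" * 16

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.direction:3} {f.src:>14} -> {f.dst:<14} {classify(f)}")
    print("peers needing call-ID tracking:", gre_nat_conflicts(SAMPLE_FLOWS))
    print("GRE header:", parse_enhanced_gre(SAMPLE_GRE))
```

Run against the constructed flows, the classifier separates the control and data channels of each session, and `gre_nat_conflicts` reports the one remote peer that two LAN hosts reach over GRE at once, which is exactly the case where a NAT without a PPTP helper has nothing but the call ID to decide which inside host a returning GRE packet belongs to.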