 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP Problem
 Date:  Sat, 22 May 2004 17:16:43 -0700 (PDT)
On Sun, 23 May 2004, Julien wrote:

> I have a problem with PPTP. First of all let me introduce my
> settings: my m0n0wall is at the moment only used as an access point, so I
> built in one wireless NIC (defined as WAN) for the (host) AP and one
> Ethernet NIC for the connection. The LAN side is connected to the
> integrated switch of a DSL router, together with some stationary
> clients. What I'm trying to realize is that mobile users can dial in via
> WLAN, authenticate via PPTP, use LAN resources and access the Internet
> via the DSL router. At the moment I'm so far that the mobile clients
> can access the LAN but NOT the Internet, so it must be some kind of
> routing problem. I tried to set up a default route for the PPTP interface
> to the Internet with the destination network (I'm not sure
> about the netmask to use here?!?!) and the router's LAN interface as
> gateway. So, does anybody have an idea how to solve this? Thanks a lot ;-)

Well, only matches packets directed precisely to, so
it's pretty useless. :-)

There's no "clean" way to set this up, since m0n0wall doesn't allow for
the possibility of having an external default gateway on the
LAN.  Swapping LAN and WAN designations would fix this, but would have
other problems.

The only way I know of to do this is to manually edit the config.xml file
to include the line

	<shellcmd>route add default w.x.y.z</shellcmd>

in the "system" section, where "w.x.y.z" should be the LAN IP of the DSL
router.  I recommend putting it between the "timezone" and
"timeservers" entries.
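As an added illustration of that config.xml edit (this is example code written here, not something from the mail or from the m0n0wall project), the script below inserts the `<shellcmd>route add default w.x.y.z</shellcmd>` line into the "system" section right after the "timezone" entry, so it lands between "timezone" and "timeservers". The sample config it operates on is a constructed stand-in with only the elements named in the mail, not a real m0n0wall export; the function names and the optional LAN-subnet check are assumptions of this example. Because whatever ends up inside `<shellcmd>` is executed by the firewall at boot, the gateway is validated as an IPv4 address before it is written, an existing identical entry is not duplicated, and a second, conflicting default route is refused.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed minimal config.xml, shaped after the "system" section named in
# the mail (timezone, timeservers); it is not a real m0n0wall export.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <system>
    <hostname>m0n0wall</hostname>
    <timezone>Europe/Berlin</timezone>
    <timeservers>pool.ntp.org</timeservers>
    <dnsserver>192.168.1.1</dnsserver>
  </system>
</m0n0wall>
"""


def default_route_cmd(gateway, lan_cidr=None):
    """Build the 'route add default w.x.y.z' command for a validated gateway.

    The gateway is parsed as an IPv4 address so that nothing but an address
    can end up inside a <shellcmd> that the firewall executes at boot.
    If lan_cidr is given (assumed parameter of this example), the gateway
    must also lie inside that subnet: the DSL router's LAN IP has to be
    directly reachable from the m0n0wall LAN interface for the route to work.
    """
    gw = ipaddress.IPv4Address(gateway)          # raises ValueError on junk
    if lan_cidr is not None:
        lan = ipaddress.IPv4Network(lan_cidr, strict=False)
        if gw not in lan:
            raise ValueError(f"gateway {gw} is not inside LAN subnet {lan}")
    return f"route add default {gw}"


def add_default_route_shellcmd(config_xml, gateway, lan_cidr=None):
    """Return config_xml with the <shellcmd> inserted right after <timezone>.

    Idempotent: an identical entry is not added twice, and a second,
    conflicting default route is refused instead of silently stacked.
    """
    root = ET.fromstring(config_xml)
    system = root.find("system")
    if system is None:
        raise ValueError("config.xml has no <system> section")
    cmd = default_route_cmd(gateway, lan_cidr)

    for existing in system.findall("shellcmd"):
        text = (existing.text or "").strip()
        if text == cmd:
            return ET.tostring(root, encoding="unicode")   # already present
        if text.startswith("route add default"):
            raise ValueError(f"conflicting default route already set: {text}")

    timezone = system.find("timezone")
    children = list(system)
    # Between <timezone> and <timeservers>, as the mail recommends; fall back
    # to the end of <system> if the sample has no <timezone>.
    index = children.index(timezone) + 1 if timezone is not None else len(children)
    entry = ET.Element("shellcmd")
    entry.text = cmd
    entry.tail = timezone.tail if timezone is not None else "\n"
    system.insert(index, entry)
    return ET.tostring(root, encoding="unicode")


def system_child_tags(config_xml):
    """Tag names of the <system> children in document order (for checking placement)."""
    return [child.tag for child in ET.fromstring(config_xml).find("system")]


def shellcmds(config_xml):
    """All <shellcmd> bodies found in the <system> section."""
    system = ET.fromstring(config_xml).find("system")
    return [(e.text or "").strip() for e in system.findall("shellcmd")]


if __name__ == "__main__":
    # w.x.y.z from the mail; 192.168.1.0/24 is a constructed LAN for the demo
    patched = add_default_route_shellcmd(SAMPLE_CONFIG, "192.168.1.1", "192.168.1.0/24")
    print(patched)
```

Run it against a copy of the exported config.xml rather than the live file, and check the result with `shellcmds()` and `system_child_tags()` before uploading it back; the LAN-subnet check catches the common mistake of pointing the default route at an address the m0n0wall has no directly connected interface for.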

Use the m0n0wall ping feature to verify that you can access the Internet
from the m0n0wall itself, though note that if you want to use symbolic
hostnames you'll need at least one correct DNS IP in the m0n0wall config.

Outbound traffic from PPTP clients should then work as long as they see
the m0n0wall as the default gateway, but routing the return traffic needs
the DSL router to see the m0n0wall as the gateway to those machines, which
can be done in one of three ways.

1) Use NAT to map the PPTP clients to a LAN IP.  Unfortunately, this would
be "backwards NAT" in the current LAN/WAN setup, and I don't think it's

2) Put the PPTP clients in a different subnet and add a static route entry
to the DSL router to make that subnet reachable via the m0n0wall.  The
latter may or may not be possible, depending on the router.

3) Put the PPTP clients on LAN IPs and have the m0n0wall do Proxy ARP for
them.  Its current ProxyARP support isn't really set up for that case,
though (and Proxy ARP should always be a last resort, anyway).

Swapping LAN and WAN designations would allow #1, but would create a host
of other problems.  Replacing the DSL router with another m0n0wall would
allow #2.

					Fred Wright