On Tue, 22 Jun 2004, Martin Holst wrote:
> Hi Fisch!
> Try allowing fragmented packets from LAN to WAN.
> I had to do this to get a Cisco VPN client running behind m0n0wall.
> ("Allow fragmented packets" is a checkbox option under firewall rules).
That's unrelated. And it would probably be unnecessary if ICMP errors
were getting through properly so that PMTU Discovery could work.
> -----Original Message-----
> From: fisch [mailto:fisch at conne dash island dot de]
> Sent: 21. juni 2004 15:15
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] pptp-client behind m0n0
> I can't connect from LAN to an oustide PPTP-Server, I allowed GRE from
> WAN -> LAN and from LAN -> WAN, but I can't connect. The PPTP-Client
> config is ok - it works when direct connected to WAN.
Doesn't help when it doesn't know *where* on the LAN to send it. :-)
On Wed, 23 Jun 2004, fisch wrote:
> that isn't the point - I found the problem:
> situation [192.168.1.0/20 = LAN]:
> 1) reboot m0n0wall
> 2) connect with client (192.168.1.100) to the outside-pptp-server -
> 3) disconnect vpn
> 4) connect with client (192.168.1.111) to the outside-pptp-server -
> not working
> all incoming pptp-traffic from the outside-pptp-server is always [until
> a m0n0wall-reboot] send to the client who connected first
> ok, problem found but how to resolve?
Write a PPTP Proxy. :-)
Seriously, PPTP has *major* problems with NAT. Not only are there issues
with getting the GRE packets directed properly, but also the protocol
forbids more than one control connection between any two client/server
machines, and NAT makes *all* your machines look like one.
If you only need to use *one* machine on your LAN as a PPTP client or
server, then you can get around it by setting up PPTP redirection on
m0n0wall pointing to that machine. This was intended solely for directing
*incoming* PPTP sessions, but can be used for outgoing ones as well.