 From:  "Herron, David S" <DSHerron at nbc dot edu>
 To:  "Chet Harvey" <chet at pittech dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] PPTP through m0n0 not authenticating
 Date:  Fri, 13 Aug 2004 15:02:15 -0600
Chet,

I didn't want to over-complicate things by adding the whole network
structure (at least in the first email), but here it goes....  I'll
throw in some IP Ranges just so you get an idea of how things route...

WiFi DMZ/LAN (10.0.3.0/24)
  |
  |
M0n0wall
  |
  |
DMZ2 Segment (10.0.2.0/24)
  |           __________
  |          |          DMZ1 Segment (other use/24)
Primary Firewall
  |          |__________Internet
  |
Corporate LAN w/ VPN Concentrator (216.112.203.0/24)
                                  (note public IPs)

Static entries on firewall allow for routing between networks.  Primary
Firewall has 4 interfaces (one trusted/corporate LAN, one Internet, two
DMZs (DMZ2 is used for the wireless network)).  So let's say that m0n0
WAN interface is on 10.0.2.2.  If I attach my client directly to that
segment (at, say, 10.0.2.3) the PPTP session creates perfectly.  However,
when it is on 10.0.3.<some DHCP address>, the authentication does not
complete.

Because the networks are fully routable, when I get any sort of
connection from the wireless network to my corporate LAN, I don't apply
any NAT to those connections, and I see their actual IPs (10.0.3.<some
DHCP address>).  If those same clients go to connect to the Internet,
they are NAT'ed at the Primary Firewall before traversing the Internet.

Also note that all other kinds of connections work perfectly after the
captive portal is satisfied.  Connections either to the Internet or to
open services on the Corporate LAN work great, and NAT only when
necessary.  Basically what I am saying is that the connection to the VPN
Concentrator is not a NAT'ed connection.

-- David
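The symptom above (control session opens from 10.0.2.x, but authentication never completes when the client sits behind the m0n0wall on 10.0.3.x) is the classic shape of a ruleset that passes the PPTP control channel but not the GRE tunnel that carries the PPP authentication frames. The following is an added example, not code from the thread or from m0n0wall: it models a simplified rule list (constructed, not m0n0wall's real config format) with the networks David describes, assumes the VPN concentrator is somewhere in 216.112.203.0/24, and reports which PPTP component a ruleset would drop.

```python
import ipaddress

# Constructed model of the networks from the thread (assumption: the
# VPN concentrator lives somewhere in 216.112.203.0/24).
WIFI_LAN = ipaddress.ip_network("10.0.3.0/24")
CORP_LAN = ipaddress.ip_network("216.112.203.0/24")

# PPTP needs two things to pass: the TCP/1723 control channel and
# GRE (IP protocol 47) carrying the tunnelled PPP frames. With GRE
# dropped the control channel opens but authentication never completes.
PPTP_REQUIREMENTS = (("tcp", 1723), ("gre", None))


def rule_matches(rule, src_ip, dst_ip, proto, port):
    """A rule is (action, src_net, dst_net, proto, port); proto/port may be 'any'."""
    action, src_net, dst_net, r_proto, r_port = rule
    if src_ip not in ipaddress.ip_network(src_net):
        return False
    if dst_ip not in ipaddress.ip_network(dst_net):
        return False
    if r_proto != "any" and r_proto != proto:
        return False
    if r_port != "any" and port is not None and r_port != port:
        return False
    return True


def first_match(rules, src_ip, dst_ip, proto, port):
    """First-match semantics with a default deny, like a typical packet filter."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, proto, port):
            return rule[0]
    return "block"


def pptp_gaps(rules, src, dst):
    """Return the PPTP components (in order) that the ruleset would block."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    gaps = []
    for proto, port in PPTP_REQUIREMENTS:
        if first_match(rules, src_ip, dst_ip, proto, port) != "pass":
            gaps.append(proto if port is None else f"{proto}/{port}")
    return gaps


# Constructed rulesets for the wireless segment: the first passes only the
# control channel, the second also passes GRE toward the corporate LAN.
CONTROL_ONLY = [("pass", "10.0.3.0/24", "216.112.203.0/24", "tcp", 1723)]
COMPLETE = CONTROL_ONLY + [("pass", "10.0.3.0/24", "216.112.203.0/24", "gre", "any")]

if __name__ == "__main__":
    print(pptp_gaps(CONTROL_ONLY, "10.0.3.50", "216.112.203.10"))  # ['gre']
    print(pptp_gaps(COMPLETE, "10.0.3.50", "216.112.203.10"))      # []
```

The rule shapes are illustrative; on the real firewall the check is the same idea, namely whether a GRE (protocol 47) pass rule exists alongside the TCP/1723 rule on the path the wireless clients take.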