[ previous ] [ next ] [ threads ]
 From:  "Herron, David S" <DSHerron at nbc dot edu>
 To:  "Fred Wright" <fw at well dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] PPTP through m0n0 not authenticating
 Date:  Fri, 13 Aug 2004 15:43:45 -0600

I appreciate hearing that what I've done is correct.  I DO have the
'Enable advanced outbound NAT' turned on, and the table is empty.  That
was the only combination that did what I wanted - No NATing at all from
the m0n0wall.  You are correct in assuming that all NAT is done from our
primary firewall.

However, my problem still lingers - even with no NATing, the connection
will not authenticate.  Hmmmph!

Any other suggestions?!?!?


-----Original Message-----
From: Fred Wright [mailto:fw at well dot com] 
Sent: Friday, August 13, 2004 3:36 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] PPTP through m0n0 not authenticating

On Fri, 13 Aug 2004, Herron, David S wrote:

> I didn't want to over-complicate things by adding the whole network
> structure (at least in the first email), but here it goes....  I'll
> throw in some IP Ranges just so you get an idea of how things route...
> WiFi DMZ/LAN (
>   |
>   |
> M0n0wall
>   |
>   |
> DMZ2 Segment (
>   |           __________
>   |          |          DMZ1 Segment (other use/24)
> Primary Firewall
>   |          |__________Internet
>   |
> Corporate LAN w/ VPN Concentrator (
>                                   (note public IP's)
> Static entries on firewall allow for routing between networks.
> Firewall has 4 interfaces (one trusted/corporate LAN, one Internet,
> DMZ's (DMZ2 is used for the wireless network).  So let's say that m0n0
> WAN interface is on  If I attach my client directly to that
> segment (at, say the PPTP session creates perfectly.
> when it is on 10.0.3.<some DHCP address>, the authentication does not
> complete.
> Because the networks are fully routable, when I get any sort of
> connection from the wireless network to my corporate LAN, I don't
> any NAT to those connections, and I see their actual IP's
> DHCP address>).  If those same clients go to connect to the Internet,
> they are NAT'ed at the Primary Firewall before traversing the
> Also note that all other kinds of connections work perfectly after the
> captive portal is satisfied.  Either to the Internet or to open
> on the Corporate LAN work great, and NAT only when necessary.
> what I am saying is that the connection to the VPN Concentrator is not
> NAT'ed connection.

By default, outbound connections through m0n0wall to its WAN are NATted.

It sounds like they don't need to be for your WiFi<->Corporate cases, so
what you need to do is configure "Advanced Outbound NAT" to avoid
those connections, and also make sure your primary firewall knows that
route to is via the m0n0wall's 10.0.2.x address.

It sounds like you don't need NAT on the m0n0wall at all, as long as
primary firewall does NAT for "real Internet" connections.  In that
just enable "Advanced Outbound NAT" and leave the table empty.  But if
do need NAT to Internet at the m0n0wall level, then just add an outbound
NAT entry with "not corporate LAN" (e.g. ! as the

					Fred Wright

To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch