 From:  "Herron, David S" <DSHerron at nbc dot edu>
 To:  "Fred Wright" <fw at well dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] PPTP through m0n0 not authenticating
 Date:  Fri, 13 Aug 2004 15:43:45 -0600
Fred,

I appreciate hearing that what I've done is correct.  I DO have the
'Enable advanced outbound NAT' turned on, and the table is empty.  That
was the only combination that did what I wanted - No NATing at all from
the m0n0wall.  You are correct in assuming that all NAT is done from our
primary firewall.

However, my problem still lingers - even with no NATing, the connection
will not authenticate.  Hmmmph!

Any other suggestions?!?!?

--David


-----Original Message-----
From: Fred Wright [mailto:fw at well dot com] 
Sent: Friday, August 13, 2004 3:36 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] PPTP through m0n0 not authenticating


On Fri, 13 Aug 2004, Herron, David S wrote:

> I didn't want to over-complicate things by adding the whole network
> structure (at least in the first email), but here it goes....  I'll
> throw in some IP Ranges just so you get an idea of how things route...
> 
> WiFi DMZ/LAN (10.0.3.0/24)
>   |
>   |
> M0n0wall
>   |
>   |
> DMZ2 Segment (10.0.2.0/24)
>   |           __________
>   |          |          DMZ1 Segment (other use/24)
> Primary Firewall
>   |          |__________Internet
>   |
> Corporate LAN w/ VPN Concentrator (216.112.203.0/24)
>                                   (note public IP's)
> 
> Static entries on firewall allow for routing between networks.  Primary
> Firewall has 4 interfaces (one trusted/corporate LAN, one Internet, two
> DMZ's (DMZ2 is used for the wireless network).  So let's say that m0n0
> WAN interface is on 10.0.2.2.  If I attach my client directly to that
> segment (at, say 10.0.2.3) the PPTP session creates perfectly.  However,
> when it is on 10.0.3.<some DHCP address>, the authentication does not
> complete.
> 
> Because the networks are fully routable, when I get any sort of
> connection from the wireless network to my corporate LAN, I don't apply
> any NAT to those connections, and I see their actual IP's (10.0.3.<some
> DHCP address>).  If those same clients go to connect to the Internet,
> they are NAT'ed at the Primary Firewall before traversing the Internet.
> 
> Also note that all other kinds of connections work perfectly after the
> captive portal is satisfied.  Either to the Internet or to open services
> on the Corporate LAN work great, and NAT only when necessary.  Basically
> what I am saying is that the connection to the VPN Concentrator is not a
> NAT'ed connection.

By default, outbound connections through m0n0wall to its WAN are NATted.

It sounds like they don't need to be for your WiFi<->Corporate cases, so
what you need to do is configure "Advanced Outbound NAT" to avoid NATting
those connections, and also make sure your primary firewall knows that the
route to 10.0.3.0/24 is via the m0n0wall's 10.0.2.x address.

It sounds like you don't need NAT on the m0n0wall at all, as long as your
primary firewall does NAT for "real Internet" connections.  In that case,
just enable "Advanced Outbound NAT" and leave the table empty.  But if you
do need NAT to Internet at the m0n0wall level, then just add an outbound
NAT entry with "not corporate LAN" (e.g. !216.112.203.0/24) as the
destination.

					Fred Wright
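As an added illustration of the three outbound-NAT configurations Fred describes (default NAT, Advanced Outbound NAT with an empty table, and a single rule with a negated "!216.112.203.0/24" destination), here is a small model of the decision m0n0wall makes for a packet leaving its WAN. This is example code written for this thread, not m0n0wall's own code; the rule semantics (first matching rule NATs, no match passes untranslated) are an assumption, and the Internet address used in the test is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Addresses taken from the thread's network description
WIFI_NET = ipaddress.ip_network("10.0.3.0/24")        # WiFi DMZ behind m0n0wall
CORP_NET = ipaddress.ip_network("216.112.203.0/24")   # Corporate LAN (public IPs)
M0N0_WAN = ipaddress.ip_address("10.0.2.2")           # m0n0wall WAN on DMZ2


@dataclass
class NatRule:
    """One Advanced Outbound NAT entry; negate_dest models the '!' prefix."""
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    negate_dest: bool = False

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        if src not in self.source:
            return False
        in_dest = dst in self.destination
        return not in_dest if self.negate_dest else in_dest


@dataclass
class OutboundNat:
    """Assumed semantics: advanced=False NATs everything to the WAN address;
    advanced=True NATs only traffic matching a rule, else passes it untouched."""
    advanced: bool
    rules: List[NatRule] = field(default_factory=list)

    def translate(self, src: str, dst: str) -> ipaddress.IPv4Address:
        """Return the source address the primary firewall will see."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not self.advanced:
            return M0N0_WAN
        for rule in self.rules:
            if rule.matches(s, d):
                return M0N0_WAN
        return s


# The three configurations discussed in the thread
DEFAULT = OutboundNat(advanced=False)
NO_NAT = OutboundNat(advanced=True)                   # empty table
NAT_INTERNET_ONLY = OutboundNat(
    advanced=True, rules=[NatRule(WIFI_NET, CORP_NET, negate_dest=True)]
)
```

With NO_NAT or NAT_INTERNET_ONLY the VPN concentrator sees the real 10.0.3.x client address, which is why the primary firewall must also hold a route for 10.0.3.0/24 via 10.0.2.2 for the return traffic.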


---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch