 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] PPTP through m0n0 not authenticating
 Date:  Fri, 13 Aug 2004 17:04:26 -0700 (PDT)
On Fri, 13 Aug 2004, Herron, David S wrote:

> 
> Yes, the routing entry is in place, and m0n0wall's PPTP and IPSEC VPN
> are both disabled.  The GRE rule I have tried with & without.... neither
> seem to make a difference.  As for the packet trace, I'm not very
> experienced in that area.... I appreciate all your help!  Hopefully
> somebody will have an idea I haven't tried!

One other thing:  Does your primary firewall need a rule to pass GRE
traffic between the corporate LAN and DMZ2, and if so, does the existing
rule cover the 10.0.3.x range?  If not, it looks like you could include it
by changing a /24 to /23.

The problem with packet traces is that m0n0wall has no built-in support,
so it's a hassle to set up.  Before getting to that, you might be able to
get some clues as to what's happening from the firewall hit counters.  In
exec.php, you can use:

	ipfstat -hnio

and/or

	ipfstat -sl

The former lists the rules (the real filter rules, which are more complex
than what's in the WebGUI).  Except for the counters, this list will
remain constant unless you change the config.

The latter lists the state table entries, which also have counters for
both packets and bytes.  These entries are created and destroyed
dynamically.  In some cases, they linger for a substantial amount of time
after the triggering traffic, so the list can get long.

Between the two (as well as the normal firewall log), you should be able
to get an idea of what traffic is attempting to pass through the m0n0wall.

					Fred Wright
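Added example (not from this thread or the m0n0wall project): a small Python helper that diffs two snapshots of `ipfstat -hnio` output so you can see which filter rules a connection attempt actually hit. It assumes each line looks like "@<rule-number> <hit-count> <rule text>"; the two snapshots below are constructed.

```python
"""Diff two ipfstat -hnio snapshots to see which rules a test connection hit.

Assumption: each ipfstat -hnio line is "@<rule-number> <hit-count> <rule text>".
The BEFORE/AFTER snapshots are constructed sample data, not real output.
"""
import re

RULE_RE = re.compile(r"^@(\d+)\s+(\d+)\s+(.*)$")

# Constructed snapshot taken before starting the PPTP client.
BEFORE = """\
@1 42 pass in quick on sis0 proto gre from any to 10.0.3.0/24
@2 1337 pass in quick on sis0 proto tcp from any to 10.0.3.5/32 port = 1723
@3 17 block in log quick on sis0 all
"""

# Constructed snapshot taken after the failed connection attempt.
AFTER = """\
@1 42 pass in quick on sis0 proto gre from any to 10.0.3.0/24
@2 1341 pass in quick on sis0 proto tcp from any to 10.0.3.5/32 port = 1723
@3 29 block in log quick on sis0 all
"""


def parse_hits(text):
    """Return {rule_number: (hit_count, rule_text)} for one snapshot."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return rules


def hit_delta(before, after):
    """Per-rule increase in hit count between the two snapshots."""
    b, a = parse_hits(before), parse_hits(after)
    return {n: (a[n][0] - b[n][0], a[n][1]) for n in a if n in b}


def moved_rules(delta, keyword):
    """Rule numbers whose text contains keyword and whose counter increased."""
    return [n for n, (d, text) in delta.items() if keyword in text and d > 0]
```

In the sample, the TCP 1723 rule and the catch-all block rule move while the GRE pass rule stays at zero, which is the pattern you would expect if the control channel works but GRE never matches a pass rule.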