 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] routing
 Date:  Sun, 29 Aug 2004 13:47:21 -0700 (PDT)
On Sun, 29 Aug 2004, Seth Rothenberg wrote:
> One of the big attractions of m0n0wall is the inclusion of PopTop.
> I am trying to use PopTop to secure the wireless segment
> _on the way to_ the Internet.

That would be a pretty good trick, considering m0n0wall doesn't use
PoPToP.  Oh, you mean MPD. :-)

> PopTop is working, as I can read my mail
> over the LAN which is on the other side of the tunnel,
> but I can't route to the internet from the Laptop.

Based on the rules you have, this shouldn't have worked.  This seems like
a bug.  But maybe not, see below.

> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default      UGSc        3    54542   sis1
> 10.248.126/24      link#1             UC          1        0   sis0
>     00:20:ed:45:17:4f  UHLW        1    13399   sis0   1197
> 10.248.127/24      link#7             UC          1        0    wi0
>      00:02:6f:07:56:a8  UHLW        6   592036    wi0   1190
>          UH          1        0    lo0
> link#2             UC          1        0   sis1
>    00:00:c5:97:30:20  UHLW        5      267   sis1   1091
>          UGHS        0        0    lo0

This from m0n0wall?

You don't specify what IP addresses you use for the PPTP tunnels.  And
your routing tables seem to have been obtained without the tunnel actually

> I have a rule for OPT1 (
>  *  	 OPT1 net  	 *  	 *  	 *  	 OPT1 -> any
> I also have 2 rules on LAN interface, one for just LAN Net,
> and for testing, a rule for LAN interface, but ANY network, to anywhere.
>  *  	 *  	 *  	 *  	 *  	 Default LAN -> any

Changing the source on the LAN rule shouldn't be needed unless you plan to
have traffic from other networks routed through the LAN.  This is *not*
the way to allow PPTP traffic.

You don't mention a "PPTP Clients" rule.  Without that, your PPTP clients
shouldn't get any connectivity at all.  The fact that they can reach your
LAN suggests another problem (see below).

It's a bit confusing that the "PPTP Clients" category doesn't display when
it's empty.  But it *is* available as a choice for new rules.

On Sun, 29 Aug 2004, Seth Rothenberg wrote:

> The windows ROUTE command says this (below), but as
> I mentioned, I don't think windows is the problem
> (for once :-)  I think the m0n0 can be configured
> to grab these packets and send them out.
> Maybe a NAT is missing ?

NAT on the client side?  Not unless the Windows machine is going to be
routing for others.

> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
> 	  1
> 	  31

Typical Windows with multiple default gateways. :-) I think the first one
wins, either by position or by metric.  That's confirmed below.

>	  50
>	  30
>	  30
>	  30
>	  50
>	  30
>	  1
>	  30
>	  1
>               2	  1
>	  1
> Default Gateway:

You have LAN and WLAN at the same time?  If the wired LAN is really
connected, how do you know the PPTP connection to LAN was working at all?
And you have to be careful about split routing when any form of stateful
filtering is involved.

					Fred Wright
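The point Fred makes about the missing "PPTP Clients" rule is easier to see with a small model of how per-interface, first-match rules with an implicit default deny behave. The Python below is an added illustration written for this page; it is not m0n0wall code and does not reproduce its rule engine. The LAN and OPT1 networks are taken from the routing table quoted above (10.248.126/24 on sis0 and 10.248.127/24 on wi0, assumed here to be LAN and the wireless OPT1 respectively); the PPTP client pool 10.248.128.0/24, the client address and the Internet destination are constructed for the example. The model assumes only what the thread states: rules are attached to the interface a packet enters on, and an interface with no matching rule passes nothing.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    iface: str            # interface the packet ENTERS on ("LAN", "OPT1", "PPTP clients")
    src: str              # CIDR network or "any"
    dst: str              # CIDR network or "any"
    action: str = "pass"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str


def _matches(spec: str, addr: str) -> bool:
    """True when addr is inside spec, or spec is the wildcard "any"."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule on the ingress interface decides; no match => block.

    Rules on other interfaces are never consulted, which is why a permissive
    LAN rule does nothing for traffic arriving over the PPTP tunnel.
    """
    for r in rules:
        if r.iface == pkt.in_iface and _matches(r.src, pkt.src) and _matches(r.dst, pkt.dst):
            return r.action
    return "block"  # implicit default deny on every interface


# Networks seen in the quoted routing table (interface roles assumed).
LAN_NET = "10.248.126.0/24"
OPT1_NET = "10.248.127.0/24"
# Constructed PPTP address pool (not given anywhere in the thread).
PPTP_POOL = "10.248.128.0/24"

# The rule set as described in the thread: OPT1 net -> any, LAN net -> any,
# plus the "any network on the LAN interface" test rule.
rules_as_posted = [
    Rule("OPT1", OPT1_NET, "any"),
    Rule("LAN", LAN_NET, "any"),
    Rule("LAN", "any", "any"),
]

# Same rules with the "PPTP Clients" rule Fred says is missing.
rules_with_pptp_rule = rules_as_posted + [Rule("PPTP clients", PPTP_POOL, "any")]

# Constructed sample packets: one VPN client address, one Internet host,
# one LAN host.
VPN_CLIENT = "10.248.128.5"
INTERNET_HOST = "198.51.100.10"
LAN_HOST = "10.248.126.20"


def pptp_client_to_internet(rules) -> str:
    return evaluate(rules, Packet("PPTP clients", VPN_CLIENT, INTERNET_HOST))


def pptp_client_to_lan(rules) -> str:
    return evaluate(rules, Packet("PPTP clients", VPN_CLIENT, LAN_HOST))


def lan_host_to_internet(rules) -> str:
    return evaluate(rules, Packet("LAN", LAN_HOST, INTERNET_HOST))


if __name__ == "__main__":
    print("as posted:      internet=%s lan=%s" % (
        pptp_client_to_internet(rules_as_posted), pptp_client_to_lan(rules_as_posted)))
    print("with PPTP rule: internet=%s lan=%s" % (
        pptp_client_to_internet(rules_with_pptp_rule), pptp_client_to_lan(rules_with_pptp_rule)))
```

In this model the posted rule set blocks a VPN client in both directions, LAN included, which is Fred's observation that reaching the LAN at all points to something other than the rules (for instance the wired LAN still being connected). Adding a rule on the "PPTP clients" interface is what passes the tunnel traffic; widening the LAN rule's source to "any" changes nothing for it.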