Hi!

I've got a problem with the PPTP server which is working with the firewall at the moment. The problem is that when just one client wants to connect it's alright, but if anyone else tries then it doesn't work properly.

For example, if the first user connects, then no problem, he can do pings to the remote network, etc. The second user connects well, but from the moment of the connection none of them can do any pings to the remote network. And if any of them switches off their machine then both of them are automatically disconnected.

My configuration files are the following:

/etc/shorewall/interfaces
net  eth0  detect  norfc1918
sec  eth1  detect  dhcp,routestopped
ofi  eth2  detect  dhcp,routestopped
pro  eth3  detect  dhcp,routestopped
sec  ppp+

/etc/shorewall/hosts
sec  eth1:192.168.1.0/24
ofi  eth2:192.168.100.0/24
pro  eth3:192.168.101.0/24
sec  ppp+:192.168.1.0/24

/etc/shorewall/rules
ACCEPT  net  fw   tcp  1723     # PPTP control channel
ACCEPT  net  fw   47   -        # GRE (IP protocol 47) carrying the tunnelled PPP
ACCEPT  fw   net  47   -        # GRE back to the clients

/etc/pptp.conf
speed 115200
option /etc/ppp/pptpd-options
debug
localip 192.168.1.100           # server-side address of every tunnel
remoteip 192.168.1.201-205      # pool handed to connecting clients

/etc/ppp/pptp-options
debug
domain domain.com
auth
+chap
+chapms
+chapms-v2
mppe-128
mppe-stateless
ms-dns 192.168.1.100
ms-dns 194.224.52.36
ms-wins 192.168.100.1
netmask 255.255.255.0
nodefaultroute
proxyarp
lock

eth0 -> Internet interface
eth1: 192.168.1.100
eth2: 192.168.100.100
eth3: 192.168.101.100

If I change in the file /etc/pptp.conf "localip 192.168.1.100" to "localip 192.168.1.206-210", there is no problem with the first connection, but the second one cannot connect.

Regards and thank you beforehand.

---------------------------------------------
Sergio Navarro i Fajardo
snavarro@odec.es
Valencia - Spain
On Thu, 10 Apr 2003, sergio wrote:

> Hi!
>
> I've got a problem with the PPTP server which is working with the firewall
> at the moment. The problem is that when just one client wants to connect it's
> alright, but if anyone else tries then it doesn't work properly.
>
> For example, if the first user connects, then no problem, he can do pings to
> the remote network, etc. The second user connects well, but from the moment
> of the connection none of them can do any pings to the remote network. And
> if any of them switches off their machine then both of them are
> automatically disconnected.
>

The only way to solve this problem is to patch your kernel using the Patch-o-matic facility from netfilter to include the PPTP connection tracking and NAT code.

-Tom

PS -- there may be some distributions that include PPTP connection-tracking/NAT support. You can try:

    modprobe ip_conntrack_pptp
    modprobe ip_nat_pptp

If those commands fail then your kernel does not have that support.

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
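As an added illustration of what the helper modules Tom points at actually track (example code written for this page; it is neither from the thread nor from netfilter), the block below parses the two pieces of PPTP that the helper cares about: the Outgoing-Call-Request/Reply messages on TCP/1723, where each side announces the Call ID it allocated, and the enhanced GRE header of RFC 2637, where every data packet carries the peer's Call ID in the Key field. It then tracks a constructed exchange two ways: "generic" tracking keys GRE on (source, destination, protocol 47) only, so all tunnels between the same two addresses fall into one entry, while helper-style tracking learns the Call IDs from the control channel and keys each GRE flow on them. The addresses, Call IDs and the assumption that both clients arrive from one source address (for instance behind the same NAT) are constructed for the example. On 2.6 and later kernels the modules are named nf_conntrack_pptp and nf_nat_pptp (on top of nf_conntrack_proto_gre) rather than ip_conntrack_pptp and ip_nat_pptp.

```python
# Added example: what the PPTP conntrack helper tracks (RFC 2637 framing).
# Not from the thread or from netfilter; sample packets are constructed.
import struct

PPTP_MAGIC = 0x1A2B3C4D
PPTP_CONTROL = 1
OCRQ, OCRP = 7, 8          # Outgoing-Call-Request / Outgoing-Call-Reply
GRE_PROTO_PPP = 0x880B     # protocol type in PPTP's enhanced GRE header


def build_control(ctrl_type, body):
    """One PPTP control message: length, type, magic cookie, control type, reserved."""
    return struct.pack("!HHIHH", 12 + len(body), PPTP_CONTROL, PPTP_MAGIC, ctrl_type, 0) + body


def build_ocrq(call_id):
    # OCRQ body: Call ID, serial, min/max bps, bearer, framing, window, delay,
    # phone-number length, reserved, then 64-byte phone number + 64-byte subaddress.
    fixed = struct.pack("!HHIIIIHHHH", call_id, 1, 300, 100_000_000, 3, 3, 64, 0, 0, 0)
    return build_control(OCRQ, fixed + bytes(128))


def build_ocrp(call_id, peer_call_id):
    # OCRP body: Call ID, Peer's Call ID, result, error, cause, speed, window, delay, channel.
    return build_control(OCRP, struct.pack("!HHBBHIHHI", call_id, peer_call_id, 1, 0, 0, 10_000_000, 64, 0, 0))


def parse_control(data):
    """Return (control type, body) or None if this is not a well-formed control message."""
    if len(data) < 12:
        return None
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC or msg_type != PPTP_CONTROL or not 12 <= length <= len(data):
        return None
    return ctrl_type, data[12:length]


def build_gre(call_id, payload, seq=None, ack=None):
    """Enhanced GRE: K always set, S when a sequence number is present, A for an ack, version 1."""
    flags = 0x20 | (0x10 if seq is not None else 0)
    ver = 0x01 | (0x80 if ack is not None else 0)
    hdr = struct.pack("!BBHHH", flags, ver, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_gre(pkt):
    """Return (call_id, seq, ack, payload); raise ValueError for anything but PPTP GRE."""
    if len(pkt) < 8:
        raise ValueError("short GRE packet")
    flags, ver, proto, plen, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (ver & 0x07) != 1 or not flags & 0x20:
        raise ValueError("not an RFC 2637 enhanced GRE packet")
    off, seq, ack = 8, None, None
    if flags & 0x10:
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if ver & 0x80:
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    payload = pkt[off:off + plen]
    if len(payload) != plen:
        raise ValueError("truncated GRE payload")
    return call_id, seq, ack, payload


def track(packets, use_helper):
    """packets: (src, dst, ip_proto, bytes). Returns {conntrack key: packet count}.
    Generic tracking keys GRE on (src, dst, 47). The helper learns Call IDs from
    OCRQ/OCRP and keys each GRE flow on the Call ID it carries; GRE for a call
    never announced on TCP/1723 is tagged "unexpected"."""
    expected = set()       # (src, dst, call_id) flows announced on the control channel
    table = {}
    for src, dst, proto, data in packets:
        key = (src, dst, proto)
        if proto == 6 and use_helper:
            parsed = parse_control(data)
            if parsed and parsed[0] in (OCRQ, OCRP):
                (cid,) = struct.unpack("!H", parsed[1][:2])
                expected.add((dst, src, cid))     # peer's GRE towards src carries src's Call ID
        elif proto == 47:
            call_id = parse_gre(data)[0]
            if use_helper:
                key = (src, dst, 47, call_id)
                if (src, dst, call_id) not in expected:
                    key = ("unexpected",) + key
        table[key] = table.get(key, 0) + 1
    return table


def demo():
    """Two clients behind one address (constructed) reaching one PPTP server."""
    nat, srv = "203.0.113.5", "198.51.100.1"
    lcp = b"\xff\x03\xc0\x21"                         # PPP header + LCP, payload only
    pkts = [
        (nat, srv, 6, build_ocrq(0x1001)),           # client A allocates Call ID 0x1001
        (srv, nat, 6, build_ocrp(0x0001, 0x1001)),   # server answers with Call ID 0x0001
        (nat, srv, 6, build_ocrq(0x2002)),           # client B, same source address
        (srv, nat, 6, build_ocrp(0x0002, 0x2002)),
        (nat, srv, 47, build_gre(0x0001, lcp, seq=1)),          # A -> server
        (nat, srv, 47, build_gre(0x0002, lcp, seq=1)),          # B -> server
        (srv, nat, 47, build_gre(0x1001, lcp, seq=1, ack=1)),   # server -> A
        (srv, nat, 47, build_gre(0x2002, lcp, seq=1, ack=1)),   # server -> B
    ]
    return track(pkts, use_helper=False), track(pkts, use_helper=True)


if __name__ == "__main__":
    generic, helper = demo()
    print("generic GRE entries:", {k: v for k, v in generic.items() if k[2] == 47})
    print("helper GRE entries: ", {k: v for k, v in helper.items() if 47 in k})
```

Run stand-alone it prints two GRE entries for the generic tracker (both clients' traffic in each direction merged) against four for the helper (one per tunnel and direction). The "unexpected" tag is where the helper's value as a security control shows: GRE that was not set up through a tracked control connection does not match an existing entry and can be dropped by the policy rather than accepted as RELATED.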
The problem is that PPTP has no notion of session number or such. When the second client tries to connect, the remote side doesn't know if it is a new connection or the old one misbehaving. I'd really tried to patch-o-matic my kernel and use the pptp connection tracking module, but had no success. As my ISP gives me 32 valid public IPs, I used a large NAT table to do the trick, with fixed IPs for my inside workstations, mapping each to a public IP. But I'm not that good on Linux, and may have missed something in the way...

Hope it helps,

Duda

shorewall-users-bounces@lists.shorewall.net wrote on 10/04/2003 12:36:48:

> On Thu, 10 Apr 2003, sergio wrote:
>
> > Hi!
> >
> > I've got a problem with the PPTP server which is working with the firewall
> > at the moment. The problem is that when just one client wants to connect it's
> > alright, but if anyone else tries then it doesn't work properly.
> >
> > For example, if the first user connects, then no problem, he can do pings to
> > the remote network, etc. The second user connects well, but from the moment
> > of the connection none of them can do any pings to the remote network. And
> > if any of them switches off their machine then both of them are
> > automatically disconnected.
> >
>
> The only way to solve this problem is to patch your kernel using the
> Patch-o-matic facility from netfilter to include the PPTP connection
> tracking and NAT code.
>
> -Tom
>
> PS -- there may be some distributions that include PPTP
> connection-tracking/NAT support. You can try:
>
>     modprobe ip_conntrack_pptp
>     modprobe ip_nat_pptp
>
> If those commands fail then your kernel does not have that support.
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm