Topic: VPN with PPTP 1.3b11 no DNS
« on: April 23, 2008, 23:23:03 »
onezero *
Posts: 9

We updated from 1.233 to 1.3b11 (first to 1.3b7). No change to the config. Hardware: Soekris 5501-70.

We used VPN (PPTP) with no problems before. After the update, we can now connect, but there are a couple of strange things:

1. I can't connect to the web interface of the m0n0wall as before, nor ping the m0n0wall by its internal IP.

2. I can't use the internal DNS-Names to connect to internal servers. But I can connect to a server by IP.

3. When I connect to the VPN, I can't access any other website. No DNS lookup possible.


My local resolv.conf does not show the IP of the m0n0wall for nameserver.

To me, it looks like there is some configuration missing to access the entire internal network via VPN/PPTP. As we did not change any configuration, maybe there are some changes from 1.233 to 1.3b11, so we have to add some new rules or settings.

Does anyone have the same problem or any idea to solve this?

Thanks in advance,
Jannik
« Reply #1 on: April 24, 2008, 13:27:55 »
onezero *
Posts: 9

Update:

It seems that the PPTP connection within 1.3b11 is very faulty. I tried to set rules on the VPN/PPTP interface because no ping to the m0n0wall is possible, but ping to other internal servers via VPN is. Only one rule said that all traffic is allowed to everywhere via VPN. But if I disable this rule or set a rule to block any traffic, this has no effect. With this rule I can ping internal servers. Strange behavior.

I downgraded to 1.233 and everything works normally.
« Reply #2 on: May 04, 2008, 21:23:11 »
lwb *
Posts: 1

I'm using 1.3b11 as well and can't get it working either. Well, I have to admit I didn't have PPTP VPN working before, but the output of Windows ipconfig looks like the one I get for my other working VPN connection. The network address 192.168.1.1 is the gateway/DNS address of m0n0wall in my LAN. I also didn't forget about the firewall rule to allow all "pptp clients" to connect to * using any protocol.

Quote
PPP adapter mono:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : mono
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.3.65(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

What I'm actually after is using PPTP as an additional encryption for my WLAN.
laptop -----(WPA2 WLAN + PPTP VPN)-----> [mono] ----> Internet
« Reply #3 on: May 06, 2008, 13:08:18 »
onezero *
Posts: 9

Update:

I updated to 1.3b7 and the VPN with PPTP works.
« Reply #4 on: May 06, 2008, 19:37:10 »
ChainSaw
Guest

I'm running 1.3b11 on six net5501-70 and have no VPN/PPTP problems at all. What exactly are you trying to do that causes it to fail?

CS...
« Reply #5 on: May 08, 2008, 17:12:16 »
arogerm *
Posts: 6

I have the 1.3B11 LiveCD and have the same problem.
I cannot access the private firewall IP.

With 1.3B9 it works fine.
« Reply #6 on: May 15, 2008, 21:01:44 »
ET *
Posts: 25

I also have problems with PPTP VPN in 1.3b11.
I upgraded directly from 1.3b4 to 1.3b11 without changing configuration (I have a rule set to allow any traffic to any on PPTP interface) and I can't access m0n0 dns when connected through PPTP VPN.

UPDATE
Actually, when I connect via PPTP VPN I can connect to any other host in my LAN or WAN but not to the m0n0 host.
When I ping the m0n0 host I get a timeout, I can't log in to the m0n0 webGUI, and in the firewall logs I have entries which show that every connection from PPTP to the m0n0 host gets blocked.
« Last Edit: May 15, 2008, 21:18:00 by ET »
« Reply #7 on: May 16, 2008, 09:44:34 »
onezero *
Posts: 9

Quote
UPDATE
Actually, when I connect via PPTP VPN I can connect to any other host in my LAN or WAN but not to the m0n0 host.
When I ping the m0n0 host I get a timeout, I can't log in to the m0n0 webGUI, and in the firewall logs I have entries which show that every connection from PPTP to the m0n0 host gets blocked.

Yes, this is the same behaviour as mine. So my quick fix is to downgrade to the last stable release (1.233) and everything works. I think we have to wait until the next beta or stable.
« Reply #8 on: June 02, 2008, 13:33:32 »
ET *
Posts: 25

Any news on this topic? Is this a bug or is there a way to solve this issue without downgrading?
« Reply #9 on: June 02, 2008, 13:36:05 »
onezero *
Posts: 9

Quote
Any news on this topic? Is this a bug or is there a way to solve this issue without downgrading?

This is a bug for 1.3b11. I found no way to solve this within 1.3b11.
« Reply #10 on: July 08, 2008, 20:51:33 »
ET *
Posts: 25

As I see, the problem still exists in 1.3b12.
« Reply #11 on: July 08, 2008, 21:09:38 »
Manuel Kasper
Administrator
*****
Posts: 364

I have tried to reproduce this problem when testing 1.3b12, but it all worked fine for me. Maybe you should post your (anonymized) config.xml so we can see if we can trigger it with your settings...
« Reply #12 on: July 09, 2008, 22:25:03 »
Manuel Kasper
Administrator
*****
Posts: 364

"ET" sent me his config, and while I couldn't use it verbatim (as he had to mask out many IP addresses), I could reproduce the problem simply by copying the relevant bits over a default configuration.

The problem appears when a traffic shaper rule matches GRE traffic on the WAN interface (as in his case). m0n0wall has a kernel patch to work around an issue where packets that exit dummynet (after shaping) get NATed again. However, it turns out that the same workaround causes firewall processing on the PPTP VPN interface to be skipped for inbound packets that have gone through dummynet while they were still PPTP/GRE encapsulated (because ng_pptpgre doesn't create a new mbuf, but merely strips the GRE header, and thus preserves m_flags). This has two effects: a) firewall rules on PPTP VPN don't work (it's essentially a "pass all") *if* the traffic shaper catches GRE packets, and b) because of this, PPTP VPN clients cannot communicate with m0n0wall directly: since the inbound packet from the PPTP VPN client doesn't go through the firewall, no state table entry is created, and the reply from m0n0wall (ping, DNS etc.) is hence blocked.

This is actually quite a nasty issue, and I'm glad that we've found it - thanks for your help!

I've created 1.3b13-pre images with a kernel fix for this issue; I hope it doesn't break anything else, so it would be great if someone with a complicated config with lots of features, including IPsec (like "ET"), could give it a try.

http://m0n0.ch/wall/downloads-local/generic-pc-1.3b13-pre.img
http://m0n0.ch/wall/downloads-local/net45xx-1.3b13-pre.img
http://m0n0.ch/wall/downloads-local/net48xx-1.3b13-pre.img
http://m0n0.ch/wall/downloads-local/wrap-1.3b13-pre.img
(not digitally signed)
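
The packet path described in the post above, as an added toy model in C (not part of the original post and not m0n0wall or FreeBSD source). All names are hypothetical, and the `clear_flags_on_decap` switch is an assumed mitigation for illustration, not the actual 1.3b13-pre kernel fix.

```c
#include <stdio.h>

/* Toy model of the packet path described above. All names are hypothetical;
 * this is not m0n0wall or FreeBSD source. */
#define PKT_SHAPED 0x1u  /* set when a packet leaves the shaper, so it is not processed twice */

struct pkt    { unsigned flags; int gre_encap; };
struct result { int rule_evaluated, delivered, reply_passes; };

/* WAN input: if a shaper rule matches the GRE packet, it exits the shaper flagged. */
static void wan_shaper(struct pkt *p, int shaper_matches_gre) {
    if (p->gre_encap && shaper_matches_gre)
        p->flags |= PKT_SHAPED;
}

/* Decapsulation strips the GRE header in place, so the flags survive.
 * clear_flags_on_decap models one possible mitigation (an assumption, not the actual fix). */
static void gre_decap(struct pkt *p, int clear_flags_on_decap) {
    p->gre_encap = 0;
    if (clear_flags_on_decap)
        p->flags &= ~PKT_SHAPED;
}

/* Inbound filtering on the PPTP interface; returns 1 if a state entry was created. */
static int pptp_firewall_in(const struct pkt *p, int block_rule, struct result *r) {
    if (p->flags & PKT_SHAPED) {   /* workaround misfires: filtering skipped */
        r->delivered = 1;          /* effectively "pass all" */
        return 0;                  /* and no state entry */
    }
    r->rule_evaluated = 1;
    r->delivered = !block_rule;
    return !block_rule;            /* a pass rule keeps state */
}

struct result simulate(int shaper_matches_gre, int clear_flags_on_decap, int block_rule) {
    struct pkt p = { 0, 1 };       /* constructed packet: GRE-encapsulated, from a PPTP client */
    struct result r = { 0, 0, 0 };
    wan_shaper(&p, shaper_matches_gre);
    gre_decap(&p, clear_flags_on_decap);
    /* The firewall's own reply (ping, DNS) only gets out if the request created state. */
    r.reply_passes = pptp_firewall_in(&p, block_rule, &r);
    return r;
}

int main(void) {
    struct result bug = simulate(1, 0, 1), ok = simulate(1, 1, 0);
    printf("bug: block rule evaluated=%d, delivered=%d\n", bug.rule_evaluated, bug.delivered);
    printf("mitigated: reply to client passes=%d\n", ok.reply_passes);
    return 0;
}
```

With the shaper matching GRE and no flag clearing, a block rule on the PPTP interface is never evaluated and replies from the firewall itself are dropped, which matches both symptoms reported in this thread.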
« Reply #13 on: July 09, 2008, 23:07:56 »
ET *
Posts: 25

I'll give it a try on a production m0n0 tomorrow and post some feedback in the evening or the next day.
Hope this works.
« Reply #14 on: July 11, 2008, 13:46:06 »
ET *
Posts: 25

I'm back with good news.
I've been testing the pre-1.3b13 generic PC image under high network loads (transferring backup images locally and over IPsec VPN etc.) and for now everything works great, especially PPTP VPN. There's no sign of any problem with PPTP VPN.
In this version I have lots of messages: "racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument". I don't use UDP encapsulation in any of my IPsec tunnels. Is this something I should worry about?

BTW, thank you Manuel for your great work on m0n0wall.
 