Topic: IPSec & PPTP - same problem
« on: May 11, 2014, 10:48:05 »
Osolemio *
Posts: 18

Hi,

Cannot manage with this issue.
Local net 192.168.0.0/24 - router with PPTP or IPSec mobile client
Remote net 172.17.1.0/24 - m0n0 1.34

PPTP or IPSec rule - any any any - everything is open.

In both cases after establishing a connection I can reach any host (windows or linux), network storage in remote LAN, in DMZ on m0n0 also, but 2 hosts in LAN:
WiFi AP & Network printer. Both devices are in arp table on LAN. Pinged well from m0n0 LAN. I had the same issue with ip camera as well. Cannot understand the reason.
I have tried different subnets for PPTP, IPSec and so on, added a fake route to the LAN & PPTP interfaces. Changed default gateways on these devices to 0.0.0.0. I even compared icmp echo req packets from the PPTP client and a local host to the network printer - no difference when I use LAN address space for pptp clients. So I...
Something happens on the return path, I guess. No more ideas. Through logging I see the packet outgoing from PPTP but none incoming. Maybe the reason is some crooked TCP/IP stack implementation on standalone devices... On Wednesday I will try to set up port mirroring on another switch that can do it and see the whole session between devices. Very interesting.
« Last Edit: May 11, 2014, 13:38:42 by Osolemio »
« Reply #1 on: May 12, 2014, 00:00:54 »
Lee Sharp *****
Posts: 517

What is the default gateway on those two items?
« Reply #2 on: May 12, 2014, 00:13:57 »
Osolemio *
Posts: 18

Quote from: Lee Sharp
What is the default gateway on those two items?

m0n0 LAN IP of course. As on all others, given by DHCP.

Anyway, if I use LAN address space for PPTP (partially - 16 addresses), devices don't have to send echo replies to the DGW. For them the source IP belongs to the LAN. But the MAC address is the same as the DGW has. Probably the arp cache of these devices cannot hold 2 IPs with one MAC.... hmmm
The problem stays the same whether I use new subnet and traffic should be sent through DGW, or LAN subnet when it shouldn't.
« Last Edit: May 12, 2014, 00:46:05 by Osolemio »
« Reply #3 on: May 12, 2014, 19:50:54 »
Lee Sharp *****
Posts: 517

It sounds like your config is fine, but there is something off about those two systems...
« Reply #4 on: May 12, 2014, 22:24:35 »
Osolemio *
Posts: 18

Yes, it seems to be like that. On Wednesday evening I will see how the packets are running. I'm going to bring a smart switch and capture all the packets in each segment. On the m0n0 interface and the devices' interfaces.
« Last Edit: May 13, 2014, 13:13:47 by Osolemio »
« Reply #5 on: May 14, 2014, 18:47:59 »
Osolemio *
Posts: 18

Ok. I have bad news for m0n0.

I've just captured all traffic from/to m0n0 LAN physical (NIC) interface. Full duplex is being captured. With NI Observer.
So, when I ping 3 IP addresses in my LAN through the PPTP tunnel (i.e. printer, ip cam, wifi ap): NOT ONE PACKET leaves the LAN interface. I see outgoing packets in the PPTP m0n0 log, though. But not on LAN. That's why they cannot respond: they have not one incoming echo packet.
When I ping them from the m0n0 LAN interface via webGUI - I see all the packets.
With all the other LAN IPs - everything's fine.
MAC addresses of these 3 devices (meaning NIC producers) are totally different. Ethernet frames are the same. So, I'm very confused by this issue.
On LAN interface errors: 0/0
Shall I repost that in bug reports thread?
« Last Edit: May 14, 2014, 23:52:09 by Osolemio »
« Reply #6 on: May 15, 2014, 00:57:24 »
Lee Sharp *****
Posts: 517

It is working in other locations.  I am having some trouble wrapping my head around your setup, however.  If you want (and feel OK with it) I can take a look at your system.  If you look on the mailing lists, you can find my e-mail easily enough.
« Reply #7 on: May 15, 2014, 01:09:55 »
Osolemio *
Posts: 18

Let's reflect a little on setup.

All the hosts are on the L2 switch. So there's no difference between one host or another. Right?
PPTP rule is: any any any any. Moreover I see all outgoing echoes in PPTP logs as passed. None on LAN as blocked.
BTW I have added an unnecessary rule PPTP Clients - LAN permit any any any any on the LAN interface

I can ping 80% of hosts, but not these 3. They can have any IP. Does my setup have MAC filtering?

IPSec has other settings on m0n0 and other logical interface, but result is the same. Do you still think about settings?

P.S. It is not. I have read on this forum a number of abandoned start topics about same issue.
In the past (3 years ago) I gave up attempts to reach my old ip cam via tunnel. It wasn't so important. Now I want to find the cause.
« Last Edit: May 15, 2014, 12:42:39 by Osolemio »
« Reply #8 on: May 15, 2014, 19:22:32 »
Lee Sharp *****
Posts: 517

There are a lot of things I would look at, like the arp table, and if fragmented packets are allowed...  Stuff from years of troubleshooting m0n0wall.
« Reply #9 on: May 15, 2014, 20:35:24 »
Osolemio *
Posts: 18

The arp table is ok, all devices are in it. That was the first thing I looked at. I tried to remove the problem devices from the table, then add them via arp req through ping. No changes.
Fragmented packets are allowed. BTW this setting does not affect anything. It's connected with ESP only. I tried the tunnel with NAT traversal as well, i.e. w/o ESP.
To make it clear, in the past I was a certified networking engineer too and have more than 10 years of troubleshooting experience.

The strangest thing is that I cannot understand how it can be possible.
L1 is ok. Otherwise I'd have errors and discarded packets, especially on my smart switch. It analyses every frame. L3 and higher - ok. L2 LLC & frames are ok. MTU cannot be. Packets are lost for some reason between ng1 and rl2. It seems to be a Layer 2 MAC sublayer problem. BUT HOW?

ng1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1456
   inet6 fe80::230:84ff:fe78:8d6f%ng1 prefixlen 64 scopeid 0x7
   inet XXX.YY.1.1 --> XXX.YY.1.140 netmask 0xffffffff
rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   options=8<VLAN_MTU>
   inet XXX.YY.1.13 netmask 0xffffff00 broadcast XXX.YY.1.255
   inet6 fe80::230:84ff:fe78:8d6c%rl2 prefixlen 64 scopeid 0x3
   ether 00:30:84:78:8d:6c
   media: Ethernet autoselect (100baseTX <full-duplex>)
   status: active

Now I have established IPSec tunnel. ESP.
With new subnet address space. Capturing all ICMP on m0n0 LAN interface.
Ping all hosts, watching ICMP req & replies.
Ping "problem" hosts - no one ICMP packet from the interface.
enc0: flags=41<UP,RUNNING> mtu 1536
« Last Edit: May 16, 2014, 12:06:11 by Osolemio »
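A correlation check for the two captures described in this thread (echo requests seen on the tunnel interface versus the LAN interface), as an added example and not code from the thread or from m0n0wall; it assumes tcpdump-style ICMP summary lines, the interface roles ng1 (tunnel) and rl2 (LAN) from the ifconfig output above, and constructed sample addresses:

```python
import re
from collections import defaultdict

# Constructed tcpdump-style summary lines, NOT captures from the thread.
# ng1 = tunnel side (PPTP), rl2 = LAN side. 10.99.0.140 is an assumed
# VPN client; 172.17.1.x are assumed LAN hosts. Host .50 models the
# "problem host" case: the request shows up on the tunnel but never on LAN.
NG1_CAPTURE = """\
10:00:01.000100 IP 10.99.0.140 > 172.17.1.20: ICMP echo request, id 7, seq 1, length 64
10:00:01.000900 IP 172.17.1.20 > 10.99.0.140: ICMP echo reply, id 7, seq 1, length 64
10:00:02.000100 IP 10.99.0.140 > 172.17.1.50: ICMP echo request, id 7, seq 2, length 64
10:00:03.000100 IP 10.99.0.140 > 172.17.1.60: ICMP echo request, id 7, seq 3, length 64
"""
RL2_CAPTURE = """\
10:00:01.000300 IP 10.99.0.140 > 172.17.1.20: ICMP echo request, id 7, seq 1, length 64
10:00:01.000700 IP 172.17.1.20 > 10.99.0.140: ICMP echo reply, id 7, seq 1, length 64
10:00:03.000300 IP 10.99.0.140 > 172.17.1.60: ICMP echo request, id 7, seq 3, length 64
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(capture):
    """Map (icmp id, seq) -> {'request': (src, dst), 'reply': (src, dst)}."""
    flows = defaultdict(dict)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows[(int(m['id']), int(m['seq']))][m['kind']] = (m['src'], m['dst'])
    return flows

def classify(tunnel_capture, lan_capture):
    """For each echo request that arrived from the tunnel, say how far it got."""
    tun, lan = parse_icmp(tunnel_capture), parse_icmp(lan_capture)
    verdicts = {}
    for key, pkts in tun.items():
        if 'request' not in pkts:
            continue
        dst = pkts['request'][1]
        if 'request' not in lan.get(key, {}):
            verdicts[dst] = 'not forwarded to LAN'        # firewall never put it on the wire
        elif 'reply' not in lan[key]:
            verdicts[dst] = 'no reply from host'          # host saw it; host or return-path issue
        elif 'reply' not in pkts:
            verdicts[dst] = 'reply not returned to tunnel'  # reply reached the firewall, then lost
        else:
            verdicts[dst] = 'ok'
    return verdicts
```

Running `classify(NG1_CAPTURE, RL2_CAPTURE)` separates the firewall-side drop (request never egresses on LAN, the symptom reported here) from a host that simply does not answer.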
« Reply #10 on: May 16, 2014, 16:56:31 »
Lee Sharp *****
Posts: 517

VPN adds to the packet, so it may be an MTU issue.  Try a 1400 MTU on one of the problem hosts and see if it gets better.

Are the problem hosts DHCP or static IPs?
« Reply #11 on: May 16, 2014, 17:47:53 »
Osolemio *
Posts: 18

Quote from: Lee Sharp
VPN adds to the packet, so it may be an MTU issue.  Try a 1400 MTU on one of the problem hosts and see if it gets better.

Are the problem hosts DHCP or static IPs?

I was going to change the MTU. That was the only thing I was thinking about. Now I will try. IMHO useless. Usually pings are ok when the MTU is too big; problems start when we have big IP packets in TCP sessions such as web and so on.

Yes. I have 98% of hosts in DHCP leases table. Including these ones.
« Last Edit: May 16, 2014, 18:16:06 by Osolemio »
« Reply #12 on: May 16, 2014, 18:03:39 »
Osolemio *
Posts: 18

ng1: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 1400
   inet6 fe80::230:84ff:fe78:8d6f%ng1 prefixlen 64 scopeid 0x7
   inet XXX.YY.1.1 --> XXX.YY.1.140 netmask 0xffffffff

No changes. Still cannot ping. P.S. I used to calculate MTU size for each protocol. As I remember for PPTP 1456 is enough.

MTU IP over Ethernet = 1518-18 = 1500 bytes, header IP = 20 bytes, GRE = 4 bytes. PPTP 1500-20-4 = 1476 bytes.

I suppose it could be a hardware bug. Probably some kernel modules are slightly incompatible with my old hardware or NICs. Will try to upgrade my hardware. No more ideas...
« Last Edit: May 16, 2014, 19:28:05 by Osolemio »
« Reply #13 on: May 17, 2014, 16:46:31 »
Lee Sharp *****
Posts: 517

Just to be clear...  The firewall can ping the problem systems, but a VPN user can not?  And the IP addresses of the VPN are inside the IP address range of the LAN?  And you tried changing IPs of the problem servers?
« Reply #14 on: May 17, 2014, 20:44:12 »
Osolemio *
Posts: 18

Quote from: Lee Sharp
Just to be clear...  The firewall can ping the problem systems, but a VPN user can not?  And the IP addresses of the VPN are inside the IP address range of the LAN?  And you tried changing IPs of the problem servers?

1. Yes.
2. Now yes, with PPTP. Had different variants. With IPSec, no.
3. Of course.

I've been looking yesterday for new hardware, and... by the evening found a mikrotik router board for the price of hardware.
Will let you know after the tunnels are set up, whether the problem persists.