Topic: PPTP VPN Clients Can't See LAN  (Read 4272 times)
« on: August 14, 2007, 07:08:01 »
bubba_nuts *
Posts: 5

I just setup a box with m0n0wall 1.3b3.  PPTP clients are able to authenticate and connect, but once connected, they can only see the firewall's PPTP interface.  LAN clients can't see PPTP either.  Doing a tracert shows the packets trying to go out through each machine's external interface, like m0n0wall didn't realize it was supposed to route them to the other network segment.


LAN IP: 192.168.0.254
Mask: 255.255.255.0
DHCP Range: 192.168.0.1-99

PPTP IP: 192.168.1.254
PPTP Range: 192.168.1.0/24


LAN Rules:

Proto   Source         Port   Destination   Port   Description
*       LAN net        *      *             *      Allow LAN to Any

PPTP Rules:

Proto   Source         Port   Destination   Port   Description
*       PPTP clients   *      *             *      Allow PPTP to Any


PPP adapter M0n0wall VPN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.0
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.0.100
                                             192.168.0.101

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : mydomain.net
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
   Physical Address. . . . . . . . . : 00-16-41-E6-24-CD
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.99
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.254
   DHCP Server . . . . . . . . . . . : 192.168.0.254
   DNS Servers . . . . . . . . . . . : 192.168.0.100
                                             192.168.0.101


Should there be a default gateway value for the PPTP client?  Do I need to enable support for fragmented packets or configure something else?
« Reply #1 on: August 16, 2007, 06:57:25 »
cmb *****
Posts: 851

Doing a tracert shows the packets trying to go out through each machine's external interface, like m0n0wall didn't realize it was supposed to route them to the other network segment.

Traceroute from where to where?

I'm troubleshooting what sounds like potentially the same issue with pfsense right now, though it's very difficult to replicate it seems.
« Reply #2 on: August 17, 2007, 07:37:07 »
bubba_nuts *
Posts: 5

Traceroute from where to where?

The following is from a PPTP client that is connected to the m0n0wall from another location...

C:\>tracert 192.168.0.254

Tracing route to 192.168.0.254 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  internalserver.internaldomain.com [10.10.1.1]     <---  This is the inside gateway of the PPTP client
  2     1 ms     1 ms     1 ms  #-#-#-#.ded.ameritech.net [#.#.#.#]     <---  This is the ISP's router and an external (public) IP address.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.     <---  And so on...
« Last Edit: August 17, 2007, 07:39:01 by bubba_nuts »
« Reply #3 on: August 31, 2007, 06:54:34 »
bubba_nuts *
Posts: 5

Well I know what the problem is, but I'm not sure how to resolve it.

The PPTP clients will only talk to the LAN when I check the "Use default gateway" box in Windows.  However, I don't want to do that because it screws up connectivity to local network resources and forces internet traffic to go over the much slower PPTP link.

My previous PPTP VPN experience was with Cisco PIX and ClarkConnect, both of which automagically added a route to the client that looked like this:

Network Destination   Netmask         Gateway         Interface      Metric
192.168.1.0           255.255.255.0   192.168.1.254   192.168.1.10   1

(192.168.1.10 is the client's PPTP IP address and .254 is the firewall's.)

With that setup, internet and local traffic on the PPTP client would be routed as normal, and traffic for the remote network was routed over the remote link.
« Reply #4 on: August 31, 2007, 07:58:06 »
Max2950 ***
Posts: 120

Maybe you could try to make a batch file which adds the missing route; just start it right after connecting to your PPTP
« Reply #5 on: August 31, 2007, 20:43:00 »
bubba_nuts *
Posts: 5

I did a little bit of Googling and found some additional info.

Quote
Windows 2000, Windows XP, and Windows Server 2003-based VPN clients send a DHCPInform message to the VPN server, requesting a set of DHCP options. This is done so that the VPN client can obtain an updated list of DNS and WINS servers and a DNS domain name that is assigned to the VPN connection. The DHCPInform message is forwarded to a DHCP server on the organization intranet by the VPN server and the response is sent back to the VPN client.

Windows XP and Windows Server 2003-based VPN clients include the Classless Static Routes DHCP option in their list of requested DHCP options. If configured on the DHCP server, the Classless Static Routes DHCP option contains a set of routes representing the address space of your intranet. These routes are automatically added to the routing table of the requesting client when it receives the response to the DHCPInform message and automatically removed when the VPN connection is terminated.

http://www.microsoft.com/technet/community/columns/cableguy/cg1003.mspx#EVF

It sounds like M0n0wall either doesn't support this option or it isn't enabled.
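The Classless Static Routes option quoted above is DHCP option 121 (RFC 3442). As an added example, not part of this thread or of m0n0wall, the following encodes and decodes that option for the one route a client in this setup would need (the m0n0wall LAN 192.168.0.0/24 via the PPTP gateway 192.168.1.254, values taken from the thread); the route list and the helper names are assumptions for illustration.

```python
"""Encode/decode the DHCP Classless Static Route option (RFC 3442, option 121)."""
import ipaddress
import math

OPTION_CLASSLESS_STATIC_ROUTE = 121  # option code assigned by RFC 3442


def encode_routes(routes):
    """Encode [(destination_cidr, router_ip), ...] into the option's value bytes.

    Each entry is: 1 byte prefix length, then only the significant octets of
    the destination (ceil(prefix/8) of them), then the 4-byte router address.
    """
    data = bytearray()
    for dest_cidr, router in routes:
        net = ipaddress.IPv4Network(dest_cidr, strict=True)
        significant = math.ceil(net.prefixlen / 8)
        data.append(net.prefixlen)
        data += net.network_address.packed[:significant]
        data += ipaddress.IPv4Address(router).packed
    return bytes(data)


def encode_option(routes):
    """Wrap the value in DHCP TLV form: option code, length, value."""
    value = encode_routes(routes)
    if len(value) > 255:
        raise ValueError("route list does not fit in a single DHCP option")
    return bytes([OPTION_CLASSLESS_STATIC_ROUTE, len(value)]) + value


def decode_routes(value):
    """Parse option value bytes back into [(destination_cidr, router_ip), ...]."""
    routes, i = [], 0
    while i < len(value):
        prefixlen = value[i]
        if prefixlen > 32:
            raise ValueError("bad prefix length %d" % prefixlen)
        significant = math.ceil(prefixlen / 8)
        dest = value[i + 1:i + 1 + significant].ljust(4, b"\x00")  # pad omitted octets
        router = value[i + 1 + significant:i + 5 + significant]
        if len(dest) != 4 or len(router) != 4:
            raise ValueError("truncated route entry")
        net = ipaddress.IPv4Network((dest, prefixlen), strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
        i += 5 + significant
    return routes


# Constructed from the thread: reach the m0n0wall LAN through the PPTP gateway.
PPTP_ROUTES = [("192.168.0.0/24", "192.168.1.254")]
```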
« Reply #6 on: September 02, 2007, 10:41:53 »
cmb *****
Posts: 851

You shouldn't need to do that. Is the client machine on the same IP subnet as the remote network?