Date:      Sat, 10 Sep 2011 10:18:25 -0300
From:      Mario Lobo <lobo@bsd.com.br>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: VPN  problem
Message-ID:  <201109101018.25383.lobo@bsd.com.br>
In-Reply-To: <20110910054538.GA29437@insomnia.benzedrine.cx>
References:  <201109091646.15327.lobo@bsd.com.br> <20110910054538.GA29437@insomnia.benzedrine.cx>

On Saturday 10 September 2011 02:45:38 Daniel Hartmeier wrote:
> On Fri, Sep 09, 2011 at 04:46:15PM -0300, Mario Lobo wrote:
> > Any suggestions?
> 
> Unlike most commercial NAT devices, pf is not aware of payload in PPTP
> packets, which means it only supports a single PPTP connection between
> your single external home address and the constant public work address
> (i.e. demultiplexing incoming PPTP packets to the right local client is
> based solely on IP addresses, and not any information inside the PPTP
> payload, like a session ID or such).
> 

I don't know if I understood this right but I know for sure that I can have 
multiple users connected to the work FBSD MPD server. Are you talking about 
multilink PPTP connections here?


> Run pfctl -ss on the home NAT box and check that there is no unexpected
> prior PPTP (GRE) state when you try to open yours.
> 

Ahhh! A thread of light here. On my previous layout,

home WS <---> FBSD home GW <---> Internet <---> FBSD work GW <---> work WS
                                                MPD Server

The "funny" thing is that whether I'm trying to establish a VPN tunnel from 
a home WS or a work WS to any external site, I have to make several attempts 
before achieving success. Even with the tunnel established, with Windows 
workstations for instance, the VPN connection is very unstable and keeps 
dropping.

Sometimes, opening an ssh session from my home WS to FBSD work GW may 
"help" in establishing the VPN.

Like I said, the FBSD work GW MPD Server works flawlessly. My colleagues can 
connect to it from their homes (NATted cable modems or 3G modems) without 
problems. And connecting from FBSD home GW as client --> FBSD work GW works 
without glitches EVERYTIME. The same holds true for FBSD work GW as a client.

The problem happens ONLY to machines behind the FBSD xxx GW. That's why I 
made NAT a suspect.

> If this is the problem, you can try a PPTP proxy. Or, yes, try ipfw,
> but I think it's not PPTP payload-aware, either.
> 

Like I said, I don't want to go to ipfw. I love the way things are done with 
pf! Never heard of a PPTP proxy. Could you name one for me that works on 
FBSD?


> More details in an old thread
> http://lists.freebsd.org/pipermail/freebsd-pf/2006-November/002834.html
> 
> If this is not the problem, you'll have to provide more details, like
> tcpdump on the pf NAT box (on both external and internal interfaces)
> while trying to establish a connection, run pfctl -vvss, pfctl -si
> before and after, use 'set debug misc' and watch /var/log/messages, etc.
> 
> Daniel

Thanks Daniel!


I'll follow your steps to the letter as soon as I can and let you know the 
results.

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)
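The check Daniel suggests above (look in `pfctl -ss` for a prior GRE state before opening a new PPTP tunnel) can be automated. The following is an added example, not code from the thread or from pf: it parses state lines in the two notations pf has used (`translated (original) -> dst` and the older `src -> translated -> dst`) and reports any PPTP peer that already has GRE state from more than one internal host, which is exactly the case pf cannot demultiplex on addresses alone. The state lines are constructed sample output, and the regular expression is an assumption about the line layout, so verify it against the real `pfctl -ss` output on your box.

```python
import re

# Constructed sample of `pfctl -ss` output on a pf NAT box (not real output).
# Two internal hosts (192.168.1.5 and 192.168.1.9) hold GRE state to the same
# PPTP server 198.51.100.7; a third GRE state goes to a different server.
SAMPLE_STATES = """\
all tcp 203.0.113.1:61234 (192.168.1.5:54321) -> 198.51.100.7:1723       ESTABLISHED:ESTABLISHED
all gre 203.0.113.1 (192.168.1.5) -> 198.51.100.7       MULTIPLE:MULTIPLE
all tcp 203.0.113.1:61240 (192.168.1.9:50011) -> 198.51.100.7:1723       ESTABLISHED:ESTABLISHED
all gre 203.0.113.1 (192.168.1.9) -> 198.51.100.7       MULTIPLE:MULTIPLE
all gre 203.0.113.1 (192.168.1.5) -> 198.51.100.20       MULTIPLE:MULTIPLE
all udp 203.0.113.1:5353 (192.168.1.5:5353) -> 198.51.100.7:53       MULTIPLE:SINGLE
"""

# Assumed layout of one state line:
#   iface proto A[:port] [(ORIG[:port])] [-> B[:port]] -> DST[:port] STATE
# New pf prints "translated (original) -> dst"; old pf printed
# "original -> translated -> dst". Both are accepted here.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<a>[\d.]+)(?::\d+)?"
    r"(?:\s+\((?P<orig>[\d.]+)(?::\d+)?\))?"
    r"(?:\s+->\s+(?P<b>[\d.]+)(?::\d+)?)?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s+(?P<state>\S+)$"
)


def parse_states(text):
    """Yield (proto, internal_host, peer) for every parsable state line."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # headers or lines in a layout we do not recognise
        # In the new notation the original client is in parentheses; in the
        # old one it is the first address.
        internal = m.group("orig") or m.group("a")
        yield m.group("proto"), internal, m.group("dst")


def gre_conflicts(text):
    """Map each peer that has GRE state from more than one internal host to
    the sorted list of those hosts. pf keys GRE state on addresses only, so
    replies from such a peer cannot be routed back to the right client."""
    by_peer = {}
    for proto, internal, peer in parse_states(text):
        if proto == "gre":
            by_peer.setdefault(peer, set()).add(internal)
    return {p: sorted(h) for p, h in by_peer.items() if len(h) > 1}


if __name__ == "__main__":
    # Live use: pipe `pfctl -ss` output in place of SAMPLE_STATES.
    for peer, hosts in gre_conflicts(SAMPLE_STATES).items():
        print(f"GRE to {peer} held by several clients: {', '.join(hosts)}")
```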



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201109101018.25383.lobo>