From: Mario Lobo
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Sat, 10 Sep 2011 10:18:25 -0300
Subject: Re: VPN problem
Message-Id: <201109101018.25383.lobo@bsd.com.br>
In-Reply-To: <20110910054538.GA29437@insomnia.benzedrine.cx>
References: <201109091646.15327.lobo@bsd.com.br> <20110910054538.GA29437@insomnia.benzedrine.cx>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Saturday 10 September 2011 02:45:38 Daniel Hartmeier wrote:
> On Fri, Sep 09, 2011 at 04:46:15PM -0300, Mario Lobo wrote:
> > Any suggestions?
>
> Unlike most commercial NAT devices, pf is not aware of payload in PPTP
> packets, which means it only supports a single PPTP connection between
> your single external home address and the constant public work address
> (i.e. demultiplexing incoming PPTP packets to the right local client is
> based solely on IP addresses, and not any information inside the PPTP
> payload, like a session ID or such).
>

I don't know if I understood this right, but I know for sure that I can have multiple users connected to the work FBSD MPD server. Are you talking about multilink PPTP connections here?

> Run pfctl -ss on the home NAT box and check that there is no unexpected
> prior PPTP (GRE) state when you try to open yours.
>

Ahhh! A thread of light here.

On my previous layout,

home WS <---> FBSD home GW <---> Internet <---> FBSD work GW <---> work WS MPD Server

The "funny" thing is that whether I'm trying to establish a VPN tunnel from a home WS or a work WS to any external site, I have to make several attempts before achieving success. Even with the tunnel established, with Windows workstations for instance, the VPN connection is very unstable and keeps dropping. Sometimes, opening an ssh session from my home WS to FBSD work GW may "help" in establishing the VPN.

Like I said, the FBSD work GW MPD Server works flawlessly. My colleagues can connect to it from their homes (NATted cable modems or 3G modems) without problems. And connecting from FBSD home GW as client --> FBSD work GW works without glitches EVERY TIME. The same holds true for FBSD work GW as a client.

The problems happen ONLY to machines behind the FBSD xxx GW. That's why I made NAT a suspect.

> If this is the problem, you can try a PPTP proxy. Or, yes, try ipfw,
> but I think it's not PPTP payload-aware, either.
>

Like I said, I don't want to go to ipfw. I love the way things are done with pf! Never heard of a PPTP proxy. Could you name one for me that works on FBSD?
> More details in an old thread
> http://lists.freebsd.org/pipermail/freebsd-pf/2006-November/002834.html
>
> If this is not the problem, you'll have to provide more details, like
> tcpdump on the pf NAT box (on both external and internal interfaces)
> while trying to establish a connection, run pfctl -vvss, pfctl -si
> before and after, use 'set debug misc' and watch /var/log/messages, etc.
>
> Daniel

Thanks Daniel! I'll follow your steps to the letter as soon as I can and let you know the results.

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)
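The check Daniel asks for above ("run pfctl -ss on the home NAT box and look for a prior PPTP (GRE) state") can be scripted. The following is an added example, not code from this thread or from the pf project: it parses `pfctl -ss` output in the FreeBSD 8-era format (`iface proto lan (gwy) -> ext state` for outbound states, `iface proto ext <- gwy (lan) state` for inbound ones, IPv4 only), groups the PPTP control channels (TCP 1723) and GRE states per VPN server, and reports LAN clients that have a control channel but no GRE state of their own. Since GRE has no ports, pf can keep only one GRE state per (external NAT address, server) pair, so a second client's tunnel data has nowhere to go. The sample state table, interface name and all addresses are constructed for the example.

```python
"""Find PPTP clients behind a pf NAT whose GRE state collides with an earlier one.

Added example for the pfctl -ss check suggested in the thread; not the
poster's or the pf project's code. Parses the FreeBSD 8-era pfctl -ss line
format and assumes IPv4 addresses.
"""
from collections import defaultdict

PPTP_CONTROL_PORT = 1723

# Constructed `pfctl -ss` output (documentation addresses; 198.51.100.2 plays
# the home NAT box's external address). Two LAN clients hold PPTP control
# channels to the same server, but only one GRE state exists, because GRE
# carries no port pf could translate to tell the two apart.
SAMPLE_STATES = """\
em0 tcp 192.168.1.10:49152 (198.51.100.2:55123) -> 203.0.113.10:1723       ESTABLISHED:ESTABLISHED
em0 gre 192.168.1.10 (198.51.100.2) -> 203.0.113.10       MULTIPLE:MULTIPLE
em0 tcp 192.168.1.20:50110 (198.51.100.2:60322) -> 203.0.113.10:1723       ESTABLISHED:ESTABLISHED
em0 udp 192.168.1.10:5353 (198.51.100.2:5353) -> 198.51.100.7:53       SINGLE:MULTIPLE
em0 tcp 198.51.100.7:40001 <- 198.51.100.2:2222 (192.168.1.10:22)       ESTABLISHED:ESTABLISHED
"""


def _split_host(token):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); '1.2.3.4' -> ('1.2.3.4', None). IPv4 only."""
    addr, sep, port = token.partition(":")
    return addr, (int(port) if sep else None)


def _side(tokens):
    """Split one side of the arrow: ['addr'] or ['addr', '(translated)']."""
    primary = _split_host(tokens[0])
    inner = _split_host(tokens[1].strip("()")) if len(tokens) > 1 else None
    return primary, inner


def parse_states(text):
    """Return one dict per state line with lan, gwy (translated) and ext endpoints."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 5:
            continue
        arrow = next((i for i, t in enumerate(tokens) if t in ("->", "<-")), None)
        if arrow is None:
            continue
        left, right = tokens[2:arrow], tokens[arrow + 1:-1]
        if tokens[arrow] == "->":          # outbound: lan (gwy) -> ext
            lan, gwy_opt = _side(left)
            ext, _ = _side(right)
            gwy = gwy_opt or lan
        else:                              # inbound: ext <- gwy (lan)
            ext, _ = _side(left)
            gwy, lan_opt = _side(right)
            lan = lan_opt or gwy
        entries.append({
            "iface": tokens[0], "proto": tokens[1], "direction": tokens[arrow],
            "lan": lan, "gwy": gwy, "ext": ext, "state": tokens[-1],
        })
    return entries


def pptp_report(entries):
    """Per VPN server: LAN clients with a TCP 1723 control channel, and LAN
    clients holding the GRE state pf keeps for that (external address, server) pair."""
    report = defaultdict(lambda: {"control": set(), "gre": set()})
    for e in entries:
        if e["direction"] != "->":
            continue
        server = e["ext"][0]
        if e["proto"] == "tcp" and e["ext"][1] == PPTP_CONTROL_PORT:
            report[server]["control"].add(e["lan"][0])
        elif e["proto"] in ("gre", "47"):  # "47" if pfctl could not resolve the name
            report[server]["gre"].add(e["lan"][0])
    return dict(report)


def gre_collisions(entries):
    """Clients whose control channel is up while another LAN client already owns
    the GRE state to the same server: their tunnel data cannot be demultiplexed."""
    out = {}
    for server, r in pptp_report(entries).items():
        if not r["gre"]:
            continue
        blocked = sorted(c for c in r["control"] if c not in r["gre"])
        if blocked:
            out[server] = blocked
    return out


if __name__ == "__main__":
    states = parse_states(SAMPLE_STATES)
    for server, r in pptp_report(states).items():
        print(f"{server}: control={sorted(r['control'])} gre={sorted(r['gre'])}")
    for server, blocked in gre_collisions(states).items():
        print(f"GRE state to {server} already held; clients without one: {blocked}")
```

On a live box, feed it `pfctl -ss` output instead of the sample (`parse_states(subprocess.check_output(["pfctl", "-ss"], text=True))`) just before the second client dials; if it already reports a GRE holder for the server, the new client's control channel will come up and its data path will not, which matches the "several attempts" and dropping symptoms described above.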