[opensuse] Problem routing pptp traffic through openSUSE 11.0 box
Hi all,

I currently have an openSUSE box that is dual homed with one public IP address and one private address. It serves as the default route to my location. It also hosts a few services (i.e. http, ftp, smtp, dns), and it also masquerades one internal service (https).

Since I love switching out MS boxes with openSUSE equivalents, I used the PopTop+MSCHAPv2+Samba+Radius+MS_AD readme on the PopTop site (http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm) to add PPTP support to this box. I'll admit that, for now, I did use an existing MS IAS server as my RADIUS server, but the actual connection to the PPTP server is working from external machines. I can log in, ping, and even SSL the server. But that is the end of my success. For the life of me, I can't get to any boxes behind the PPTP server.

When I try to ping them, I get the message: Reply from 192.168.100.50: Destination protocol unreachable.

I've checked my server's firewall logs and I see these entries when I try to ping an internal machine from the outside:

Nov 25 14:02:17 inferno kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth0 SRC=192.168.100.51 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=19552 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1024
Nov 25 14:02:18 inferno kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth0 SRC=192.168.100.51 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=19784 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1280
Nov 25 14:02:19 inferno kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth0 SRC=192.168.100.51 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=19857 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1536
Nov 25 14:02:20 inferno kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth0 SRC=192.168.100.51 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=19942 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1792

If I'm reading it correctly, it looks like the packets are being dropped (which I kinda knew). But iptables is one area that I have not been able to spend enough research time on, and for the life of me, I cannot figure out how to send them back to the remote machine. So I would be much appreciative if some kind soul would throw me a bone and at least point me to some hidden How-To on routing ppp0 clients through an openSUSE firewall and/or let me know if my configuration has any obvious errors.

For the record, here are some of the things I've tried that didn't work:

1) Moving the PPTP IP addresses to a different subnet and routing.
2) Trying with and without proxyarp in options.pptp
3) Tried adding these iptables entries:
   iptables -A forward_int -o ppp0 -i eth0 -j ACCEPT
   iptables -A forward_int -i ppp0 -o eth0 -j ACCEPT
4) I've added ip_conntrack_pptp and ip_nat_pptp to FW_LOAD_MODULES

Also, for the record:

My pptpd.conf file is:

option /etc/ppp/options.pptpd
debug
logwtmp
localip 192.168.100.50
remoteip 192.168.100.51-60
connections 10
pidfile /var/run/pptpd.pid

My options.pptpd file is:

name pptpd
debug
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
ms-dns 192.168.100.1
ms-dns 192.168.100.2
ms-wins 192.168.100.3
ms-wins 192.168.100.4
proxyarp
lock
nobsdcomp
novj
novjccomp
nologfd
auth
nodefaultroute
plugin radius.so
plugin radattr.so

Before a machine connects, the server's routing table is:

inferno:/etc/ppp # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
xxx.yyy.zzz.40  0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xxx.yyy.zzz.41  0.0.0.0         UG    0      0        0 eth1

Once a remote system connects, the routing table is updated to:

inferno:/etc/ppp # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.100.51  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
xxx.yyy.zzz.40  0.0.0.0         255.255.255.248 U     0      0        0 eth1
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         xxx.yyy.zzz.41  0.0.0.0         UG    0      0        0 eth1

Regards,
K
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
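As an added diagnostic (not code from the thread): a small Python parser for the SuSEfirewall2 kernel log format quoted above. It tallies dropped forward-chain flows whose source and destination are both private addresses, which is exactly how a VPN client on ppp0 being refused a route into the LAN on eth0 shows up in the log. The sample lines are constructed from the entries in the post; the extra INext line is invented so the filter has something to ignore.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample log, modelled on the SFW2-FWDint-DROP-DEFLT entries quoted in the
# post; the third line (an inbound SSH probe dropped on the external interface) is made
# up so the filter has something to ignore.
SAMPLE_LOG = """\
Nov 25 14:02:17 inferno kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth0 SRC=192.168.100.51 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=19552 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1024
Nov 25 14:02:18 inferno kernel: SFW2-FWDint-DROP-DEFLT IN=ppp0 OUT=eth0 SRC=192.168.100.51 DST=192.168.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=19784 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=1280
Nov 25 14:02:19 inferno kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>SFW2-\S+) (?P<fields>.*)$")

def parse_sfw2_line(line):
    """Split one SuSEfirewall2 kernel log line into its log prefix and key=value fields.
    Returns None for non-SFW2 lines. The first ID= (the IP header id) wins over the
    second one that ICMP echo entries carry (the echo identifier)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "tcp_flags": []}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            rec.setdefault(key, value)
        else:
            rec["tcp_flags"].append(token)  # bare tokens such as SYN or ACK
    return rec

def private_to_private_forward_drops(lines):
    """Count dropped FORWARD-chain flows whose endpoints are both RFC 1918 addresses:
    the symptom in the post, a VPN client on ppp0 that the firewall will not route to
    the LAN on eth0. The zone in the prefix (FWDint, FWDext) is the zone SuSEfirewall2
    assigned to the incoming interface."""
    counts = Counter()
    for line in lines:
        rec = parse_sfw2_line(line)
        if rec is None or not rec["prefix"].startswith("SFW2-FWD") or "-DROP-" not in rec["prefix"]:
            continue
        if ip_address(rec["SRC"]).is_private and ip_address(rec["DST"]).is_private:
            counts[(rec["IN"], rec["OUT"], rec["SRC"], rec["DST"], rec["PROTO"])] += 1
    return counts

if __name__ == "__main__":
    for (ifin, ifout, src, dst, proto), n in private_to_private_forward_drops(SAMPLE_LOG.splitlines()).items():
        print(f"{n:4d} drops  {ifin} -> {ifout}  {src} -> {dst}  {proto}")
```

Run it against /var/log/firewall (or wherever syslog sends kernel messages on the box) to see which interface pair and which address pair the default forward policy is dropping before touching any rules.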
Ken Gramm wrote:
> Hi all,
>
> I currently have an openSUSE box that is dual homed with one public IP address and one private address. It serves as the default route to my location. It also hosts a few services (i.e. http, ftp, smtp, dns), and it also masquerades one internal service (https).
>
> Since I love switching out MS boxes with openSUSE equivalents, I used the PopTop+MSCHAPv2+Samba+Radius+MS_AD readme on the PopTop site (http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm) to add PPTP support to this box. I'll admit that, for now, I did use an existing MS IAS server as my RADIUS server, but the actual connection to the PPTP server is working from external machines. I can log in, ping, and even SSL the server. But that is the end of my success. For the life of me, I can't get to any boxes behind the PPTP server.
>
> When I try to ping them, I get the message: Reply from 192.168.100.50: Destination protocol unreachable.
>
> <snip>
>
> Also, for the record:
>
> My pptpd.conf file is: option /etc/ppp/options.pptpd debug logwtmp localip 192.168.100.50 remoteip 192.168.100.51-60 connections 10 pidfile /var/run/pptpd.pid
>
> My options.pptpd file is: name pptpd debug refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 ms-dns 192.168.100.1 ms-dns 192.168.100.2 ms-wins 192.168.100.3 ms-wins 192.168.100.4 proxyarp lock nobsdcomp novj novjccomp nologfd auth nodefaultroute plugin radius.so plugin radattr.so
Your configuration is a bit more complex than mine. Here is how I am currently running on 10.3 and I have been quite happy with the results. Take a look, you might see something I'm missing. Also, in the past, I have always made sure that the remote site was on a different subnet than the LAN on which I'm running pptp. I don't think that's related, but just in case. Here are my options, options.pptpd and /etc/pptpd.conf for comparison:

/etc/ppp/options

name yourhost.yourserver.com
noipdefault
noauth
lock
local
lcp-echo-interval 30
lcp-echo-failure 4
lcp-max-configure 60
lcp-restart 2
idle 600
noipx
file /etc/ppp/filters
proxyarp
ms-dns 192.168.12.15
ms-wins 192.168.12.15
refuse-chap
refuse-mschap

/etc/ppp/options.pptp

lock
noauth
nobsdcomp
lcp-echo-failure 10
lcp-echo-interval 10

/etc/pptpd.conf

option /etc/ppp/options.pptp
debug
localip 192.168.12.12
remoteip 192.168.12.2-5
pidfile /var/run/pptpd.pid

--
David C. Rankin, J.D.,P.E.  | openSoftware und SystemEntwicklung
Rankin Law Firm, PLLC       | Countdown for openSuSE 11.1
www.rankinlawfirm.com       | http://counter.opensuse.org/11.1/small
On Tue, 2008-11-25 at 22:08 -0600, David C. Rankin wrote:
> Ken Gramm wrote:
>> Hi all,
>>
>> I currently have an openSUSE box that is dual homed with one public IP address and one private address. It serves as the default route to my location. It also hosts a few services (i.e. http, ftp, smtp, dns), and it also masquerades one internal service (https).
>>
>> Since I love switching out MS boxes with openSUSE equivalents, I used the PopTop+MSCHAPv2+Samba+Radius+MS_AD readme on the PopTop site (http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm) to add PPTP support to this box. I'll admit that, for now, I did use an existing MS IAS server as my RADIUS server, but the actual connection to the PPTP server is working from external machines. I can log in, ping, and even SSL the server. But that is the end of my success. For the life of me, I can't get to any boxes behind the PPTP server.
>>
>> When I try to ping them, I get the message: Reply from 192.168.100.50: Destination protocol unreachable.
>>
>> <snip>
>>
>> Also, for the record:
>>
>> My pptpd.conf file is: option /etc/ppp/options.pptpd debug logwtmp localip 192.168.100.50 remoteip 192.168.100.51-60 connections 10 pidfile /var/run/pptpd.pid
>>
>> My options.pptpd file is: name pptpd debug refuse-pap refuse-chap refuse-mschap require-mschap-v2 require-mppe-128 ms-dns 192.168.100.1 ms-dns 192.168.100.2 ms-wins 192.168.100.3 ms-wins 192.168.100.4 proxyarp lock nobsdcomp novj novjccomp nologfd auth nodefaultroute plugin radius.so plugin radattr.so
>
> Your configuration is a bit more complex than mine. Here is how I am currently running on 10.3 and I have been quite happy with the results. Take a look, you might see something I'm missing. Also, in the past, I have always made sure that the remote site was on a different subnet than the LAN on which I'm running pptp. I don't think that's related, but just in case. Here are my options, options.pptpd and /etc/pptpd.conf for comparison:
>
> /etc/ppp/options
>
> name yourhost.yourserver.com
> noipdefault
> noauth
> lock
> local
> lcp-echo-interval 30
> lcp-echo-failure 4
> lcp-max-configure 60
> lcp-restart 2
> idle 600
> noipx
> file /etc/ppp/filters
> proxyarp
> ms-dns 192.168.12.15
> ms-wins 192.168.12.15
> refuse-chap
> refuse-mschap
>
> /etc/ppp/options.pptp
>
> lock
> noauth
> nobsdcomp
> lcp-echo-failure 10
> lcp-echo-interval 10
>
> /etc/pptpd.conf
>
> option /etc/ppp/options.pptp
> debug
> localip 192.168.12.12
> remoteip 192.168.12.2-5
> pidfile /var/run/pptpd.pid
Thanks for the files. I'll give your settings a try and post my results tomorrow.

Ken
Ken Gramm wrote:
> Hi all,
>
> I currently have an openSUSE box that is dual homed with one public IP address and one private address. It serves as the default route to my location. It also hosts a few services (i.e. http, ftp, smtp, dns), and it also masquerades one internal service (https).
>
> Since I love switching out MS boxes with openSUSE equivalents, I used the PopTop+MSCHAPv2+Samba+Radius+MS_AD readme on the PopTop site (http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm) to add PPTP support to this box. I'll admit that, for now, I did use an existing MS IAS server as my RADIUS server, but the actual connection to the PPTP server is working from external machines. I can log in, ping, and even SSL the server. But that is the end of my success. For the life of me, I can't get to any boxes behind the PPTP server.
You do have IP forwarding enabled on the pptp server box, don't you? You can set it through YaST -> network device or

echo '1' > /proc/sys/net/ipv4/ip_forward

(writing 1 enables forwarding; 0 turns it off.)

--
David C. Rankin, J.D.,P.E.  | openSoftware und SystemEntwicklung
Rankin Law Firm, PLLC       | Countdown for openSuSE 11.1
www.rankinlawfirm.com       | http://counter.opensuse.org/11.1/small
On Tue, 2008-11-25 at 22:44 -0600, David C. Rankin wrote:
> Ken Gramm wrote:
>> Hi all,
>>
>> I currently have an openSUSE box that is dual homed with one public IP address and one private address. It serves as the default route to my location. It also hosts a few services (i.e. http, ftp, smtp, dns), and it also masquerades one internal service (https).
>>
>> Since I love switching out MS boxes with openSUSE equivalents, I used the PopTop+MSCHAPv2+Samba+Radius+MS_AD readme on the PopTop site (http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_1.htm) to add PPTP support to this box. I'll admit that, for now, I did use an existing MS IAS server as my RADIUS server, but the actual connection to the PPTP server is working from external machines. I can log in, ping, and even SSL the server. But that is the end of my success. For the life of me, I can't get to any boxes behind the PPTP server.
>
> You do have IP forwarding enabled on the pptp server box, don't you? You can set it through YaST -> network device or
>
> echo '1' > /proc/sys/net/ipv4/ip_forward
Hi David, thanks for the replies. Yes, I do have IP forwarding enabled.

K