Re: PoPToP and... routing?

From: Paul Friedrich (pf_at_i-security.at)
Date: 09/06/04


Date: Mon, 06 Sep 2004 20:29:34 +0200

does your internal traffic pass by default through your vpnbox? do your
internal machines know about the vpn network range (eg is there a route
to it?). i had a similar problem and got it working when i manually (or
through a script which is called when a vpn interface goes up) added the
ip of the vpn client with the mac address of the internal nic to the
arp table

cheers

paul

Archevis wrote:

> Oooops..... Sorry, folks!
>
> I forgot to mention that I have even removed the third network interface and
> turned off named and dhcpd, just to get the pptpd VPN functional again. I
> thought I had restored the system to its previously working state, but
> obviously something went bad along the way.
>
> Also, I should probably state explicitly that having had a working PoPToP
> installation also implies that yes, I have followed the advice of
> recompiling the kernel without GRE support... :)
>
> - 4rch3v15
>
>
> "Archevis" <archevis@hotmail.com> wrote in message
> news:d99f9148.0408280601.5d81b006@posting.google.com...
>
>>I'm at a complete loss here... I had PoPToP VPN up and running on my
>>OpenBSD 3.5 firewall before installing a third network card for an
>>"external" IP zone. After setting up dhcpd and named on the firewall
>>for the new nic (rl1) I discovered that I could still connect and
>>login on the firewall/VPN server, but all of a sudden I was unable to
>>ping anything behind the firewall.
>>
>>To be as specific as I can: I can ping the firewall's local IP from
>>the Windows XP (built-in VPN) client, and also ping both the XP client
>>and all machines on the local network ("behind" the firewall) from the
>>firewall/VPN server. But I'm unable to ping machines behind the
>>firewall from the XP client, and the XP client is also unreachable
>>from machines behind the firewall/VPN server.
>>
>>Aside from the above problems everything works like a charm. The
>>web/mail server (behind the firewall) is accessible through ordinary
>>access over the Internet. Similarly, the Internet is accessible from
>>every machine behind the firewall (I'm using packet filter NAT).
>>
>>My first thought was: Check, double check and then triple check
>>pf.conf, in case the firewall is accidentally blocking traffic. But
>>the problem persists even if I add "pass in quick all" and "pass out
>>quick all" as the first filtering lines in pf.conf. So I'm assuming
>>that the firewall is innocent...
>>
>>Which leads me to suspect routing to be my cause of grief. Which gives
>>me the shivers, since I'm by far no qualified system administrator. ;)
>>
>>Output from "route show" yields (my external IP shown as
>><A>.<B>.<C>.<D>):
>>
>>Internet:
>>Destination          Gateway              Flags
>>default              <A>.<B>.<C>.<D>      UG
>><A>.<B>.<C>.<D-2>    link#2               U
>><A>.<B>.<C>.<D-1>    <a MAC address>      UH
>>localhost            localhost            UG
>>localhost            localhost            UH
>>192.168.0.0          link#1               U
>>gate                 localhost            UGH
>>euclid               <a MAC address>      UH
>>galileo              <a MAC address>      UH
>>192.168.0.145        <a MAC address>      UH
>>BASE-ADDRESS.MCA     localhost            U
>>
>>Line 3 is my ISP's gateway for my external nic, with last IP byte a
>>value of 1 less than on my IP. Knowing less than little of the inner
>>workings of routing, I'm still a little surprised by line 2 where the
>>last of the four IP bytes is 2 less than on my external nic. This
>>being link#2 and all...
>>
>>From my XP client (at 192.168.0.145) I'm able to tracert machines
>>behind the firewall to my firewall/VPN server at 192.168.0.1, but no
>>further.
>>
>>Anyone have any idea what I'm up against? Is there some setting in the
>>PoPToP or PPP config files regarding routing? Or is this perhaps not a
>>routing problem at all? How can I figure out if it is?
>>
>>All suggestions appreciated :)
>>
>>- 4rch3v15
>
>
>
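Paul's workaround above (a hook that runs when the VPN interface comes up and publishes the client's address with the internal NIC's MAC, i.e. proxy ARP) as an added example; this is not code from either poster. It assumes pppd's ip-up calling convention (interface, tty, speed, local IP, remote IP, ipparam), an OpenBSD box whose internal NIC is rl0 (a constructed name; the thread only names the new third card rl1), and that PPTP clients are handed addresses out of the LAN's 192.168.0.0/24, which is the case for the 192.168.0.145 client in the quoted post. LAN_IF and LAN_PREFIX are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): an /etc/ppp/ip-up style hook for
# pppd on OpenBSD that publishes a proxy-ARP entry for a freshly connected
# PPTP client, so hosts on the internal LAN reach it without needing a route.
# pppd invokes ip-up as: ip-up <iface> <tty> <speed> <local-ip> <remote-ip> <ipparam>
# Assumptions (constructed for this example): internal NIC rl0, LAN 192.168.0.0/24.

LAN_IF="${LAN_IF:-rl0}"
LAN_PREFIX="${LAN_PREFIX:-192.168.0}"

# pppd runs this hook as root, so accept only a plain dotted-quad IPv4
# address before it reaches a privileged command; anything else is refused.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Proxy ARP only makes sense when the client address lies inside the LAN
# subnet (a /24 here, by assumption); otherwise internal hosts need a route.
in_lan_24() {
    case "$1" in
        "$2".*) return 0 ;;
        *)      return 1 ;;
    esac
}

# MAC address of the internal NIC, read from the lladdr line of ifconfig(8).
lan_mac() {
    ifconfig "$1" | awk '/lladdr/ { print $2; exit }'
}

# arp(8) command that publishes <ip> with <mac>; the 'pub' keyword makes the
# VPN box answer ARP requests for the client's address on the LAN segment.
arp_publish_cmd() {
    printf 'arp -s %s %s pub\n' "$1" "$2"
}

# Matching cleanup for an ip-down hook.
arp_delete_cmd() {
    printf 'arp -d %s\n' "$1"
}

ip_up() {
    remote="$5"
    if ! is_ipv4 "$remote"; then
        logger -t ip-up "refusing non-IPv4 remote address: $remote"
        return 1
    fi
    if ! in_lan_24 "$remote" "$LAN_PREFIX"; then
        logger -t ip-up "$remote is outside $LAN_PREFIX.0/24; not publishing ARP"
        return 1
    fi
    mac=$(lan_mac "$LAN_IF")
    if [ -z "$mac" ]; then
        logger -t ip-up "no lladdr found on $LAN_IF"
        return 1
    fi
    logger -t ip-up "running: $(arp_publish_cmd "$remote" "$mac")"
    arp -s "$remote" "$mac" pub
}

# Only act when invoked by pppd with its argument list.
if [ $# -ge 5 ]; then
    ip_up "$@"
fi
```

Installed as /etc/ppp/ip-up (with a mirror-image ip-down that runs the arp_delete_cmd output), this answers Paul's two questions in code: a client inside the LAN's own /24 needs no extra route on the internal machines, and the published ARP entry is what makes the VPN box reply on the client's behalf. The address check matters because the remote IP is supplied by the PPP negotiation and the hook runs with root privileges.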
