OPNsense Forum
Archive => 16.7 Legacy Series => Topic started by: echappatte on August 02, 2016, 08:39:29 pm
-
Hello all ;)
Perhaps I read too quickly the notice to upgrade from 16.1.x to 16.7, but I saw PPTP is now as a plugin, not included as standard anymore. Well, no problem. But perhaps there are any recommandation ? They was wrote before updating but I can't find them now ? (yes I'am a good beta user ::) )
The problem seem to be the PPTP server bind to PPTP server address instead my WAN IP, can you help me ?
Here is the log :
Aug 2 20:28:08 pptps: bind: Can't assign requested address
Aug 2 20:27:58 pptps: bind: Can't assign requested address
Aug 2 20:27:48 pptps: bind: Can't assign requested address
Aug 2 20:27:38 pptps: bind: Can't assign requested address
Aug 2 20:27:28 pptps: bind: Can't assign requested address
Aug 2 20:27:18 pptps: PPTP: waiting for connection on 192.168.12.1 1723
Aug 2 20:27:18 pptps: bind: Can't assign requested address
Aug 2 20:27:18 pptps: process 23314 started, version 5.8 (root@sensey32 07:59 18-Jan-2016)
Every ten seconds last message repeat...
Many thanks !
-
Hi there,
The server needs to listen on an existing IP on your firewall in order to work. As far as I could gather, this was an MPD5 requirement (16.1 and down used MPD4).
The message was:
Legacy VPN Servers for L2TP, PPPoE, and PPTP moved to plugins and need to be installed in order to still make use of them. Your configurations will persist, but may have to be adapted to adhere to the requirements of the MPD5 server daemon. The most important change is that your listening address needs to be a known address, preferably using a Virtual IP from the firewall settings.
Cheers,
Franco
-
Hi Franco,
Thanks a lot for your quick reply ;)
Ok. After searching for PPTP and Virtual IP I found this thread, with the message when you upgrade (yes, the one I did not read carefully :o ) :
https://forum.opnsense.org/index.php?topic=3399.0
Most important steps, I qote them, it can be useful :
•Legacy VPN Servers for L2TP, PPPoE, and PPTP moved to plugins and need to be installed in order to still make use of them. Your configurations will persist, but may have to be adapted to adhere to the requirements of the MPD5 server daemon. The most important change is that your listening address needs to be a known address, preferably using a Virtual IP from the firewall settings.
•The PPTP server redirection mode has been removed. It can be emulated by the two following NAT port forward rules: From incoming WAN interface, redirect all traffic to PPTP server IP target for protocol GRE. From incoming WAN interface redirect all traffic to PPTP server IP target for protocol TCP, port 1723. Note that due to the design of GRE, only one server can be reached by incoming clients at any given time.
So now I'm able to connect to my PPTP VPN :)
But I'm not able to access anything :( despite a rule allowing me (my user in PPTP has an IP) to access anything.
In log I can see :
@5 block drop in log inet all label "Default deny rule IPv4"
What does this mean ? My rule in PPTP server is not good ? It worked before but now not anymore ?
-
Hi echappatte,
That's expected. Under Firewall: Rules, tab PPTP you will need to add an allow rule for your clients in order to reach other networks or the internet.
Cheers,
Franco
-
Hi Franco,
Many thanks for your help ;)
But yes... and no 8) . Yes by default, PPTP has no rule so nothing allowed. But I used PPTP in the past, so I already made a rule to allow my ip to access anything. Rule is still the same, but it does not work.
I even added a rule to allow whole PPTP net to anything, unsuccessful. Last try, a rule that allow all is not working better:
Proto Source Port Destination Port Gateway Schedule Description
IPv4+6 * * * * * * All VPN to all
In the firewall log, blocks are seen with interface "ng0", and in the rules interface is named "PPTP". Even if I click "Easy rule pass traffic" the rule is added nowhere. What I do wrong ?
Thanks again,
Emilien
-
Tried last update, to 16.7.1, no change.
Anyone as this ng0 interface ? This is ok or it looks strange ?
Thanks,
Emilien
-
Hi Emilien,
I've looked into PPTP and found a potential caveat when setting it up. Can you send me a dump of your /tmp/rules.debug via PM?
ng0 from the interfaces looks ok, it's the netgraph PPTP interface. Which rule blocks it, the default deny?
Thanks,
Franco
-
PS: Worst case, we can use a floating rule to allow the PPTP traffic to flow on 16.7.1. :)
-
Hi Franco,
Thanks for taking time to help me ! ;)
As you said, adding a floating rule make it working ! But in "interface" of this floating rule, if I select PPTP it does not works. Without selecting any interface and configuring source IP as my PPTP attributed IP it works great :) So something can be wrong with PPTP server and matching PPTP rule tab : it's the same as it was no rule there, and it's the last "default any" implicit rule that drop all.
I send you the debug file, thanks again ;)
Emilien
-
Hi all,
We solved this during PM conversations. I lost the linkup interface grouping during the "pluginification" of the multi-point VPN servers and this brings it back:
https://github.com/opnsense/plugins/commit/7f0f05199e33
There are some other fixes so all the VPN plugins got bumped to a new version and will automatically update along with 16.7.2.
Thanks again to Emilien for helping to resolve this.
Cheers,
Franco
-
Hi Franco,
Yes, many thanks Franco for solving this little issue and all the quick help given, really nice :)
With the modified plugin it works perfectly with the rules defined in the PPTP tab.
It's great to have this nice software but it's even better to have this this kind of support when we discover a small issue. Keep up this great work ;)
Thanks again,
Emilien