OPNsense Forum
Archive => 16.7 Legacy Series => Topic started by: gmiserk on November 29, 2016, 05:22:44 pm
-
Hi all,
I have a PPTP server inside my LAN (192.168.1.99) and want to reach it with a PPTP client.
I've found this info:
"The PPTP server redirection mode has been removed. It can be emulated by the two following NAT port forward rules: From incoming WAN interface, redirect all traffic to PPTP server IP target for protocol GRE. From incoming WAN interface redirect all traffic to PPTP server IP target for protocol TCP, port 1723. Note that due to the design of GRE, only one server can be reached by incoming clients at any given time."
With the last update PPTP was removed.
I suppose that for me it isn't necessary to add this plugin because my server is inside the LAN, and I want to redirect the VPN connection correctly to my PPTP server.
So I have added two NAT redirections: GRE and TCP/1723 from WAN to LAN 192.168.1.99.
But that doesn't work!
What have I missed?
Thanks for any help.
OPNsense config IP: 192.168.1.1
-
Hi there,
The redir mode did the following:
$natrules .= "rdr on \${$FilterIflist['wan']['descr']} proto gre from any to any -> {$pptpdtarget}\n";
$natrules .= "rdr on \${$FilterIflist['wan']['descr']} proto tcp from any to any port 1723 -> {$pptpdtarget}\n";
Can you compare with your rules from the file /tmp/rules.debug?
Cheers,
Franco
-
Hi, thank you for your reply.
In /tmp/rules.debug I haven't any lines beginning with $natrules.
Here are the lines with 1723:
cat /tmp/rules.debug | grep 1723
rdr on bge0 inet proto tcp from any port 1723 to 192.168.100.1 -> 192.168.100.99 port 1723
no nat on re0 proto tcp from re0 to 192.168.100.99 port 1723
nat on re0 proto tcp from 192.168.100.0/22 to 192.168.100.99 port 1723 -> 192.168.100.1 port 1024:65535
pass in log on $WAN proto tcp from any to 8x.xxx.xx.xxx port = 1723 modulate state label "allow pptpd 8x.xxx.xx.xxx"
pass in quick on $WAN reply-to ( bge0 8x.xxx.xx.xxx ) inet proto tcp from any port 1723 to 192.168.100.99 port 1723 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on $LAN inet proto tcp from 192.168.100.0/22 port 1723 to 8x.xxx.xx.xxx/29 flags S/SA keep state label "USER_RULE"
And here are the lines with gre:
cat /tmp/rules.debug | grep gre
rdr on bge0 inet proto gre from any to any -> 192.168.100.99
no nat on re0 proto gre from re0 to 192.168.100.99
nat on re0 proto gre from 192.168.100.0/22 to 192.168.100.99 -> 192.168.100.1 port 1024:65535
pass in log on $WAN proto gre from any to any keep state label "allow gre pptpd"
pass in quick on $WAN reply-to ( bge0 8x.xxx.xx.xxx ) inet proto gre from any to 192.168.100.99 keep state label "USER_RULE: NAT "
pass in quick on $LAN inet proto gre from any to any keep state label "USER_RULE"
pass in quick on $LAN inet6 proto gre from any to any keep state label "USER_RULE"
PS: just to be sure, {$pptpdtarget} is the IP of my auth machine, is this correct?
I hope this info can help.
-
rdr on bge0 inet proto tcp from any port 1723 to 192.168.100.1 -> 192.168.100.99 port 1723
This seems wrong, assuming bge0 is your WAN. 1723 was set for source, but needs to be set to destination. You should lose the destination WAN address if you can, too. GRE looks ok.
There is more PPTP redirection going on than it should. Are there more PPTP workarounds? Please double-check you're not accidentally policing the traffic.
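The mistake Franco points out (port 1723 on the source side of the TCP rdr rule instead of the destination side) is easy to catch mechanically. The following is an added example, not code from the thread or from OPNsense: it parses pf rdr lines in the format shown in /tmp/rules.debug and reports the problems Franco lists. The sample rules are constructed from the excerpt above, assuming bge0 is the WAN interface and 192.168.100.99 the PPTP server.

```python
import re

# Constructed samples: the rdr lines as posted (broken) and as Franco suggests (fixed).
BROKEN_RULES = """
rdr on bge0 inet proto tcp from any port 1723 to 192.168.100.1 -> 192.168.100.99 port 1723
rdr on bge0 inet proto gre from any to any -> 192.168.100.99
"""
FIXED_RULES = """
rdr on bge0 inet proto tcp from any to any port 1723 -> 192.168.100.99 port 1723
rdr on bge0 inet proto gre from any to any -> 192.168.100.99
"""

PPTP_PORT = "1723"

# Matches the rdr syntax pf writes into rules.debug; optional 'inet'/'inet6' and ports.
RDR_RE = re.compile(
    r"^rdr on (?P<if>\S+)(?: inet6?)? proto (?P<proto>\w+)"
    r" from (?P<src>\S+)(?: port (?P<sport>\S+))?"
    r" to (?P<dst>\S+)(?: port (?P<dport>\S+))?"
    r" -> (?P<target>\S+)(?: port (?P<tport>\S+))?$"
)

def parse_rdr(text):
    """Return one dict per rdr rule found in the ruleset text; other lines are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := RDR_RE.match(line.strip()))]

def check_pptp_forward(text, wan_if, server):
    """Return a list of findings; an empty list means the PPTP rdr pair looks right."""
    findings = []
    rules = [r for r in parse_rdr(text) if r["if"] == wan_if and r["target"] == server]
    tcp = [r for r in rules if r["proto"] == "tcp"]
    gre = [r for r in rules if r["proto"] == "gre"]
    if not gre:
        findings.append("no GRE rdr to %s on %s" % (server, wan_if))
    if not tcp:
        findings.append("no TCP rdr to %s on %s" % (server, wan_if))
    for r in tcp:
        if r["sport"] is not None:
            # Clients connect from a random source port, so this never matches real traffic.
            findings.append("TCP rdr filters on source port %s instead of destination" % r["sport"])
        if r["dport"] != PPTP_PORT:
            findings.append("TCP rdr destination port is %s, expected %s" % (r["dport"], PPTP_PORT))
        if r["dst"] != "any":
            findings.append("TCP rdr is pinned to WAN address %s; 'any' is more robust" % r["dst"])
    return findings

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name, check_pptp_forward(rules, "bge0", "192.168.100.99") or "OK")
```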
-
You found it!
Thanks Franco :)
-
Hello,
I followed your message, but Franco is too fast ;). Nice to see your problem solved.
-
Easy with the right help from you guys 8)