[SOLVED] pptp redirect

[gmiserk]

Hi all,

I have a pptp server inside my lan (192.168.1.99)  and want to reach it by client pptp

i've found this info:
"The PPTP server redirection mode has been removed. It can be emulated by the two following NAT port forward rules: From incoming WAN interface, redirect all traffic to PPTP server IP target for protocol GRE. From incoming WAN interface redirect all traffic to PPTP server IP target for protocol TCP, port 1723. Note that due to the design of GRE, only one server can be reached by incoming clients at any given time."

with last  last update pptp was removed

I suppose that for me, It'snt necessary to add this plugin because my server is inside the lan, and i want to redirect correctly the vpn connection to my pptp server

so, i have added two Nat redirection : GRE and tcp/1723 from WAN to LAN 192.168.1.99

But that doen't work !

What i have missed,

Thank for any help

config opnsense ip :192.168.1.1

[franco]

Hi there,

The redir mode did the following:

$natrules .= "rdr on \${$FilterIflist['wan']['descr']} proto gre from any to any -> {$pptpdtarget}\n";
$natrules .= "rdr on \${$FilterIflist['wan']['descr']} proto tcp from any to any port 1723 -> {$pptpdtarget}\n";

Can you compare with your rules from the file /tmp/rules.debug ?


Cheers,
Franco

[gmiserk]

Hi thank you for your reply

in /tmp/rules.debug, i havn't any lines begin with : $natrules

here is lines with 1723
cat /tmp/rules.debug | grep 1723
rdr on bge0 inet proto tcp from any port 1723 to 192.168.100.1 -> 192.168.100.99 port 1723
no nat on re0 proto tcp from re0 to 192.168.100.99 port 1723
nat on re0 proto tcp from 192.168.100.0/22 to 192.168.100.99 port 1723 -> 192.168.100.1 port 1024:65535
pass in log on $WAN proto tcp from any to 8x.xxx.xx.xxx port = 1723 modulate state label "allow pptpd 8x.xxx.xx.xxx"
pass  in  quick  on $WAN reply-to ( bge0 8x.xxx.xx.xxx ) inet proto tcp  from any port 1723 to 192.168.100.99 port 1723 flags S/SA keep state  label "USER_RULE: NAT "
pass  in  quick  on $LAN inet proto tcp  from 192.168.100.0/22 port 1723 to 8x.xxx.xx.xxx/29 flags S/SA keep state  label "USER_RULE"


and here lines with gre :

cat /tmp/rules.debug | grep gre
rdr on bge0 inet proto gre from any to any -> 192.168.100.99
no nat on re0 proto gre from re0 to 192.168.100.99
nat on re0 proto gre from 192.168.100.0/22 to 192.168.100.99 -> 192.168.100.1 port 1024:65535
pass in log on $WAN proto gre from any to any keep state label "allow gre pptpd"
pass  in  quick  on $WAN reply-to ( bge0 8x.xxx.xx.xxx ) inet proto gre  from any to 192.168.100.99 keep state  label "USER_RULE: NAT "
pass  in  quick  on $LAN inet proto gre  from any to any keep state  label "USER_RULE"
pass  in  quick  on $LAN inet6 proto gre  from any to any keep state  label "USER_RULE"


ps : jsute te be sure  {$pptpdtarget} is my ip auth machine, is this correct ?
i hope this info can help

[franco]

rdr on bge0 inet proto tcp from any port 1723 to 192.168.100.1 -> 192.168.100.99 port 1723

This seems wrong, assuming bge0 is your WAN. 1723 was set for source, but needs to be set to destination. You should lose the destination WAN address if you can, too. GRE looks ok.

There is more PPTP redirection going on than it should. Are there more PPTP workarounds? Please double-check you're not accidentally policing the traffic.

[gmiserk]

you find it
thantks franco 

[echappatte]

Hello,

I follow your message but Franco is too fast , nice to see your problem solved

[franco]

Easy with the right help from you guys