This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

pptp and NAT

Hi

I have a Problem with pptp and NAT using Astaro 3.050

Configuration:

Firewall with 2 NIC `s 1st IP 212.202.151.100
2nd IP 10.0.1.254

Windows 2000 pptp Host (IP 10.0.1.210 called win2k) connected to 2nd NIC.
Windows 2000 VPN (pptp ) Client (212.202.151.56) via permanent Internet connected to 1st NIC.
Now I make a IP alias 212.202.151.200 called pptpserver for the 1st NIC. Than I make a DNAT rule.

Source address dest address service
Any pptpserver any

Change source to no change
Change dest to win2k service dest no change

For test the Filter Rule any any any allow is set.
Now I think any incoming call to 212.202.151.200 should be send to 10.0.1.210 and the VPN connection should be work but it do not.

Has anybody an Idea to solve that Problem.

This thread was automatically locked due to age.

0 Polluxxx over 23 years ago

can i have a look at WebAdmin > Packet Filter > Live Log

two boxes are displaying kernel filter rules,
could you post them here?

thanx
polluxxx
Cancel
Vote Up 0 Vote Down

Cancel
0 LTR over 23 years ago in reply to Polluxxx

Current packet filter rules Font Size:   Large Normal Small Very Large

  Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
1786  147K LOCAL      all  --  *      *       0.0.0.0/0            0.0.0.0/0
1360  105K PSD_MATCHER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1360  105K FIX_CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1360  105K IPSEC      all  --  *      *       0.0.0.0/0            0.0.0.0/0
1360  105K HA         all  --  *      *       0.0.0.0/0            0.0.0.0/0
1360  105K AUTO_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   15  2004 USR_INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   15  2004 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
  139 10888 LOCAL      all  --  *      *       0.0.0.0/0            0.0.0.0/0
  139 10888 PSD_MATCHER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  139 10888 FIX_CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  139 10888 IPSEC      all  --  *      *       0.0.0.0/0            0.0.0.0/0
  139 10888 AUTO_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    6   288 USR_FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
2255 1381K LOCAL      all  --  *      *       0.0.0.0/0            0.0.0.0/0
1829 1339K FIX_CONNTRACK  all  --  *      *       0.0.0.0/0            0.0.0.0/0
1829 1339K IPSEC      all  --  *      *       0.0.0.0/0            0.0.0.0/0
1829 1339K HA         all  --  *      *       0.0.0.0/0            0.0.0.0/0
1829 1339K AUTO_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 USR_OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOGDROP    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain AUTO_FORWARD (1 references)
pkts bytes target     prot opt in     out     source               destination
   11   660 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   18  1492 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain AUTO_INPUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:25
  231 15165 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1024:65535 dpt:443
    0     0 LOGDROP    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1024:65535 dpt:443
    9   454 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain AUTO_OUTPUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    9   706 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spts:1024:65535 dpts:33000:34000
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0          icmp type 11 code 0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:222
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:1:65535 dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spts:53:65535 dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          udp spts:53:65535 dpt:53
  343  241K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

Chain FIX_CONNTRACK (3 references)
pkts bytes target     prot opt in     out     source               destination

Chain HA (2 references)
pkts bytes target     prot opt in     out     source               destination

Chain IPSEC (3 references)
pkts bytes target     prot opt in     out     source               destination

Chain LOCAL (3 references)
pkts bytes target     prot opt in     out     source               destination
  426 41742 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  426 41742 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0

Chain LOGDROP (4 references)
pkts bytes target     prot opt in     out     source               destination
   15  2004 LOG_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   15  2004 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGREJECT (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable

Chain LOG_CHAIN (2 references)
pkts bytes target     prot opt in     out     source               destination
    3   144 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
   12  1860 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0

Chain PSD_ACTION (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain PSD_MATCHER (2 references)
pkts bytes target     prot opt in     out     source               destination

Chain USR_FORWARD (1 references)
pkts bytes target     prot opt in     out     source               destination
    1    48 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain USR_INPUT (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain USR_OUTPUT (1 references)
pkts bytes target     prot opt in     out     source               destination




  Current NAT rules Font Size:   Large Normal Small Very Large

  Chain PREROUTING (policy ACCEPT 231 packets, 22868 bytes)
pkts bytes target     prot opt in     out     source               destination
   20  1169 SPOOF_DROP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   20  1169 AUTO_NAT_PRE  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 107 packets, 6550 bytes)
pkts bytes target     prot opt in     out     source               destination
    8   499 AUTO_NAT_POST  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 96 packets, 5932 bytes)
pkts bytes target     prot opt in     out     source               destination
    2   151 AUTO_NAT_OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain AUTO_NAT_OUT (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  *      *       0.0.0.0/0            212.202.151.200    to:10.0.1.210

Chain AUTO_NAT_POST (1 references)
pkts bytes target     prot opt in     out     source               destination

Chain AUTO_NAT_PRE (1 references)
pkts bytes target     prot opt in     out     source               destination
    6   348 DNAT       all  --  *      *       0.0.0.0/0            212.202.151.200    to:10.0.1.210

Chain LOGDROP (0 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        ah   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain SPOOF_DROP (1 references)
pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  eth0   *       212.202.151.100      0.0.0.0/0
    0     0 DROP       all  --  eth0   *       212.202.151.100      0.0.0.0/0
    0     0 LOG        all  --  eth0   *       10.0.1.0/24          0.0.0.0/0
    0     0 DROP       all  --  eth0   *       10.0.1.0/24          0.0.0.0/0
    0     0 LOG        all  --  eth1   *       10.0.1.254           0.0.0.0/0
    0     0 DROP       all  --  eth1   *       10.0.1.254           0.0.0.0/0
    0     0 LOG        all  --  eth1   *       212.202.151.0/24     0.0.0.0/0
    0     0 DROP       all  --  eth1   *       212.202.151.0/24     0.0.0.0/0

hope this is right

If i try to connect VPN from Client it hang up at
Benutzername und Kennwort werden verifiziert
and that error 721 is shown
Cancel
Vote Up 0 Vote Down

Cancel
0 KoC over 23 years ago in reply to LTR

Yepp, just unload the masquerading Module ip_nat_pptp and try again.

CONSOLE: rmmod ip_nat_pptp

Everytime this Modules is loaded you cannot establish a PPTP connection from outside via DNAT to an PPTP Server behind the Firewall. An Timeout occurs.

But if you remove this Module you cant use PPTP Connections from inside to an outside PPTP Server. Maybe someone has a better idea.
Cancel
Vote Up 0 Vote Down

Cancel
0 LTR over 23 years ago in reply to KoC

Yeah!

Big thanks works fine now!

cu
LTR
Cancel
Vote Up 0 Vote Down

Cancel