Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 1999 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Outgoing PPTP connections fail

Rob_Bridges
Hello, thanks in advance for any help provided.  I am trying to connect through the our ASG425 to a remote VPN server.  The first 2 packet filter rules I have are Any-> PPTP ->Any and Any->Gre->Any.  Still the log drops the gre protocal 47.  Any ideas?


This thread was automatically locked due to age.
  • 0
    Rob, your first post in 4 years?  Let's see if we can make you feel welcome!

    I suspect this is an issue of what traffic you're trying to allow.  Please post the lines from the PF log (the actual log, not the live log as that shows only part of the story).  Also, please show a picture of your two PF rules.

    Cheers - Bob
  • 0 in reply to BAlfson
    Rob, you should change those packet filter rules... setting both the source and destination to "ANY" in a rule is bad news.  Try setting the internal network as the source instead of "ANY".  Also make sure the packet filter rules are enabled.

    If you don't have one defined, you also need a Internal Network Masquerading Rule setup... this can be done under the NAT settings.

    Also, Since you are using PPTP, Go to Network Security / Packet Filter / Advanced Tab, and make sure the PPTP Connection Tracking Helper is selected.
  • 0
    Hi Guys...  Thanks for the help.  I'm thinking the problem may lie somewhere else.  The PF log shows less dropped GRE packets than I thought when I first posted.  It actually shows more passed than dropped, none the less I am having a heck of a time trying to connect and it does randomly drop them.  If I keep trying, eventually the connection goes through.  The connection traffic help for PPTP is checked.  My orgininal PF rules did specify my internal network until I started trouble shooting.


    /var/log/packetfilter.log:2009:12:31-09:59:43 guro1 ulogd[3557]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth1" outitf="unknown" dstmac="xx:xx:xx:xx:xx:xx" srcmac="00:00:00:00:00:00" srcip="99.xx.xx.xx" dstip="64.xx.xx.xx" proto="47" length="65" tos="0x00" prec="0x00" ttl="59"
    /var/log/packetfilter.log:2009:12:31-10:02:02 guro1 ulogd[3557]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" seq="0" initf="eth1" outitf="unknown" dstmac="xx:xx:xx:xx:xx:xx" srcmac="00:00:00:00:00:00" srcip="99.xx.xx.xx" dstip="64.xx.xx.xx" proto="47" length="65" tos="0x00" prec="0x00" ttl="59" 
    /var/log/packetfilter.log:2009:12:31-10:03:34 guro1 ulogd[3557]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" seq="0" initf="eth0" outitf="eth1" dstmac="00:xx:xx:xx:xx:xx" srcmac="00:xx:xx:xx:xx:xx" srcip="131.xx.xx.xx" dstip="99.xx.xx.xx" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1363" dstport="1723" tcpflags="SYN" 
    /var/log/packetfilter.log:2009:12:31-10:11:03 guro1 ulogd[3557]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" seq="0" initf="eth0" outitf="eth1" dstmac="00:xx:xx:xx:xx:xx" srcmac="00:xx:xx:xx:xx:xx" srcip="131.xx.xx.xx" dstip="99.xx.xx.xx" proto="6" length="196" tos="0x00" prec="0x00" ttl="126" srcport="1364" dstport="1723" tcpflags="ACK PSH" 
    /var/log/packetfilter.log:2009:12:31-10:11:41 guro1 ulogd[3557]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" seq="0" initf="eth0" outitf="eth1" dstmac="00:xx:xx:xx:xx:xx" srcmac="00:xx:xx:xx:xx:xx" srcip="131.xx.xx.xx" dstip="99.xx.xx.xx" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1365" dstport="1723" tcpflags="SYN" 
    /var/log/packetfilter.log:2009:12:31-10:12:17 guro1 ulogd[3557]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" seq="0" initf="eth0" outitf="eth1" dstmac="00:xx:xx:xx:xx:xx" srcmac="00:xx:xx:xx:xx:xx" srcip="131.xx.xx.xx" dstip="99.xx.xx.xx" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1366" dstport="1723" tcpflags="SYN"
  • 0
    For the two dropped packets, the log indicates fwrule="60001", the default-drop rule for the INPUT chain.  In other words, the packet is one that was destined for the Astaro External interface with IP 99.xx.xx.xx, and this was blocked before the packet filter rules in your picture were considered.  You likely have a DNAT for that traffic, so you should just tick the box for "Auto packet filter rule" in that definiton.

    For a bit more of an explanation, check out: https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/39358

    Cheers - Bob