Worked like a charm! Just update your Solaris 10 05/08 (or any, I suggest) by rebuilding sources and replacing original ipfilter ;)
http://192.9.162.102/thread.jspa?threadID=5339408

-= Mail sent through WebTop2 =-

From: Gabriele Bulfon
To: [email protected]
Date: 11 November 2010 13.02.40 CET
Subject: Re: Confused by pptp and gre, what is the true way to do it?

After tricking with rules (modified the pass out / pass in of gre as "from any to any") now I can see the reply gre packet going out of the win machine, go through the firewall and out of the wan to the remote machine.
Authentication fails anyway (it goes perfectly when not passing through ipfilter, both when directly public or when passing through a zywall, but... I want it to go through ipfilter!)
How can I see if the packets are correctly masqueraded?
Here are the two snoops:

-LAN interface-
remoteserverip -> winlanip TCP D=4472 S=1723 Syn Ack=3520565303 Seq=1081340933 Len=0 Win=5840 Options=
remoteserverip -> winlanip TCP D=4472 S=1723 Ack=3520565459 Seq=1081340934 Len=0 Win=5840
remoteserverip -> winlanip TCP D=4472 S=1723 Push Ack=3520565459 Seq=1081340934 Len=156 Win=5840
remoteserverip -> winlanip TCP D=4472 S=1723 Push Ack=3520565627 Seq=1081341090 Len=32 Win=6432
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=52
remoteserverip -> winlanip TCP D=4472 S=1723 Ack=3520565651 Seq=1081341122 Len=0 Win=6432
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49053, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49054, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49055, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49056, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49057, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49058, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49059, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49060, TOS=0x0, TTL=52
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49061, TOS=0x0, TTL=52
remoteserverip -> winlanip TCP D=4472 S=1723 Fin Ack=3520565651 Seq=1081341122 Len=0 Win=6432
remoteserverip -> winlanip TCP D=4472 S=1723 Ack=3520565652 Seq=1081341123 Len=0 Win=6432

-WAN interface-
wanip -> remoteserverip TCP D=1723 S=19463 Syn Seq=3520565302 Len=0 Win=64240 Options=
remoteserverip -> wanip TCP D=19463 S=1723 Syn Ack=3520565303 Seq=1081340933 Len=0 Win=5840 Options=
wanip -> remoteserverip TCP D=1723 S=19463 Ack=1081340934 Seq=3520565303 Len=0 Win=64240
wanip -> remoteserverip TCP D=1723 S=19463 Push Ack=1081340934 Seq=3520565303 Len=156 Win=64240
remoteserverip -> wanip TCP D=19463 S=1723 Ack=3520565459 Seq=1081340934 Len=0 Win=5840
remoteserverip -> wanip TCP D=19463 S=1723 Push Ack=3520565459 Seq=1081340934 Len=156 Win=5840
wanip -> remoteserverip TCP D=1723 S=19463 Push Ack=1081341090 Seq=3520565459 Len=168 Win=64084
remoteserverip -> wanip TCP D=19463 S=1723 Push Ack=3520565627 Seq=1081341090 Len=32 Win=6432
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=53
wanip -> remoteserverip TCP D=1723 S=19463 Push Ack=1081341122 Seq=3520565627 Len=24 Win=64052
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=25178, TOS=0x0, TTL=127
remoteserverip -> wanip TCP D=19463 S=1723 Ack=3520565651 Seq=1081341122 Len=0 Win=6432
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=20698, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49053, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=29457, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49054, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=9153, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49055, TOS=0x0, TTL=53
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49056, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=1984, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49057, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=671, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49058, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=14495, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49059, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=19126, TOS=0x0, TTL=127
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49060, TOS=0x0, TTL=53
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49061, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=5577, TOS=0x0, TTL=127
remoteserverip -> wanip TCP D=19463 S=1723 Fin Ack=3520565651 Seq=1081341122 Len=0 Win=6432
wanip -> remoteserverip TCP D=1723 S=19463 Fin Ack=1081341123 Seq=3520565651 Len=0 Win=64052
remoteserverip -> wanip TCP D=19463 S=1723 Ack=3520565652 Seq=1081341123 Len=0 Win=6432

From: Gabriele Bulfon
To: [email protected]
Date: 11 November 2010 12.17.55 CET
Subject: Re: Confused by pptp and gre, what is the true way to do it?

Hello, I investigated the problem further.
Using 2 snoops, one on each ethernet card (public and private), I can see traffic on 1732 started by my internal win machine, then I can see the reply on that port coming to my wan, then to my lan up to the win machine.
After that, I can just see packets coming from the remote machine (stated as IP, but probably gre), getting into the firewall and going into the lan up to the win machine.
No packet is going from the win machine to any destination.
Maybe the gre traffic is not correctly natted? Does ipfilter do masquerading on gre?
Gabriele.

From: Gabriele Bulfon
To: [email protected]
Date: 10 November 2010 17.02.22 CET
Subject: Confused by pptp and gre, what is the true way to do it?

Hello, I've read around about how to make windows pptp vpn work behind ipfilter, but I've seen a lot of confusion... (to me, at least).
My windows machine is in the LAN, passing through a solaris machine with ipfilter 4.1.9.
What are the general rules to let Windows pass the NAT and run the handshake?
Some talk about proxy / pptp rules mappings, some talk about just opening the ports...
I tried this but it doesn't work:

ipnat:
#NAT rules
map igb1 mylan/24 -> mypubip/32 proxy port ftp ftp/tcp
map igb1 mylan/24 -> mypubip/32 portmap tcp/udp 10000:40000
map igb1 mylan/24 -> mypubip/32
#redirect gre to my windows machine
rdr igb1 mypubip/32 -> winlanip gre

ipf:
#NAT windows machine
pass out quick on igb1 from mywinip/32 to any keep state
#Let gre enter the firewall
pass in quick on igb1 proto gre from any to mypubip/32
#Let gre pass the rdr
pass in quick on igb1 proto gre from any to winlanip/32
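The 13.02 message asks how to tell from the two snoops whether the GRE packets are being masqueraded correctly. One way to answer that, as an added example that is not part of the thread: correlate packets across the LAN and WAN captures by the fields NAT does not rewrite (TCP seq/ack numbers and flags, the IP ID), then check that each matched pair shows the expected address rewrite for the map/rdr rules and a TTL decremented by one, and list packets seen on only one side. The sample lines are constructed from the captures posted above, with the "->" arrows the archive stripped restored; winlanip and wanip are the thread's own placeholder names.

```python
import re
# Sample snoop lines, constructed from the captures posted in this thread.
LAN = """\
remoteserverip -> winlanip TCP D=4472 S=1723 Syn Ack=3520565303 Seq=1081340933 Len=0 Win=5840
remoteserverip -> winlanip IP D=winlanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=52
"""
WAN = """\
wanip -> remoteserverip TCP D=1723 S=19463 Syn Seq=3520565302 Len=0 Win=64240
remoteserverip -> wanip TCP D=19463 S=1723 Syn Ack=3520565303 Seq=1081340933 Len=0 Win=5840
remoteserverip -> wanip IP D=wanip S=remoteserverip LEN=61, ID=49052, TOS=0x0, TTL=53
wanip -> remoteserverip IP D=remoteserverip S=wanip LEN=57, ID=25178, TOS=0x0, TTL=127
"""
LINE = re.compile(r"^(\S+) -> (\S+)\s+(TCP|IP)\s+(.*)$")

def parse(text):
    # Map each packet to a NAT-invariant key: NAT rewrites addresses and
    # ports but not TCP seq/ack numbers, TCP flags or the IP ID, so those
    # fields identify the same packet on both sides of the firewall.
    pkts = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, proto, rest = m.groups()
        words = rest.replace(",", "").split()
        f = dict(w.split("=", 1) for w in words if "=" in w)
        flags = tuple(w for w in words if "=" not in w)
        if proto == "TCP":
            key = ("TCP", flags, f.get("Seq"), f.get("Ack"), f["Len"])
        else:
            key = ("IP", f["ID"], f["LEN"])  # GRE shows up as plain "IP" in snoop
        pkts[key] = (src, dst, f)
    return pkts

def check_nat(lan_text, wan_text, host, pub):
    # Correlate both captures; return (ok, findings) for the host <-> pub NAT.
    lan, wan = parse(lan_text), parse(wan_text)
    problems = []
    for key in lan.keys() & wan.keys():
        (ls, ld, lf), (ws, wd, wf) = lan[key], wan[key]
        if ld == host:   # inbound: firewall must have rewritten pub -> host
            ok = wd == pub and ws == ls
        else:            # outbound: firewall must have rewritten host -> pub
            ok = ws == pub and wd == ld
        if not ok:
            problems.append(f"{key}: bad translation LAN {ls}->{ld} WAN {ws}->{wd}")
        if key[0] == "IP" and abs(int(lf["TTL"]) - int(wf["TTL"])) != 1:
            problems.append(f"{key}: TTL not decremented by one across the firewall")
    for side, only in (("WAN", wan.keys() - lan.keys()), ("LAN", lan.keys() - wan.keys())):
        problems.extend(f"{k}: seen on {side} only" for k in only)
    return not problems, problems
```

On the thread's full captures the outbound GRE packets (LEN=57, TTL=127) appear on the WAN side only, which is exactly the asymmetry the 12.17 message describes: they were not captured on the LAN snoop, so the check reports them as "seen on WAN only".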
