Re: [pfSense-discussion] Problems to use PPTP/GRE traffic to connect in a server - Please advice.

2007-11-19 Thread Bill Marquette
That's a standalone setting.  You don't want the frickin' package
(which as Chris mentioned, may be broken anyway) if you use this
setting.

--Bill

On Nov 19, 2007 12:06 PM, Luciano Areal <[EMAIL PROTECTED]> wrote:
> Hi Bill!
>
> The pfSense box is in front of the PPTP server. In other ways, it will act
> as the main gateway, and the PPTP server will be on the LAN. Clients will
> access it from WAN, passing through the pfSense box.
>
> I just did what you said. Removed all rules from NAT and firewall using
> PPTP/GRE, and activated that option (Redirect incoming PPTP connections
> to:). I also installed Frickin PPTP proxy package on system, and did a bind
> of this software on WAN port.
>
> I'll test it as soon as I arrive at home, and hope it will work correctly.
>
> Regards,
>
> Luciano Areal
>
>
> > I'm not sure, based on your email, if the pfSense box is in front of
> > the PPTP server or not.  If it is, then go to the VPN menu, select
> > PPTP, on "Configuration" tab, select "Redirect incoming PPTP
> > connections to:" radio button and fill in the text box ("PPTP
> > redirection") with the IP address of your internal PPTP server.
> > Remove the rules you created too, btw :)
> >
> > --Bill
> >


Re: RES: [pfSense-discussion] Problems to use PPTP/GRE traffic to connect in a server - Please advice.

2007-11-19 Thread Chris Buechler

Luciano Areal wrote:

> Hi Bill!
>
> The pfSense box is in front of the PPTP server. In other ways, it will act
> as the main gateway, and the PPTP server will be on the LAN. Clients will
> access it from WAN, passing through the pfSense box.
>
> I just did what you said. Removed all rules from NAT and firewall using
> PPTP/GRE, and activated that option (Redirect incoming PPTP connections
> to:). I also installed Frickin PPTP proxy package on system, and did a bind
> of this software on WAN port.

Last I checked, the Frickin package is broken. Haven't had a chance to 
verify more recently, but I'm almost positive it isn't going to work. It 
won't break anything, it just isn't going to do anything. You likely 
don't need that when running a server accepting inbound connections 
anyway, that's more for multiple outbound sessions to the same external 
server.





RES: [pfSense-discussion] Problems to use PPTP/GRE traffic to connect in a server - Please advice.

2007-11-19 Thread Luciano Areal
Hi Bill!

The pfSense box is in front of the PPTP server. In other ways, it will act
as the main gateway, and the PPTP server will be on the LAN. Clients will
access it from WAN, passing through the pfSense box.

I just did what you said. Removed all rules from NAT and firewall using
PPTP/GRE, and activated that option (Redirect incoming PPTP connections
to:). I also installed Frickin PPTP proxy package on system, and did a bind
of this software on WAN port.

I'll test it as soon as I arrive at home, and hope it will work correctly.

Regards,

Luciano Areal


> I'm not sure, based on your email, if the pfSense box is in front of
> the PPTP server or not.  If it is, then go to the VPN menu, select
> PPTP, on "Configuration" tab, select "Redirect incoming PPTP
> connections to:" radio button and fill in the text box ("PPTP
> redirection") with the IP address of your internal PPTP server.
> Remove the rules you created too, btw :)
>
> --Bill
>





avast! Antivirus  : Outbound message clean. 


Virus Database (VPS): 071119-0, 19/11/2007
Tested on: 19/11/2007 15:06:20
avast! - copyright (c) 1988-2007 ALWIL Software.





Re: [pfSense-discussion] Problems to use PPTP/GRE traffic to connect in a server - Please advice.

2007-11-19 Thread Bill Marquette
I'm not sure, based on your email, if the pfSense box is in front of
the PPTP server or not.  If it is, then go to the VPN menu, select
PPTP, on "Configuration" tab, select "Redirect incoming PPTP
connections to:" radio button and fill in the text box ("PPTP
redirection") with the IP address of your internal PPTP server.
Remove the rules you created too, btw :)

--Bill

On Nov 19, 2007 7:07 AM, Luciano Areal <[EMAIL PROTECTED]> wrote:
>
> Good morning, folks!
>
> Here in my company, we have this network scenario:
>
> Our network has one internal VPN server, based on a Windows 2003 Enterprise,
> using PPTP and GRE protocol. We have several workers who eventually need to
> connect in our network, to get some data and disconnect. Sometimes, they
> need to work in our network from home, airport, etc., just like in a
> "roadwarrior way". Following:
>
> -------------        ---------       ----------       -------------
> |PPTP SERVER|  <---> |GATEWAY| <---> |INTERNET| <---> |ROADWARRIOR|
> -------------        ---------       ----------       -------------
> 192.168.0.0 /24      200.*.*.* /28(ISP IP)            *.*.*.* (any IP)
>
> I did a basic installation of pfSense firewall solution on a machine here,
> and set up all needed ports for our basic NAT (webserver, e-mail, etc.).
> Here follows the part mentioned for PPTP:
>
> Firewall: NAT: Port Forward Options
>
> If   Proto  Ext. port range  NAT IP        Int. port range  Description
> WAN  TCP    1723             192.168.0.14  1723             Allow PPTP (TCP 1723)
> WAN  GRE                     192.168.0.14                   Allow GRE (Protocol 47)
>
> These rules were also inserted on Firewall: Rules (WAN section)
>
> Proto  Source       Port  Destination   Port  Gateway  Description
> TCP    WAN address  1723  192.168.0.14  1723  *        Allow PPTP (TCP 1723)
> GRE    WAN address  *     192.168.0.14  *     *        Allow GRE (Protocol 47)
>
> Then, I tried to connect from home to my server, putting its WAN IP on my
> VPN connection, but when I try to connect, nothing happens.
>
> Am I doing anything wrong here? Did I forget any point here? I tried to get
> some info on pfSense mail discussion archives, but didn't find anything
> similar to my problem. :-(
>
> Is there anything that I still need to do in order to free up traffic of
> PPTP and GRE protocols, from my box to the internal server? If anyone here
> has passed through this issue, please light up my path. ;-)
>
> Best regards,
>
> Luciano Pereira Areal
> Network Administrator
> E-mail: [EMAIL PROTECTED]
> Mobile #1: +55 21 8176-7376
> Mobile #2: +55 21 8169-3362
> Nextel ID: 55*8*64731
> Skype: luciano_areal
>
> Bizvox Voice Services
> Avenida Nilo Peçanha, 50 Grupo 1516 - Centro
> CEP: 20020-906
> Rio de Janeiro - RJ - Brasil
> Phone: +55 21 2212-1650
> Fax: +55 21 2212-1675
> Website: http://www.bizvox.com.br/
>


Re: [pfSense-discussion] Problems to use PPTP/GRE traffic to connect in a server - Please advice.

2007-11-19 Thread Greg Hennessy

Luciano Areal wrote:

> Then, I tried to connect from home to my server, putting its WAN IP on my
> VPN connection, but when I try to connect, nothing happens.
>
> Am I doing anything wrong here? Did I forget any point here? I tried to get
> some info on pfSense mail discussion archives, but didn't find anything
> similar to my problem. :-(

Just forwarding and address translating GRE traffic is not going to 
work. It requires a GRE protocol aware helper application to fixup (pun 
intended) the GRE flows.  It will do this in analogous fashion to hide 
nat changing & tracking the source port of a UDP/TCP flow. In this case 
it will use the Call ID field of the GRE header to track multiple GRE 
flows through  source/destination NAT.


There is a Frickin (pun intended) helper app available to do this.
I believe it used to be available for PFSense as a package, dunno the 
current status of it.



Greg
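
The Call ID tracking Greg describes, as an added example that is not from the original thread or from any pfSense package: it parses the enhanced GRE header used by PPTP (RFC 2637) and maps each Call ID to a LAN host. The GreCallTracker class, the 192.168.0.20 host and the 203.0.113.10 peer are assumptions constructed for the illustration.

```python
import struct

PPTP_GRE_PROTO = 0x880B  # protocol type of PPTP's enhanced GRE (RFC 2637)

def parse_pptp_gre(pkt: bytes) -> dict:
    """Parse the enhanced GRE header that follows the IP header (protocol 47)."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", pkt[:8])
    # PPTP requires the K (key present) bit and GRE version 1
    if proto != PPTP_GRE_PROTO or (flags & 0x0007) != 1 or not (flags & 0x2000):
        raise ValueError("not PPTP enhanced GRE")
    hdr = {"call_id": call_id, "payload_len": length, "seq": None, "ack": None}
    off = 8
    for name, bit in (("seq", 0x1000), ("ack", 0x0080)):  # S and A bits
        if flags & bit:
            if len(pkt) < off + 4:
                raise ValueError("truncated GRE header")
            hdr[name] = struct.unpack_from("!I", pkt, off)[0]
            off += 4
    hdr["payload"] = pkt[off:off + length]
    return hdr

class GreCallTracker:
    """Hypothetical helper state: (remote peer, Call ID) -> LAN host."""
    def __init__(self):
        self.flows = {}

    def learn(self, peer_ip, call_id, lan_ip):
        # Filled by hand here; a real helper learns Call IDs from the
        # TCP 1723 control session (assumption of this example).
        self.flows[(peer_ip, call_id)] = lan_ip

    def route_inbound(self, peer_ip, pkt):
        """Return the LAN address for an inbound GRE packet, or None to drop."""
        try:
            call_id = parse_pptp_gre(pkt)["call_id"]
        except ValueError:
            return None
        return self.flows.get((peer_ip, call_id))

def build_gre(call_id, seq, payload=b"\x00"):
    """Construct a sample PPTP GRE packet (K and S set, version 1)."""
    return struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, len(payload), call_id, seq) + payload

# Constructed scenario: two LAN hosts behind one WAN address, same remote peer.
tracker = GreCallTracker()
tracker.learn("203.0.113.10", 0x0101, "192.168.0.14")
tracker.learn("203.0.113.10", 0x0202, "192.168.0.20")
```

Both flows arrive as IP protocol 47 from the same peer with no port numbers, so the Call ID is the only field that tells them apart; a packet whose Call ID was never learned is dropped rather than forwarded.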



[pfSense-discussion] Problems to use PPTP/GRE traffic to connect in a server - Please advice.

2007-11-19 Thread Luciano Areal

Good morning, folks!

Here in my company, we have this network scenario:

Our network has one internal VPN server, based on a Windows 2003 Enterprise,
using PPTP and GRE protocol. We have several workers who eventually need to
connect in our network, to get some data and disconnect. Sometimes, they
need to work in our network from home, airport, etc., just like in a
"roadwarrior way". Following:

-------------        ---------       ----------       -------------
|PPTP SERVER|  <---> |GATEWAY| <---> |INTERNET| <---> |ROADWARRIOR|
-------------        ---------       ----------       -------------
192.168.0.0 /24      200.*.*.* /28(ISP IP)            *.*.*.* (any IP)

I did a basic installation of pfSense firewall solution on a machine here,
and set up all needed ports for our basic NAT (webserver, e-mail, etc.).
Here follows the part mentioned for PPTP:

Firewall: NAT: Port Forward Options

If   Proto  Ext. port range  NAT IP        Int. port range  Description
WAN  TCP    1723             192.168.0.14  1723             Allow PPTP (TCP 1723)
WAN  GRE                     192.168.0.14                   Allow GRE (Protocol 47)

These rules were also inserted on Firewall: Rules (WAN section)

Proto  Source       Port  Destination   Port  Gateway  Description
TCP    WAN address  1723  192.168.0.14  1723  *        Allow PPTP (TCP 1723)
GRE    WAN address  *     192.168.0.14  *     *        Allow GRE (Protocol 47)

Then, I tried to connect from home to my server, putting its WAN IP on my
VPN connection, but when I try to connect, nothing happens.

Am I doing anything wrong here? Did I forget any point here? I tried to get
some info on pfSense mail discussion archives, but didn't find anything
similar to my problem. :-(

Is there anything that I still need to do in order to free up traffic of
PPTP and GRE protocols, from my box to the internal server? If anyone here
has passed through this issue, please light up my path. ;-)

Best regards,

Luciano Pereira Areal
Network Administrator
E-mail: [EMAIL PROTECTED]
Mobile #1: +55 21 8176-7376
Mobile #2: +55 21 8169-3362
Nextel ID: 55*8*64731
Skype: luciano_areal

Bizvox Voice Services
Avenida Nilo Peçanha, 50 Grupo 1516 - Centro
CEP: 20020-906
Rio de Janeiro - RJ - Brasil
Phone: +55 21 2212-1650
Fax: +55 21 2212-1675
Website: http://www.bizvox.com.br/





avast! Antivirus  : Outbound message clean. 


Virus Database (VPS): 071119-0, 19/11/2007
Tested on: 19/11/2007 10:07:26
avast! - copyright (c) 1988-2007 ALWIL Software.