Netgate Discussion Forum
    Bug in routing?

      dragon2611

      Version 1.2.3-RELEASE.

      I was playing with connecting my home router (RouterOS) to my remote pfSense machine via PPTP, as I wanted to play with using Freeradius to auth with an AP on my network @ Home (I don't want to stick another box at home just for radius on the home network).

      The Home Network is 192.168.2.xxx
      LAN on pfsense is 192.168.3.xxx
      The PPTP server gives IPs within the range of 192.168.11.x
      VPN server IP 192.168.10.0 (I think; I'm not in front of the machine atm)

      I successfully established a PPTP connection between RouterOS and pfSense. I then added a static route in RouterOS for 192.168.3.0/24 reachable via PPTP-1.

      I then set up a static route on pfSense so that in order to reach 192.168.2.0/24 it needs to use 192.168.11.1 (the address it assigns the PPTP user, which was set to always be assigned to that user).

      The connection worked and I could ping 192.168.3.1 (pfSense) from the home router. I successfully set up a Virtual AP on one of my DD-WRT boxes and had it doing WPA2 Enterprise against the freeradius server on pfSense.

      However, the PPTP connection then dropped and reconnected, and it all stopped working. I confirmed that the router at my end still had 192.168.11.1 and that the static route for 192.168.2.0/24 interface PPTP via IP 192.168.11.1 still exists in the pfSense web UI.

      However, if I try to ping 192.168.2.1 from pfSense I get a response from my provider's upstream gateway telling me that 192.168.11.1 is not reachable. :o

      It seems that if you try to set up pfSense to route outgoing traffic for a set IP range to a connected PPTP client, then if that client subsequently reconnects, it tries to send the traffic for its IP to the WAN interface instead of the PPTP interface.

      Now I'm not sure if this is a bug or just me being an idiot when setting it up.

        jimp Rebel Alliance Developer Netgate

        PPTP is not meant to be used for site-to-site links in this manner, it's only for client access.

        You'll probably need to use a real site-to-site VPN option like OpenVPN or IPsec.

          dragon2611

          @jimp:

          PPTP is not meant to be used for site-to-site links in this manner, it's only for client access.

          You'll probably need to use a real site-to-site VPN option like OpenVPN or IPsec.

          That is quite true, and I only used PPTP as it was quick to set up for a test.

          However, that said, pfSense really should know where to route traffic for a connected PPTP client regardless of what that other device was. After all, it was pfSense that assigned the connected client (in this case my RouterOS router) 192.168.11.1, so why it's trying to send packets for 192.168.1.11 to the WAN interface I'm not sure.

            jimp Rebel Alliance Developer Netgate

            That's comparing apples to oranges; it's not a good test. It would have been much less effort to set up IPsec or OpenVPN than mess with PPTP for a site-to-site link.

            That said, you might also double check your other PPTP server settings. In particular, the "Server Address" should be an IP in the same subnet as "Remote Address Range".

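Added example, not part of the thread and not pfSense code: a small routing-table model that flags the symptom from the first post, a static route for a private prefix whose gateway ends up resolving out the WAN. The WAN addressing, the interface names and the assumption that the PPTP client's host route is missing after the reconnect are constructed for illustration.

```python
import ipaddress

# Constructed routing tables using the addresses from the thread.
# Entry: (prefix, gateway or None if directly connected, interface or None).
# WAN addressing (203.0.113.0/24) and interface names are made up.
TUNNEL_UP = [
    ("0.0.0.0/0", "203.0.113.1", "wan"),
    ("203.0.113.0/24", None, "wan"),
    ("192.168.3.0/24", None, "lan"),
    ("192.168.11.1/32", None, "pptp0"),       # host route to the PPTP client
    ("192.168.2.0/24", "192.168.11.1", None),  # static route from the first post
]
# Assumption: after the reconnect the client's host route is missing.
AFTER_RECONNECT = [r for r in TUNNEL_UP if r[0] != "192.168.11.1/32"]


def lookup(dest, table):
    """Longest-prefix match; returns the winning entry or None."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in table if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)


def egress(dest, table, depth=0):
    """Follow gateways until a route names the outgoing interface."""
    route = lookup(dest, table)
    if route is None or depth > 8:  # no route, or a gateway loop
        return None
    _, gateway, iface = route
    return iface if iface else egress(gateway, table, depth + 1)


def leaking_private_routes(table, wan_if="wan"):
    """Static routes for private prefixes whose gateway resolves via the WAN."""
    leaks = []
    for prefix, gateway, iface in table:
        net = ipaddress.ip_network(prefix)
        if gateway and net.prefixlen > 0 and net.is_private:
            if (iface or egress(gateway, table)) == wan_if:
                leaks.append((prefix, gateway))
    return leaks


if __name__ == "__main__":
    for name, table in (("tunnel up", TUNNEL_UP), ("after reconnect", AFTER_RECONNECT)):
        print(name, "->", egress("192.168.2.1", table), leaking_private_routes(table))
```

Fed the real routing table from the firewall, the same check shows whether traffic for the remote LAN (here including the RADIUS exchange) would be handed to the provider's gateway instead of the tunnel.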