PPTP User VPN
-
We are having a problem ever since we upgraded to the new 2.0 release. We are currently on "2.0-RC1 (i386) built on Mon Mar 7 12:03:17 EST 2011".
If you have the VPN server set up for PPTP with local pfSense user authentication, a user can log in and use the VPN with no problem, but when a user disconnects their VPN it's almost like states get reset. We have installed the latest 2.0-RC1 on a brand new box and tested just setting up the PPTP VPN and a single user, and it still happens. The easiest way to see this interruption is on a computer that is on the LAN side: bring up an SSH connection to a server that is out on the internet through the WAN connection, then have a VPN user log into the VPN and then disconnect. When you check your SSH connection to the outside server you will notice that it has been disconnected; this happens every time a user disconnects from the VPN.
If anyone could shed some light on this it would be appreciated, as I can find nothing in the logs that tells anything about what is going on.
Thank you.
-
It should only be killing the states for that specific connection.
You can edit /usr/local/sbin/vpn-linkdown and change it so it logs that last line instead of running pfctl. I wonder if one or both of the IPs are empty, causing it to reset all states instead of the ones it's supposed to do.
-
You might also try changing
/sbin/pfctl -b $3 -b $4
to
/sbin/pfctl -b $4 -b $5
It looks like we changed OpenVPN to use 4/5 a while ago, not sure if the other didn't get updated on purpose (because mpd passes different values) or what.
-
Ok,
Changing the
/sbin/pfctl -b $3 -b $4
to
/sbin/pfctl -b $4 -b $5
solves the problem.
From doing the logging, this is what I found out those mean:
$4 = VPN user's IP
$5 = VPN user's login name
$3 = WAN IP (could be the IP the VPN server is running on as well; these are the same for me), so when pfctl clears $3 it resets states on the WAN IP, which causes the problem. Not sure if $5 being the user name really resets anything at all, but not resetting the WAN fixes the problem for me.
Should I submit this as a bug so that it is fixed in the newer snapshots?
Thank you for all your help.
-
Yeah, open a ticket on redmine.pfsense.org - it will need some further review, because that same file is used for PPTP, PPPoE server, and L2TP - so the change doesn't only impact PPTP.
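Pulling together the two findings above (the hunch that an empty address would make pfctl -b flush everything, and the logging that showed $3 is the WAN address), here is a guarded version of the state-kill step. This is an added example, not pfSense's own /usr/local/sbin/vpn-linkdown; it assumes mpd's $3/$4/$5 mean what the thread found and takes the pfctl path from $PFCTL so it can be dry-run with PFCTL=echo.

```shell
#!/bin/sh
# Added example, not pfSense's vpn-linkdown. The argument handed to "pfctl -b"
# must be a real client address: never empty, never the WAN/server address.
# Assumed mpd positional arguments (from the thread):
#   $3 = WAN/server IP, $4 = VPN client IP, $5 = VPN username.

# is_ipv4 ADDR: succeed only if ADDR is a dotted quad with four octets in 0..255.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _n=0
  _oldifs=$IFS; IFS=.
  for _octet in $1; do
    _n=$((_n + 1))
    if [ "$_octet" -gt 255 ]; then IFS=$_oldifs; return 1; fi
  done
  IFS=$_oldifs
  [ "$_n" -eq 4 ]
}

# linkdown_kill_states WAN_IP CLIENT_IP USER: flush only the client's states.
# Returns 1 and flushes nothing when the client address is unusable.
# The pfctl binary comes from $PFCTL so the logic can be exercised with PFCTL=echo.
linkdown_kill_states() {
  _wan=$1; _client=$2; _user=$3
  if ! is_ipv4 "$_client"; then
    echo "vpn-linkdown: refusing pfctl -b, client address '$_client' is not IPv4 (user=$_user)" >&2
    return 1
  fi
  if [ "$_client" = "$_wan" ]; then
    echo "vpn-linkdown: refusing pfctl -b, client address $_client is the WAN address (user=$_user)" >&2
    return 1
  fi
  # Only the client address is flushed; the username is logged, not passed to pfctl.
  "${PFCTL:-/sbin/pfctl}" -b "$_client"
}

# Demonstration with constructed values (PFCTL=echo, so no states are touched).
PFCTL=echo
linkdown_kill_states 203.0.113.1 10.0.8.5 alice           # prints "-b 10.0.8.5"
linkdown_kill_states 203.0.113.1 "" alice || :            # refused: empty client address
linkdown_kill_states 203.0.113.1 203.0.113.1 alice || :   # refused: would flush WAN states
```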