Netgate Discussion Forum
PPTP rule weirdness

    2.0-RC Snapshot Feedback and Problems - RETIRED
yaw

      I'm not sure what is happening here. Perhaps someone can explain:

      PPTP works but clients cannot access anything once connected. Firewall rules issue right? Read on…

      On the PPTP VPN rules tab everything works as long as I have "any" for the source. It breaks once I change the source to "PPTP clients". That is the only rule I have for that tab.

      It seems to me that "PPTP clients" should work. Perhaps there is something wrong with the PPTP system alias, or perhaps I am misunderstanding that alias.

      Thanks!

yaw

        Some more info:

        It also works if I replace "PPTP clients" with the actual IP address of the connecting client or the entire subnet. I'm thinking there is something wrong with the pptp system alias.

        This is on latest beta as of today.

        Can anyone confirm?

eri--

          Show /tmp/rules.debug and show a picture of your pptp settings.

yaw

            Here you go:

            #System aliases

            loopback = "{ lo0 }"
            LAN = "{ vr0 }"
            WAN = "{ vr1 }"
            WIRELESS = "{ vr2 }"
            GUEST_VLAN2 = "{ vr0_vlan2 }"
            pptp = "{ pptp }"

#SSH Lockout Table
table <sshlockout> persist
table <webconfiguratorlockout> persist
#Snort2C table
table <snort2c>
table <virusprot>
# User Aliases
table <vpn_net> {  192.168.4.0/24 }
VPN_Net = "<vpn_net>"

# Gateways

            GWGW_WAN = " route-to ( vr1 X.X.X.X ) "

            set loginterface vr0
            set loginterface vr1
            set loginterface vr2
            set loginterface vr0_vlan2
            set optimization normal
            set limit states 23000
            set limit src-nodes 23000

            set skip on pfsync0

            scrub in on $LAN all    fragment reassemble
            scrub in on $WAN all    fragment reassemble
            scrub in on $WIRELESS all    fragment reassemble
            scrub in on $GUEST_VLAN2 all    fragment reassemble

            altq on  vr2 hfsc bandwidth 10Mb queue {  qInternet  }
            queue qInternet on vr2 bandwidth 10Mb hfsc (  ecn  , linkshare 10Mb  , upperlimit 10Mb  )  {  qACK,  qDefault,  qP2P,  qVoIP,  qGames,  qOthersHigh,  qOthersLow  }
            queue qACK on vr2 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
            queue qDefault on vr2 bandwidth 9.968% hfsc (  ecn  , default  ) 
            queue qP2P on vr2 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  , upperlimit 4.984%  ) 
            queue qVoIP on vr2 bandwidth 32Kb hfsc (  ecn  ,  realtime 19.936% ) 
            queue qGames on vr2 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
            queue qOthersHigh on vr2 bandwidth 9.968% hfsc (  ecn  , linkshare 9.968%  ) 
            queue qOthersLow on vr2 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  )

            altq on  vr0_vlan2 hfsc bandwidth 10Mb queue {  qInternet  }
            queue qInternet on vr0_vlan2 bandwidth 10Mb hfsc (  ecn  , linkshare 10Mb  , upperlimit 10Mb  )  {  qACK,  qDefault,  qP2P,  qVoIP,  qGames,  qOthersHigh,  qOthersLow  }
            queue qACK on vr0_vlan2 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
            queue qDefault on vr0_vlan2 bandwidth 9.968% hfsc (  ecn  , default  ) 
            queue qP2P on vr0_vlan2 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  , upperlimit 4.984%  ) 
            queue qVoIP on vr0_vlan2 bandwidth 32Kb hfsc (  ecn  ,  realtime 19.936% ) 
            queue qGames on vr0_vlan2 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
            queue qOthersHigh on vr0_vlan2 bandwidth 9.968% hfsc (  ecn  , linkshare 9.968%  ) 
            queue qOthersLow on vr0_vlan2 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  )

            altq on  vr0 hfsc bandwidth 10Mb queue {  qInternet  }
            queue qInternet on vr0 bandwidth 10Mb hfsc (  ecn  , linkshare 10Mb  , upperlimit 10Mb  )  {  qACK,  qDefault,  qP2P,  qVoIP,  qGames,  qOthersHigh,  qOthersLow  }
            queue qACK on vr0 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
            queue qDefault on vr0 bandwidth 9.968% hfsc (  ecn  , default  ) 
            queue qP2P on vr0 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  , upperlimit 4.984%  ) 
            queue qVoIP on vr0 bandwidth 32Kb hfsc (  ecn  ,  realtime 19.936% ) 
            queue qGames on vr0 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
            queue qOthersHigh on vr0 bandwidth 9.968% hfsc (  ecn  , linkshare 9.968%  ) 
            queue qOthersLow on vr0 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  )

            altq on  vr1 hfsc bandwidth 1.8Mb queue {  qACK,  qDefault,  qP2P,  qVoIP,  qGames,  qOthersHigh,  qOthersLow  }
            queue qACK on vr1 bandwidth 19.644% hfsc (  ecn  , linkshare 19.644%  ) 
            queue qDefault on vr1 bandwidth 9.822% hfsc (  ecn  , default  ) 
            queue qP2P on vr1 bandwidth 4.911% hfsc (  ecn  , linkshare 4.911%  , upperlimit 4.911%  ) 
            queue qVoIP on vr1 bandwidth 32Kb hfsc (  ecn  ,  realtime 19.644% ) 
            queue qGames on vr1 bandwidth 19.644% hfsc (  ecn  , linkshare 19.644%  ) 
            queue qOthersHigh on vr1 bandwidth 9.822% hfsc (  ecn  , linkshare 9.822%  ) 
            queue qOthersLow on vr1 bandwidth 4.911% hfsc (  ecn  , linkshare 4.911%  )

nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules

            nat on $WAN  from 192.168.1.0/24 to any -> X.X.X.X/32 port 1024:65535
            nat on $WAN  from 192.168.2.0/24 to any -> X.X.X.X/32 port 1024:65535
            nat on $WAN  from 192.168.3.0/24 to any -> X.X.X.X/32 port 1024:65535
            nat on $WAN  from 192.168.4.0/24 to any -> X.X.X.X/32 port 1024:65535

# Load balancing anchor

rdr-anchor "relayd/*"

# TFTP proxy

rdr-anchor "tftp-proxy/*"
table <direct_networks> { 192.168.1.0/24 71.61.184.0/21 192.168.2.0/24 192.168.3.0/24 192.168.4.208/32 }

# NAT Inbound Redirects

            rdr on vr1 proto tcp from any to X.X.X.X port 80:81 -> 192.168.1.5
            rdr on vr1 proto tcp from any to X.X.X.X port 443 -> 192.168.1.5
            rdr on vr1 proto tcp from any to X.X.X.X port 22 -> 192.168.1.5
            rdr on vr1 proto udp from any to X.X.X.X port 22 -> 192.168.1.5
            rdr on vr1 proto tcp from any to X.X.X.X port 21 -> 192.168.1.5
            rdr on vr1 proto tcp from any to X.X.X.X port 25 -> 192.168.1.5
            rdr on vr1 proto tcp from any to X.X.X.X port 26 -> 192.168.1.5 port 25
            rdr on vr1 proto tcp from any to X.X.X.X port 143 -> 192.168.1.5
            rdr on vr1 proto tcp from any to X.X.X.X port 993 -> 192.168.1.5
            rdr on vr1 proto tcp from any to X.X.X.X port 83 -> 192.168.2.21 port 80

# UPnPd rdr anchor

            rdr-anchor "miniupnpd"

            pass in quick on { vr2 } proto tcp from any to { 192.168.2.1 } port { 8000 8001 } keep state(sloppy)
            pass out quick on { vr2 } proto tcp from { 192.168.2.1 } port { 8000 8001 } to any keep state(sloppy)
            anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
            block in log all label "Default deny rule"
            block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.

block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6

block in quick inet6 all
block out quick inet6 all

# snort2c

block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# SSH lockout

block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout

block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
            antispoof for vr0

# allow access to DHCP server on LAN

pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
table <bogons> persist file "/etc/bogons"

# block bogon networks

# http://www.cymru.com/Documents/bogon-bn-nonagg.txt

block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for vr1

# block anything from private networks on interfaces with the option set

            antispoof for $WAN
            block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
            block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
            block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
            block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

# allow our DHCP client out to the WAN

            pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
            pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"

# Not installing DHCP server firewall rules for WAN which is configured for DHCP.

            antispoof for vr2

# allow access to DHCP server on WIRELESS

            pass in on $WIRELESS proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
            pass in on $WIRELESS proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
            pass out on $WIRELESS proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"
            antispoof for vr0_vlan2

# allow access to DHCP server on GUEST_VLAN2

            pass in on $GUEST_VLAN2 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
            pass in on $GUEST_VLAN2 proto udp from any port = 68 to 192.168.3.1 port = 67 label "allow access to DHCP server"
            pass out on $GUEST_VLAN2 proto udp from 192.168.3.1 port = 67 to any port = 68 label "allow access to DHCP server"

# loopback

            pass in on $loopback all label "pass loopback"
            pass out on $loopback all label "pass loopback"

# let out anything from the firewall host itself and decrypted IPsec traffic

            pass out all keep state allow-opts label "let out anything from firewall host itself"
            pass out route-to ( vr1 X.X.X.X ) from X.X.X.X to !71.61.184.0/21 keep state allow-opts label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH

            pass in quick on vr0 proto tcp from any to (vr0) port { 80 22 } keep state label "anti-lockout rule"

# PPTPd rules

            pass in on $WAN proto tcp from any to X.X.X.X port = 1723 modulate state label "allow pptpd X.X.X.X"

# User-defined rules follow

            pass  out  proto udp  from any to any port 5059 >< 5070  queue (qVoIP)  label "USER_RULE: m_voip  outbound"
            pass  out  proto udp  from any to any port 9999 >< 20001  queue (qVoIP)  label "USER_RULE: m_voip  outbound"
            pass  out  proto tcp  from any to any port 7668  queue (qP2P)  label "USER_RULE: m_P2P Aimster outbound"
            pass  out  proto tcp  from any to any port 6880 >< 7000  queue (qP2P)  label "USER_RULE: m_P2P BitTorrent outbound"
            pass  out  proto udp  from any to any port 6880 >< 7000  queue (qP2P)  label "USER_RULE: m_P2P BitTorrent outbound"
            pass  out  proto tcp  from any to any port 7788  queue (qP2P)  label "USER_RULE: m_P2P BuddyShare outbound"
            pass  out  proto tcp  from any to any port 2340  queue (qP2P)  label "USER_RULE: m_P2P CuteMX outbound"
            pass  out  proto tcp  from any to any port 6665 >< 6669  queue (qP2P)  label "USER_RULE: m_P2P dcc outbound"
            pass  out  proto tcp  from any to any port 412  queue (qP2P)  label "USER_RULE: m_P2P DirectConnect outbound"
            pass  out  proto tcp  from any to any port 1043 >< 1046  queue (qP2P)  label "USER_RULE: m_P2P DirectFileExpress outbound"
            pass  out  proto tcp  from any to any port 4660 >< 4666  queue (qP2P)  label "USER_RULE: m_P2P EDonkey2000 outbound"
            pass  out  proto tcp  from any to any port 6346  queue (qP2P)  label "USER_RULE: m_P2P Gnutella-TCP outbound"
            pass  out  proto udp  from any to any port 6346  queue (qP2P)  label "USER_RULE: m_P2P Gnutella-UDP outbound"
            pass  out  proto tcp  from any to any port 8037 >< 8040  queue (qP2P)  label "USER_RULE: m_P2P grouper outbound"
            pass  out  proto tcp  from any to any port 28863 >< 28866  queue (qP2P)  label "USER_RULE: m_P2P hotComm outbound"
            pass  out  proto tcp  from any to any port 5499 >< 5504  queue (qP2P)  label "USER_RULE: m_P2P HotlineConnect outbound"
            pass  out  proto tcp  from any to any port 4329  queue (qP2P)  label "USER_RULE: m_P2P iMesh outbound"
            pass  out  proto tcp  from any to any port 6698 >< 6702  queue (qP2P)  label "USER_RULE: m_P2P Napster outbound"
            pass  out  proto tcp  from any to any port 8887 >< 8890  queue (qP2P)  label "USER_RULE: m_P2P OpenNap outbound"
            pass  out  proto tcp  from any to any port 8311  queue (qP2P)  label "USER_RULE: m_P2P Scour outbound"
            pass  out  proto tcp  from any to any port 6346  queue (qP2P)  label "USER_RULE: m_P2P Shareaza outbound"
            pass  out  proto tcp  from any to any port 5190  queue (qP2P)  label "USER_RULE: m_P2P SongSpy outbound"
            pass  out  proto tcp  from any to any port 6699  queue (qP2P)  label "USER_RULE: m_P2P WinMX outbound"
            pass  out  proto udp  from any to any port 27650  queue (qGames)  label "USER_RULE: m_Game DOOM3-1 outbound"
            pass  out  proto udp  from any to any port 27666  queue (qGames)  label "USER_RULE: m_Game DOOM3-2 outbound"
            pass  out  proto tcp  from any to any port 27015  queue (qGames,qACK)  label "USER_RULE: m_Game HL-1 outbound"
            pass  out  proto udp  from any to any port 27650  queue (qGames)  label "USER_RULE: m_Game HL-2 outbound"
            pass  out  proto udp  from any to any port 27666  queue (qGames)  label "USER_RULE: m_Game HL-3 outbound"
            pass  out  proto tcp  from any to any port 27019 >< 27051  queue (qGames,qACK)  label "USER_RULE: m_Game HL2-1 outbound"
            pass  out  proto udp  from any to any port 1200  queue (qGames)  label "USER_RULE: m_Game HL2-2 outbound"
            pass  out  proto udp  from any to any port 26999 >< 27016  queue (qGames)  label "USER_RULE: m_Game HL2-3 outbound"
            pass  out  proto udp  from any to any port 27909 >< 27920  queue (qGames)  label "USER_RULE: m_Game quakeiii outbound"
            pass  out  proto udp  from any to any port 7776 >< 7788  queue (qGames)  label "USER_RULE: m_Game ur1 outbound"
            pass  out  proto tcp  from any to any port 7776 >< 7788  queue (qGames,qACK)  label "USER_RULE: m_Game ur2 outbound"
            pass  out  proto tcp  from any to any port 27960  queue (qGames,qACK)  label "USER_RULE: m_Game WolfET-1 outbound"
            pass  out  proto udp  from any to any port 88  queue (qGames)  label "USER_RULE: m_Game xbox360-1 outbound"
            pass  out  proto udp  from any to any port 3074  queue (qGames)  label "USER_RULE: m_Game xbox360-2 outbound"
            pass  out  proto tcp  from any to any port 3074  queue (qGames,qACK)  label "USER_RULE: m_Game xbox360-3 outbound"
            pass  out  proto tcp  from any to any port 3389  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other MSRDP outbound"
            pass  out  proto tcp  from any to any port 5899 >< 5931  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other VNC outbound"
            pass  out  proto tcp  from any to any port 3283  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other AppleRemoteDesktop1 outbound"
            pass  out  proto tcp  from any to any port 5900  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other AppleRemoteDesktop2 outbound"
            pass  out  proto udp  from any to any port 3283  queue (qOthersHigh)  label "USER_RULE: m_Other AppleRemoteDesktop3 outbound"
            pass  out  proto udp  from any to any port 5900  queue (qOthersHigh)  label "USER_RULE: m_Other AppleRemoteDesktop4 outbound"
            pass  out  proto tcp  from any to any port 5631  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other pcany1 outbound"
            pass  out  proto udp  from any to any port 5632  queue (qOthersHigh)  label "USER_RULE: m_Other pcany2 outbound"
            pass  out  proto tcp  from any to any port 6666 >< 6671  queue (qOthersLow,qACK)  label "USER_RULE: m_Other IRC outbound"
            pass  out  proto tcp  from any to any port 5222  queue (qOthersLow,qACK)  label "USER_RULE: m_Other IRC outbound"
            pass  out  proto tcp  from any to any port 5223  queue (qOthersLow,qACK)  label "USER_RULE: m_Other IRC outbound"
            pass  out  proto tcp  from any to any port 5269  queue (qOthersLow,qACK)  label "USER_RULE: m_Other IRC outbound"
            pass  out  proto tcp  from any to any port 5190  queue (qOthersLow,qACK)  label "USER_RULE: m_Other ICQ1 outbound"
            pass  out  proto udp  from any to any port 5190  queue (qOthersLow)  label "USER_RULE: m_Other ICQ2 outbound"
            pass  out  proto tcp  from any to any port 5190  queue (qOthersLow,qACK)  label "USER_RULE: m_Other AIM outbound"
            pass  out  proto tcp  from any to any port 1863  queue (qOthersLow,qACK)  label "USER_RULE: m_Other MSN1 outbound"
            pass  out  proto tcp  from any to any port 6890 >< 6901  queue (qOthersLow,qACK)  label "USER_RULE: m_Other MSN2 outbound"
            pass  out  proto tcp  from any to any port 6901  queue (qOthersLow,qACK)  label "USER_RULE: m_Other MSN3 outbound"
            pass  out  proto udp  from any to any port 6901  queue (qOthersLow)  label "USER_RULE: m_Other MSN4 outbound"
            pass  out  proto tcp  from any to any port 14534  queue (qOthersLow,qACK)  label "USER_RULE: m_Other teamspeak1 outbound"
            pass  out  proto tcp  from any to any port 51234  queue (qOthersLow,qACK)  label "USER_RULE: m_Other teamspeak2 outbound"
            pass  out  proto udp  from any to any port 8766 >< 8769  queue (qOthersLow)  label "USER_RULE: m_Other teamspeak3 outbound"
            pass  out  proto tcp  from any to any port 1723  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other PPTP outbound"
            pass  out  proto gre  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other PPTPGRE outbound"
            pass  out  proto udp  from any to any port 500  queue (qOthersHigh)  label "USER_RULE: m_Other IPSEC outbound"
            pass  out  proto ah  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other IPSEC outbound"
            pass  out  proto esp  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other IPSEC outbound"
            pass  out  proto tcp  from any to any port 7999 >< 8101  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other STREAMINGMP3 outbound"
            pass  out  proto tcp  from any to any port 554  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other RTSP1 outbound"
            pass  out  proto tcp  from any to any port 53  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other DNS1 outbound"
            pass  out  proto udp  from any to any port 53  queue (qOthersHigh)  label "USER_RULE: m_Other DNS2 outbound"
            pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 25  label "USER_RULE: NAT SMTP"
            pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 79 >< 82  label "USER_RULE: NAT HTTP"
            pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 22  label "USER_RULE: NAT SSH"
            pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto udp  from any to  192.168.1.5 port 22  label "USER_RULE: NAT SSH"
            pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 21  label "USER_RULE: NAT FTP"
            pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to X.X.X.X port 21  label "USER_RULE: NAT FTP"
            pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 993  label "USER_RULE: NAT SSL"
            pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 143  label "USER_RULE: NAT IMAP"
            pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 443  label "USER_RULE: NAT HTTPs"
            pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.2.21 port 80  flags S/SA keep state  label "USER_RULE: NAT Webcam"
            pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE"

            LANWANWIRELESSGUEST_VLAN2pptp enc0 array key does not exist for  label "USER_RULE"

            LANWANWIRELESSGUEST_VLAN2pptp l2tp array key does not exist for  label "USER_RULE"

            pass  in  quick  on $WIRELESS  from 192.168.2.1/24 to any keep state  label "USER_RULE"
            pass  in  quick  on $GUEST_VLAN2  from 192.168.3.1/24 to X.X.X.X keep state  dnpipe ( 2, 1)  label "USER_RULE"
            pass  in  quick  on $pptp  from  $VPN_Net to any keep state  label "USER_RULE"

# VPN Rules

            anchor "tftp-proxy/*"

# uPnPd

            anchor "miniupnpd"

(attachment: Untitled.jpg)

winge

Just to confirm that this is an issue. I have the exact same behaviour with

              2.0-BETA4 (amd64)
              built on Wed Nov 17 05:45:58 UTC 2010

"PPTP clients" does not seem to be working for any firewall rules. Rules specifying the correct IP or IP range work fine.

yaw

                Any word on a fix?

toomeek

I added the following rules to the firewall:

                  • allow TCP PPTP on WAN1/WAN2 (2 rules)
                  • allow source: PPTP Clients on LAN iface in/out (2 rules)
                  • did some test, telnet to 1723 from outside (port is open)
• state of connection: established:established
• PPTP configured like the attached screen.

                  But it isn't working.

(attachment: pfsense_PPTP.png)

yaw

                    ermal: Any update on this?

eri--

From what I can see it should work correctly!

                      Can you do a ifconfig -l group after one of your clients is connected?

yaw

                        I'm not sure that ifconfig -l group makes sense. Did you mean ifconfig -g group?

                        Here is the output from ifconfig -l
                        vr0 vr1 vr2 pfsync0 lo0 pflog0 enc0 vr0_vlan2 pptpd0 pptpd1 pptpd2 pptpd3 pptpd4 pptpd5 pptpd6 pptpd7 pptpd8 pptpd9 ipfw0

                        Here is the output from ifconfig -g pptp
                        pptpd0

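The check the last two posts do by hand, as an added example (not code from the thread or from pfSense): in rules.debug the macro `pptp = "{ pptp }"` names an interface group, so a rule written `on $pptp` only matches on interfaces that are members of that group. The script cross-references the macro with the `ifconfig -l` and `ifconfig -g pptp` output pasted above and lists the pptpdN interfaces that exist but are not in the group; the rules.debug excerpt is a constructed subset of the posted file.

```python
import re

# Command outputs as pasted in the thread (ifconfig -l and ifconfig -g pptp).
IFCONFIG_L = ("vr0 vr1 vr2 pfsync0 lo0 pflog0 enc0 vr0_vlan2 pptpd0 pptpd1 "
              "pptpd2 pptpd3 pptpd4 pptpd5 pptpd6 pptpd7 pptpd8 pptpd9 ipfw0")
IFCONFIG_G_PPTP = "pptpd0"

# Constructed excerpt: the lines of the posted rules.debug that matter here.
RULES_DEBUG = """\
pptp = "{ pptp }"
LAN = "{ vr0 }"
table <vpn_net> {  192.168.4.0/24 }
VPN_Net = "<vpn_net>"
pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE"
pass  in  quick  on $pptp  from  $VPN_Net to any keep state  label "USER_RULE"
"""


def parse_macros(rules_text):
    """Collect pf macro definitions of the form NAME = "value"."""
    macros = {}
    for line in rules_text.splitlines():
        m = re.match(r'^(\w+)\s*=\s*"(.*)"\s*$', line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def macro_interfaces(macros, name):
    """Names inside an interface macro, e.g. '{ pptp }' -> ['pptp']."""
    return re.sub(r"[{}]", " ", macros.get(name, "")).split()


def rules_on_macro(rules_text, name):
    """Rules whose 'on' clause is the given macro ($name)."""
    pattern = re.compile(r"\bon\s+\$" + re.escape(name) + r"\b")
    return [ln for ln in rules_text.splitlines() if pattern.search(ln)]


def ifaces_with_prefix(ifconfig_l, prefix):
    """Interfaces from 'ifconfig -l' that start with prefix, in numeric order."""
    found = [i for i in ifconfig_l.split() if i.startswith(prefix)]
    return sorted(found, key=lambda i: int(re.sub(r"\D", "", i[len(prefix):]) or 0))


def audit_group_macro(rules_text, macro, ifconfig_l, ifconfig_g, prefix):
    """Compare the interfaces that exist with the group members pf will match."""
    macros = parse_macros(rules_text)
    members = set(ifconfig_g.split())
    present = ifaces_with_prefix(ifconfig_l, prefix)
    return {
        "macro_expands_to": macro_interfaces(macros, macro),
        "rules_depending_on_macro": rules_on_macro(rules_text, macro),
        "group_members": sorted(members),
        # Interfaces a rule 'on $macro' will never see unless they join the group.
        "not_in_group": [i for i in present if i not in members],
    }


if __name__ == "__main__":
    report = audit_group_macro(RULES_DEBUG, "pptp", IFCONFIG_L, IFCONFIG_G_PPTP, "pptpd")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live pfSense box the two constants would be replaced by the real `ifconfig -l` / `ifconfig -g pptp` output and the contents of /tmp/rules.debug.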
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.