PPTP rule weirdness



  • I'm not sure what is happening here. Perhaps someone can explain:

    PPTP works but clients cannot access anything once connected. Firewall rules issue right? Read on…

    On the PPTP VPN rules tab everything works as long as I have "any" for the source. It breaks once I change the source to "PPTP clients". That is the only rule I have for that tab.

    It seems to me that "PPTP clients" should work. Perhaps there is something wrong with the PPTP system alias, or perhaps I am misunderstanding that alias.

    Thanks!



  • Some more info:

    It also works if I replace "PPTP clients" with the actual IP address of the connecting client or the entire subnet. I'm thinking there is something wrong with the pptp system alias.

    This is on latest beta as of today.

    Can anyone confirm?



  • Show /tmp/rules.debug and show a picture of your pptp settings.



  • Here you go:

    #System aliases

    loopback = "{ lo0 }"
    LAN = "{ vr0 }"
    WAN = "{ vr1 }"
    WIRELESS = "{ vr2 }"
    GUEST_VLAN2 = "{ vr0_vlan2 }"
    pptp = "{ pptp }"

    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #Snort2C table
    table <snort2c>
    table <virusprot>
    # User Aliases
    table <vpn_net> { 192.168.4.0/24 }
    VPN_Net = "<vpn_net>"

    # Gateways

    GWGW_WAN = " route-to ( vr1 X.X.X.X ) "

    set loginterface vr0
    set loginterface vr1
    set loginterface vr2
    set loginterface vr0_vlan2
    set optimization normal
    set limit states 23000
    set limit src-nodes 23000

    set skip on pfsync0

    scrub in on $LAN all    fragment reassemble
    scrub in on $WAN all    fragment reassemble
    scrub in on $WIRELESS all    fragment reassemble
    scrub in on $GUEST_VLAN2 all    fragment reassemble

    altq on  vr2 hfsc bandwidth 10Mb queue {  qInternet  }
    queue qInternet on vr2 bandwidth 10Mb hfsc (  ecn  , linkshare 10Mb  , upperlimit 10Mb  )  {  qACK,  qDefault,  qP2P,  qVoIP,  qGames,  qOthersHigh,  qOthersLow  }
    queue qACK on vr2 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
    queue qDefault on vr2 bandwidth 9.968% hfsc (  ecn  , default  ) 
    queue qP2P on vr2 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  , upperlimit 4.984%  ) 
    queue qVoIP on vr2 bandwidth 32Kb hfsc (  ecn  ,  realtime 19.936% ) 
    queue qGames on vr2 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
    queue qOthersHigh on vr2 bandwidth 9.968% hfsc (  ecn  , linkshare 9.968%  ) 
    queue qOthersLow on vr2 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  )

    altq on  vr0_vlan2 hfsc bandwidth 10Mb queue {  qInternet  }
    queue qInternet on vr0_vlan2 bandwidth 10Mb hfsc (  ecn  , linkshare 10Mb  , upperlimit 10Mb  )  {  qACK,  qDefault,  qP2P,  qVoIP,  qGames,  qOthersHigh,  qOthersLow  }
    queue qACK on vr0_vlan2 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
    queue qDefault on vr0_vlan2 bandwidth 9.968% hfsc (  ecn  , default  ) 
    queue qP2P on vr0_vlan2 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  , upperlimit 4.984%  ) 
    queue qVoIP on vr0_vlan2 bandwidth 32Kb hfsc (  ecn  ,  realtime 19.936% ) 
    queue qGames on vr0_vlan2 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
    queue qOthersHigh on vr0_vlan2 bandwidth 9.968% hfsc (  ecn  , linkshare 9.968%  ) 
    queue qOthersLow on vr0_vlan2 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  )

    altq on  vr0 hfsc bandwidth 10Mb queue {  qInternet  }
    queue qInternet on vr0 bandwidth 10Mb hfsc (  ecn  , linkshare 10Mb  , upperlimit 10Mb  )  {  qACK,  qDefault,  qP2P,  qVoIP,  qGames,  qOthersHigh,  qOthersLow  }
    queue qACK on vr0 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
    queue qDefault on vr0 bandwidth 9.968% hfsc (  ecn  , default  ) 
    queue qP2P on vr0 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  , upperlimit 4.984%  ) 
    queue qVoIP on vr0 bandwidth 32Kb hfsc (  ecn  ,  realtime 19.936% ) 
    queue qGames on vr0 bandwidth 19.936% hfsc (  ecn  , linkshare 19.936%  ) 
    queue qOthersHigh on vr0 bandwidth 9.968% hfsc (  ecn  , linkshare 9.968%  ) 
    queue qOthersLow on vr0 bandwidth 4.984% hfsc (  ecn  , linkshare 4.984%  )

    altq on  vr1 hfsc bandwidth 1.8Mb queue {  qACK,  qDefault,  qP2P,  qVoIP,  qGames,  qOthersHigh,  qOthersLow  }
    queue qACK on vr1 bandwidth 19.644% hfsc (  ecn  , linkshare 19.644%  ) 
    queue qDefault on vr1 bandwidth 9.822% hfsc (  ecn  , default  ) 
    queue qP2P on vr1 bandwidth 4.911% hfsc (  ecn  , linkshare 4.911%  , upperlimit 4.911%  ) 
    queue qVoIP on vr1 bandwidth 32Kb hfsc (  ecn  ,  realtime 19.644% ) 
    queue qGames on vr1 bandwidth 19.644% hfsc (  ecn  , linkshare 19.644%  ) 
    queue qOthersHigh on vr1 bandwidth 9.822% hfsc (  ecn  , linkshare 9.822%  ) 
    queue qOthersLow on vr1 bandwidth 4.911% hfsc (  ecn  , linkshare 4.911%  )

    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    # Outbound NAT rules

    nat on $WAN  from 192.168.1.0/24 to any -> X.X.X.X/32 port 1024:65535
    nat on $WAN  from 192.168.2.0/24 to any -> X.X.X.X/32 port 1024:65535
    nat on $WAN  from 192.168.3.0/24 to any -> X.X.X.X/32 port 1024:65535
    nat on $WAN  from 192.168.4.0/24 to any -> X.X.X.X/32 port 1024:65535

    # Load balancing anchor

    rdr-anchor "relayd/*"

    # TFTP proxy

    rdr-anchor "tftp-proxy/*"
    table <direct_networks> { 192.168.1.0/24 71.61.184.0/21 192.168.2.0/24 192.168.3.0/24 192.168.4.208/32 }

    # NAT Inbound Redirects

    rdr on vr1 proto tcp from any to X.X.X.X port 80:81 -> 192.168.1.5
    rdr on vr1 proto tcp from any to X.X.X.X port 443 -> 192.168.1.5
    rdr on vr1 proto tcp from any to X.X.X.X port 22 -> 192.168.1.5
    rdr on vr1 proto udp from any to X.X.X.X port 22 -> 192.168.1.5
    rdr on vr1 proto tcp from any to X.X.X.X port 21 -> 192.168.1.5
    rdr on vr1 proto tcp from any to X.X.X.X port 25 -> 192.168.1.5
    rdr on vr1 proto tcp from any to X.X.X.X port 26 -> 192.168.1.5 port 25
    rdr on vr1 proto tcp from any to X.X.X.X port 143 -> 192.168.1.5
    rdr on vr1 proto tcp from any to X.X.X.X port 993 -> 192.168.1.5
    rdr on vr1 proto tcp from any to X.X.X.X port 83 -> 192.168.2.21 port 80

    # UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    pass in quick on { vr2 } proto tcp from any to { 192.168.2.1 } port { 8000 8001 } keep state(sloppy)
    pass out quick on { vr2 } proto tcp from { 192.168.2.1 } port { 8000 8001 } to any keep state(sloppy)
    anchor "relayd/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"

    # We use the mighty pf, we cannot be fooled.

    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # Block all IPv6

    block in quick inet6 all
    block out quick inet6 all

    # snort2c

    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

    # SSH lockout

    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

    # webConfigurator lockout

    block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    antispoof for vr0

    # allow access to DHCP server on LAN

    pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
    pass out on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
    table <bogons> persist file "/etc/bogons"

    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt

    block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
    antispoof for vr1

    # block anything from private networks on interfaces with the option set

    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

    # allow our DHCP client out to the WAN

    pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
    pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"

    # Not installing DHCP server firewall rules for WAN which is configured for DHCP.

    antispoof for vr2

    # allow access to DHCP server on WIRELESS

    pass in on $WIRELESS proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $WIRELESS proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
    pass out on $WIRELESS proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"
    antispoof for vr0_vlan2

    # allow access to DHCP server on GUEST_VLAN2

    pass in on $GUEST_VLAN2 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $GUEST_VLAN2 proto udp from any port = 68 to 192.168.3.1 port = 67 label "allow access to DHCP server"
    pass out on $GUEST_VLAN2 proto udp from 192.168.3.1 port = 67 to any port = 68 label "allow access to DHCP server"

    # loopback

    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"

    # let out anything from the firewall host itself and decrypted IPsec traffic

    pass out all keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( vr1 X.X.X.X ) from X.X.X.X to !71.61.184.0/21 keep state allow-opts label "let out anything from firewall host itself"

    # make sure the user cannot lock himself out of the webConfigurator or SSH

    pass in quick on vr0 proto tcp from any to (vr0) port { 80 22 } keep state label "anti-lockout rule"

    # PPTPd rules

    pass in on $WAN proto tcp from any to X.X.X.X port = 1723 modulate state label "allow pptpd X.X.X.X"

    # User-defined rules follow

    pass  out  proto udp  from any to any port 5059 >< 5070  queue (qVoIP)  label "USER_RULE: m_voip  outbound"
    pass  out  proto udp  from any to any port 9999 >< 20001  queue (qVoIP)  label "USER_RULE: m_voip  outbound"
    pass  out  proto tcp  from any to any port 7668  queue (qP2P)  label "USER_RULE: m_P2P Aimster outbound"
    pass  out  proto tcp  from any to any port 6880 >< 7000  queue (qP2P)  label "USER_RULE: m_P2P BitTorrent outbound"
    pass  out  proto udp  from any to any port 6880 >< 7000  queue (qP2P)  label "USER_RULE: m_P2P BitTorrent outbound"
    pass  out  proto tcp  from any to any port 7788  queue (qP2P)  label "USER_RULE: m_P2P BuddyShare outbound"
    pass  out  proto tcp  from any to any port 2340  queue (qP2P)  label "USER_RULE: m_P2P CuteMX outbound"
    pass  out  proto tcp  from any to any port 6665 >< 6669  queue (qP2P)  label "USER_RULE: m_P2P dcc outbound"
    pass  out  proto tcp  from any to any port 412  queue (qP2P)  label "USER_RULE: m_P2P DirectConnect outbound"
    pass  out  proto tcp  from any to any port 1043 >< 1046  queue (qP2P)  label "USER_RULE: m_P2P DirectFileExpress outbound"
    pass  out  proto tcp  from any to any port 4660 >< 4666  queue (qP2P)  label "USER_RULE: m_P2P EDonkey2000 outbound"
    pass  out  proto tcp  from any to any port 6346  queue (qP2P)  label "USER_RULE: m_P2P Gnutella-TCP outbound"
    pass  out  proto udp  from any to any port 6346  queue (qP2P)  label "USER_RULE: m_P2P Gnutella-UDP outbound"
    pass  out  proto tcp  from any to any port 8037 >< 8040  queue (qP2P)  label "USER_RULE: m_P2P grouper outbound"
    pass  out  proto tcp  from any to any port 28863 >< 28866  queue (qP2P)  label "USER_RULE: m_P2P hotComm outbound"
    pass  out  proto tcp  from any to any port 5499 >< 5504  queue (qP2P)  label "USER_RULE: m_P2P HotlineConnect outbound"
    pass  out  proto tcp  from any to any port 4329  queue (qP2P)  label "USER_RULE: m_P2P iMesh outbound"
    pass  out  proto tcp  from any to any port 6698 >< 6702  queue (qP2P)  label "USER_RULE: m_P2P Napster outbound"
    pass  out  proto tcp  from any to any port 8887 >< 8890  queue (qP2P)  label "USER_RULE: m_P2P OpenNap outbound"
    pass  out  proto tcp  from any to any port 8311  queue (qP2P)  label "USER_RULE: m_P2P Scour outbound"
    pass  out  proto tcp  from any to any port 6346  queue (qP2P)  label "USER_RULE: m_P2P Shareaza outbound"
    pass  out  proto tcp  from any to any port 5190  queue (qP2P)  label "USER_RULE: m_P2P SongSpy outbound"
    pass  out  proto tcp  from any to any port 6699  queue (qP2P)  label "USER_RULE: m_P2P WinMX outbound"
    pass  out  proto udp  from any to any port 27650  queue (qGames)  label "USER_RULE: m_Game DOOM3-1 outbound"
    pass  out  proto udp  from any to any port 27666  queue (qGames)  label "USER_RULE: m_Game DOOM3-2 outbound"
    pass  out  proto tcp  from any to any port 27015  queue (qGames,qACK)  label "USER_RULE: m_Game HL-1 outbound"
    pass  out  proto udp  from any to any port 27650  queue (qGames)  label "USER_RULE: m_Game HL-2 outbound"
    pass  out  proto udp  from any to any port 27666  queue (qGames)  label "USER_RULE: m_Game HL-3 outbound"
    pass  out  proto tcp  from any to any port 27019 >< 27051  queue (qGames,qACK)  label "USER_RULE: m_Game HL2-1 outbound"
    pass  out  proto udp  from any to any port 1200  queue (qGames)  label "USER_RULE: m_Game HL2-2 outbound"
    pass  out  proto udp  from any to any port 26999 >< 27016  queue (qGames)  label "USER_RULE: m_Game HL2-3 outbound"
    pass  out  proto udp  from any to any port 27909 >< 27920  queue (qGames)  label "USER_RULE: m_Game quakeiii outbound"
    pass  out  proto udp  from any to any port 7776 >< 7788  queue (qGames)  label "USER_RULE: m_Game ur1 outbound"
    pass  out  proto tcp  from any to any port 7776 >< 7788  queue (qGames,qACK)  label "USER_RULE: m_Game ur2 outbound"
    pass  out  proto tcp  from any to any port 27960  queue (qGames,qACK)  label "USER_RULE: m_Game WolfET-1 outbound"
    pass  out  proto udp  from any to any port 88  queue (qGames)  label "USER_RULE: m_Game xbox360-1 outbound"
    pass  out  proto udp  from any to any port 3074  queue (qGames)  label "USER_RULE: m_Game xbox360-2 outbound"
    pass  out  proto tcp  from any to any port 3074  queue (qGames,qACK)  label "USER_RULE: m_Game xbox360-3 outbound"
    pass  out  proto tcp  from any to any port 3389  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other MSRDP outbound"
    pass  out  proto tcp  from any to any port 5899 >< 5931  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other VNC outbound"
    pass  out  proto tcp  from any to any port 3283  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other AppleRemoteDesktop1 outbound"
    pass  out  proto tcp  from any to any port 5900  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other AppleRemoteDesktop2 outbound"
    pass  out  proto udp  from any to any port 3283  queue (qOthersHigh)  label "USER_RULE: m_Other AppleRemoteDesktop3 outbound"
    pass  out  proto udp  from any to any port 5900  queue (qOthersHigh)  label "USER_RULE: m_Other AppleRemoteDesktop4 outbound"
    pass  out  proto tcp  from any to any port 5631  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other pcany1 outbound"
    pass  out  proto udp  from any to any port 5632  queue (qOthersHigh)  label "USER_RULE: m_Other pcany2 outbound"
    pass  out  proto tcp  from any to any port 6666 >< 6671  queue (qOthersLow,qACK)  label "USER_RULE: m_Other IRC outbound"
    pass  out  proto tcp  from any to any port 5222  queue (qOthersLow,qACK)  label "USER_RULE: m_Other IRC outbound"
    pass  out  proto tcp  from any to any port 5223  queue (qOthersLow,qACK)  label "USER_RULE: m_Other IRC outbound"
    pass  out  proto tcp  from any to any port 5269  queue (qOthersLow,qACK)  label "USER_RULE: m_Other IRC outbound"
    pass  out  proto tcp  from any to any port 5190  queue (qOthersLow,qACK)  label "USER_RULE: m_Other ICQ1 outbound"
    pass  out  proto udp  from any to any port 5190  queue (qOthersLow)  label "USER_RULE: m_Other ICQ2 outbound"
    pass  out  proto tcp  from any to any port 5190  queue (qOthersLow,qACK)  label "USER_RULE: m_Other AIM outbound"
    pass  out  proto tcp  from any to any port 1863  queue (qOthersLow,qACK)  label "USER_RULE: m_Other MSN1 outbound"
    pass  out  proto tcp  from any to any port 6890 >< 6901  queue (qOthersLow,qACK)  label "USER_RULE: m_Other MSN2 outbound"
    pass  out  proto tcp  from any to any port 6901  queue (qOthersLow,qACK)  label "USER_RULE: m_Other MSN3 outbound"
    pass  out  proto udp  from any to any port 6901  queue (qOthersLow)  label "USER_RULE: m_Other MSN4 outbound"
    pass  out  proto tcp  from any to any port 14534  queue (qOthersLow,qACK)  label "USER_RULE: m_Other teamspeak1 outbound"
    pass  out  proto tcp  from any to any port 51234  queue (qOthersLow,qACK)  label "USER_RULE: m_Other teamspeak2 outbound"
    pass  out  proto udp  from any to any port 8766 >< 8769  queue (qOthersLow)  label "USER_RULE: m_Other teamspeak3 outbound"
    pass  out  proto tcp  from any to any port 1723  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other PPTP outbound"
    pass  out  proto gre  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other PPTPGRE outbound"
    pass  out  proto udp  from any to any port 500  queue (qOthersHigh)  label "USER_RULE: m_Other IPSEC outbound"
    pass  out  proto ah  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other IPSEC outbound"
    pass  out  proto esp  from any to any  queue (qOthersHigh)  label "USER_RULE: m_Other IPSEC outbound"
    pass  out  proto tcp  from any to any port 7999 >< 8101  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other STREAMINGMP3 outbound"
    pass  out  proto tcp  from any to any port 554  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other RTSP1 outbound"
    pass  out  proto tcp  from any to any port 53  queue (qOthersHigh,qACK)  label "USER_RULE: m_Other DNS1 outbound"
    pass  out  proto udp  from any to any port 53  queue (qOthersHigh)  label "USER_RULE: m_Other DNS2 outbound"
    pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 25  label "USER_RULE: NAT SMTP"
    pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 79 >< 82  label "USER_RULE: NAT HTTP"
    pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 22  label "USER_RULE: NAT SSH"
    pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto udp  from any to  192.168.1.5 port 22  label "USER_RULE: NAT SSH"
    pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 21  label "USER_RULE: NAT FTP"
    pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to X.X.X.X port 21  label "USER_RULE: NAT FTP"
    pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 993  label "USER_RULE: NAT SSL"
    pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 143  label "USER_RULE: NAT IMAP"
    pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.1.5 port 443  label "USER_RULE: NAT HTTPs"
    pass  in  quick  on $WAN reply-to ( vr1 X.X.X.X )  proto tcp  from any to  192.168.2.21 port 80  flags S/SA keep state  label "USER_RULE: NAT Webcam"
    pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE"

    LANWANWIRELESSGUEST_VLAN2pptp enc0 array key does not exist for  label "USER_RULE"

    LANWANWIRELESSGUEST_VLAN2pptp l2tp array key does not exist for  label "USER_RULE"

    pass  in  quick  on $WIRELESS  from 192.168.2.1/24 to any keep state  label "USER_RULE"
    pass  in  quick  on $GUEST_VLAN2  from 192.168.3.1/24 to X.X.X.X keep state  dnpipe ( 2, 1)  label "USER_RULE"
    pass  in  quick  on $pptp  from  $VPN_Net to any keep state  label "USER_RULE"

    # VPN Rules

    anchor "tftp-proxy/*"

    # uPnPd

    anchor "miniupnpd"


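    As an added example (not from this thread or from pfSense itself), here is a small Python checker that parses the macro, table and pass lines of a rules.debug dump like the one above and reports what each rule's source actually resolves to. The sample input is constructed from lines in the posted dump; the `from $pptp` rule is hypothetical, since the thread never shows what the "PPTP clients" choice expands to, and is included only to show how pf treats a bare interface or group name in the address position.

```python
import re

# Constructed sample: macro/table/rule lines abridged from the posted
# rules.debug, plus one hypothetical "from $pptp" rule that is NOT in the thread.
SAMPLE = """\
LAN = "{ vr0 }"
pptp = "{ pptp }"
table <sshlockout> persist
table <vpn_net> { 192.168.4.0/24 }
VPN_Net = "<vpn_net>"
pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE"
pass  in  quick  on $pptp  from  $VPN_Net to any keep state  label "USER_RULE"
pass  in  quick  on $pptp  from  $pptp to any keep state  label "USER_RULE: hypothetical"
pass  in  quick  on $pptp  from  any to any keep state  label "USER_RULE: any source"
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
TABLE_RE = re.compile(r'^table\s+<(\w+)>(?:\s+persist)?\s*(?:\{([^}]*)\})?')
RULE_RE = re.compile(r'^pass\s+(in|out)\s+(?:quick\s+)?on\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)')
CIDR_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$')


def parse(text):
    """Collect macros, tables and pass rules from a rules.debug dump."""
    macros, tables, rules = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := MACRO_RE.match(line):
            macros[m[1]] = m[2].strip("{} ")      # '{ vr0 }' -> 'vr0'
        elif m := TABLE_RE.match(line):
            tables[m[1]] = (m[2] or "").split()   # persist-only tables are empty
        elif m := RULE_RE.match(line):
            rules.append(m.groups())              # (dir, iface, src, dst)
    return macros, tables, rules


def classify(src, macros, tables):
    """Return (kind, detail): what a pf source spec actually matches."""
    if src == "any":
        return "any", "every source address"
    if src.startswith("$"):
        src = macros.get(src[1:], src)            # expand $MACRO
    if src.startswith("<"):
        return "table", tables.get(src.strip("<>"), [])
    if CIDR_RE.match(src):
        return "network", [src]
    # Anything else is an interface or interface-group name. In pf a bare
    # interface name in the address position expands to that interface's OWN
    # address(es); the far side of a point-to-point link needs the ":peer"
    # modifier. So on a pptpd link this would not match the connecting client.
    return "interface", src


def report(text):
    """One (iface, source-as-written, kind, detail) tuple per pass rule."""
    macros, tables, rules = parse(text)
    return [(iface, src) + classify(src, macros, tables)
            for _direction, iface, src, _dst in rules]


if __name__ == "__main__":
    for iface, src, kind, detail in report(SAMPLE):
        flag = "  <-- interface address, not clients" if kind == "interface" else ""
        print(f"on {iface:<6} from {src:<16} -> {kind}: {detail}{flag}")
```

    Run it against the real /tmp/rules.debug by reading that file into `report()`; a source that resolves to "interface" is the first thing to compare against the subnet form that the thread reports as working.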



  • Just to confirm that this is an issue. I have the exact same behaviour with

    2.0-BETA4 (amd64)
    built on Wed Nov 17 05:45:58 UTC 2010

    "PPTP clients" does not seem to be working for any firewall rules. Rules specifying the correct IP or IP range works fine.



  • Any word on a fix?



  • I added following rules to firewall:

    • allow TCP PPTP on WAN1/WAN2 (2 rules)
    • allow source: PPTP Clients on LAN iface in/out (2 rules)
    • did some test, telnet to 1723 from outside (port is open)
    • state of connection: established:established
    • PPTP configured as shown in the attached screenshot.

    But it isn't working.




  • ermal: Any update on this?



  • From what I can see it should work correctly!

    Can you do a ifconfig -l group after one of your clients is connected?



  • I'm not sure that ifconfig -l group makes sense. Did you mean ifconfig -g group?

    Here is the output from ifconfig -l
    vr0 vr1 vr2 pfsync0 lo0 pflog0 enc0 vr0_vlan2 pptpd0 pptpd1 pptpd2 pptpd3 pptpd4 pptpd5 pptpd6 pptpd7 pptpd8 pptpd9 ipfw0

    Here is the output from ifconfig -g pptp
    pptpd0

