PPTP rule weirdness
-
I'm not sure what is happening here. Perhaps someone can explain:
PPTP works but clients cannot access anything once connected. Firewall rules issue, right? Read on…
On the PPTP VPN rules tab everything works as long as I have "any" for the source. It breaks once I change the source to "PPTP clients". That is the only rule I have for that tab.
It seems to me that "PPTP clients" should work. Perhaps there is something wrong with the PPTP system alias, or perhaps I am misunderstanding that alias.
Thanks!
-
Some more info:
It also works if I replace "PPTP clients" with the actual IP address of the connecting client or the entire subnet. I'm thinking there is something wrong with the pptp system alias.
This is on latest beta as of today.
Can anyone confirm?
-
Show /tmp/rules.debug and show a picture of your pptp settings.
-
Here you go:
#System aliases
loopback = "{ lo0 }"
LAN = "{ vr0 }"
WAN = "{ vr1 }"
WIRELESS = "{ vr2 }"
GUEST_VLAN2 = "{ vr0_vlan2 }"
pptp = "{ pptp }"
#SSH Lockout Table
table <sshlockout> persist
table <webconfiguratorlockout> persist
#Snort2C table
table <snort2c>
table <virusprot>
# User Aliases
table <vpn_net> { 192.168.4.0/24 }
VPN_Net = "<vpn_net>"
# Gateways
GWGW_WAN = " route-to ( vr1 X.X.X.X ) "
set loginterface vr0
set loginterface vr1
set loginterface vr2
set loginterface vr0_vlan2
set optimization normal
set limit states 23000
set limit src-nodes 23000
set skip on pfsync0
scrub in on $LAN all fragment reassemble
scrub in on $WAN all fragment reassemble
scrub in on $WIRELESS all fragment reassemble
scrub in on $GUEST_VLAN2 all fragment reassemble
altq on vr2 hfsc bandwidth 10Mb queue { qInternet }
queue qInternet on vr2 bandwidth 10Mb hfsc ( ecn , linkshare 10Mb , upperlimit 10Mb ) { qACK, qDefault, qP2P, qVoIP, qGames, qOthersHigh, qOthersLow }
queue qACK on vr2 bandwidth 19.936% hfsc ( ecn , linkshare 19.936% )
queue qDefault on vr2 bandwidth 9.968% hfsc ( ecn , default )
queue qP2P on vr2 bandwidth 4.984% hfsc ( ecn , linkshare 4.984% , upperlimit 4.984% )
queue qVoIP on vr2 bandwidth 32Kb hfsc ( ecn , realtime 19.936% )
queue qGames on vr2 bandwidth 19.936% hfsc ( ecn , linkshare 19.936% )
queue qOthersHigh on vr2 bandwidth 9.968% hfsc ( ecn , linkshare 9.968% )
queue qOthersLow on vr2 bandwidth 4.984% hfsc ( ecn , linkshare 4.984% )
altq on vr0_vlan2 hfsc bandwidth 10Mb queue { qInternet }
queue qInternet on vr0_vlan2 bandwidth 10Mb hfsc ( ecn , linkshare 10Mb , upperlimit 10Mb ) { qACK, qDefault, qP2P, qVoIP, qGames, qOthersHigh, qOthersLow }
queue qACK on vr0_vlan2 bandwidth 19.936% hfsc ( ecn , linkshare 19.936% )
queue qDefault on vr0_vlan2 bandwidth 9.968% hfsc ( ecn , default )
queue qP2P on vr0_vlan2 bandwidth 4.984% hfsc ( ecn , linkshare 4.984% , upperlimit 4.984% )
queue qVoIP on vr0_vlan2 bandwidth 32Kb hfsc ( ecn , realtime 19.936% )
queue qGames on vr0_vlan2 bandwidth 19.936% hfsc ( ecn , linkshare 19.936% )
queue qOthersHigh on vr0_vlan2 bandwidth 9.968% hfsc ( ecn , linkshare 9.968% )
queue qOthersLow on vr0_vlan2 bandwidth 4.984% hfsc ( ecn , linkshare 4.984% )
altq on vr0 hfsc bandwidth 10Mb queue { qInternet }
queue qInternet on vr0 bandwidth 10Mb hfsc ( ecn , linkshare 10Mb , upperlimit 10Mb ) { qACK, qDefault, qP2P, qVoIP, qGames, qOthersHigh, qOthersLow }
queue qACK on vr0 bandwidth 19.936% hfsc ( ecn , linkshare 19.936% )
queue qDefault on vr0 bandwidth 9.968% hfsc ( ecn , default )
queue qP2P on vr0 bandwidth 4.984% hfsc ( ecn , linkshare 4.984% , upperlimit 4.984% )
queue qVoIP on vr0 bandwidth 32Kb hfsc ( ecn , realtime 19.936% )
queue qGames on vr0 bandwidth 19.936% hfsc ( ecn , linkshare 19.936% )
queue qOthersHigh on vr0 bandwidth 9.968% hfsc ( ecn , linkshare 9.968% )
queue qOthersLow on vr0 bandwidth 4.984% hfsc ( ecn , linkshare 4.984% )
altq on vr1 hfsc bandwidth 1.8Mb queue { qACK, qDefault, qP2P, qVoIP, qGames, qOthersHigh, qOthersLow }
queue qACK on vr1 bandwidth 19.644% hfsc ( ecn , linkshare 19.644% )
queue qDefault on vr1 bandwidth 9.822% hfsc ( ecn , default )
queue qP2P on vr1 bandwidth 4.911% hfsc ( ecn , linkshare 4.911% , upperlimit 4.911% )
queue qVoIP on vr1 bandwidth 32Kb hfsc ( ecn , realtime 19.644% )
queue qGames on vr1 bandwidth 19.644% hfsc ( ecn , linkshare 19.644% )
queue qOthersHigh on vr1 bandwidth 9.822% hfsc ( ecn , linkshare 9.822% )
queue qOthersLow on vr1 bandwidth 4.911% hfsc ( ecn , linkshare 4.911% )
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# Outbound NAT rules
nat on $WAN from 192.168.1.0/24 to any -> X.X.X.X/32 port 1024:65535
nat on $WAN from 192.168.2.0/24 to any -> X.X.X.X/32 port 1024:65535
nat on $WAN from 192.168.3.0/24 to any -> X.X.X.X/32 port 1024:65535
nat on $WAN from 192.168.4.0/24 to any -> X.X.X.X/32 port 1024:65535
# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <direct_networks> { 192.168.1.0/24 71.61.184.0/21 192.168.2.0/24 192.168.3.0/24 192.168.4.208/32 }
# NAT Inbound Redirects
rdr on vr1 proto tcp from any to X.X.X.X port 80:81 -> 192.168.1.5
rdr on vr1 proto tcp from any to X.X.X.X port 443 -> 192.168.1.5
rdr on vr1 proto tcp from any to X.X.X.X port 22 -> 192.168.1.5
rdr on vr1 proto udp from any to X.X.X.X port 22 -> 192.168.1.5
rdr on vr1 proto tcp from any to X.X.X.X port 21 -> 192.168.1.5
rdr on vr1 proto tcp from any to X.X.X.X port 25 -> 192.168.1.5
rdr on vr1 proto tcp from any to X.X.X.X port 26 -> 192.168.1.5 port 25
rdr on vr1 proto tcp from any to X.X.X.X port 143 -> 192.168.1.5
rdr on vr1 proto tcp from any to X.X.X.X port 993 -> 192.168.1.5
rdr on vr1 proto tcp from any to X.X.X.X port 83 -> 192.168.2.21 port 80
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
pass in quick on { vr2 } proto tcp from any to { 192.168.2.1 } port { 8000 8001 } keep state(sloppy)
pass out quick on { vr2 } proto tcp from { 192.168.2.1 } port { 8000 8001 } to any keep state(sloppy)
anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# Block all IPv6
block in quick inet6 all
block out quick inet6 all
# snort2c
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
antispoof for vr0
# allow access to DHCP server on LAN
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for vr1
# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof for vr2
# allow access to DHCP server on WIRELESS
pass in on $WIRELESS proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $WIRELESS proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
pass out on $WIRELESS proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for vr0_vlan2
# allow access to DHCP server on GUEST_VLAN2
pass in on $GUEST_VLAN2 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $GUEST_VLAN2 proto udp from any port = 68 to 192.168.3.1 port = 67 label "allow access to DHCP server"
pass out on $GUEST_VLAN2 proto udp from 192.168.3.1 port = 67 to any port = 68 label "allow access to DHCP server"
# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( vr1 X.X.X.X ) from X.X.X.X to !71.61.184.0/21 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on vr0 proto tcp from any to (vr0) port { 80 22 } keep state label "anti-lockout rule"
# PPTPd rules
pass in on $WAN proto tcp from any to X.X.X.X port = 1723 modulate state label "allow pptpd X.X.X.X"
# User-defined rules follow
pass out proto udp from any to any port 5059 >< 5070 queue (qVoIP) label "USER_RULE: m_voip outbound"
pass out proto udp from any to any port 9999 >< 20001 queue (qVoIP) label "USER_RULE: m_voip outbound"
pass out proto tcp from any to any port 7668 queue (qP2P) label "USER_RULE: m_P2P Aimster outbound"
pass out proto tcp from any to any port 6880 >< 7000 queue (qP2P) label "USER_RULE: m_P2P BitTorrent outbound"
pass out proto udp from any to any port 6880 >< 7000 queue (qP2P) label "USER_RULE: m_P2P BitTorrent outbound"
pass out proto tcp from any to any port 7788 queue (qP2P) label "USER_RULE: m_P2P BuddyShare outbound"
pass out proto tcp from any to any port 2340 queue (qP2P) label "USER_RULE: m_P2P CuteMX outbound"
pass out proto tcp from any to any port 6665 >< 6669 queue (qP2P) label "USER_RULE: m_P2P dcc outbound"
pass out proto tcp from any to any port 412 queue (qP2P) label "USER_RULE: m_P2P DirectConnect outbound"
pass out proto tcp from any to any port 1043 >< 1046 queue (qP2P) label "USER_RULE: m_P2P DirectFileExpress outbound"
pass out proto tcp from any to any port 4660 >< 4666 queue (qP2P) label "USER_RULE: m_P2P EDonkey2000 outbound"
pass out proto tcp from any to any port 6346 queue (qP2P) label "USER_RULE: m_P2P Gnutella-TCP outbound"
pass out proto udp from any to any port 6346 queue (qP2P) label "USER_RULE: m_P2P Gnutella-UDP outbound"
pass out proto tcp from any to any port 8037 >< 8040 queue (qP2P) label "USER_RULE: m_P2P grouper outbound"
pass out proto tcp from any to any port 28863 >< 28866 queue (qP2P) label "USER_RULE: m_P2P hotComm outbound"
pass out proto tcp from any to any port 5499 >< 5504 queue (qP2P) label "USER_RULE: m_P2P HotlineConnect outbound"
pass out proto tcp from any to any port 4329 queue (qP2P) label "USER_RULE: m_P2P iMesh outbound"
pass out proto tcp from any to any port 6698 >< 6702 queue (qP2P) label "USER_RULE: m_P2P Napster outbound"
pass out proto tcp from any to any port 8887 >< 8890 queue (qP2P) label "USER_RULE: m_P2P OpenNap outbound"
pass out proto tcp from any to any port 8311 queue (qP2P) label "USER_RULE: m_P2P Scour outbound"
pass out proto tcp from any to any port 6346 queue (qP2P) label "USER_RULE: m_P2P Shareaza outbound"
pass out proto tcp from any to any port 5190 queue (qP2P) label "USER_RULE: m_P2P SongSpy outbound"
pass out proto tcp from any to any port 6699 queue (qP2P) label "USER_RULE: m_P2P WinMX outbound"
pass out proto udp from any to any port 27650 queue (qGames) label "USER_RULE: m_Game DOOM3-1 outbound"
pass out proto udp from any to any port 27666 queue (qGames) label "USER_RULE: m_Game DOOM3-2 outbound"
pass out proto tcp from any to any port 27015 queue (qGames,qACK) label "USER_RULE: m_Game HL-1 outbound"
pass out proto udp from any to any port 27650 queue (qGames) label "USER_RULE: m_Game HL-2 outbound"
pass out proto udp from any to any port 27666 queue (qGames) label "USER_RULE: m_Game HL-3 outbound"
pass out proto tcp from any to any port 27019 >< 27051 queue (qGames,qACK) label "USER_RULE: m_Game HL2-1 outbound"
pass out proto udp from any to any port 1200 queue (qGames) label "USER_RULE: m_Game HL2-2 outbound"
pass out proto udp from any to any port 26999 >< 27016 queue (qGames) label "USER_RULE: m_Game HL2-3 outbound"
pass out proto udp from any to any port 27909 >< 27920 queue (qGames) label "USER_RULE: m_Game quakeiii outbound"
pass out proto udp from any to any port 7776 >< 7788 queue (qGames) label "USER_RULE: m_Game ur1 outbound"
pass out proto tcp from any to any port 7776 >< 7788 queue (qGames,qACK) label "USER_RULE: m_Game ur2 outbound"
pass out proto tcp from any to any port 27960 queue (qGames,qACK) label "USER_RULE: m_Game WolfET-1 outbound"
pass out proto udp from any to any port 88 queue (qGames) label "USER_RULE: m_Game xbox360-1 outbound"
pass out proto udp from any to any port 3074 queue (qGames) label "USER_RULE: m_Game xbox360-2 outbound"
pass out proto tcp from any to any port 3074 queue (qGames,qACK) label "USER_RULE: m_Game xbox360-3 outbound"
pass out proto tcp from any to any port 3389 queue (qOthersHigh,qACK) label "USER_RULE: m_Other MSRDP outbound"
pass out proto tcp from any to any port 5899 >< 5931 queue (qOthersHigh,qACK) label "USER_RULE: m_Other VNC outbound"
pass out proto tcp from any to any port 3283 queue (qOthersHigh,qACK) label "USER_RULE: m_Other AppleRemoteDesktop1 outbound"
pass out proto tcp from any to any port 5900 queue (qOthersHigh,qACK) label "USER_RULE: m_Other AppleRemoteDesktop2 outbound"
pass out proto udp from any to any port 3283 queue (qOthersHigh) label "USER_RULE: m_Other AppleRemoteDesktop3 outbound"
pass out proto udp from any to any port 5900 queue (qOthersHigh) label "USER_RULE: m_Other AppleRemoteDesktop4 outbound"
pass out proto tcp from any to any port 5631 queue (qOthersHigh,qACK) label "USER_RULE: m_Other pcany1 outbound"
pass out proto udp from any to any port 5632 queue (qOthersHigh) label "USER_RULE: m_Other pcany2 outbound"
pass out proto tcp from any to any port 6666 >< 6671 queue (qOthersLow,qACK) label "USER_RULE: m_Other IRC outbound"
pass out proto tcp from any to any port 5222 queue (qOthersLow,qACK) label "USER_RULE: m_Other IRC outbound"
pass out proto tcp from any to any port 5223 queue (qOthersLow,qACK) label "USER_RULE: m_Other IRC outbound"
pass out proto tcp from any to any port 5269 queue (qOthersLow,qACK) label "USER_RULE: m_Other IRC outbound"
pass out proto tcp from any to any port 5190 queue (qOthersLow,qACK) label "USER_RULE: m_Other ICQ1 outbound"
pass out proto udp from any to any port 5190 queue (qOthersLow) label "USER_RULE: m_Other ICQ2 outbound"
pass out proto tcp from any to any port 5190 queue (qOthersLow,qACK) label "USER_RULE: m_Other AIM outbound"
pass out proto tcp from any to any port 1863 queue (qOthersLow,qACK) label "USER_RULE: m_Other MSN1 outbound"
pass out proto tcp from any to any port 6890 >< 6901 queue (qOthersLow,qACK) label "USER_RULE: m_Other MSN2 outbound"
pass out proto tcp from any to any port 6901 queue (qOthersLow,qACK) label "USER_RULE: m_Other MSN3 outbound"
pass out proto udp from any to any port 6901 queue (qOthersLow) label "USER_RULE: m_Other MSN4 outbound"
pass out proto tcp from any to any port 14534 queue (qOthersLow,qACK) label "USER_RULE: m_Other teamspeak1 outbound"
pass out proto tcp from any to any port 51234 queue (qOthersLow,qACK) label "USER_RULE: m_Other teamspeak2 outbound"
pass out proto udp from any to any port 8766 >< 8769 queue (qOthersLow) label "USER_RULE: m_Other teamspeak3 outbound"
pass out proto tcp from any to any port 1723 queue (qOthersHigh,qACK) label "USER_RULE: m_Other PPTP outbound"
pass out proto gre from any to any queue (qOthersHigh) label "USER_RULE: m_Other PPTPGRE outbound"
pass out proto udp from any to any port 500 queue (qOthersHigh) label "USER_RULE: m_Other IPSEC outbound"
pass out proto ah from any to any queue (qOthersHigh) label "USER_RULE: m_Other IPSEC outbound"
pass out proto esp from any to any queue (qOthersHigh) label "USER_RULE: m_Other IPSEC outbound"
pass out proto tcp from any to any port 7999 >< 8101 queue (qOthersHigh,qACK) label "USER_RULE: m_Other STREAMINGMP3 outbound"
pass out proto tcp from any to any port 554 queue (qOthersHigh,qACK) label "USER_RULE: m_Other RTSP1 outbound"
pass out proto tcp from any to any port 53 queue (qOthersHigh,qACK) label "USER_RULE: m_Other DNS1 outbound"
pass out proto udp from any to any port 53 queue (qOthersHigh) label "USER_RULE: m_Other DNS2 outbound"
pass in quick on $WAN reply-to ( vr1 X.X.X.X ) proto tcp from any to 192.168.1.5 port 25 label "USER_RULE: NAT SMTP"
pass in quick on $WAN reply-to ( vr1 X.X.X.X ) proto tcp from any to 192.168.1.5 port 79 >< 82 label "USER_RULE: NAT HTTP"
pass in quick on $WAN reply-to ( vr1 X.X.X.X ) proto tcp from any to 192.168.1.5 port 22 label "USER_RULE: NAT SSH"
pass in quick on $WAN reply-to ( vr1 X.X.X.X ) proto udp from any to 192.168.1.5 port 22 label "USER_RULE: NAT SSH"
pass in quick on $WAN reply-to ( vr1 X.X.X.X ) proto tcp from any to 192.168.1.5 port 21 label "USER_RULE: NAT FTP"
pass in quick on $WAN reply-to ( vr1 X.X.X.X ) proto tcp from any to X.X.X.X port 21 label "USER_RULE: NAT FTP"
pass in quick on $WAN reply-to ( vr1 X.X.X.X ) proto tcp from any to 192.168.1.5 port 993 label "USER_RULE: NAT SSL"
pass in quick on $WAN reply-to ( vr1 X.X.X.X ) proto tcp from any to 192.168.1.5 port 143 label "USER_RULE: NAT IMAP"
pass in quick on $WAN reply-to ( vr1 X.X.X.X ) proto tcp from any to 192.168.1.5 port 443 label "USER_RULE: NAT HTTPs"
pass in quick on $WAN reply-to ( vr1 X.X.X.X ) proto tcp from any to 192.168.2.21 port 80 flags S/SA keep state label "USER_RULE: NAT Webcam"
pass in quick on $LAN from 192.168.1.0/24 to any keep state label "USER_RULE"
LANWANWIRELESSGUEST_VLAN2pptp enc0 array key does not exist for label "USER_RULE"
LANWANWIRELESSGUEST_VLAN2pptp l2tp array key does not exist for label "USER_RULE"
pass in quick on $WIRELESS from 192.168.2.1/24 to any keep state label "USER_RULE"
pass in quick on $GUEST_VLAN2 from 192.168.3.1/24 to X.X.X.X keep state dnpipe ( 2, 1) label "USER_RULE"
pass in quick on $pptp from $VPN_Net to any keep state label "USER_RULE"
# VPN Rules
anchor "tftp-proxy/*"
# uPnPd
anchor "miniupnpd"
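Added example by the editor, not code from this thread or from pfSense: a small resolver for a /tmp/rules.debug dump that expands the $macro and <table> references on every filter rule bound to a chosen interface macro, so you see the literal source pf matched on rather than the alias name shown in the GUI. The embedded sample is constructed from the macro, table and rule lines of the dump above, plus one hypothetical rule with `from $pptp` that does not appear in the post. Per pf.conf(5), an interface or interface-group name used in an address position is translated to the addresses configured on that interface, so the check flags a source that resolves to an interface name instead of a network or table; it reports that difference and does not claim to be the cause of the behaviour reported here.

```python
import re

# Constructed sample (not the full dump): the macro, table and rule lines
# relevant to the pptp interface, lifted from the rules.debug above, plus one
# hypothetical rule with "from $pptp" that does NOT appear in the post; it is
# here only to show how such a source resolves.
SAMPLE_RULES_DEBUG = """\
#System aliases
loopback = "{ lo0 }"
LAN = "{ vr0 }"
WAN = "{ vr1 }"
pptp = "{ pptp }"
#SSH Lockout Table
table <sshlockout> persist
# User Aliases
table <vpn_net> { 192.168.4.0/24 }
VPN_Net = "<vpn_net>"
block in log all label "Default deny rule"
pass in quick on $LAN from 192.168.1.0/24 to any keep state label "USER_RULE"
pass in quick on $pptp from $VPN_Net to any keep state label "USER_RULE"
pass in quick on $pptp from $pptp to any keep state label "hypothetical"
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
TABLE_RE = re.compile(r'^table\s+<(\w+)>\s*(?:persist)?\s*(?:\{([^}]*)\})?')
RULE_RE = re.compile(r'^(?:pass|block)\b')
ON_RE = re.compile(r'\bon\s+(\S+)')
FROM_RE = re.compile(r'\bfrom\s+(\{[^}]*\}|\S+)')


def parse_rules_debug(text):
    """Split a rules.debug dump into macro definitions, tables and filter rules."""
    macros, tables, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        m = TABLE_RE.match(line)
        if m:
            tables[m.group(1)] = (m.group(2) or "").split()
            continue
        if RULE_RE.match(line):
            rules.append(line)
    return macros, tables, rules


def expand(token, macros, tables, depth=0):
    """Resolve a $macro or <table> reference to the list of items pf would see."""
    if depth > 8:
        raise ValueError("macro recursion too deep: %r" % token)
    if token.startswith("$"):
        name = token[1:]
        if name not in macros:
            raise KeyError("undefined macro $%s" % name)
        return expand(macros[name], macros, tables, depth + 1)
    if token.startswith("<") and token.endswith(">"):
        return list(tables.get(token[1:-1], []))  # unknown table: empty set
    items = token.strip("{} ").split()
    return items if items else [token]


def is_address(item):
    """True for 'any' or a literal IP/CIDR; False for an interface or group
    name, which pf translates to the addresses configured ON that interface."""
    bare = item.lstrip("!")
    return bare == "any" or bare[:1].isdigit()


def rules_on_interface(text, iface_macro):
    """For every filter rule bound to $iface_macro, report the expanded source
    and whether it is a real address set or just an interface name."""
    macros, tables, rules = parse_rules_debug(text)
    want = set(expand("$" + iface_macro, macros, tables))
    report = []
    for rule in rules:
        on = ON_RE.search(rule)
        if not on or set(expand(on.group(1), macros, tables)) != want:
            continue
        frm = FROM_RE.search(rule)
        source = expand(frm.group(1), macros, tables) if frm else ["any"]
        report.append({
            "rule": rule,
            "source": source,
            "source_is_interface": not all(is_address(s) for s in source),
        })
    return report


if __name__ == "__main__":
    for r in rules_on_interface(SAMPLE_RULES_DEBUG, "pptp"):
        kind = "interface name, not client addresses" if r["source_is_interface"] else "address set"
        print("%s\n    source -> %s (%s)" % (r["rule"], " ".join(r["source"]), kind))
```

To use it on a live box, replace SAMPLE_RULES_DEBUG with the contents of your own /tmp/rules.debug and pass the interface macro you are debugging; the two pptp rules in the sample show the difference between a source that resolves to 192.168.4.0/24 and one that resolves only to the group name pptp.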
-
Just to confirm that this is an issue. I have the exact same behaviour with
2.0-BETA4 (amd64)
built on Wed Nov 17 05:45:58 UTC 2010
"PPTP clients" does not seem to be working for any firewall rules. Rules specifying the correct IP or IP range work fine.
-
Any word on a fix?
-
I added the following rules to the firewall:
- allow TCP PPTP on WAN1/WAN2 (2 rules)
- allow source: PPTP Clients on LAN iface in/out (2 rules)
- did some tests, telnet to 1723 from outside (port is open)
- state of connection: established:established
- PPTP configured as in the attached screen.
But it isn't working.
-
ermal: Any update on this?
-
From what I can see it should work correctly!
Can you do a ifconfig -l group after one of your clients is connected?
-
I'm not sure that ifconfig -l group makes sense. Did you mean ifconfig -g group?
Here is the output from ifconfig -l
vr0 vr1 vr2 pfsync0 lo0 pflog0 enc0 vr0_vlan2 pptpd0 pptpd1 pptpd2 pptpd3 pptpd4 pptpd5 pptpd6 pptpd7 pptpd8 pptpd9 ipfw0
Here is the output from ifconfig -g pptp
pptpd0