State of PPTP in 2.0 RC1



  • I'm trying to set up PPTP on 2.0 RC1 and I'm running into one issue after another.  Looking through the known issues http://redmine.pfsense.org/projects/pfsense/issues?query_id=5 there seem to be a large number of PPTP issues currently.  Has anyone been able to get PPTP to work correctly with a recent build of 2.0 RC1?

    Here's what I've found out so far in my attempts to get it to work.

    • In 1.2.3, when you enabled the PPTP server, rules to allow PPTP and GRE traffic on the WAN interface were automatically added.  This currently doesn't seem to be the case, as only after adding the rules manually to the WAN firewall rule set was I able to connect.

    • It doesn't seem to be working with the built-in user manager, even when the user is in a group that has PPTP dial-up access.  I've had to add users and passwords directly to the PPTP user tab.

    • Once connected, traffic only seems to flow from the client to the LAN but not the other way around.  I'm not sure what firewall rule is blocking it, as I don't see anything in the logs.  You can see this behavior in the packet capture below.

    Packet capture while trying to ping a host over the VPN, which results in 100% packet loss.  192.168.169.21 is the VPN client's local IP address and 192.168.169.59 is a host on the internal network.  And the ARP lookup correctly has the pfSense box claiming the IP address.

    
    No.     Time        Source                Destination           Protocol Info
          1 0.000000    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
          2 0.003250    Dell_a5:89:52         Broadcast             ARP      Who has 192.168.169.21?  Tell 192.168.169.59
          3 0.003259    Supermic_8b:61:42     Dell_a5:89:52         ARP      192.168.169.21 is at 00:30:48:8b:61:42
          4 0.003371    192.168.169.59        192.168.169.21        ICMP     Echo (ping) reply
          5 1.299731    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
          6 1.299964    192.168.169.59        192.168.169.21        ICMP     Echo (ping) reply
          7 2.088019    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
          8 2.088218    192.168.169.59        192.168.169.21        ICMP     Echo (ping) reply
          9 3.000451    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
         10 3.000679    192.168.169.59        192.168.169.21        ICMP     Echo (ping) reply
    
    

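    The capture above shows every echo request being answered on the LAN side (and the pfSense MAC answering ARP for the client address), so the replies reach pfSense and disappear somewhere between the LAN interface and the PPTP link. The script below is an added example, not code from the post or from pfSense: it parses summary lines in the layout quoted above, pairs requests with replies per flow, and compares a LAN-side capture with a capture taken on the PPTP interface to say on which leg the replies vanish. LAN_CAPTURE is the capture from the post; PPTP_CAPTURE is a constructed example of what the same ping looks like on the ppp side when the replies never make it into the tunnel.

```python
import re

# Wireshark/tshark summary lines. LAN_CAPTURE is the capture quoted in the post
# (pfSense LAN side). PPTP_CAPTURE is constructed for this example, not from the
# post: the same ping seen on the PPTP interface with no replies coming back.
LAN_CAPTURE = """\
No.     Time        Source                Destination           Protocol Info
      1 0.000000    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
      2 0.003250    Dell_a5:89:52         Broadcast             ARP      Who has 192.168.169.21?  Tell 192.168.169.59
      3 0.003259    Supermic_8b:61:42     Dell_a5:89:52         ARP      192.168.169.21 is at 00:30:48:8b:61:42
      4 0.003371    192.168.169.59        192.168.169.21        ICMP     Echo (ping) reply
      5 1.299731    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
      6 1.299964    192.168.169.59        192.168.169.21        ICMP     Echo (ping) reply
      7 2.088019    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
      8 2.088218    192.168.169.59        192.168.169.21        ICMP     Echo (ping) reply
      9 3.000451    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
     10 3.000679    192.168.169.59        192.168.169.21        ICMP     Echo (ping) reply
"""

PPTP_CAPTURE = """\
No.     Time        Source                Destination           Protocol Info
      1 0.000000    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
      2 1.299700    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
      3 2.087990    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
      4 3.000420    192.168.169.21        192.168.169.59        ICMP     Echo (ping) request
"""

# One summary line: number, time, source, destination, protocol, free-text info.
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<info>.*?)\s*$"
)


def parse_capture(text):
    """Turn summary lines into dicts; the 'No. Time ...' header does not match."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in text.splitlines()) if m]


def echo_flows(packets):
    """Count ICMP echo requests and replies per (client, target) flow.
    A reply from B to A is credited to the flow A->B."""
    flows = {}
    for p in packets:
        if p["proto"] != "ICMP":
            continue
        if "request" in p["info"]:
            key, field = (p["src"], p["dst"]), "requests"
        elif "reply" in p["info"]:
            key, field = (p["dst"], p["src"]), "replies"
        else:
            continue
        flows.setdefault(key, {"requests": 0, "replies": 0})[field] += 1
    return flows


def arp_answers(packets):
    """Map each IP seen in an ARP 'is at' reply to the MAC that claimed it."""
    claims = {}
    for p in packets:
        m = re.match(r"(\S+) is at (\S+)", p["info"]) if p["proto"] == "ARP" else None
        if m:
            claims[m.group(1)] = m.group(2)
    return claims


def localize_drop(lan_text, pptp_text):
    """Per flow, say where the reply path breaks by comparing the LAN-side and
    PPTP-side captures of the same ping."""
    lan = echo_flows(parse_capture(lan_text))
    tun = echo_flows(parse_capture(pptp_text))
    verdicts = {}
    for flow, lan_counts in lan.items():
        tun_counts = tun.get(flow, {"requests": 0, "replies": 0})
        if lan_counts["replies"] == 0:
            verdicts[flow] = "no_reply_on_lan"            # target host never answered
        elif tun_counts["replies"] == 0:
            verdicts[flow] = "dropped_inside_firewall"    # reply seen on LAN, not on ppp
        else:
            verdicts[flow] = "reply_forwarded_to_tunnel"  # look at the client side
    return verdicts


if __name__ == "__main__":
    lan_packets = parse_capture(LAN_CAPTURE)
    print("ARP claims on LAN:", arp_answers(lan_packets))
    for flow, verdict in localize_drop(LAN_CAPTURE, PPTP_CAPTURE).items():
        print(f"{flow[0]} -> {flow[1]}: {verdict}")
```

    To get the two inputs on the box itself, capture ICMP on the LAN interface and on the PPTP interface at the same time (for example with tcpdump -ni <interface> icmp, or the packet capture page in the web GUI) while the client pings. A "dropped_inside_firewall" verdict means the reply reached pfSense but was not put back on the tunnel, which points at the rules on the PPTP interface tab, or at routing/NAT for the PPTP client range, rather than at the WAN rules that only gate the TCP/1723 and GRE control traffic.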

  • OK, an update.  I decided that my pfSense install had been abused enough and decided to nuke my install and reinstall a fresh build using the CD.

    After doing that I didn't have to create any rules on the WAN to allow PPTP or GRE, so the auto-creation of rules is working when the PPTP server is enabled.  Traffic, however, is still not making it back over the tunnel to the clients.

    Any ideas on where to start looking to troubleshoot that one?
    Thanks,
    David



  • Another update.  After I had the initial connection stuff working I continued to reconfigure the system.  And once I configured the OPT WAN, which happens to be my default route, and set up a failover gateway group, the automatic firewall rules appear to no longer be added to the WAN interface's rules.

    Manually adding a rule to allow PPTP traffic to the WAN connection is needed for connections to be made, although it appears as though the GRE rule isn't required.  Outgoing traffic through the tunnel is still being dropped.

    I'm working on narrowing down what exactly it is that's causing this problem to file a bug.



  • Looks like I'm having my own thread here.

    The flow of outbound traffic is working from home on my laptop, but not from my Android phone via the cell network or my home wireless.  I'm not sure what's going on there, but I don't think it's a pfSense issue, as I just tested our other PPTP server and that has the same problem with my phone.  So I guess most of what I was chasing today was a ghost.

    However, I'm still digging into why the PPTP rule is required on the WAN connection and what part of my configuration causes that change in behavior.



  • Ok last post on this one from me unless anyone has any comments or questions.

    If your default route is an OPT WAN port, the automatic PPTP rules do not work properly, so you have to manually allow PPTP traffic to the WAN address for PPTP to work.

    I've filed a bug here: http://redmine.pfsense.org/issues/1360

    I've also found that someone has already filed a bug (feature request) to have the user manager database (local or otherwise) be used as the source for authentication with PPTP here: http://redmine.pfsense.org/issues/1099



  • I've been playing with PPTP and my Android (Droid 2 Global running 2.2 Fission ROM) over the last couple of days.  I have an allow any protocol/any source/any destination rule on the PPTP interface for now.  I also have rules on my LAN interface which permit traffic to/from PPTP clients.  I have the PPTP server/client addresses on the same subnet as my LAN.

    I successfully got PPTP working via my MacBook tethered to my Android, but the native PPTP client on the Android is giving me some heartburn.  It seems like I could get some traffic working (very rarely, through the Opera browser on the phone) but nothing consistent.  PPTP logs indicate a rejected protocol error with each packet, and the firewall is blocking packets sourced from a 10.235.x.x or 10.245.x.x address on the PPTP interface (which is not used on any of my subnets).



  • I too feel your heartburn.  I'm using an Epic 4G; prior to that I was on 2.1, and it wouldn't connect because 2.1 is missing MPPE.  2.2.1 fixed this issue, and I can now connect.  I might get 1-2 minutes of connectivity, and then I get the same errors.  If I try to go to a local webserver on the LAN side, or access pfSense directly, I instantly can no longer access anything.

    Mar 15 20:55:14	pptps: caught fatal signal term
    Mar 15 20:54:30	pptps: [pt0] LCP: protocol 0x00b9 was rejected
    Mar 15 20:54:30	pptps: [pt0] LCP: rec'd Protocol Reject #29 (Opened)
    

    I noticed in the firewall logs that my phone would sometimes show up as the assigned IP, and sometimes show up under the IP given by Sprint (shown as the source).


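    The pptps lines quoted in the post above are the PPP daemon saying the peer sent an LCP Protocol-Reject: per RFC 1661 section 5.7 that is the far end declaring it does not implement the PPP protocol number carried in the rejected frame. The script below is an added example, not code from the post, from pfSense or from mpd: it parses those log lines, pulls out the rejected protocol number, checks it against the RFC 1661 protocol-field rules and ranges, and names it if it is one of the protocols normally seen on a PPTP link. 0x00b9 is not in that small table, so it is reported by number and range only; the script makes no claim about what the Android client was sending.

```python
import re

# The three pptps lines from the post above, used here as constructed sample input.
SAMPLE_LOG = """\
Mar 15 20:55:14\tpptps: caught fatal signal term
Mar 15 20:54:30\tpptps: [pt0] LCP: protocol 0x00b9 was rejected
Mar 15 20:54:30\tpptps: [pt0] LCP: rec'd Protocol Reject #29 (Opened)
"""

# syslog timestamp, program name, optional mpd link name in brackets, message
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<prog>[\w-]+):\s+"
    r"(?:\[(?P<link>[^\]]+)\]\s+)?(?P<msg>.*)$"
)
REJECT_RE = re.compile(r"protocol 0x(?P<code>[0-9a-fA-F]{4}) was rejected")

# PPP protocol numbers (RFC 1661, RFC 1962, RFC 3078, IANA registry) that are
# usually met on a PPTP link; anything else is reported by number.
KNOWN_PROTOCOLS = {
    0x0021: "IP",
    0x0057: "IPv6",
    0x00fd: "compressed datagram (CCP payload, e.g. MPPE)",
    0x8021: "IPCP",
    0x8057: "IPV6CP",
    0x80fd: "CCP",
    0xc021: "LCP",
    0xc023: "PAP",
    0xc223: "CHAP",
    0xc227: "EAP",
}


def is_valid_protocol_field(code):
    """RFC 1661 section 2: the least significant bit of the most significant
    octet must be 0 and the least significant bit of the least significant
    octet must be 1; anything else is a malformed protocol field."""
    return 0 <= code <= 0xFFFF and (code >> 8) & 1 == 0 and code & 1 == 1


def protocol_range(code):
    """RFC 1661 section 2 protocol-field ranges."""
    if code <= 0x3FFF:
        return "network-layer"
    if code <= 0x7FFF:
        return "low-volume-no-ncp"
    if code <= 0xBFFF:
        return "ncp"
    return "lcp-family"


def describe_protocol(code):
    """(name or 'unassigned/unknown', RFC 1661 range) for a protocol number."""
    return KNOWN_PROTOCOLS.get(code, "unassigned/unknown"), protocol_range(code)


def parse_pptps_log(text):
    """One dict per log line: ts, prog, link (None when absent), msg."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]


def rejected_protocols(events):
    """(link, protocol number) for every 'protocol 0x.... was rejected' message."""
    out = []
    for e in events:
        m = REJECT_RE.search(e["msg"])
        if m:
            out.append((e["link"], int(m.group("code"), 16)))
    return out


def diagnose(text):
    """Human-readable report: one line per rejected protocol, one per daemon exit."""
    events = parse_pptps_log(text)
    report = []
    for link, code in rejected_protocols(events):
        name, rng = describe_protocol(code)
        field = "valid" if is_valid_protocol_field(code) else "malformed"
        report.append(f"[{link}] peer rejected 0x{code:04x}: {name} ({rng} range, {field} field)")
    for e in events:
        if "caught fatal signal" in e["msg"]:
            report.append(f"{e['prog']} terminated: {e['msg']}")
    return report


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG):
        print(line)
```

    Run over a longer pptps log, the useful output is the set of rejected numbers per link: if the rejected number is one the server is trying to negotiate (CCP 0x80fd for MPPE, IPCP 0x8021 for addressing), the peer simply does not do that protocol and the link cannot carry data the way the server expects; a number outside the table, as here, is the thing to look up before changing the server side.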
