PPTP WAN (still) issue (MTU and fragmentation) going from 1.2.3 to 2.0RC3



  • Hello,

    When I take my working 1.2.3 config (using PPTP on the WAN side) and upgrade to 2.0RC3, things (most notably, my browser; both firefox & IE) are broken. Only after I change the MTU of the tunnel (under the WAN interface's advanced settings) to 1436 do things start to work again.

    Also, in 1.2.3, I could do a ping with a payload > the MTU (i.e. fragmentation would work properly).
    e.g. ping -l 5000 ping.xs4all.nl would work just fine.

    In 2.0RC3 (regardless of leaving the MTU default or setting it to 1436) the same ping command fails and I cannot ping a single byte beyond the above mentioned 1436.

    (BTW, all of this is using windows XP; I've also tried ubuntu 10.10 with similar results)

    Would seem there is some MTU / fragmentation issue in the PPTP WAN implementation on 2.0RC3. Anything I can do to troubleshoot this any further?

    rgds,
    A.



  • Can yo please post the generated /tmp/rules.debug?



  • Here you go (I did scrub some of the IP addresses by resetting the last two octets to 1)

    $ cat /tmp/rules.debug
    #System aliases

    loopback = "{ lo0 }"
    LAN = "{ em0 }"
    WAN = "{ pptp0 }"
    LAN_V = "{ em0_vlan10 }"
    WIFI_V = "{ em0_vlan20 }"
    DMZ_V = "{ em0_vlan30 }"
    HOMEPLUG_V = "{ em0_vlan40 }"
    INTERNAL_V = "{ em0_vlan50 }"

    #SSH Lockout Table
    table <sshlockout>persist
    table <webconfiguratorlockout>persist
    #pfSnortSam tables
    table <snort2c>table <pfsnortsamout>table <pfsnortsamin>table <virusprot># User Aliases
    table <privatehost_dmz>{  172.18.30.1 }
    PrivateHost_DMZ = "<privatehost_dmz>"
    table <privatenet>{  172.18.0.0/16 }
    PrivateNet = "<privatenet>"
    table <publichosta>{  80.101.1.1 }
    PublicHostA = "<publichosta>"
    table <publichostleg>{  86.95.1.1 }
    PublicHostLeG = "<publichostleg>"
    table <publichostpef>{  87.210.1.1 }
    PublicHostPeF = "<publichostpef>"
    table <publichostz>{  81.205.1.1 }
    PublicHostZ = "<publichostz>"

    Gateways

    GWWAN = " route-to ( pptp0 194.109.5.219 ) "

    set loginterface em0
    set optimization normal
    set limit states 299000
    set limit src-nodes 299000

    set skip on pfsync0

    scrub in on $LAN all    fragment reassemble
    scrub in on $WAN all    fragment reassemble
    scrub in on $LAN_V all    fragment reassemble
    scrub in on $WIFI_V all    fragment reassemble
    scrub in on $DMZ_V all    fragment reassemble
    scrub in on $HOMEPLUG_V all    fragment reassemble
    scrub in on $INTERNAL_V all    fragment reassemble

    nat-anchor "natearly/"
    nat-anchor "natrules/
    "

    Outbound NAT rules

    Subnets to NAT

    table <tonatsubnets>{ 192.168.254.0/24 172.18.10.0/24 172.18.20.0/24 172.18.30.0/24 172.18.40.0/24 172.18.50.0/24 127.0.0.0/8  }
    nat on $WAN  from <tonatsubnets>port 500 to any port 500 -> 80.101.1.1/32 port 500 
    nat on $WAN  from <tonatsubnets>to any -> 80.101.1.1/32 port 1024:65535

    Load balancing anchor

    rdr-anchor "relayd/*"

    TFTP proxy

    rdr-anchor "tftp-proxy/*"
    table <direct_networks>{ 192.168.254.0/24 80.101.1.1/32 172.18.10.0/24 172.18.20.0/24 172.18.30.0/24 172.18.40.0/24 172.18.50.0/24 }

    NAT Inbound Redirects

    rdr on pptp0 proto { tcp udp } from any to 80.101.1.1 port 61799 -> $PrivateHost_DMZ
    rdr on pptp0 proto { tcp udp } from any to 80.101.1.1 port 21 -> $PrivateHost_DMZ
    rdr on pptp0 proto { tcp udp } from any to 80.101.1.1 port 990 -> $PrivateHost_DMZ

    UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    anchor "relayd/*"
    #–-------------------------------------------------------------------------

    default deny rules

    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"

    We use the mighty pf, we cannot be fooled.

    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    Block all IPv6

    block in quick inet6 all
    block out quick inet6 all

    pfSnortSam

    block quick from <snort2c>to any label "Block snort2c hosts"
    block quick from any to <snort2c>label "Block snort2c hosts"
    block quick from <pfsnortsamout>to any label "Block pfSnortSamOut hosts"
    block quick from any to <pfsnortsamin>label "Block pfSnortSamIn hosts"

    SSH lockout

    block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"

    webConfigurator lockout

    block in log quick proto tcp from <webconfiguratorlockout>to any port 80 label "webConfiguratorlockout"
    block in quick from <virusprot>to any label "virusprot overload table"
    antispoof for em0

    allow access to DHCP server on LAN

    pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN proto udp from any port = 68 to 192.168.254.254 port = 67 label "allow access to DHCP server"
    pass out on $LAN proto udp from 192.168.254.254 port = 67 to any port = 68 label "allow access to DHCP server"
    antispoof for pptp0

    allow PPTP client

    pass in on $WAN proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client on WAN"
    pass in on $WAN proto gre from any to any keep state label "allow PPTP client on WAN"
    antispoof for em0_vlan10

    allow access to DHCP server on LAN_V

    pass in on $LAN_V proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN_V proto udp from any port = 68 to 172.18.10.254 port = 67 label "allow access to DHCP server"
    pass out on $LAN_V proto udp from 172.18.10.254 port = 67 to any port = 68 label "allow access to DHCP server"
    antispoof for em0_vlan20
    antispoof for em0_vlan30

    allow access to DHCP server on DMZ_V

    pass in on $DMZ_V proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $DMZ_V proto udp from any port = 68 to 172.18.30.254 port = 67 label "allow access to DHCP server"
    pass out on $DMZ_V proto udp from 172.18.30.254 port = 67 to any port = 68 label "allow access to DHCP server"
    antispoof for em0_vlan40
    antispoof for em0_vlan50

    loopback

    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"

    let out anything from the firewall host itself and decrypted IPsec traffic

    pass out all keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( pptp0 194.109.5.219 ) from 80.101.1.1 to !80.101.1.1/32 keep state allow-opts label "let out anything from firewall host itself"

    make sure the user cannot lock himself out of the webConfigurator or SSH

    pass in quick on em0 proto tcp from any to (em0) port { 80 22 } keep state label "anti-lockout rule"

    User-defined rules follow

    pass  in  quick  on $WAN reply-to ( pptp0 194.109.5.219 )  proto { tcp udp }  from any to  $PrivateHost_DMZ port 61799  keep state  label "USER_RULE: NAT bittorrent"
    pass  in  quick  on $WAN reply-to ( pptp0 194.109.5.219 )  proto { tcp udp }  from  $PublicHostPeF to  $PrivateHost_DMZ port 990  keep state  label "USER_RULE: NAT SFTP"
    pass  in  quick  on $WAN reply-to ( pptp0 194.109.5.219 )  proto { tcp udp }  from  $PublicHostLeG to  $PrivateHost_DMZ port 990  keep state  label "USER_RULE: NAT SFTP"
    pass  in  quick  on $WAN reply-to ( pptp0 194.109.5.219 )  proto { tcp udp }  from  $PublicHostZ to  $PrivateHost_DMZ port 990  keep state  label "USER_RULE: NAT SFTP"
    pass  in  quick  on $LAN  from 192.168.254.0/24 to any keep state  label "USER_RULE: Default LAN -> any"
    pass  in  quick  on $LAN_V  from any to any keep state  label "USER_RULE: pass LAN_V to ANY"
    pass  in  quick  on $DMZ_V  from any to any keep state  label "USER_RULE: pass any.."
    pass  in  quick  on $DMZ_V  proto { tcp udp }  from any to  172.18.30.254 port 53  keep state  label "USER_RULE: pass DNS"
    pass  in  quick  on $DMZ_V  from any to  ! $PrivateNet keep state  label "USER_RULE: pass ANY to OUTSIDE local network"

    VPN Rules

    anchor "tftp-proxy/*"</virusprot></webconfiguratorlockout></sshlockout></pfsnortsamin></pfsnortsamout></snort2c></snort2c></direct_networks></tonatsubnets></tonatsubnets></tonatsubnets></publichostz></publichostz></publichostpef></publichostpef></publichostleg></publichostleg></publichosta></publichosta></privatenet></privatenet></privatehost_dmz></privatehost_dmz></virusprot></pfsnortsamin></pfsnortsamout></snort2c></webconfiguratorlockout></sshlockout>



  • Here is a me to.

    on 2.0RC3 of today, no or limited traffic is passed through.
    I can do normal pings, but can not browse most sites, but some sites do work.

    www.freshports.org, www.freebsd.org works, the site distrowatch.com for example does not work.

    If i replace the 2.0RC3 firewall with the old 1.2.3 firewall, all is fine again.

    My modem has ip 10.0.0.138, the WAN (vr1) interface has 10.0.0.100
    In the logs there are a lot of drops on vr1

    block
            Jul 14 13:51:17 vr1 10.0.0.138 10.0.0.100 GRE
    block
    Jul 14 13:51:17 vr1 10.0.0.138 10.0.0.100 GRE
    block
    Jul 14 13:51:17 vr1 10.0.0.138 10.0.0.100 GRE

    Even after setting allow rules on the WAN interface from 10.0.0.100 protocol any to 10.0.0.138 and visa versa.

    Also with the mtu on 1436 no go.

    This is on two of the tested sites i have.

    regards,
    Johan



  • There is a mss-clamp under system advanced. Does that help here?



  • Actually some 'clever' guy enabled multilink by default on pptp links.
    Can you please confirm that removing multilink from interfaces->ppp, on your connection, fixes the issue?



  • Just tried both the MSS clamping (setting it to e.g. 1400) and removing the multilink (didn't seem to be on by default b.t.w. - only em1, which is my wan, was highlighted).

    Unfortunately this didn't seem to work. I'll try again over the weekend with a fresh(er) install



  • @ermal:

    Actually some 'clever' guy enabled multilink by default on pptp links.
    Can you please confirm that removing multilink from interfaces->ppp, on your connection, fixes the issue?

    I got the same problem connecting my Android to my LAN via PPTP but after I changed MTU to 1436 (WAN) it started to work. All data is routed from my Android via my LAN to Internet.

    I does not how ever any PPP under Interfaces (or PPTP). Should I really have that after I created a PPTP VPN server?



  • With the snapshot of today, still the same issue.

    I can not find the multilink option under interfaces ppp !

    regards,
    Johan



  • Downloaded the lataest 2.0 RC update file today.

    But still the same issue, MTU settings 1436, 1400  but no web page will load, or some partitialy and some do not.
    Ping to the sites work.

    these i see a lot in the firewall log file
    block
    Aug 16 14:28:50 vr1 10.0.0.138 10.0.0.100 GRE
    block
    Aug 16 14:28:50 vr1 10.0.0.138 10.0.0.100 GRE

    where 10.0.0.138 is the adsl modem, and 10.0.0.100 is the WAN interface.

    If i use the old 1.2.3 pfsense all is working well

    Thuersday i will reboot it to factory defaults and try if i can make it work from an fresh start.

    regards,
    Johan



  • Well using a new installed system does not work either.

    same logs 10.0.0.138 to 10.0.0.100 GRE dropped on vr1 (it is a soekriss 5501 running the i386 nanoimage).

    This is getting a little frustrating.

    I can use whatever verion of pfsense before2.0 and it works.
    I can use any version of monowall and it works.
    I can put my windows pc behind it install the nessasy pptp tools and it works
    But pfsense 2.0 does not cope with it.

    We have some branch offices who use this, all with pfsense 1.2.3
    Our fiber is is also on pfsense 1.2.3, but i am getting a little reluctent to use version 2.

    I hope someone will look at this, because for us this is a showstopper.

    regards
    Johan Hendriks



  • This is the output of /tmp/rules.debug
    It is set to factory defaults, just to try.

    #System aliases
    
    loopback = "{ lo0 }"
    WAN = "{ pptp1 }"
    LAN = "{ vr0 }"
    
    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #pfSnortSam tables
    table <snort2c>
    
    table <virusprot>
    
    # User Aliases 
    
    # Gateways
    GWWAN = " route-to ( pptp1 195.190.242.11 ) "
    
    set loginterface vr0
    set optimization normal
    set limit states 48000
    set limit src-nodes 48000
    
    set skip on pfsync0
    
    scrub in on $WAN all    fragment reassemble
    scrub in on $LAN all    fragment reassemble
    
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    # Outbound NAT rules
    
    # Subnets to NAT 
    tonatsubnets	= "{ 192.168.1.0/24 127.0.0.0/8  }"
    nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 213.84.84.84/32 port 500  
    nat on $WAN  from $tonatsubnets to any -> 213.84.84.84/32 port 1024:65535  
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    table <direct_networks> { 213.84.84.84/32 192.168.1.0/24 }
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"
    
    # We use the mighty pf, we cannot be fooled.
    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0
    
    # Block all IPv6
    block in quick inet6 all
    block out quick inet6 all
    
    # pfSnortSam
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    block quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
    block quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout> to any port 443 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    antispoof for pptp1
    # allow PPTP client
    pass in on $WAN proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client on WAN"
    pass in on $WAN proto gre from any to any keep state label "allow PPTP client on WAN"
    antispoof for vr0
    
    # loopback
    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out all keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( pptp1 195.190.242.11 ) from 213.84.84.84 to !213.84.84.84/32 keep state allow-opts label "let out anything from firewall host itself"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in quick on vr0 proto tcp from any to (vr0) port { 80 443  22 } keep state label "anti-lockout rule"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    pass  in  quick  on $WAN reply-to ( pptp1 195.190.242.11 )  from any to any keep state  label "USER_RULE"
    pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
    
    # VPN Rules
    anchor "tftp-proxy/*"</virusprot></webconfiguratorlockout></sshlockout></pfsnortsamin></pfsnortsamout></snort2c></snort2c></direct_networks></virusprot></snort2c></webconfiguratorlockout></sshlockout>
    

    This is /tmp.rules.debug on the working 1.2.3 system (relevant part for as far i know)

    
    # System Aliases 
    loopback = "{ lo0 }"
    lan = "{ vr0  }"
    ng0 = "{ vr1 ng0 }" 
    wan = "{ vr1 ng0  }"
    enc0 = "{ enc0 }"
    pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 ng15 ng16 }" 
    WLAN = "{ vr2 }"
    # User Aliases 
    
    set loginterface vr1
    set loginterface vr0
    set loginterface vr2
    set optimization normal
    
    set skip on pfsync0
    scrub all random-id  fragment reassemble
    
    nat-anchor "pftpx/*"
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    # FTP proxy
    rdr-anchor "pftpx/*"
    
    # Outbound NAT rules
    nat on $ng0 from 192.168.1.0/24 port 500 to any port 500 -> (ng0) port 500
    nat on $ng0 from 192.168.1.0/24 port 5060 to any port 5060 -> (ng0) port 5060
    nat on $ng0 from 192.168.1.0/24 to any -> (ng0) port 1024:65535
    nat on $ng0 from 192.168.1.208/28 port 500 to any port 500 -> (ng0) port 500
    nat on $ng0 from 192.168.1.208/28 port 5060 to any port 5060 -> (ng0) port 5060
    nat on $ng0 from 192.168.1.208/28 to any -> (ng0) port 1024:65535
    
    #SSH Lockout Table
    table <sshlockout>persist
    
    # Load balancing anchor - slbd updates
    rdr-anchor "slb"
    
    # FTP Proxy/helper
    table <vpns>{   }
    no rdr on vr0 proto tcp from any to <vpns>port 21
    rdr on vr0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    no rdr on vr2 proto tcp from any to <vpns>port 21
    rdr on vr2 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
    
    # NAT Inbound Redirects
    
    # IMSpector rdr anchor
    rdr-anchor "imspector"
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "ftpsesame/*" 
    anchor "firewallrules"
    
    # We use the mighty pf, we cannot be fooled.
    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0
    
    # snort2c
    table <snort2c>persist
    block quick from <snort2c>to any label "Block snort2c hosts"
    block quick from any to <snort2c>label "Block snort2c hosts"
    # Block all IPv6
    block in quick inet6 all
    block out quick inet6 all
    # loopback
    anchor "loopback"
    pass in quick on $loopback all label "pass loopback"
    pass out quick on $loopback all label "pass loopback"
    
    # package manager early specific hook
    anchor "packageearly"
    
    # carp
    anchor "carp"
    
    # permit wan interface to ping out (ping_hosts.sh)
    pass quick proto icmp from 213.84.84.84 to any keep state
    
    # NAT Reflection rules
    
    # allow PPTP client
    anchor "pptpclient"
    pass in quick on $wan proto gre from any to any modulate state label "allow PPTP client"
    pass in quick on $wan proto gre from any to any modulate state label "allow PPTP client"
    pass in quick on $wan proto tcp from any port = 1723 to any flags S/SA modulate state label "allow PPTP client"
    pass in quick on $wan proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client"
    block in log quick on $wan proto udp from any port = 67 to 192.168.1.0/24 port = 68 label "block dhcp client out wan"
    
    # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
    antispoof for vr0
    antispoof for vr2
    
    anchor "spoofing"
    # Support for allow limiting of TCP connections by establishment rate
    anchor "limitingesr"
    table <virusprot>block in quick from <virusprot>to any label "virusprot overload table"
    
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    anchor "wanbogons"
    table <bogons>persist file "/etc/bogons"
    block in log quick on $wan from <bogons>to any label "block bogon networks from wan"
    
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
    pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
    
    # tcp.closed 5 is a workaround for load balancing, squid and a few other issues.
    # ticket (FEN-857512) in centipede tracker.
    pass out quick on ng0 all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
    # pass traffic from firewall -> out
    anchor "firewallout"
    pass out quick on vr1 all keep state label "let out anything from firewall host itself"
    pass out quick on vr0 all keep state label "let out anything from firewall host itself"
    pass out quick on vr2 all keep state label "let out anything from firewall host itself"
    pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp"
    pass out quick on $enc0 keep state label "IPSEC internal host to host"
    
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out quick on vr2 proto icmp keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
    pass out quick on $WLAN all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
    
    # make sure the user cannot lock himself out of the webGUI or SSH
    anchor "anti-lockout"
    pass in quick on vr0 from any to 192.168.1.250 keep state label "anti-lockout web rule"
    
    # PPTPd rules
    anchor "pptp"
    pass in quick on $wan proto gre from any to 213.84.84.84 keep state label "allow gre pptpd"
    pass in quick on $wan proto tcp from any to 213.84.84.84 port = 1723 modulate state label "allow pptpd 213.84.84.186"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"
    
    anchor "ftpproxy"
    anchor "pftpx/*"
    
    # IMSpector
    anchor "imspector"
    
    # uPnPd
    anchor "miniupnpd"
    
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log quick all label "Default deny rule"
    block out log quick all label "Default deny rule"</sshlockout></bogons></bogons></virusprot></virusprot></snort2c></snort2c></snort2c></vpns></vpns></vpns></sshlockout> 
    

    In both files i see the GRE protocol pass on the interface vr1. port 1723   (it is an soekriss 5501 board)
    In my logs on the 2.0 i see that they are dropped from the vr1 interface.

    The vr1 interface is not shown in my rules.debug file on the 2.0 machine but is on the 1.2.3 machine

    On the working machine i have wan = "{ vr1 nr0}"
    On the 2.0 i only have wan = "{ pptp0 }"

    So the pass rules as far as i understand for the GRE protocol do not get set for the vr1 interface where i see all the drops in my log file.

    
    # allow PPTP client
    pass in on $WAN proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client on WAN"
    pass in on $WAN proto gre from any to any keep state label "allow PPTP client on WAN"
    
    

    Could it be that i need to set wan = "{ vr1 pptp1 }" ?

    regards
    Johan Hendriks



  • I have exactly the same problem with 2.0RC3. It seems that MSS Clamping is somehow broken with PPTP in 2.0.



  • Well i got it working, but it wil not survive a reboot.

    what i did was the following

    I did go to diagnostics, then edit file.
    I opened /tmp/rules.debug
    i put in the actual interface between the brackets of the wan interface.
    wan = { pptp1 } and i changed it to wan = { vr1 pptp1}
    Then i did go to diagnostics and then command
    In the command box i did do pfctl -f /tmp/rules.debug

    Then after hitting F5 in the browser which could not load any page, it all started to work, the pages were loaded.
    To make sure it was this, i opened the traffic box and started to download a iso image from an ftp server, and the graph did flew up.

    So the reason, it is not working in my case is that the vr1 interface does drop the GRE packages.
    And the pf rules actually do let them pass, but the interface is not added to the wan.

    regards,
    Johan



  • Works, thanks!

    edit:

    I would like to make this survive a reboot with this script:

    
    sed 's/{ pptp0 }/{ vr1 pptp0 }/g' /tmp/rules.debug > /tmp/rules.debug.new
    mv /tmp/rules.debug.new /tmp/rules.debug
    pfctl -f /tmp/rules.debug
    
    

    I put it under /usr/local/etc/rc.d/fix_pptp like suggested in this thread but it is not executed at startup. Also pfsense does not automatically establish the PPTP-connection at startup. (I don't have Dial-On-Demand enabled)

    Regards,

    Michael

    edit2:

    Due to the connection being to unstable (I even had the above script in a cronjob every minute) I have downgraded to 1.2.3.



  • Hi,

    Noticed 2.0-final was released yesterday so I couldn't resist trying it out to see if the pptp issue was resolved. Did a clean install just now but alas, the situation remains unchanged.

    After that, decided to give Sylhouette's fix a try (for me it was adding em1 to pptp0) and this fixed the problem for me on the 2.0-final release!

    Can't say anything yet about stability; I'll leave this running for a while and if it's stable, I'll try to get it reboot-proof.

    rgds,
    A.



  • I think a lot of people get bitten by this.

    Every firewall solution i tryed, work with the pptp solution.
    monowall, the older pfsense, smoothwall, and sonicwall are the once i tried.
    All without problem.

    i need it to survive a reboot, we have a very poor power grid  on one location, and power fails sometimes for more than 4 to 5 hours.
    And this happens more than once per month.

    Well we should see what we can do.
    For now i leave these boxes at 1.2.3 because it works and works well.

    regards.
    Johan Hendriks



  • Hi,

    Agree that it's a bit peculiar that something like pptp would be broken. Maybe pptp isn't all that popular anymore, don't know.

    Your fix remained stable since I applied it. It's most probably not that hard to make it reboot proof by using some <shellcmd>statements in the config.xml. However, I guess (but haven't verified) that pfctl gets called whenever the ruleset is changed which would basically undo the commands issued from the config.xml (and break the pptp again)

    The only reboot / filter-reload proof way to handle this seems to be to modify one (or multiple) scripts in the /etc (or /etc/rc.d) directories. Wouldn't want to do that on a production system since I don't know enough about the details of the inner workings of pfsense to feel confident that such hacking wouldn't result in undesirable behavior..

    So, I'm (unfortunately) staying with 1.2.3. as well. Hope somebody can pick this issue up and raise a bug against it so maybe it can get resolved in an upcoming release..

    b.r.
    A.</shellcmd>



  • Well i made it survive a reboot also, but this is an UGLY way.

    go to diagnostics then edit file
    open the file

    /etc/inc/filter.inc
    

    then around line 2221 you find the following.

    
    # allow PPTP client
    pass in on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client on {$oc['descr']}"
    pass in on \${$oc['descr']} proto gre from any to any keep state label "allow PPTP client on {$oc['descr']}"
    
    

    In my case my actual WAN interface is vr1 so i put a allow rule there on vr1.
    Then it shows the following.

    
    #allow PPTP client
    pass in on \${$oc['descr']} proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client on {$oc['descr']}"
    pass in on \${$oc['descr']} proto gre from any to any keep state label "allow PPTP client on {$oc['descr']}"
    pass in on vr1 proto gre from any to any keep state label "allow PPTP client on {$oc['descr']}"
    
    

    This way it stays active after a reboot.
    NOTE THIS IS NOT THE WAY TO DO IT..

    But it works this way ….
    And it seems we are the only one who have this.
    On the other hand, it is saver than to set the wan value to vr1 and pptp0, because this way only GRE is allowed and in the rest of the script wan is just pptp0 like before.

    It does not survive an upgrade however. :D

    Gr
    Johan Hendriks



  • Does anyone know if the developers are working on this issue or even are aware of it? Should someone (me?) create a ticket in redmine?



  • I opened a thread on the mailling list.

    When the 2.0 anouncement came, i repleyed on that by asking if this was resolved.

    The following anwer came

    That's not a general issue, and haven't heard that from anyone else,
    not sure what you're seeing.

    I replied on that by explaining what i saw and how in my case i got that fixed.
    I also reffered to this thread on the forum.

    Then to my surprise i almost got a ban from the mailing list, this was the answer i got on my relpy.

    Stop here, you're hijacking a thread. Bump your own thread if you want
    to continue.

    I replied again with a sorry that it was not my intention to hijajack a thread. ( i really was not )
    And that i already had a threat on the mailling list about this issue and gave the link to the thread on the mailling list.

    Never heard anything after that.
    I did not send an e-mail to the mailling list after that so maybe i am already banned :(, i hope not, because i like to help out sometimes, and i learn a lot about PFSense through the mailling list.

    So i really do not know the status.

    regards,
    Johan Hendriks



  • Hi,

    Opening a ticket is probably the best way forward since several people clearly have the same reproducible problem with PPTP (some might call that a bug  ;)) . I don't know how to get from a discussion on the forum to an actual ticket in pfsense's bugtracker - mseiwald, if you are capable of raising a ticket, yes please!

    Probably a good idea to include Sylhouette's two fixes in the bug description as well.

    rgds,
    A.



  • Hi all,

    Just noticed 2.0.1 is out! Before I give it a try, I was wondering if anyone knows if the PPTP WAN problem that existed since 2.0RC1 has been properly fixed yet. Doesn't seem to be (explicitly) in the list of changes in the release notes but who knows..

    br.
    A.



  • I'm seeing an MTU issue after upgrading from 1.2.3 to 2.0.  I 'fixed' this by editing

    /var/etc/pptp-vpn/mpd.conf

    and adding:

    set link mtu 1396

    Then, killing the mpd process and restarting it:

    /usr/local/sbin/mpd4 -b -d /var/etc/pptp-vpn -p /var/run/pptp-vpn.pid -s pptps pptps

    That's not a pfSense 'solution' but perhaps others here could try it to see if our problems are the same?

    This wasn't necessary before, so I'm wondering if defaults are different, path MTU discovery is somehow broken, etc.  BTW, I read that XP's pptp client requires 1396, so that's what I set for a compatibility floor.


Log in to reply