VPN clients cannot connect (on an ADSL bridged modem WAN)



  • Hello,

    I have a following configuration based on pfSense 2.1 RC0:

    WAN1 connects and logs in directly to ISP1 with PPPoE
    WAN2 connects to an ADSL-modem (set up in bridge mode) and logs in through that modem to ISP2 with PPPoE

    Both WANs are up, get their IPs from ISPs and those IPs get correctly updated by pfSense over at NoIP.

    Clients connect through PPTP with each WAN.

    More precisely: With WAN2 they should connect, but they don't.

    And that is the problem: pfSense is online on both WANs but, when connecting from the outside through WAN2, clients (no matter if it’s an XP/Win7/Android machine) are trying for a while (30 to 60 seconds) and afterwards show a message that they’re unable to connect (no other meaningful message).

    To summarize:

    • Domain resolution is OK: I can ping the NoIP domain name for ISP2 from the outside and it gets resolved to the right IP address (the same which is shown in pfSense for WAN2)
    • Modem/ISP2 Connection is OK: ADSL-Modem works with a Linksys-based DD-WRT router (which I want to replace with pfSense).
    • PPTP clients are OK: Using NoIP, PPTP clients can connect through the same before-mentioned bridged ADSL-Modem (and ISP2) with the Linksys DD-WRT router. They can connect through pfSense, but only when they use ISP1/WAN1.
    • pfSense on WAN1 is OK: And the "only" difference between WAN1 and WAN2 is that there is that ADSL bridged modem in the chain.

    Obviously (at least to me ;)), the only thing that seems faulty is my configuration of the WAN2 connection.

    Can you please help me configure it the right way?

    PS - Can you suggest which logging option to use to help you with more meaningful info of what is going on in pfSense while PPTP clients try to log in? Status > System Logs > VPN > PPTP Logins is not verbose enough, while PPTP Raw is too verbose for me.


  • Netgate Administrator

    I doubt it's anything to do with the ADSL modem. One of those WAN connections will be the default route in pfSense and I suspect it's WAN1. If you go to System: Routes: Gateways: is the default gateway on WAN1? If you change it to WAN2 does that affect the VPN behaviour?

    Steve



  • Steve, thank you very much for replying :) Here are my findings:

    WAN1 set to default:

    • on ISP1: lightning fast logon, everything works as it should. More PPTP clients at once are not a problem.
    • on ISP2: Windows 7 VPN is trying to connect but this time it's getting further than earlier (prior to posting my original post). This is the "sequence" of Windows 7 dialogs:

    Connecting to x using 'WAN Miniport (SSTP)'… (this was - prior to my original post - the only dialog that was shown.)

    Verifying user name and password...

    Connecting to x using 'WAN Miniport (SSTP)'...

    Error 800: The remote connection was not made because the attempted VPN tunnels failed.

    Each dialog is shown for 30 to 60 seconds before the next one gets shown. So, it's sloooow. Like it's searching for something and not finding it.

    WAN2 set to default:

    • on ISP1: same "sequence" as above.
    • on ISP2: same "sequence" as above.

  • Netgate Administrator

    So there was no change setting WAN2 as default? Or neither connection could be made with WAN2 as default?

    I am slightly confused. I think I assumed you were using pfSense as the VPN server, is that the case? I mention that because you first list PPTP as your VPN type but the log shows it's trying to setup an SSTP tunnel. pfSense does not support SSTP.

    Steve



  • 1. There was no change when setting WAN2 as default. And I could change both of them to default (not at the same time, but interchangeably).

    2. Win7 client (the machine from the outside that I'm using to solve this problem) had chosen SSTP due to the fact that Network connection > Properties > Security > Type of VPN was set to Automatic. Now that I've changed it to PPTP it behaves as follows (again, the "sequence" of dialogs):

    Connecting to X using 'WAN Miniport (PPTP)'…

    Error 807: The network connection between your computer and the VPN server was interrupted.

    So, the sequence is different… and Win7 client isn't reaching the point where it can try to log in.

    As I have clients working with the ERP server right now (and using ISP1/WAN1 on pfSense - as I've said, works like a charm) I cannot interrupt them and test how both ISPs/WANs would behave when I'd set WAN2 as default.

    I have also just tried what was suggested in this post. Here is my configuration:

    Rule 1:
    • Action: PASS
    • Interface: LAN
    • TCP/IP Version: IPv4
    • Protocol: GRE
    • Source: any
    • Destination: any

    Rule 2:
    • Action: PASS
    • Interface: WAN2
    • TCP/IP Version: IPv4
    • Protocol: GRE
    • Source: any
    • Destination: any

    Rule 3:
    • Action: PASS
    • Interface: LAN
    • TCP/IP Version: IPv4
    • Protocol: TCP/UDP
    • Source: any
    • Source port range: from (other) 1723 to (other) 1723
    • Destination: any
    • Destination port range: from (other) 1723 to (other) 1723

    Rule 4:
    • Action: PASS
    • Interface: WAN2
    • TCP/IP Version: IPv4
    • Protocol: TCP/UDP
    • Source: any
    • Source port range: from (other) 1723 to (other) 1723
    • Destination: any
    • Destination port range: from (other) 1723 to (other) 1723

    I've cleared the firewall states (Diagnostics > States > Reset States) as suggested in the linked post.


  • Netgate Administrator

    Hmm, that surprises me. I would be almost certain this is to do with traffic leaving via the wrong interface however I'm unsure of exactly how the PPTP server works since I don't use it. Mostly because it relies on MS-CHAPv2 which is no longer secure.

    To be sure of this I would try disabling the WAN1 connection completely such that the ADSL connection is the only WAN and then see if PPTP works. I guess it could conceivably be the modem limiting packet size or its bridge mode being not as 'bridgy' as you'd hope.

    Steve



  • I am still to disable the WAN1 and try using WAN2 when it's the only connection. But, if I'd do that now remotely I would maybe (if WAN2 is exclusive and still doesn't work) not be able to connect again and reverse the action. And the office is a bit far from my home.

    Regarding ADSL modem: I'd say that it works well because (as I've written in my first post), DD-WRT works with the same ADSL modem in bridge mode on WAN2. That's why this whole thing bothers me.



  • ADDENDUM:

    I've just tried connecting to WAN2 WHILE being already connected to WAN1. Here is the protocol:

    Connecting to x using 'WAN Miniport (PPTP)'

    (it goes through in a split of a second…)

    Verifying user name and password…

    (Tries for about 30 seconds and then:)

    Error 619: A connection to the remote computer could not be established, so the port used for this connection was closed.

    So, yet another response.

    Steve, after these two last posts I hope you're still with me :)

    PS - Would it help if I'd post the log here? Just tell me which one. Thank you a lot for trying to help me.


  • Netgate Administrator

    I'm still with you but PPTP is outside my experience. It has some particular quirks that are not present with OpenVPN, all of which are related to multiple PPTP connections over the same internet connection.
    I would still be looking for a routing problem, I agree it seems very unlikely the ADSL modem is causing this.

    Trying to connect to WAN2 while already connected to WAN1 is a special case. It's likely that all your traffic is routed via the WAN1 PPTP connection and hence the new connection to WAN2 appears to be from inside the pfSense box. The routing is completely different and you can see it connects successfully to the authentication stage.

    Anyone with more PPTP experience?

    Steve



  • I've come to try this one last thing:

    I've disabled WAN1. Couldn't go to the Internet (link to ISP2 was UP). Set WAN2 on default. Yep, Internet works now. Try to connect using PPTP from an outside machine. FAIL :(

    Connecting to x using 'WAN Miniport (PPTP)'

    Rumbles for 30-60 sec.

    Error 807: The network connection between your computer and the VPN server was interrupted.

    Yet another message.

    I'm still with you but PPTP is outside my experience. It has some particular quirks that are not present with OpenVPN, all of which are related to multiple PPTP connections over the same internet connection.
    I would still be looking for a routing problem, I agree it seems very unlikely the ADSL modem is causing this.

    I don't believe it's a problem related to "multiple PPTP connections over the same internet connection". As I've said… WAN1 works with multiple connections without a hitch. I also suspect a routing problem... the only thing is: I've watched the logs and it seems like there is nothing in them that would help me (strange).

    Thanks again :)
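The thread's working hypothesis is a routing problem: PPTP control traffic (TCP/1723) arrives on WAN2 but the reply, or the GRE data channel, leaves via the default-gateway WAN instead, which the clients experience as a long hang and then error 807/619. One way to make that visible from firewall logs is to pair each client's inbound TCP/1723 packets with the interface the reply went out on, and to check that GRE flows in both directions. The script below is an added example, not code from the original thread or from pfSense; it reads a simplified, constructed log layout (time,interface,direction,action,proto,src,dst) that stands in for pfSense's filter log rather than reproducing its real CSV format, and the interface names pppoe0 (assumed WAN1) and pppoe1 (assumed WAN2) and all addresses are made up for the example.

```python
"""Asymmetric-path check for PPTP (TCP/1723 control + GRE data) over sample log lines.

The log layout below is a constructed, simplified stand-in for a pfSense filter log:
    time,interface,direction,action,proto,src,dst
Interface names and addresses are assumptions made for this example only.
"""

PPTP_PORT = 1723

# Constructed sample: client 203.0.113.10 hits WAN2 (pppoe1), but the reply leaves via
# WAN1 (pppoe0) and no GRE ever goes back; client 203.0.113.11 on WAN1 is symmetric.
SAMPLE_LOG = """\
12:00:01,pppoe1,in,pass,tcp,203.0.113.10:49152,198.51.100.20:1723
12:00:01,pppoe0,out,pass,tcp,198.51.100.20:1723,203.0.113.10:49152
12:00:02,pppoe1,in,pass,gre,203.0.113.10,198.51.100.20
12:00:31,pppoe1,in,pass,tcp,203.0.113.10:49152,198.51.100.20:1723
12:05:00,pppoe0,in,pass,tcp,203.0.113.11:50000,192.0.2.5:1723
12:05:00,pppoe0,out,pass,tcp,192.0.2.5:1723,203.0.113.11:50000
12:05:01,pppoe0,in,pass,gre,203.0.113.11,192.0.2.5
12:05:01,pppoe0,out,pass,gre,192.0.2.5,203.0.113.11
"""


def parse_line(line):
    """Split one constructed log line into a dict of named fields."""
    ts, iface, direction, action, proto, src, dst = line.split(",")
    return {"ts": ts, "iface": iface, "dir": direction, "action": action,
            "proto": proto, "src": src, "dst": dst}


def host(addr):
    """Strip an optional :port suffix from an address field."""
    return addr.split(":")[0]


def analyze(log_text):
    """Return {client_ip: [issue, ...]} for every client that opened a PPTP control connection.

    Issues reported:
      - the TCP/1723 reply left on a different interface than the request arrived on
      - no TCP/1723 reply was logged at all
      - GRE arrived from the client but no GRE was sent back
      - no GRE arrived from the client (control channel never got that far)
    """
    inbound_iface = {}    # client ip -> interface its TCP/1723 packets arrived on
    outbound_iface = {}   # client ip -> interface the server's reply left on
    gre_in, gre_out = set(), set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        p = parse_line(line)
        if p["proto"] == "tcp":
            if p["dir"] == "in" and p["dst"].endswith(f":{PPTP_PORT}"):
                inbound_iface[host(p["src"])] = p["iface"]
            elif p["dir"] == "out" and p["src"].endswith(f":{PPTP_PORT}"):
                outbound_iface[host(p["dst"])] = p["iface"]
        elif p["proto"] == "gre":
            if p["dir"] == "in":
                gre_in.add(host(p["src"]))
            else:
                gre_out.add(host(p["dst"]))

    findings = {}
    for client, in_iface in inbound_iface.items():
        issues = []
        out_iface = outbound_iface.get(client)
        if out_iface is None:
            issues.append("no reply seen")
        elif out_iface != in_iface:
            issues.append(f"asymmetric: in via {in_iface}, reply via {out_iface}")
        if client in gre_in and client not in gre_out:
            issues.append("GRE received but no GRE reply")
        if client not in gre_in:
            issues.append("no GRE from client")
        findings[client] = issues
    return findings


if __name__ == "__main__":
    for client, issues in analyze(SAMPLE_LOG).items():
        print(client, "OK" if not issues else "; ".join(issues))
```

Run against a real export, the "asymmetric" finding is the signature of replies following the default gateway instead of the interface the request came in on, and "GRE received but no GRE reply" points at the data channel being dropped or misrouted even when the TCP/1723 handshake completes.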