Topic: PPTP client IPs (Read 4881 times)

aniblade (Newbie) « on: April 26, 2007, 10:24:10 pm »
Hi guys,
I have configured the PPTP VPN on my pfSense, with RADIUS (IAS). All my clients authenticate and get an IP address from 192.168.1.240/28. My File server which the PPTP clients need to access is at 192.168.1.199/24 which is the only server in the DMZ (LAN has a different IP scheme). My problem is that my PPTP clients cannot ping the file server, nor can the file server ping the vpn clients. I really don't care which range of IP addresses my vpn clients get, and I'm thinking the default /28 mask imposed by pfsense may be the problem??
My PPTP firewall rule permits any to any.
Any suggestions?
Thanks in advance.
« Last Edit: April 26, 2007, 10:40:21 pm by aniblade »

aldo (Full Member) « Reply #1 on: May 07, 2007, 03:52:57 pm »
Quote from: aniblade on April 26, 2007, 10:24:10 pm
Hi guys,
I have configured the PPTP VPN on my pfSense, with RADIUS (IAS). All my clients authenticate and get an IP address from 192.168.1.240/28. My File server which the PPTP clients need to access is at 192.168.1.199/24 which is the only server in the DMZ (LAN has a different IP scheme). My problem is that my PPTP clients cannot ping the file server, nor can the file server ping the vpn clients. I really don't care which range of IP addresses my vpn clients get, and I'm thinking the default /28 mask imposed by pfsense may be the problem??
My PPTP firewall rule permits any to any.
Any suggestions?
Thanks in advance.
Did you add firewall rules to allow your PPTP clients access to your file server?

aniblade (Newbie) « Reply #2 on: May 07, 2007, 08:57:56 pm »
PPTP any to any should be enough right?

cmb (Administrator, Hero Member) « Reply #3 on: May 07, 2007, 09:57:06 pm »
Yeah, PPTP any to any is fine (as long as it's really any, and not just TCP).
What about the network the clients are on, what's its subnet? Yours is 192.168.1.0/24, which is extremely common. If the client is also on 192.168.1.0/24, traffic that should traverse the PPTP connection never will.
pfSense Commercial Support
Paying customers receive support priority and as in depth of assistance as desired through the official commercial support channels at portal.pfsense.org. Forum users receive as much help as time permits.

aniblade (Newbie) « Reply #4 on: May 09, 2007, 11:42:30 pm »
Exactly, my file server is in the default subnet 192.168.1.199/24. My PPTP clients are just defaulted to 192.168.1.240/28 also.

monideth (Jr. Member) « Reply #5 on: May 21, 2007, 12:14:55 am »
aniblade,
The 192.168.1.240 /28 subnet has valid IPs from .241 to .254. Thus, when your PPTP clients need to access .199 it is considered outside of its own subnet (because it is not within subnet range) - so it will send to the host's configured default gateway.
However, from the server since it is /24 subnet this also includes .241 to .254 - thus the server will not send traffic destined to .241 to .254 to a default gateway (because it considers these hosts to be on the same subnet).
I think you should try sorting the overlapping subnet issue out first.
I hope this helps.
Regards,
Mon

cmb (Administrator, Hero Member) « Reply #6 on: May 21, 2007, 06:16:29 pm »
Quote from: aniblade on May 09, 2007, 11:42:30 pm
Exactly, my file server is in the default subnet 192.168.1.199/24. My PPTP clients are just defaulted to 192.168.1.240/28 also.
That's fine, as long as the PPTP clients only have the 192.168.1.x IP's after connecting to PPTP. If they're behind a Linksys or something like that where they have 192.168.1.x IP's before connecting to PPTP, it won't work.
In this case, the routing is different and doesn't behave like monideth described. Normally that would be absolutely true, but when PPTP is configured like this it just drops you right into the LAN IP space. The /28 isn't actually the subnet mask (PPTP clients get /32 masks), it's the range of IP's used.

aniblade (Newbie) « Reply #7 on: May 23, 2007, 10:30:20 am »
Yeah, my clients are just coming with public valid addresses through their DSL or Cable connections. I understood that the clients can't see the 192.168.1.199/24 server cuz it's out of their subnet range, so if I make the PPTP clients range a 192.168.1.190/28 for example, would that work?

cmb (Administrator, Hero Member) « Reply #8 on: May 23, 2007, 09:04:38 pm »
Quote from: aniblade on May 23, 2007, 10:30:20 am
Yeah, my clients are just coming with public valid addresses through their DSL or Cable connections.
But maybe after they get NAT'ed. If they're behind a router or firewall and using a 192.168.1.0/24 subnet, the VPN won't work because the machine thinks your VPN network is its local network.
Quote from: aniblade on May 23, 2007, 10:30:20 am
I understood that the clients can't see the 192.168.1.199/24 server cuz it's out of their subnet range, so if I make the PPTP clients range a 192.168.1.190/28 for example, would that work?
Read my last post on subnet vs. address range, it's not an issue that it's a different subnet.

monideth (Jr. Member) « Reply #9 on: May 24, 2007, 02:50:53 pm »
cmb,
Thanks for the clarification - I forgot the PPTP clients actually use the /32 subnet when they are connected.
However, from the server point of view it does not even know about this - all it knows about is its own subnet mask.
Thus, if the PPTP client is considered by the server as being in the same subnet then it will not attempt to send the traffic to its default gateway.
Maybe I'm wrong - but this is just my understanding of IP and subnets.
aniblade,
To check whether the ICMP REQUEST packets are actually getting to your server but the ICMP REPLY packets are not routed back properly, I suggest you run ethereal/wireshark on the server to capture this. If there are no PING packets getting to your server in the first place then there are routing/IP problems elsewhere.
Regards,
Mon

cmb (Administrator, Hero Member) « Reply #10 on: May 24, 2007, 05:14:54 pm »
Quote from: monideth on May 24, 2007, 02:50:53 pm
However, from the server point of view it does not even know about this - all it knows about is its own subnet mask.
Thus, if the PPTP client is considered by the server as being in the same subnet then it will not attempt to send the traffic to its default gateway.
Maybe I'm wrong - but this is just my understanding of IP and subnets.
Normally that's correct, but not with PPTP. With a /32 mask there is no default gateway, the only thing within that subnet is one IP, the IP the client has. The PPTP client knows what networks are accessible through the connection and sends traffic over the connection appropriately. pfsense then sends that off on the LAN subnet and does ARP on behalf of the client, the server sees it as an IP within its subnet and replies using the ARP answer from pfsense, and pfsense forwards it to the PPTP client.
Subnetting is absolutely not an issue here.
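
The forwarding decisions debated in replies #3 to #10, worked through as an added example that is not part of any forum post: it models why the server treats pool addresses as on-link (so pfSense must answer ARP for them) and why a client whose own LAN is 192.168.1.0/24 never uses the tunnel. The function names, the two client LAN addresses and the tie-break rule are assumptions made for illustration.

```python
import ipaddress

# Addresses are the ones quoted in the thread; function names are hypothetical.
SERVER_IF = ipaddress.ip_interface("192.168.1.199/24")  # file server
PPTP_POOL = ipaddress.ip_network("192.168.1.240/28")    # address range, not a mask
VPN_ROUTES = ["192.168.1.0/24"]                         # network reached via PPTP


def pool_addresses(pool):
    """Host addresses in the pool (.241 to .254 in reply #5)."""
    return [str(h) for h in pool.hosts()]


def next_hop(iface, dst, via_vpn=()):
    """Return 'on-link', 'vpn' or 'gateway' for a packet from iface to dst.

    Simplified model: longest prefix wins; on a tie the directly connected
    network beats the VPN route (assumption matching the failure cmb describes).
    """
    dst = ipaddress.ip_address(dst)
    routes = [(iface.network, "on-link")]
    routes += [(ipaddress.ip_network(n), "vpn") for n in via_vpn]
    hits = [(net.prefixlen, kind == "on-link", kind)
            for net, kind in routes if dst in net]
    return max(hits)[2] if hits else "gateway"


def client_lan_conflicts(client_lan, via_vpn=VPN_ROUTES):
    """True when the client's pre-VPN LAN overlaps a network behind the VPN."""
    lan = ipaddress.ip_interface(client_lan).network
    return any(lan.overlaps(ipaddress.ip_network(n)) for n in via_vpn)


if __name__ == "__main__":
    print(pool_addresses(PPTP_POOL)[0], "-", pool_addresses(PPTP_POOL)[-1])
    # Server sees the pool inside its own /24, so it ARPs instead of routing;
    # pfSense has to answer that ARP on the client's behalf.
    print("server -> .241:", next_hop(SERVER_IF, "192.168.1.241"))
    # Constructed client LANs: one non-overlapping, one behind a 192.168.1.x router.
    for lan in ("10.0.0.5/24", "192.168.1.50/24"):
        hop = next_hop(ipaddress.ip_interface(lan), "192.168.1.199", VPN_ROUTES)
        print(lan, "-> .199:", hop, "| conflict:", client_lan_conflicts(lan))
```

A `conflict: True` result for a remote user's LAN is the case where renumbering one side is the fix; firewall rules on pfSense cannot help because the packet never reaches the tunnel.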

aniblade (Newbie) « Reply #11 on: May 25, 2007, 10:27:37 am »
Thanks guys, I read all your answers. I'll have to do some more testing and I'll get back at you

aniblade (Newbie) « Reply #12 on: May 31, 2007, 09:24:48 pm »
Ok. The only way I could fix this was creating a Firewall rule in the PPTP Interface to allow PPTP clients to any. There my PPTP clients were able to access the resources in my server, but my server was never able to ping back at the PPTP clients. What exactly would be the rule to allow the server to ping? The server is in the DMZ.

aldo (Full Member) « Reply #13 on: June 01, 2007, 05:01:27 am »
Quote from: aniblade on May 31, 2007, 09:24:48 pm
Ok. The only way I could fix this was creating a Firewall rule in the PPTP Interface to allow PPTP clients to any. There my PPTP clients were able to access the resources in my server, but my server was never able to ping back at the PPTP clients. What exactly would be the rule to allow the server to ping? The server is in the DMZ.
You sure it is not a Windows firewall issue or a client firewall issue?
In your DMZ you will have pass server to ip_ofPtppclients.

aniblade (Newbie) « Reply #14 on: June 01, 2007, 11:53:14 am »
Yeah, I double checked that the firewall on all the windows machines is OFF. I created a rule for the server to be able to ping PPTP clients, but nothing happens. Must be the order in which the rules are applied?