
Author Topic: PPTP Client ARP addresses advertised/answered from the VIP/LAN interface  (Read 1754 times)


Offline shon

  • Jr. Member
  • **
  • Posts: 32
  • Karma: +1/-0
I'm running 2.2.5(x64)

The firewall VIP/LAN is not responding to ARP queries/requests made from the LAN clients for any of the PPTP clients registered to the FW.

I'm using the same subnet (192.168.1.0/24) for my VPN clients as I am for my LAN.

I can pass traffic between the endpoints (PPTP <=> LAN) as long as I add a static route on my LAN clients to send their traffic back to the FW for any of the PPTP client addresses.

 
« Last Edit: December 21, 2015, 01:19:35 pm by shon »

Offline cmb

  • Hero Member
  • *****
  • Posts: 11230
  • Karma: +893/-7
    • Chris Buechler
Re: PPTP Client ARP addresses advertised/answered from the VIP/LAN interface
« Reply #1 on: December 21, 2015, 03:08:20 pm »
The mpd config for the PPTP server sets 'set iface enable proxy-arp', which handles that automatically.
http://mpd.sourceforge.net/doc5/mpd28.html

and it works generally, though most have moved on from PPTP at this point (and you should too).

From the mpd docs, "When this option is enabled, if after link negotiation the peer's IP address is determined to lie on a local subnet, then mpd will arrange for the local machine to install a proxy ARP entry for the remote machine's IP address."

Only thing I can think of is if your config's such that it doesn't actually lie on a local subnet (mask not what you intended maybe).

If nothing else, you can add a proxy ARP VIP range on LAN for the PPTP subnet to accomplish the same thing.
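To check the behaviour Chris describes on a running box, here is a small diagnostic (added example, not code from the thread, pfSense or mpd): it pulls the peer addresses out of the `set ipcp ranges` lines of mpd.conf, parses FreeBSD `arp -an` output (proxy ARP entries there carry the flag `published`), and lists PPTP client addresses inside the LAN subnet that have no proxy entry. The mpd.conf fragment and the `arp -an` lines below are constructed samples; the `em1` interface name and MAC addresses are assumptions.

```python
import ipaddress
import re

# Constructed mpd.conf fragment (same shape as the thread's pt0/pt1 sections).
MPD_CONF = """\
pt0:
   new -i pptpd0 pt0 pt0
   set ipcp ranges 192.168.1.190/32 192.168.1.191/32
   load pts

pt1:
   new -i pptpd1 pt1 pt1
   set ipcp ranges 192.168.1.190/32 192.168.1.192/32
   load pts
"""

# Constructed FreeBSD `arp -an` output; proxy ARP entries are marked "published".
ARP_OUTPUT = """\
? (192.168.1.1) at 00:0c:29:aa:bb:01 on em1 permanent [ethernet]
? (192.168.1.10) at 00:0c:29:aa:bb:10 on em1 expires in 1170 seconds [ethernet]
? (192.168.1.191) at 00:0c:29:aa:bb:01 on em1 permanent published [ethernet]
"""

# mpd syntax: set ipcp ranges <local-ip/width> <peer-ip/width>
RANGE_RE = re.compile(r"^\s*set ipcp ranges\s+(\S+)\s+(\S+)", re.M)
ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at \S+ on (\S+) (.*?)\[")


def pptp_client_addresses(conf):
    """Peer addresses mpd can hand out: the second argument of each ranges line."""
    peers = set()
    for _local, remote in RANGE_RE.findall(conf):
        net = ipaddress.ip_network(remote, strict=False)
        # /31 and /32 have no separate network/broadcast address
        hosts = net if net.num_addresses <= 2 else net.hosts()
        peers.update(str(h) for h in hosts)
    return sorted(peers, key=ipaddress.ip_address)


def published_arp(arp_text):
    """Map IP -> interface for entries the kernel answers on behalf of (proxy ARP)."""
    return {ip: ifname for ip, ifname, flags in ARP_RE.findall(arp_text)
            if "published" in flags.split()}


def missing_proxy_arp(conf, arp_text, lan_net):
    """PPTP client addresses inside lan_net that LAN hosts cannot resolve via ARP."""
    lan = ipaddress.ip_network(lan_net)
    pub = published_arp(arp_text)
    return [ip for ip in pptp_client_addresses(conf)
            if ipaddress.ip_address(ip) in lan and ip not in pub]


if __name__ == "__main__":
    print("no proxy ARP entry:", missing_proxy_arp(MPD_CONF, ARP_OUTPUT, "192.168.1.0/24"))
```

Addresses reported by `missing_proxy_arp` are exactly those for which LAN clients would need the static route described in the first post; with the client range moved outside the LAN subnet the list is empty because those addresses are routed, not ARPed.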

Offline shon

  • Jr. Member
  • **
  • Posts: 32
  • Karma: +1/-0
Re: PPTP Client ARP addresses advertised/answered from the VIP/LAN interface
« Reply #2 on: December 21, 2015, 03:42:14 pm »
Thanks for replying Chris!

Here is the output from my /var/etc/pptp-vpn/mpd.conf file:

pts:
   set iface disable on-demand
   set iface enable proxy-arp
   set iface enable tcpmssfix
   set iface idle 1800
   set iface up-script /usr/local/sbin/vpn-linkup
   set iface down-script /usr/local/sbin/vpn-linkdown
   set bundle enable multilink
   set bundle enable crypt-reqd
   set link yes acfcomp protocomp
   set link no pap chap
   set link enable chap-msv2
   set link mtu 1460
   set link keep-alive 10 60
   set ipcp yes vjcomp
   set bundle enable compression
   set ccp yes mppc
   set ccp yes mpp-e128
   set ccp yes mpp-stateless
   set ccp yes mpp-e40
   set ccp yes mpp-e56
   set ipcp dns 192.168.1.10
   set radius server 192.168.1.10 "secret" 1812 1813
   set radius retries 3
   set radius timeout 10
   set auth enable radius-auth

pptps:
   load pt0
   load pt1
   load pt2
   load pt3
   load pt4
   load pt5
   load pt6
   load pt7
   load pt8
   load pt9
   load pt10
   load pt11
   load pt12
   load pt13
   load pt14
   load pt15

pt0:
   new -i pptpd0 pt0 pt0
   set ipcp ranges 192.168.1.190/32 192.168.1.191/32
   load pts

pt1:
   new -i pptpd1 pt1 pt1
   set ipcp ranges 192.168.1.190/32 192.168.1.192/32
   load pts

Sorry, I'm using a CARP/VIP for the LAN interface. Are you saying that I need to remove the current CARP/VIP interface and add a Proxy ARP one?

On a troubleshooting note I'm trying to log mpd activity by editing /var/etc/syslog.conf adding the following to the file:

!mpd
*.*                     %/var/log/mpd.log

However, when I restart the syslog server, that entry is then removed.


**UPDATE**


I gave the remote PPTP range something different (e.g. 192.168.2.0) from my LAN network, and everything works as expected.

My guess is the mpd proxy-arp didn't kick in because of being within the same subnet.


« Last Edit: December 22, 2015, 08:25:02 pm by shon »