Subject: Re: pptp client behind NAT - transfer hangs up
To: Egervary Gergely <egervary@expertlan.hu>
From: Quentin Garnier <cube@cubidou.net>
List: netbsd-users
Date: 01/08/2005 16:29:11

On Sat, Jan 08, 2005 at 11:14:42AM +0100, Egervary Gergely wrote:
> (sorry for my bad English)
>
> scenario: NetBSD nat box, PPTP server at some ISP w/public IP,
> PPTP clients on my private network behind the NetBSD nat.

You mean you have several PPTP clients running from behind the NAT box?

> first of all: this setup works with NetBSD 1.6.2 flawlessly, the problem
> was triggered by the upgrade to NetBSD 2.0
>
> related NAT configuration is unchanged, probably this is a bug/feature
> in the new IPFILTER/IPNAT code.
>
> the problem:
>
> PPTP client can connect to the PPTP server, but the link hangs up if
> there's no data transfer from the PPTP client to the PPTP server for 2-3
> seconds.
>
> If I start a simple ``ping'' on the client, the connection stays up and
> running, and everything is okay. If I stop pinging the server, the
> connection hangs, I can't even ping the client from the server. If I
> start any data transfer from the client again, the link is back and
> working again.
>
> Of course, if there's no traffic from the client for several minutes,
> the link not only hangs, but server disconnects, as LCP echo queries
> cannot reach the client.
>
> this is 100% reproducible on my box.
>
> my ipnat rules:
>
> map ex0 10.0.0.0/8 -> my.external.ip.addr/32 proxy port ftp ftp/tcp
> map ex0 10.0.0.0/8 -> my.external.ip.addr/32 portmap tcp/udp 20000:40000
> map ex0 10.0.0.0/8 -> my.external.ip.addr/32

And what does your ipf ruleset look like?

What does ipnat -l say right after a successfully transmitted packet from
the client to the server?

-- 
Quentin Garnier - cube@cubidou.net - cube@NetBSD.org
"Commala-come-five! / Even when the shadows rise!
To see the world and walk the world / Makes ya glad to be alive."
Susannah's Song, The Dark Tower VI, Stephen King, 2004.
