Subject: Re: pptp client behind NAT - transfer hangs up
To: Egervary Gergely <egervary@expertlan.hu>
From: Quentin Garnier <cube@cubidou.net>
List: netbsd-users
Date: 01/08/2005 19:26:06

On Sat, Jan 08, 2005 at 05:21:05PM +0100, Egervary Gergely wrote:
> >>scenario: NetBSD nat box, PPTP server at some ISP w/public IP,
> >>PPTP clients on my private network behind the NetBSD nat.
> >
> >You mean you have several PPTP clients running from behind the NAT box?
>
> no, not simultaneously.

Good, because it can't work with the same PPTP server.

> >And what does your ipf ruleset look like?
>
> I've tried with ``pass-everything'' and it's the same. :(

You mean 'pass in all / pass out all'?

Specifically, PPTP needs the GRE protocol (IP proto 47).  It's not related to
either UDP or TCP, it is very specific.

> >What does ipnat -l say right after a successfully transmitted packet from
> >the client to the server?
>
> when the PPTP connection is established, ipnat -l reports this:
>
> MAP 10.0.1.1    2145  <- -> 193.224.190.1   29981 [195.70.36.136 1723]
>
> where 10.0.1.1 is the PPTP client, 193.224.190.1 is the external address
> of the natbox, 195.70.36.136 is the address of the PPTP server. this
> looks okay.

There should be a line for the GRE protocol that would look like this:

MAP 10.0.1.1  <- -> 193.224.190.1  [195.70.36.136]

Also, add -v to have a bit more of information.

> I can't see anything unusual on the nat box. When the connection hangs,
> (IE there's no traffic from the client for 2-3 seconds) the PPTP server
> cannot ping the client anymore, cannot get replies to the LCP echo
> requests anymore, so - depending on the PPTP server's configuration -
> it times out with LCP echo failures, and disconnects the client.

Yes, that probably is the sign that GRE packets get blocked.  You can
check that incoming GRE packets arrive with 'tcpdump -i <outbound iface>
proto gre'.

-- 
Quentin Garnier - cube@cubidou.net - cube@NetBSD.org
"Commala-come-five! / Even when the shadows rise!
To see the world and walk the world / Makes ya glad to be alive."
Susannah's Song, The Dark Tower VI, Stephen King, 2004.
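
A small diagnostic that mechanises the check Quentin describes above: parse the `ipnat -l` output and flag any PPTP control session (TCP 1723 mapping) that has no matching port-less GRE mapping to the same server. This is an added example, not code from the thread or from NetBSD; the sample lines are constructed from the two MAP line shapes shown in the thread, and the regex assumes that exact layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches both MAP line shapes from the thread: with ports (TCP 1723 control
# channel) and without ports (GRE, IP proto 47, which has no port numbers).
MAP_RE = re.compile(
    r"^MAP\s+(?P<int>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<iport>\d+))?\s+<-\s*->\s+"
    r"(?P<ext>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<eport>\d+))?\s+"
    r"\[(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<dport>\d+))?\]\s*$"
)

@dataclass(frozen=True)
class Mapping:
    internal: str
    internal_port: Optional[int]
    external: str
    external_port: Optional[int]
    dest: str
    dest_port: Optional[int]

def parse_ipnat(output: str) -> List[Mapping]:
    """Parse the MAP lines of `ipnat -l`; lines that do not match are skipped."""
    found = []
    for line in output.splitlines():
        m = MAP_RE.match(line)
        if not m:
            continue
        port = lambda name: int(m.group(name)) if m.group(name) else None
        found.append(Mapping(m.group("int"), port("iport"), m.group("ext"),
                             port("eport"), m.group("dst"), port("dport")))
    return found

def pptp_sessions_missing_gre(mappings: List[Mapping]):
    """(client, server) pairs with a TCP 1723 mapping but no GRE mapping."""
    tcp = {(m.internal, m.dest) for m in mappings if m.dest_port == 1723}
    gre = {(m.internal, m.dest) for m in mappings
           if m.internal_port is None and m.dest_port is None}
    return sorted(tcp - gre)

# Constructed sample output, in the layout shown in the thread.
SAMPLE_ONLY_TCP = (
    "MAP 10.0.1.1    2145  <- -> 193.224.190.1   29981 [195.70.36.136 1723]\n"
)
SAMPLE_WITH_GRE = SAMPLE_ONLY_TCP + (
    "MAP 10.0.1.1  <- -> 193.224.190.1  [195.70.36.136]\n"
)

if __name__ == "__main__":
    print("missing GRE:", pptp_sessions_missing_gre(parse_ipnat(SAMPLE_ONLY_TCP)))
```

Feed it real output with `ipnat -l | python3 this.py`-style plumbing, or pair it with the `tcpdump -i <outbound iface> proto gre` check to tell a missing NAT entry from GRE never reaching the box at all.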
