Bug #1336

PPTP VPN NAT on WAN or other external interface

Added by Zeev Zalessky about 8 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: PPTP
Target version:
Start date: 03/07/2011
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.0
Affected Architecture: amd64

Description

I have a PPTP server on the latest 2.0-RC1 build. I have multiple internal and external interfaces.
I have the following problems:
1. The PPTP client does not receive a gateway IP; the mask is 255.255.255.255.
2. NAT is not working.
3. tcpdump shows wrong-checksum errors; for example, the received checksum is 12AC and the calculated checksum is AC12.

NAT.png (5.36 KB) Zeev Zalessky, 03/07/2011 06:35 PM
Page01.JPG (8.25 KB) Shadow Hwang, 03/31/2011 11:26 PM
Page02.JPG (10.5 KB) Shadow Hwang, 03/31/2011 11:26 PM

History

#1 Updated by Chris Buechler about 8 years ago

  • Priority changed from High to Normal

Probably not a legit bug there (item 1 is how PPTP works, item 2 is not true and looks like a config problem in your case, item 3 is probably a consequence of how you're capturing traffic), but will leave this here for now until it can be tested.

#2 Updated by Zeev Zalessky about 8 years ago

I tested. NAT is working, but something is wrong with the checksum calculation. As I see it, traffic is dropped by the first WAN router because of the wrong checksum. The checksum calculation is not done by the NIC ("Disable hardware checksum offload" is checked).

#3 Updated by Zeev Zalessky about 8 years ago

Hi,

I just installed a second server with the same version, but i386 and not amd64, and this problem does not exist there. So the problem needs to be checked with a PPTP VPN client (Windows 7 32-bit), a PPTP server on pfSense 2.0 RC1 amd64, and multi-WAN NAT. According to the packet capture, all packets that go from PPTP to WAN have a bad checksum. I'll add a packet capture later.

#4 Updated by Shadow Hwang about 8 years ago

Yes, I also encountered the same problem.
My test environment: attachment Page1.jpg

1. WAN2 rules: open the GRE and PPTP service ports on WAN2.
2. 1:1 NAT mapping of 1 public IP to the PPTP server IP (192.168.1.200).
3. Lan and Lan2 rules: proto (any), source/port (any), destination/port (any), gateway (default).

Test results (Page02.jpg)
A. 1.2.3 release: OK! User VPN to the PPTP server is OK, and multiple networks at the same time are possible.
B. 2.0 RC1: Error. User VPN to the PPTP server is OK, but after 30 to 180 seconds of use the Internet does not work and the user cannot ping the PPTP server or the Lan2 gateway. If the test user moves to Lan2, it can connect to the Internet normally.

#5 Updated by Zeev Zalessky about 8 years ago

Any news with this bug?

#6 Updated by David Prinzing about 8 years ago

I am unable to get the most modern 2.0 RC1 amd64 build to route PPTP VPN traffic to the web. Version 1.2.3 works fine. I assume this is part of this issue. I did not test 2.0 RC1 i386 but I assume it has the same issue.

#7 Updated by David Prinzing about 8 years ago

I should also mention, I do not have multi-WAN setup. So this issue does not appear to be limited to multi-WAN setups.

#8 Updated by Zeev Zalessky about 8 years ago

The problem is related to 64 bit only.

#9 Updated by Shadow Hwang about 8 years ago

I use pfSense 2.0 RC1 i386 with multi-WAN in my production environment, and I see the same issue. Is there any solution for this issue? Any suggestion will be appreciated.

#10 Updated by Zeev Zalessky about 8 years ago

The problem is caused by removing the PPTP patch by Eric on 16/3. You can solve the routing problem on the 32-bit version by using a version from before 16/3 or by building a private build with the PPTP patch. The 64-bit version has a problem with checksum calculation.

#11 Updated by Jim Pingle about 8 years ago

I have setup multiple PPTP servers on i386 within the last week, and it worked fine, including NAT out to the Internet.

On amd64 however I can confirm that the checksums are bad, they appear to be byte swapped.
Wireshark shows:

Header checksum: 0x6181 [incorrect, should be 0x8161]
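
The byte-swap pattern reported above can be checked mechanically on a raw IPv4 header taken from a capture. The following is an added example, not code from this ticket or from pfSense; the function names are hypothetical and the sample GRE header (documentation addresses 192.0.2.10 and 198.51.100.20) is constructed for illustration.

```python
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum of an IPv4 header whose checksum field is zeroed."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries (ones' complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def swap16(value: int) -> int:
    """Exchange the two bytes of a 16-bit value."""
    return (value & 0xFF) << 8 | value >> 8

def classify(header: bytes) -> str:
    """Return 'ok', 'byte-swapped' or 'bad' for a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4             # header length in bytes
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    header = header[:ihl]
    stored = int.from_bytes(header[10:12], "big")
    expected = ip_checksum(header[:10] + b"\x00\x00" + header[12:])
    if stored == expected:
        return "ok"
    # A correct sum stored in the wrong byte order shows up as swap16(expected).
    if stored == swap16(expected):
        return "byte-swapped"
    return "bad"

def sample_header(checksum=None) -> bytes:
    """Constructed sample: 20-byte header, protocol 47 (GRE), TTL 64."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1C46, 0, 64, 47, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    if checksum is None:
        checksum = ip_checksum(raw)          # fill in the correct value
    return raw[:10] + struct.pack("!H", checksum) + raw[12:]

if __name__ == "__main__":
    good = sample_header()
    correct = int.from_bytes(good[10:12], "big")
    for label, hdr in (("correct", good),
                       ("swapped", sample_header(swap16(correct))),
                       ("corrupt", sample_header(correct ^ 0x0001))):
        print(f"{label}: stored=0x{int.from_bytes(hdr[10:12], 'big'):04x} "
              f"-> {classify(hdr)}")
```

A header whose two checksum bytes happen to be equal reads as "ok" either way, so a capture should be judged over several packets rather than one.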

#12 Updated by R W almost 8 years ago

I can confirm Jim P's analysis. On VMWare, i386 works fine, amd64 does not.

#13 Updated by Jim Pingle almost 8 years ago

  • Status changed from New to Feedback

It works for me with Ermal's patch directly applied. Once snapshots with this fix are uploaded, others can test.

#14 Updated by Jim Pingle almost 8 years ago

  • Status changed from Feedback to New

Switching this back to New since the patch had to be backed out for now - it appears to have been negatively impacting pppoe on amd64.

#15 Updated by Chris Buechler almost 8 years ago

  • Status changed from New to Closed

This is the same as #1107, closing in favor of that one.

#16 Updated by Shadow Hwang over 7 years ago

Tested 2.0-Release. This problem has been resolved.
Thank you, pfSense team, for your effort.
