Bug #1336
closedPPTP VPN NAT on WAN or other external interface
0%
Description
I have PPTP server on 2.0-RC1 latest build. i have multiple internal and external interfaces.
I have following problems:
1. PPTP Client not receive gateway IP, MASK is 255.255.255.255
2. NAT is not working.
3. tcpdump show wrong checksum errors, for example received checksum is 12AC calculated checksum AC12
Files
Updated by Chris Buechler almost 14 years ago
- Priority changed from High to Normal
probably not a legit bug there (item 1 is how PPTP works, item 2 is not true and looks like a config problem in your case, item 3 is probably a consequence of how you're capturing traffic). but will leave this here for now until it can be tested.
Updated by Zeev Zalessky almost 14 years ago
i tested. NAT is working but some thing wrong with checksum calculation. as i see traffic is dropped by first WAN router because of wrong checksum. checksum calculation not done by NIC (Disable hardware checksum offload
is checked).
Updated by Zeev Zalessky almost 14 years ago
Hi,
Just installed second server with same version but i386 and not amd64 and this problem not exists. so, need to check the problem with PPTP VPN client (Windows 7 32bit),PPTP server on pfSense 2.0 RC1 amd64 and multi-wan NAT. according to packet capture all packets that come from pptp to wan are with bad checksum. i'll add packet capture later.
Updated by Shadow Hwang over 13 years ago
- File Page01.JPG Page01.JPG added
- File Page02.JPG Page02.JPG added
Yes,I also encountered the same problem.
My Test environment Attachment Page1.jpg
1. Wan2 Rules: Open WAN2 Port GRE and PPTP Service port.
2. 1:1 NAT mapping 1 public ip to PPTP server ip(192.168.1.200)
3. Lan and Lan2 Rules: proto(any),source/port(any),destination/port(any),gateway(default)
Test Results(Page02.jpg)
A. 1.2.3 release: Ok!!, User vpn to pptp server is OK and More networks at the same time possible.
B. 2.0 RC1: Error, User vpn to pptp server is ok but when use till 30 to 180 seconds after the Internet will not and can not ping to the pptp server and Lan2 gateway. If the Test User move Lan2, it can connet the normal Internet.
Updated by David Prinzing over 13 years ago
I am unable to get the most modern 2.0 RC1 amd64 build to route PPTP VPN traffic to the web. Version 1.2.3 works fine. I assume this is part of this issue. I did not test 2.0 RC1 i386 but I assume it has the same issue.
Updated by David Prinzing over 13 years ago
I should also mention, I do not have multi-WAN setup. So this issue does not appear to be limited to multi-WAN setups.
Updated by Zeev Zalessky over 13 years ago
The problem is related to 64 bit only.
Updated by Shadow Hwang over 13 years ago
I use pfSense 2.0 RC1 i386 with multi-WAN in my production environment, I meet the same issue. Is there any solution for this issue? Any suggestion will be appreciated
Updated by Zeev Zalessky over 13 years ago
the problem caused by removing pptp patch by Eric at 16/3. you cansolve route problem at 32 bit version by using version before 16/3 or by building private build with pptp patch. 64 bit version has problem with checksum calculation
Updated by Jim Pingle over 13 years ago
I have setup multiple PPTP servers on i386 within the last week, and it worked fine, including NAT out to the Internet.
On amd64 however I can confirm that the checksums are bad, they appear to be byte swapped.
Wireshark shows:
Header checksum: 0x6181 [incorrect, should be 0x8161]
Updated by R W over 13 years ago
I can confirm Jim P's analysis. On VMWare, i386 works fine, amd64 does not.
Updated by Jim Pingle over 13 years ago
- Status changed from New to Feedback
It works for me with Ermal's patch directly applied. Once snapshots with this fix are uploaded, others can test.
Updated by Jim Pingle over 13 years ago
- Status changed from Feedback to New
Switching this back to New since the patch had to be backed out for now - it appears to have been negatively impacting pppoe on amd64.
Updated by Chris Buechler over 13 years ago
- Status changed from New to Closed
this is the same as #1107, closing in favor of that one.
Updated by Shadow Hwang about 13 years ago
Test 2.0-Release This problem has been resolved.
Thank you pfsense team effort.