
PPTP from router WAN to internal interface is failing

I'm running UTM 9.702-1.

I want to connect a guest WiFi network using an old DLink DIR655 as the access point. I'm trying to segregate that traffic from seeing any of my internal network.

Ideally I'd just connect it to another interface. My switches do not support VLANs. But the DIR-655 does allow PPTP connection on the WAN. So I figured I'd connect the DIR-655 to my internal network (where cabling is accessible) via its WAN port and have it connect to the UTM via its built in PPTP WAN.

However, searching through the forums hasn't left me with any luck.

I've tried changing the MTU on the router to 1300 from 1400. No effect.

Tried 40-bit vs 128-bit config in UTM. No effect.

Added an FW rule Any->Any for GRE. No effect.

Below is a connection attempt from the log.

Any help would be appreciated.

 
2020:05:26-13:13:35 firewall pptpd[20095]: MGR: Launching /usr/sbin/pptpctrl to handle client
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: local address = 10.10.80.1
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: remote address = 10.10.80.2
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: Client 10.10.20.10 control connection started
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: Received PPTP Control Message (type: 1)
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: Made a START CTRL CONN RPLY packet
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: I wrote 156 bytes to the client.
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: Sent packet to client
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Received PPTP Control Message (type: 7)
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Set parameters to 1000000000 maxbps, 50 window size
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Made a OUT CALL RPLY packet
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Starting call (launching pppd, opening GRE)
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: pty_fd = 6
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: tty_fd = 7
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: I wrote 32 bytes to the client.
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Sent packet to client
2020:05:26-13:13:36 firewall pptpd[20096]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
2020:05:26-13:13:36 firewall pptpd[20096]: CTRL (PPPD Launcher): local address = 10.10.80.1
2020:05:26-13:13:36 firewall pptpd[20096]: CTRL (PPPD Launcher): remote address = 10.10.80.2
2020:05:26-13:13:36 firewall pppd-pptp[20096]: Plugin aua.so loaded.
2020:05:26-13:13:36 firewall pppd-pptp[20096]: AUA plugin initialized.
2020:05:26-13:13:36 firewall pppd-pptp[20096]: pppd 2.4.7 started by (unknown), uid 0
2020:05:26-13:13:36 firewall pppd-pptp[20096]: using channel 82
2020:05:26-13:13:36 firewall pppd-pptp[20096]: Starting negotiation on /dev/pts/0
2020:05:26-13:13:36 firewall pppd-pptp[20096]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MS-v2> <magic 0x526a14a0> <pcomp> <accomp> <mrru 1400> <endpoint [MAC:6c:fa:a7:2a:0f:4c]>]
2020:05:26-13:13:36 firewall pptpd[20095]: GRE: Bad checksum from pppd.
2020:05:26-13:13:36 firewall pptpd[20095]: GRE: xmit failed from decaps_hdlc: Operation not permitted
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
2020:05:26-13:13:36 firewall pppd-pptp[20096]: Modem hangup
2020:05:26-13:13:36 firewall pppd-pptp[20096]: Connection terminated.
2020:05:26-13:13:36 firewall pppd-pptp[20096]: Exit.
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Reaping child PPP[20096]
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Client 10.10.20.10 control connection finished
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Exiting now
2020:05:26-13:13:36 firewall pptpd[20013]: MGR: Reaped child 20095
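
As an added example (not part of the original post or of Sophos UTM), a small Python classifier for this log layout: it groups pptpd lines by control-connection PID and flags sessions that were torn down right after GRE errors, which is the pattern in the capture above. The sample log is constructed from a subset of the lines quoted in the post.

```python
import re
from collections import defaultdict

# Matches the 'YYYY:MM:DD-HH:MM:SS host proc[pid]: message' layout of the UTM log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Substrings that mean the GRE data path failed (the messages seen in the thread).
GRE_ERRORS = ("GRE: Bad checksum", "GRE: xmit failed", "GRE write failed")

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_LOG = """\
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: Client 10.10.20.10 control connection started
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Starting call (launching pppd, opening GRE)
2020:05:26-13:13:36 firewall pppd-pptp[20096]: sent [LCP ConfReq id=0x1 <mru 1400> <auth chap MS-v2>]
2020:05:26-13:13:36 firewall pptpd[20095]: GRE: Bad checksum from pppd.
2020:05:26-13:13:36 firewall pptpd[20095]: GRE: xmit failed from decaps_hdlc: Operation not permitted
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Reaping child PPP[20096]
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Client 10.10.20.10 control connection finished
"""

def parse(log):
    """Yield a dict per line that fits the layout; unrelated lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def classify_sessions(log):
    """Group pptpd lines by control-connection PID and label each session as
    'gre_failed' (GRE errors before the connection finished), 'closed' or 'incomplete'."""
    sessions = defaultdict(lambda: {"client": None, "gre_errors": [], "finished": False})
    for rec in parse(log):
        if rec["proc"] != "pptpd":          # pppd-pptp lines carry a different PID
            continue
        s, msg = sessions[rec["pid"]], rec["msg"]
        m = re.match(r"CTRL: Client (\S+) control connection (started|finished)", msg)
        if m:
            s["client"], s["finished"] = m.group(1), m.group(2) == "finished"
        elif any(err in msg for err in GRE_ERRORS):
            s["gre_errors"].append(msg)

    def outcome(s):
        if not s["finished"]:
            return "incomplete"
        return "gre_failed" if s["gre_errors"] else "closed"
    return {pid: {**s, "outcome": outcome(s)} for pid, s in sessions.items()}
```

Run over the full log file, a session whose control channel completes but whose GRE path never carries a frame shows up as `gre_failed` with the three error messages attached, which separates this failure from an authentication or LCP problem.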


  • "So I figured I'd connect to DIR-655 to my internal network (where cabling is accessible) via its WAN port and have it connect to the UTM via its built in PPTP WAN."

    You may be able to get what you want without using PPTP...

    Doesn't the DLink's WAN port have a default gateway and doesn't it do masquerading?  Say the router's IP in your LAN is 172.21.1.221 and the UTM's Internal interface is 172.21.1.1.  Add a firewall rule at the top in the UTM '172.21.1.221 -> Any -> Internal (Network) : Drop'.  Won't that do what you want?

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, damn. I should have expected you'd reply. You've been around here since my early days with Astaro.

    Yes, it does have a default gateway and does MASQ.

    That firewall rule would stop the FW from sending traffic from the Router to other hosts on the LAN. But wouldn't it still allow them to be reached through the switches?

    I'll certainly give it a shot though.

  • OK. I've set up the router with a static WAN address and created a new FW rule to Drop traffic from that IP to the LAN Network.

    I can still ping addresses on the LAN from a client connected to the router's WiFi and I can log into my LAN file server.

  • See #2 in Rulz (last updated 2019-04-17), Jimmy.

    Cheers - Bob

  • Rule #2 Item 3

    "then the 'ICMP' tab in 'Firewall': Traceroute and Ping are regulated on the 'ICMP' tab.  The "All" service only includes TCP and UDP - none of the other IP protocols are included."

    explains the ping getting through. But what about logging into the file server's admin web interface on TCP port 443?

    I can also access a shared folder using //<file server IP>/<share name>

  • The HTTP Proxy captures port 443 before firewall rules are considered.  I mentioned "Configure HTTP Proxy for a Network of Guests" above and that will tell you how to configure Web Filtering to avoid having the "Guest" network access internal IPs.

    Cheers - Bob

  • I don't have the HTTP proxy running. That wouldn't handle the network share traffic though.

    I want ALL traffic from this router to be isolated from the rest of the Internal Network.

     

    That's why I thought that connecting the WAN port of the router to the UTM via PPTP would allow that.

     

    Thanks, Bob.

  • Thanks for all of your help, Bob.

    I've tried all of the suggestions above. But my internal LAN is still visible and resources are still available when connected to the wifi router as a "guest".

    Ping file server- Explained

    HTTPS connection to file server UI - No Web Proxy is running. This shouldn't connect.

    Shared folders on file server are still visible. - The FW rule suggested above doesn't stop this traffic.

    So I'm still trying the VPN idea...

    PPTP is simply broken.

    I've tried 2 different routers (DIR-655 & WRT54G). Both get the same errors, then a disconnect.

    2020:05:28-07:42:44 firewall pppd-pptp[6596]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MS-v2> <magic 0x8e1a43cb> <pcomp> <accomp> <mrru 1400> <endpoint [MAC:6c:fa:a7:2a:0f:4c]>]
    2020:05:28-07:42:44 firewall pptpd[6594]: GRE: Bad checksum from pppd.
    2020:05:28-07:42:44 firewall pptpd[6594]: GRE: xmit failed from decaps_hdlc: Operation not permitted
    2020:05:28-07:42:44 firewall pptpd[6594]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)

     

    This is frustrating. A VPN as old as PPTP just doesn't work in V9.

    The router also supports L2TP. But not L2TP over IPSec. So that's not going to work.

  • After trying everything I could think of and everything Bob suggested, I bought a powerline adapter, connected it to another interface on my UTM and plugged the other end in near the guest WiFi router. It's not speedy by any stretch of the imagination (maybe 25Mbit). But it works well enough.