
PPTP from router WAN to internal interface is failing

I'm running UTM 9.702-1.

I want to connect a guest WiFi network using an old DLink DIR655 as the access point. I'm trying to segregate that traffic from seeing any of my internal network.

Ideally I'd just connect it to another interface. My switches do not support VLANs. But the DIR-655 does allow PPTP connection on the WAN. So I figured I'd connect the DIR-655 to my internal network (where cabling is accessible) via its WAN port and have it connect to the UTM via its built-in PPTP WAN.

However, searching through the forums hasn't left me with any luck.

I've tried changing the MTU on the router to 1300 from 1400. No effect.

Tried 40-bit vs 128-bit config in UTM. No effect.

Added an FW rule Any->Any for GRE. No effect.

Below is a connection attempt from the log.

Any help would be appreciated.

 
2020:05:26-13:13:35 firewall pptpd[20095]: MGR: Launching /usr/sbin/pptpctrl to handle client
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: local address = 10.10.80.1
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: remote address = 10.10.80.2
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: Client 10.10.20.10 control connection started
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: Received PPTP Control Message (type: 1)
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: Made a START CTRL CONN RPLY packet
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: I wrote 156 bytes to the client.
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: Sent packet to client
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Received PPTP Control Message (type: 7)
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Set parameters to 1000000000 maxbps, 50 window size
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Made a OUT CALL RPLY packet
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Starting call (launching pppd, opening GRE)
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: pty_fd = 6
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: tty_fd = 7
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: I wrote 32 bytes to the client.
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Sent packet to client
2020:05:26-13:13:36 firewall pptpd[20096]: CTRL (PPPD Launcher): program binary = /usr/sbin/pppd
2020:05:26-13:13:36 firewall pptpd[20096]: CTRL (PPPD Launcher): local address = 10.10.80.1
2020:05:26-13:13:36 firewall pptpd[20096]: CTRL (PPPD Launcher): remote address = 10.10.80.2
2020:05:26-13:13:36 firewall pppd-pptp[20096]: Plugin aua.so loaded.
2020:05:26-13:13:36 firewall pppd-pptp[20096]: AUA plugin initialized.
2020:05:26-13:13:36 firewall pppd-pptp[20096]: pppd 2.4.7 started by (unknown), uid 0
2020:05:26-13:13:36 firewall pppd-pptp[20096]: using channel 82
2020:05:26-13:13:36 firewall pppd-pptp[20096]: Starting negotiation on /dev/pts/0
2020:05:26-13:13:36 firewall pppd-pptp[20096]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <auth chap MS-v2> <magic 0x526a14a0> <pcomp> <accomp> <mrru 1400> <endpoint [MAC:6c:fa:a7:2a:0f:4c]>]
2020:05:26-13:13:36 firewall pptpd[20095]: GRE: Bad checksum from pppd.
2020:05:26-13:13:36 firewall pptpd[20095]: GRE: xmit failed from decaps_hdlc: Operation not permitted
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
2020:05:26-13:13:36 firewall pppd-pptp[20096]: Modem hangup
2020:05:26-13:13:36 firewall pppd-pptp[20096]: Connection terminated.
2020:05:26-13:13:36 firewall pppd-pptp[20096]: Exit.
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Reaping child PPP[20096]
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Client 10.10.20.10 control connection finished
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Exiting now
2020:05:26-13:13:36 firewall pptpd[20013]: MGR: Reaped child 20095
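The failure sequence in that log (control connection started, call started, pppd sends its LCP ConfReq, then pptpd's GRE write fails with "Operation not permitted" and the session is torn down within a second) can be pulled out of a pptpd log mechanically. This is an added example, not code from the thread or from Sophos; it assumes the pptpd/pppd log format shown above and that pppd-pptp lines belong to the most recently opened control session.

```python
import re

# Constructed sample: lines copied from the pptpd/pppd excerpt posted above (trimmed).
SAMPLE_LOG = """\
2020:05:26-13:13:35 firewall pptpd[20095]: CTRL: Client 10.10.20.10 control connection started
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Starting call (launching pppd, opening GRE)
2020:05:26-13:13:36 firewall pppd-pptp[20096]: sent [LCP ConfReq id=0x1 <mru 1400> <auth chap MS-v2>]
2020:05:26-13:13:36 firewall pptpd[20095]: GRE: Bad checksum from pppd.
2020:05:26-13:13:36 firewall pptpd[20095]: GRE: xmit failed from decaps_hdlc: Operation not permitted
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
2020:05:26-13:13:36 firewall pptpd[20095]: CTRL: Client 10.10.20.10 control connection finished
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"CTRL: Client (\S+) control connection (started|finished)")

def parse_sessions(text):
    """Group pptpd log lines into control sessions keyed by the pptpd pid."""
    sessions, open_pids = {}, []  # open_pids: sessions not yet finished, oldest first
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, proc, pid, msg = m["ts"], m["proc"], m["pid"], m["msg"]
        if proc == "pptpd":
            c = CLIENT_RE.search(msg)
            if c and c.group(2) == "started":
                sessions[pid] = {"client": c.group(1), "started": ts, "finished": None,
                                 "call_started": False, "lcp_sent": False, "gre_errors": []}
                open_pids.append(pid)
            elif pid in sessions:
                s = sessions[pid]
                if c:  # "control connection finished"
                    s["finished"] = ts
                    open_pids.remove(pid)
                elif msg.startswith("CTRL: Starting call"):
                    s["call_started"] = True
                elif msg.startswith("GRE:"):
                    s["gre_errors"].append(msg)
        elif proc == "pppd-pptp" and open_pids and "sent [LCP ConfReq" in msg:
            # pppd logs under its own pid; assumption: it belongs to the newest open session
            sessions[open_pids[-1]]["lcp_sent"] = True
    return sessions

def diagnose(s):
    """Say where the session died, using only what the log records."""
    if any("Operation not permitted" in e for e in s["gre_errors"]):
        return "GRE transmit rejected by the UTM kernel (EPERM) right after LCP ConfReq; tunnel data path never came up"
    if s["finished"] and s["call_started"] and not s["lcp_sent"]:
        return "call started but pppd never sent LCP ConfReq"
    return "control session closed without a logged GRE error" if s["finished"] else "session still open"
```

Run over the full log from the thread, it isolates the one pptpd session and reports the EPERM on the GRE transmit as the point of failure, which is the symptom to chase before touching MTU or MPPE settings.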


  • "So I figured I'd connect the DIR-655 to my internal network (where cabling is accessible) via its WAN port and have it connect to the UTM via its built-in PPTP WAN."

    You may be able to get what you want without using PPTP...

    Doesn't the DLink's WAN port have a default gateway and doesn't it do masquerading?  Say the router's IP in your LAN is 172.21.1.221 and the UTM's Internal interface is 172.21.1.1.  Add a firewall rule at the top in the UTM '172.21.1.221 -> Any -> Internal (Network) : Drop'.  Won't that do what you want?

    You might be interested in a document I maintain that I make available to members of the UTM Community, "Configure HTTP Proxy for a Network of Guests."  If you would like me to send you this document, PM me your email address. For our German-speaking members, I also maintain a version auf Deutsch initially translated by fellow member hallowach when he and I did a major revision in 2013.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, damn. I should have expected you'd reply. You've been around here since my early days with Astaro.

    Yes, it does have a default gateway and does MASQ.

    That firewall rule would stop the FW from sending traffic from the Router to other hosts on the LAN. But wouldn't it still allow them to be reached through the switches?

    I'll certainly give it a shot though.
