[Gllug] Fun with PPTP and Proxy-ARP bridging firewalls

Rob Andrews rob at impure.org.uk
Thu Oct 4 09:01:09 UTC 2001


Hi folks (& hopefully network bods),

A few inconclusive googles have shown me that, since I can't get a PPTP VPN
link to a remote host, my problem is that GRE tunnels can't pass
through Proxy-ARP bridge firewalls. My network looks like this[0]:

  Hosts            Bridge

 .-----.
 |     |--.
 `-----'  |       .-----.        adsl
 .-----.  |_______|proxy|______.-----._____//___\ to demon...
 |     |--|   eth1|fwall|eth0  `-----'    //    /
 `-----'  |       `-----'       router 
 .-----.  |
 |     |--`
 `-----'
  ..etc

The bridge is set up thus...

ip route del my.sub.net/27 dev eth0
ip route del my.sub.net/27 dev eth1
ip route add adsl.router.address dev eth0
ip route add my.sub.net/27 dev eth1
(all hosts have world-facing IPs, no NAT anywhere to be seen)

+ ip_forward=1 and proxy_arp=1 on eth0 and eth1 in /proc/sys/net/ipv4/...

Now, everything's been fine. All ipv4 traffic is getting from A to B without
hassle. The firewall rules work fine. But when one of the host boxes tries
to connect to a PPTP server somewhere in the Outside World, it fails.

tcpdump is inconclusive - says that GRE packets are going out on eth0 (the
world-facing interface of the proxy firewall), but no GRE packets appear to
be coming in.

I tried disabling the firewall rules completely, and it still didn't work.

The last time this worked was when the bridge wasn't using proxy arp - it
was acting as a proper full ethernet bridge (802.1b).

If anyone has any ideas on why this isn't working, suggestions would be
gratefully received ;)

Regards,
Rob.

[0] whee, aren't text diagrams fun?

-- 
nine      <e> rob at impure.org.uk <pgp> 0x8bb5c71e <w> http://impure.org.uk/
* only the good die young. the rest are forced to code perl for eternity *

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
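An added example, not code from Rob's post or from any reply on the list: the proxy-ARP forwarder he describes (two NICs, one /27 of public addresses, no NAT) written out as a parameterised script, plus a pre-flight check of the kernel knobs it depends on and the tcpdump filters to run on each side so the GRE replies (IP protocol 47) can be followed hop by hop. The subnet, router address and interface names are assumptions, with RFC 5737 documentation addresses standing in for the real ones; since the post records that disabling the firewall rules did not help, the script deliberately adds no firewall rules and claims no fix.

```shell
#!/bin/sh
# Added example, not from the original post. Parameterises the proxy-ARP
# forwarder described in the mail and adds a check plus capture filters.
# Values below are assumptions: 192.0.2.0/27 stands in for my.sub.net/27,
# 192.0.2.1 for adsl.router.address, eth0/eth1 for the two NICs.

SUBNET="${SUBNET:-192.0.2.0/27}"     # the post's my.sub.net/27
ROUTER="${ROUTER:-192.0.2.1}"        # the post's adsl.router.address
WORLD_IF="${WORLD_IF:-eth0}"         # side facing the ADSL router
LAN_IF="${LAN_IF:-eth1}"             # side facing the hosts
PROC_ROOT="${PROC_ROOT:-/proc/sys/net/ipv4}"

# Emit (do not execute) the commands that turn the box into a proxy-ARP
# forwarder: remove the subnet routes the kernel put on both NICs, then pin
# the router behind the world-facing NIC and the whole subnet behind the
# LAN NIC, and enable forwarding and proxy ARP on both interfaces.
proxy_arp_setup_commands() {
    cat <<EOF
ip route del $SUBNET dev $WORLD_IF
ip route del $SUBNET dev $LAN_IF
ip route add $ROUTER dev $WORLD_IF
ip route add $SUBNET dev $LAN_IF
echo 1 > $PROC_ROOT/ip_forward
echo 1 > $PROC_ROOT/conf/$WORLD_IF/proxy_arp
echo 1 > $PROC_ROOT/conf/$LAN_IF/proxy_arp
EOF
}

# Verify that every knob the setup relies on reads 1. Prints one line per
# knob and returns non-zero if any is missing or not set, so it can gate
# the rest of a deployment script.
proxy_arp_check() {
    rc=0
    for k in ip_forward conf/$WORLD_IF/proxy_arp conf/$LAN_IF/proxy_arp; do
        v=$(cat "$PROC_ROOT/$k" 2>/dev/null || echo "")
        if [ "$v" = "1" ]; then
            echo "ok      $k=1"
        else
            echo "MISSING $k=${v:-<absent>}"
            rc=1
        fi
    done
    return $rc
}

# Capture filters to run on each side of the forwarder at the same time.
# GRE is IP protocol 47 and PPTP control is TCP/1723; -e prints the
# link-layer addresses, so you can see whether the router is sending the
# GRE replies to the forwarder's MAC (which is what proxy ARP should have
# caused) or to some other address.
gre_capture_commands() {
    for i in $WORLD_IF $LAN_IF; do
        echo "tcpdump -ni $i -e 'ip proto 47 or tcp port 1723'"
    done
}
```

Source the file, run `proxy_arp_setup_commands` to review the generated commands (pipe them into `sh` as root to apply them), then `proxy_arp_check` to confirm the knobs took effect, and run the two `gre_capture_commands` lines in parallel while a host attempts the PPTP connection: GRE seen on the world-facing side but not the LAN side points at the forwarder, GRE absent on both sides points at the router or beyond.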