[Gllug] Fun with PPTP and Proxy-ARP bridging firewalls
Rob Andrews
rob at impure.org.uk
Thu Oct 4 09:01:09 UTC 2001
Hi folks (& hopefully network bods),
A few inconclusive googles have shown me that, since I can't get a PPTP VPN
link to a remote host, my problem is that GRE tunnels can't pass
through Proxy-ARP bridge firewalls. My network looks like this[0]:
   Hosts           Bridge
  .-----.
  |     |--.
  `-----'  |       .-----.                  adsl
  .-----.  |_______|proxy|______.-----._____//___\ to demon...
  |     |--|  eth1 |fwall|eth0  `-----'      //   /
  `-----'  |       `-----'      router
  .-----.  |
  |     |--`
  `-----'
  ..etc
The bridge is set up thus...
ip route del my.sub.net/27 dev eth0
ip route del my.sub.net/27 dev eth1
ip route add adsl.router.address dev eth0
ip route add my.sub.net/27 dev eth1
(all hosts have world-facing IPs, no NAT anywhere to be seen)
+ ip_forward=1 and proxy_arp=1 on eth0 and eth1 in /proc/sys/net/ipv4/...
Now, everything's been fine. All ipv4 traffic is getting from A to B without
hassle. The firewall rules work fine. But when one of the host boxes tries
to connect to a PPTP server somewhere in the Outside World, it fails.
tcpdump is inconclusive - says that GRE packets are going out on eth0 (the
world-facing interface of the proxy firewall), but no GRE packets appear to
be coming in.
I tried disabling the firewall rules completely, and it still didn't work.
The last time this worked was when the bridge wasn't using proxy arp - it
was acting as a proper full ethernet bridge (802.1b).
If anyone has any ideas on why this isn't working, suggestions would be
gratefully received ;)
Regards,
Rob.
[0] whee, aren't text diagrams fun?
--
nine <e> rob at impure.org.uk <pgp> 0x8bb5c71e <w> http://impure.org.uk/
* only the good die young. the rest are forced to code perl for eternity *
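Added example (not part of the post, and not code from any tool mentioned in it): a small decoder for the PPTP data channel that the post's tcpdump observation is about. PPTP carries PPP inside "enhanced" GRE (IP protocol 47, GRE protocol type 0x880B, key field holding payload length and call ID), which is why ordinary TCP/UDP filtering and accounting on a firewall or bridge never shows it. The script parses constructed IPv4+GRE frames, counts PPTP-GRE packets per interface by direction, and flags interfaces that forwarded outbound GRE but saw nothing come back, i.e. the pattern described above. All addresses, interface names and frames are constructed; `192.0.2.0/27` stands in for the post's `my.sub.net/27`.

```python
import ipaddress
import struct

GRE_PROTO = 47          # IP protocol number for GRE
PPP_OVER_GRE = 0x880B   # GRE protocol type carrying PPP (PPTP, RFC 2637)
GRE_K = 0x2000          # key present: PPTP puts payload length + call ID here
GRE_S = 0x1000          # sequence number present
GRE_A = 0x0080          # acknowledgment number present (PPTP-specific bit)


def parse_ipv4_gre(pkt):
    """Decode an IPv4 packet carrying GRE. Returns a dict describing the GRE
    header (plus the PPTP key/seq/ack fields when present) or None if the
    packet is not IPv4 carrying GRE or is truncated."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != GRE_PROTO or len(pkt) < ihl + 4:
        return None
    info = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "pptp": False}
    gre = pkt[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    info["proto_type"] = ptype
    info["version"] = flags & 0x7
    if ptype != PPP_OVER_GRE or not flags & GRE_K:
        return info  # plain GRE (e.g. a site-to-site tunnel), not a PPTP data channel
    off = 4
    if len(gre) < off + 4:
        return None
    payload_len, call_id = struct.unpack("!HH", gre[off:off + 4])
    off += 4
    seq = ack = None
    if flags & GRE_S:
        if len(gre) < off + 4:
            return None
        seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & GRE_A:
        if len(gre) < off + 4:
            return None
        ack = struct.unpack("!I", gre[off:off + 4])[0]
    info.update(pptp=True, call_id=call_id, payload_len=payload_len,
                seq=seq, ack=ack)
    return info


def build_pptp_gre(src, dst, call_id, payload=b"\x00" * 8, seq=None, ack=None):
    """Construct an IPv4 + enhanced-GRE frame shaped like a PPTP data packet
    (constructed test data, not a real capture; IP checksum left as zero)."""
    flags = GRE_K | 1  # version 1 = enhanced GRE
    tail = b""
    if seq is not None:
        flags |= GRE_S
        tail += struct.pack("!I", seq)
    if ack is not None:
        flags |= GRE_A
        tail += struct.pack("!I", ack)
    gre = struct.pack("!HHHH", flags, PPP_OVER_GRE, len(payload), call_id) + tail + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0x4000, 64,
                     GRE_PROTO, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + gre


def _tcp_frame(src, dst):
    # Bare IPv4 header with protocol 6 (TCP): stands in for the PPTP control
    # channel on TCP/1723, which is not GRE and must be ignored by the counter.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def gre_direction_counts(frames, local_net):
    """frames: iterable of (interface, raw_bytes). Counts PPTP-GRE packets per
    interface: 'out' when the source address is inside local_net, else 'in'."""
    net = ipaddress.ip_network(local_net)
    counts = {}
    for iface, raw in frames:
        info = parse_ipv4_gre(raw)
        if info is None or not info["pptp"]:
            continue
        direction = "out" if ipaddress.ip_address(info["src"]) in net else "in"
        counts.setdefault(iface, {"out": 0, "in": 0})[direction] += 1
    return counts


def one_way_interfaces(counts):
    """Interfaces that forwarded PPTP-GRE outbound but saw no reply at all."""
    return sorted(i for i, c in counts.items() if c["out"] and not c["in"])


LOCAL_NET = "192.0.2.0/27"  # constructed stand-in for my.sub.net/27
SAMPLE_FRAMES = [  # constructed to mirror the post: GRE leaves, nothing returns
    ("eth1", _tcp_frame("192.0.2.10", "198.51.100.5")),
    ("eth1", build_pptp_gre("192.0.2.10", "198.51.100.5", call_id=7, seq=1)),
    ("eth0", build_pptp_gre("192.0.2.10", "198.51.100.5", call_id=7, seq=1)),
    ("eth1", build_pptp_gre("192.0.2.10", "198.51.100.5", call_id=7, seq=2)),
    ("eth0", build_pptp_gre("192.0.2.10", "198.51.100.5", call_id=7, seq=2)),
]

if __name__ == "__main__":
    summary = gre_direction_counts(SAMPLE_FRAMES, LOCAL_NET)
    for iface, c in sorted(summary.items()):
        print(f"{iface}: {c['out']} PPTP-GRE out, {c['in']} in")
    print("one-way interfaces:", one_way_interfaces(summary))
```

The same split is what you get from capturing on both bridge interfaces with `tcpdump -ni eth0 proto gre or tcp port 1723` (and likewise on eth1) and comparing: GRE seen leaving eth0 with no GRE arriving means whatever is upstream of eth0 (the router, the ADSL provider, or the PPTP server) is not delivering protocol 47 back, so the bridge's proxy-ARP and forwarding settings are not the first place to look. Note that PPTP call IDs differ per direction (each side carries the peer's ID), so pairing by source network rather than by call ID is what makes the direction count reliable.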
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug