RAzvan
I tested both ClearOS 6 and ClearOS 7, and the bug and problem is like this:

If you connect to the PPTP VPN and try to browse certain websites like mail.yahoo.com, speedtest.net and a couple more, the websites do not load, simply do not load at all.

I can ping and tracert successfully to the websites, but the browser does not load them or produce an error. Ping works, tracert works and I can even see traffic, but the page still does not load :D.

I tried the Yahoo DNS, the Google DNS, and even the provider's DNS; still nothing works... I changed the network IPs to many different configurations; still nothing fixed this :)

After a couple of tests I have seen a strange setting for the MTU value, which is 1400...

Has anybody seen this bug and fixed it somehow? I am very sure it is something to do with the MTU on the server side, since without the VPN all pages load, and with the VPN connected they do not load, but ping and tracert work...

So the problem and bug is the MTU value, but I do not know how to change this setting inside the VPN. It is required: put that before exit 0 in IPUP. /etc/ppp/ip-up for me.
In Support
Friday, September 18 2015, 06:29 PM

Accepted Answer

Friday, September 18 2015, 06:52 PM - #Permalink
You could have a look at this. I'd also add the "-i ppp+" from one of the comments so it does not affect normal connections.
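The symptom in this thread (ping and tracert succeed, some pages never load) fits an MTU mismatch: default pings are small, full-size TCP segments are not. As an added example, not part of any post in this thread, this shell script binary-searches the largest don't-fragment ping that crosses the tunnel; the function names and the test host are assumptions, and the `ping` flags are those of Linux iputils.

```shell
#!/bin/sh
# Added example: find the largest packet that crosses the tunnel unfragmented.

# probe HOST PAYLOAD succeeds when one ICMP echo carrying PAYLOAD data bytes,
# sent with the Don't Fragment bit set (-M do), gets a reply within 1 second.
probe() {
    ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the ICMP payload size and print the resulting path MTU
# (payload + 20-byte IPv4 header + 8-byte ICMP header).
# Returns 1 if even the smallest probe gets no reply (host down, ICMP filtered).
find_path_mtu() {
    host=$1
    lo=548      # payload of a 576-byte packet, assumed small enough to pass
    hi=1472     # payload of a full 1500-byte Ethernet packet
    probe "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then
            lo=$mid                 # this size fits, try larger
        else
            hi=$(( mid - 1 ))       # too big, try smaller
        fi
    done
    echo $(( lo + 28 ))
}

# Largest TCP MSS that fits an MTU: MTU minus 20-byte IPv4 and 20-byte TCP headers.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Usage, run on a Linux PPTP client while connected (host is a placeholder):
#   mtu=$(find_path_mtu test-host.example) && echo "MTU $mtu, MSS $(mss_for_mtu "$mtu")"
```

If the result is below 1500, full-size packets from websites cannot cross the tunnel unfragmented even though small pings can.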
Responses (6)
  • Accepted Answer

    Saturday, September 19 2015, 04:04 PM - #Permalink
    The DNS issue sounds a bit like a variant of the MultiWAN DNS issue which goes as follows:
    Many ISPs only allow you to use their DNS servers from inside their network. In a MultiWAN environment, if your system is configured to use the DNS servers of ISP1 but the load balancing pushes out your DNS lookup via the interface connected to ISP2, they will fail. Generally, in this situation it is better to configure your system to use public DNS servers such as GoogleDNS and OpenDNS.

    The corollary with PPTP is that your PPTP client PC may be set up to use a particular ISP's DNS servers. By default a PPTP VPN tunnels all traffic through the VPN (probably including DNS lookups), so DNS lookups could be trying to use one ISP's DNS servers while the traffic is routed via another ISP's network, which fails similarly to the MultiWAN case.

    There are a number of possible solutions.

    • In 6.x you can configure the DNS server in the PPTP settings. I hope you can do the same in 7.x. Here set it to something like your ClearOS LAN IP. If not, use a public DNS or the ClearOS ISP's server. I think the ClearOS LAN is preferable because then you can resolve names of other devices on your LAN.
    • Do what you have done and configure your PPTP client with a public DNS server as well. I'm not so keen on this.
    • Try the following iptables rules:
      iptables -t nat -I PREROUTING -p tcp --dport 53 ! -d your_ClearOS_LAN_IP -i ppp+ -j DNAT --to-destination your_ClearOS_LAN_IP
      iptables -t nat -I PREROUTING -p udp --dport 53 ! -d your_ClearOS_LAN_IP -i ppp+ -j DNAT --to-destination your_ClearOS_LAN_IP
      These rules redirect any DNS lookup traffic coming from a PPTP client to use your ClearOS server as a DNS server and override any DNS server they are trying to use through the VPN.
    • Turn on split tunnelling on the PPTP client - google "split tunnel pptp windows" to see how. It is a simple check-box but I can't remember which. Note with split tunnel turned on only traffic for your ClearOS LAN will go through the tunnel. All the rest will go through the PPTP client's LAN gateway.
  • Accepted Answer

    RAzvan
    Friday, September 18 2015, 08:05 PM - #Permalink
    I fixed it like this :) ...

    There are 2 things that need to be done:

    1) Add 3 DNS servers: 2 from your local provider and another one from Google DNS: 8.8.8.8
    2) On the server side: in /etc/ppp/, edit the file named ip-up (for example, nano /etc/ppp/ip-up) and

    add, after [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@", the line /sbin/ifconfig $REALDEVICE mtu 1500, like this:



    ********************************************************************************

    [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@"

    /sbin/ifconfig $REALDEVICE mtu 1500

    exit 0

    ********************************************************************************
  • Accepted Answer

    RAzvan
    Friday, September 18 2015, 07:40 PM - #Permalink
    Can you test using ClearOS 6? Or if you want, I can give you access to my VPN to see why and what happens.
  • Accepted Answer

    Friday, September 18 2015, 07:34 PM - #Permalink
    I see you've accepted the answer, but I'm not sure if you found where to put the rule. Initially try it at the command line. If it works copy and paste it into the custom firewall module or /etc/clearos/firewall.d/local.

    I'm also not sure why it works without the rule on 6.x and not 7.x, but I don't have a proper 7.x environment to test.

    FWIW even Micro$oft recommend you not to use PPTP (which they created) any more for security reasons. OpenVPN is preferable.
  • Accepted Answer

    RAzvan
    Friday, September 18 2015, 07:22 PM - #Permalink
    I cannot understand how it works very well with ClearOS 5, and with ClearOS 6 and ClearOS 7 it is not working :)).

    When I am connected I cannot view certain websites; without the VPN I can view them... and both with the VPN and without it I can ping and tracert...
  • Accepted Answer

    RAzvan
    Friday, September 18 2015, 07:21 PM - #Permalink
    Where exactly do I add that? Can you give me more detail so I can test right now? I am still trying to fix this issue, but until now with no luck :(.