
Resolved
0 votes
Hi!

I have ClearOS 6.7.0 set up in Gateway Mode and Transparent Proxy is Enabled...

eth0 External DHCP 192.168.1.68
eth1 LAN Static 10.1.1.1

Everything works fine on the LAN client machines, but when I connect to my gateway via the PPTP Server, the PPTP clients cannot browse the web; everything else, Internet-connection-wise (including https:// sites), works fine.

The PPTP Server is configured as follows:

Local IP Range 10.1.1.230-239
Remote IP Range 10.1.1.240-249
DNS Server 10.1.1.1
WINS Server

I am using the same IP range as on the LAN, but the ranges do not overlap with the DHCP server ranges or any LAN machine IPs.

I think the problem is somewhere in the firewall rules...

# iptables --list-rules
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N DROP-lan
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 169.254.0.0/16 -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i pptp+ -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A INPUT -d 192.168.1.68/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 192.168.1.68/32 -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -d 192.168.1.68/32 -p gre -j ACCEPT
-A INPUT -d 192.168.1.68/32 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.1.1.160/32 -o eth1 -p tcp -m tcp --dport 9512 -j ACCEPT
-A FORWARD -d 10.1.1.160/32 -o eth1 -p udp -m udp --dport 9512 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i pptp+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o pptp+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -p icmp -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -s 192.168.1.68/32 -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -s 192.168.1.68/32 -o eth0 -p tcp -m tcp --sport 81 -j ACCEPT
-A OUTPUT -s 192.168.1.68/32 -o eth0 -p gre -j ACCEPT
-A OUTPUT -s 192.168.1.68/32 -o eth0 -p tcp -m tcp --sport 1723 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A DROP-lan -j DROP


# iptables -t nat --list-rules
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -d 192.168.1.68/32 -p tcp -m tcp --dport 9512 -j DNAT --to-destination 10.1.1.160:9512
-A PREROUTING -d 192.168.1.68/32 -p udp -m udp --dport 9512 -j DNAT --to-destination 10.1.1.160:9512
-A PREROUTING -d 10.1.1.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -d 192.168.1.68/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -i pptp+ -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.1:3128
-A POSTROUTING -o tun+ -j ACCEPT
-A POSTROUTING -s 10.1.1.0/24 -d 10.1.1.160/32 -p tcp -m tcp --dport 9512 -j SNAT --to-source 10.1.1.1
-A POSTROUTING -s 10.1.1.0/24 -d 10.1.1.160/32 -p udp -m udp --dport 9512 -j SNAT --to-source 10.1.1.1
-A POSTROUTING -o eth0 -j MASQUERADE


I have added a custom firewall rule for the PPTP Server clients to be able to browse the web via the Transparent Proxy in the Custom Firewall web interface module:

iptables -t nat -A PREROUTING -i pptp+ -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.1.1:3128



My questions are:

1. Is this the correct approach to the PPTP Server configuration, or should I use different IP ranges, for example 10.1.2.230-239 and 10.1.2.240-249, that would not overlap with my LAN IP range?

2. Is the firewall configured correctly? Or is there anything else needed besides this one Custom Firewall rule?

3. What would the Custom Firewall rule(s) be for the PPTP Server clients to bypass the Transparent Proxy instead of using it?


Thanks in advance!
Wednesday, March 23 2016, 05:13 AM
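As an added illustration (not part of the original post or of ClearOS), here is a small Python model of the nat PREROUTING chain listed above: it walks a port-80 packet from a LAN client (eth1) and from a PPTP client (pptp0) through the page's rules in order, with and without the custom DNAT rule, and through a REDIRECT variant of it. Assumptions: pptp0's local address is 10.1.1.230 (the first address of the PPTP "Local IP Range"), 203.0.113.10 is a constructed external web server, and REDIRECT rewrites the destination to the primary address of the interface the packet arrived on.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Gateway interface addresses from the thread; pptp0's local address is an
# assumption (first address of the PPTP "Local IP Range").
IFACE_ADDR = {"eth0": "192.168.1.68", "eth1": "10.1.1.1", "pptp0": "10.1.1.230"}

@dataclass
class Rule:
    target: str                      # ACCEPT, REDIRECT or DNAT
    in_iface: Optional[str] = None   # -i pattern, e.g. "pptp+"
    dst: Optional[str] = None        # -d address (/32)
    dport: Optional[int] = None      # --dport
    to: Optional[str] = None         # DNAT "ip:port" or REDIRECT "port"

def iface_match(pattern: str, iface: str) -> bool:
    """iptables '+' wildcard: 'pptp+' matches pptp0, pptp1, ..."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern

def matches(r: Rule, in_iface: str, dst: str, dport: int) -> bool:
    return ((r.in_iface is None or iface_match(r.in_iface, in_iface))
            and (r.dst is None or r.dst == dst)
            and (r.dport is None or r.dport == dport))

def prerouting(rules, in_iface: str, dst: str, dport: int) -> Tuple[str, int]:
    """First-match walk of a nat PREROUTING chain. Returns the destination the
    packet carries afterwards; unchanged if no rule hits or ACCEPT hits."""
    for r in rules:
        if not matches(r, in_iface, dst, dport):
            continue
        if r.target == "ACCEPT":      # stop translating, keep original dst
            return dst, dport
        if r.target == "REDIRECT":    # to the *incoming* interface's own address
            return IFACE_ADDR[in_iface], int(r.to)
        if r.target == "DNAT":        # to the explicit ip:port
            ip, port = r.to.split(":")
            return ip, int(port)
    return dst, dport

# The page's port-80 rules in chain order (the 9512 DNAT rules never match here)
PAGE_RULES = [
    Rule("ACCEPT", dst="10.1.1.1", dport=80),
    Rule("ACCEPT", dst="192.168.1.68", dport=80),
    Rule("REDIRECT", in_iface="eth1", dport=80, to="3128"),
]
CUSTOM_DNAT = Rule("DNAT", in_iface="pptp+", dport=80, to="10.1.1.1:3128")
REDIRECT_VARIANT = Rule("REDIRECT", in_iface="pptp+", dport=80, to="3128")
WEB = "203.0.113.10"   # constructed external web server address
```

Without the custom rule a PPTP client's port-80 packet leaves the chain untranslated, so it never reaches the proxy; the REDIRECT variant sends it to pptp0's own address on 3128, where the proxy is not listening.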
Responses (2)
  • Accepted Answer

    Wednesday, March 23 2016, 11:35 PM
    Resolved
    0 votes
    Thank you for the reply, Nick!

    Nick Howitt wrote:

    Why not configure the pptp proxy rule to be the same as the normal proxy one next to it, i.e. "-j REDIRECT --to-ports 3128" instead of "-j DNAT --to-destination 10.1.1.1:3128"?


    I tried it, it does not work like that. I think it is because REDIRECT only operates on the same interface, but there is no service running on the pptp0 interface on port 3128; it is on the eth1 interface, so I have to use DNAT with IP + port instead.

    Nick Howitt wrote:

    Do you want to force your external users through your VPN when they browse the internet? It is generally much slower than browsing directly as it is limited by the server's upload speed. If you want them to use the local connection for the internet, google "pptp split tunnel windows" and you'll see how to fix it. It is a single check-box.


    Yes I do, this is exactly what I want. They connect to the server via PPTP and browse the web via the server; it does not matter whether they use the proxy server or not. It is because I need them to appear in my country, as they are physically located in another country and some TV etc. services are restricted to my country only. I know it is slower, etc., and I know how to make them browse directly (uncheck "Use default gateway on remote network" under TCP -> Properties -> Advanced in Windows), but in this case it is intended this way.

    Nick Howitt wrote:

    It should be fine using the same subnet as your LAN as long as the addresses used for pptp will never clash with other addresses used by the LAN.


    Good, they will not.

    Nick Howitt wrote:

    It is odd, but without the rule you added I would have expected the PPTP users to be able to browse the internet bypassing the proxy. Therefore, it follows that I don't know how to bypass the proxy for the PPTP users. User by user would be impossible anyway as you never know which PPTP IP they will be using.


    Yes, it is odd. And I would have expected the browsing to work from the beginning, whether via the transparent proxy or not. It must be the firewall blocking the direct connections to TCP destination port 80 somewhere, as all other traffic works fine. No need for user by user, I just want to select whether their traffic to port 80 flows via the transparent proxy or not. I should be able to bypass the PPTP Server clients' IP range in the proxy server's configuration as well, but I would like them not to touch the proxy service at all and go directly.

    Nick Howitt wrote:

    FWIW, for security reasons, even Micro$oft, who created PPTP, recommend you don't use PPTP unless there is no choice. I would say OpenVPN would be better.


    I am aware of that, but security is not important in this case. Easy, client-software-less installation without all the certificates etc. hassle is the reason I use PPTP over OpenVPN.
  • Accepted Answer

    Wednesday, March 23 2016, 05:46 PM
    Resolved
    1 votes
    Why not configure the pptp proxy rule to be the same as the normal proxy one next to it, i.e. "-j REDIRECT --to-ports 3128" instead of "-j DNAT --to-destination 10.1.1.1:3128"?

    Do you want to force your external users through your VPN when they browse the internet? It is generally much slower than browsing directly as it is limited by the server's upload speed. If you want them to use the local connection for the internet, google "pptp split tunnel windows" and you'll see how to fix it. It is a single check-box.

    It should be fine using the same subnet as your LAN as long as the addresses used for pptp will never clash with other addresses used by the LAN.

    It is odd, but without the rule you added I would have expected the PPTP users to be able to browse the internet bypassing the proxy. Therefore, it follows that I don't know how to bypass the proxy for the PPTP users. User by user would be impossible anyway as you never know which PPTP IP they will be using.

    FWIW, for security reasons, even Micro$oft, who created PPTP, recommend you don't use PPTP unless there is no choice. I would say OpenVPN would be better.