[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

can't get pptp clients to work behind a obsd nat/firewall setup

I've had this working before under 3.4 but can't seem to make this 
work under 3.5.

Box is 3.5 running generic, not tracking stable.

I just need a single win xp pro box to connect to my company's vpn 
using the built in xp pro vpn client.  

Here's my current pf setup:

ext_if="xl0"    # replace with actual external interface name i.e., dc0
int_if="xl1"    # replace with actual internal interface name i.e., dc1
priv_nets = "{,,, }"
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"
blocked_list = "{ }"

set loginterface $ext_if
set block-policy return

scrub in all

# NAT Rules
nat on $ext_if from $internal_net to any -> ($ext_if)
rdr on $int_if proto tcp from $internal_net to ! $internal_net port ftp 
-> 127.0
.0.1 port 8021

# Filters

# Default Deny Rule
block all

# Allow loopback traffic to pass
pass quick on lo0 all

# Process Blocked List
block drop in quick on $ext_if from $blocked_list to any
block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Traffic Rules

# Inbound
pass in on $ext_if inet proto tcp from any to ($ext_if) port tcp_services flags S/SA keep state
pass in inet proto gre all keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $internal_net to any keep state

# Outbound
pass out inet proto gre all keep state
pass out on $int_if from any to $internal_net keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

I can make the connection to the vpn but no data is passed after that.  
I'm sure it's something simple that I'm missing but I'm stumped right 
now.  Google and the misc archives haven't turned up anything for me.

Would a kernel recompile with GRE enabled make this work?


Visit your host, monkey.org