I’ve googled and hacked till I’m blue in the face, even upgraded the machine from 11.3 to 12.1 but I can’t get it to work.
The machine is also a samba server.
Samba is accessible to all local machines (linux, winXP and win7).
I can connect to the VPN from a remote client (XP or 7) and can map shares on the VPN server using ip address but cannot map shares on other servers using netbios name or ip address. I can only ping the VPN server but not other machines or the router/gateway.
The setup is:
openSUSE 21.1
local network 192.168.10.0/24
gateway: 192.168.10.1
public range: xxx.xxx.xxx.136-143
router: xxx.xxx.xxx.142
VPN Server: xxx.xxx.xxx.138
VPN Nat: 192.168.10.96-101
remote network: 192.168.30.0/24
gateway: 192.168.30.1
public ip : fixed
Port 1723 and protocol 47 are open on firewall
Chap-secrets has username and password set
‘Enable ip forwarding’ is checked in yast/network device
‘Use default gateway on remote network’ is checked in client properties
I have added this to /etc/sysconfig/scripts/SUSEfirewall2-custom:
fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
    # these are the rules to be loaded after IP forwarding and masquerading
    # but before the logging and deny all section is set by SuSEfirewall2.
    # You can use this hook to prevent the logging of annoying packets.

    # example: prevent logging of talk requests from anywhere
    #for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
    #    iptables -A $chain -j DROP -p udp --dport 517:518
    #done

    iptables -A FORWARD -i ppp0 -o eth0 -s 192.168.10.96/29 -m state --state NEW -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A POSTROUTING -t nat -j MASQUERADE

    true
}
A few more days googling and I have got it working!
Disregard the last section above about iptables.
In /etc/sysconfig/SUSEfirewall2, change the following parameters:
FW_ALLOW_CLASS_ROUTING="int"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_DEV_INT="ppp0 ppp1 ppp2 … pppn"
You need a pppx entry for each tunnel.
Make sure the "yes"s are lower case.
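
A check for the settings listed in the follow-up above, as an added example that is not part of the original post: it parses a SuSEfirewall2-style file without sourcing it and flags a wrong-case "yes", a missing "int", or a tunnel interface absent from FW_DEV_INT. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a SuSEfirewall2-style sysconfig file for the four
# settings named in the post. The file is parsed, never sourced.

# Print the value assigned to KEY ($2) in FILE ($1); last assignment wins.
# Lines written as 'KEY = "value"' (spaces around '=') do not match, since
# a shell reading the file would not treat them as assignments either.
get_val() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# check_pptp_fw FILE [pppN ...]: print each problem, return the problem count.
check_pptp_fw() {
    cfg=$1; shift
    problems=0
    for key in FW_ROUTE FW_MASQUERADE; do
        val=$(get_val "$cfg" "$key")
        if [ "$val" != "yes" ]; then
            echo "$key is '$val', expected lower-case 'yes'"
            problems=$((problems + 1))
        fi
    done
    val=$(get_val "$cfg" FW_ALLOW_CLASS_ROUTING)
    if [ "$val" != "int" ]; then
        echo "FW_ALLOW_CLASS_ROUTING is '$val', expected 'int'"
        problems=$((problems + 1))
    fi
    dev_int=$(get_val "$cfg" FW_DEV_INT)
    for tunnel in "$@"; do        # one pppN interface per expected tunnel
        case " $dev_int " in
            *" $tunnel "*) ;;
            *) echo "$tunnel is missing from FW_DEV_INT"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample input (not from the post): upper-case "Yes", no ppp2.
sample=$(mktemp)
cat > "$sample" <<'EOF'
FW_ALLOW_CLASS_ROUTING="int"
FW_ROUTE="yes"
FW_MASQUERADE="Yes"
FW_DEV_INT="ppp0 ppp1"
EOF
check_pptp_fw "$sample" ppp0 ppp1 ppp2 || echo "problems found: $?"
rm -f "$sample"
```

Pass the real configuration file as the first argument and the ppp interfaces you expect tunnels on as the remaining arguments.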