
List:       openbsd-pf
Subject:    RE: Delay changing the dynamic address in a VPN NAT rule
From:       "Paul Collis" <tdirect () yahoo ! com>
Date:       2007-07-24 5:55:04
Message-ID: 000401c7cdb7$2fb7c370$0b0ba8c0 () mulberry ! local

Stuart,

I was only using the pings as an example. In reality it was an SVN client
that was failing but it was harder to see why. However, thanks to your
advice about the VPN address being picked up when the state changes I have
added the following two lines to my ppp.linkup script:

!bg /sbin/pfctl -k 0.0.0.0/0 -k 192.168.0.0/24
!bg /sbin/pfctl -k 0.0.0.0/0 -k 192.168.3.0/24

This seems to have cured the problem I was experiencing. Now the SVN client,
and pings for that matter, dial the VPN and can access the corporate server
immediately.

Paul

-----Original Message-----
From: Stuart Henderson [mailto:stu@spacehopper.org] 
Sent: 22 July 2007 11:41
To: Paul Collis
Cc: pf@benzedrine.cx
Subject: Re: Delay changing the dynamic address in a VPN NAT rule

On 2007/07/20 17:39, Paul Collis wrote:
> I have a firewall running OpenBSD 4.1-STABLE with pptp-1.7.1 to access a
> corporate VPN from a Windows XP machine on the internal LAN. The VPN uses
> dial on demand. Running ping on the Windows machine to access the
> corporate server (192.168.0.143) does connect the VPN but the pings time
> out. After some time (it varies from a few seconds to a minute or so) the
> pings suddenly start working. Meanwhile I can ping the same server
> directly from the firewall over the VPN without any problem.

The address is picked up when state is created; this will be used
until it times out, so a single run of 'ping' will usually match the
existing state. You could drop the state timeout values for ICMP
(at least for the pings you use to establish the connection);
you would do this in the 'pass' rule that permits these packets,
not in the nat rule. You may also need to use a larger delay
between ping packets. (or, just ignore the ping output :-)
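As an added example that is not part of this thread or of either author's configuration, the script below does in POSIX sh what Paul's two ppp.linkup lines do: once the link is up, it kills the pf states that were created while the nat rule still carried the stale address, so the next packet towards the corporate networks creates a fresh state and, as Stuart describes, picks up the current VPN address. It adds one thing the raw pfctl lines lack, a sanity check on each network, so a typo in ppp.linkup does not silently kill nothing (or too much). The script path /etc/ppp/vpn-flush-states.sh, the VPN_NETS list, and the PFCTL override used for dry runs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Intended to be saved as
# /etc/ppp/vpn-flush-states.sh (assumed path) and invoked from ppp.linkup
# with a line such as:  !bg /etc/ppp/vpn-flush-states.sh
# It kills existing pf states towards the VPN networks so that new states
# are created with the address the link now has.

# Networks reached over the VPN (the two from the thread); override with
# the VPN_NETS environment variable if your setup differs.
VPN_NETS="${VPN_NETS:-192.168.0.0/24 192.168.3.0/24}"
# Command used to kill states. A test or a dry run can set PFCTL to a
# function or to a program that only prints its arguments.
PFCTL="${PFCTL:-/sbin/pfctl}"

# Return 0 when $1 is a dotted-quad IPv4 address with an optional /prefix
# in the range 0-32, otherwise 1. Keeps a typo from reaching pfctl -k.
valid_net() {
    net="$1"
    case "$net" in
        */*) addr="${net%/*}"; pfx="${net#*/}" ;;
        *)   addr="$net";      pfx=32 ;;
    esac
    case "$pfx" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$pfx" -le 32 ] || return 1
    oldIFS="$IFS"; IFS=.
    set -- $addr
    IFS="$oldIFS"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Kill every state whose destination lies in $1, from any source host:
# the same "pfctl -k 0.0.0.0/0 -k NET" form used in the thread.
kill_states_to() {
    if ! valid_net "$1"; then
        echo "vpn-flush-states: skipping invalid network: $1" >&2
        return 1
    fi
    "$PFCTL" -k 0.0.0.0/0 -k "$1"
}

# Flush states for every configured network. Returns non-zero if any
# entry was rejected or pfctl failed, so ppp's log shows the problem.
flush_vpn_states() {
    rc=0
    for n in $VPN_NETS; do
        kill_states_to "$n" || rc=1
    done
    return $rc
}

# Only act when run as the script itself, not when sourced for testing.
case "$0" in
    *vpn-flush-states*) flush_vpn_states ;;
esac
```

Killing states in one direction (any source, destination inside the VPN network) matches the page's pfctl lines: pf keys a state on the packet that created it, so states for connections the LAN hosts initiated towards the corporate servers are the ones removed, and reply traffic for a new state is matched by that new entry.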