Hello,
I'm still struggling to get PPTP VPN working on my pro router with 1.8.5...
My config is as follows:
LAN 1 by default going to WAN 1
LAN 2 by default going to WAN 2
If a WAN fails, its associated LAN goes to the other one
This works fine.
I am trying to set up a PPTP server on that router. I'm fine with it working only when connecting through WAN 1 (I'll look at making it work via either WAN later on), and I'm only interested in getting access to LAN 1.
Currently the PPTP server works fine, but only when I disable WAN 2. When I keep WAN 2 enabled, the connection gets established but I can't reach any device from my phone.
Is there someone out there who has a PPTP server working on a config with 2 LANs, 2 WANs and a PBR setup (not load balancing)? I think I'm probably missing "something" that forces the VPN traffic onto WAN 1 systematically. As a consequence, it could be that the replies to the PPTP clients are going out over WAN 2...
I hope I make sense. Thanks in advance for your help.
My config is posted below. Note that there are elements of the config that are there for a site-to-site IPsec connection between this site and another; that does not work yet either, probably blocked by the same issue as the PPTP server.
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    /* Policy-based routing: applied on the LAN-side interfaces (eth2, eth2.10) below.
       Rule 5 pulls traffic for the IPsec remote prefix back into table main before
       rule 10 can send it to table 1. NOTE(review): the PPTP client-ip-pool
       192.168.101.200-210 has no matching exemption, so LAN 1 replies to PPTP
       clients presumably match rule 10 and follow table 1's only route (default via
       ISP 1) instead of the ppp interface — verify against the routing tables while
       a client is connected. */
    modify SOURCE_ROUTE {
        rule 5 {
            action modify
            description "make traffic to site 2 go to VPN kernel route"
            destination {
                address 10.1.1.0/24
            }
            modify {
                table main
            }
        }
        rule 10 {
            action modify
            description "traffic from LAN 1 to WAN 1"
            modify {
                table 1
            }
            source {
                address 192.168.101.0/24
            }
        }
        rule 20 {
            action modify
            description "traffic from LAN 2 to WAN 2"
            modify {
                table 2
            }
            source {
                address 172.16.101.0/24
            }
        }
    }
    /* Empty ruleset, not referenced by any interface in the visible config. */
    modify balance {
    }
    /* Inbound from either WAN toward the LANs: default drop, only return traffic
       and IPsec-protected traffic from site 2 are accepted. */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
        rule 21 {
            action accept
            description "Allow VPN traffic from site 2"
            destination {
                address 192.168.101.0/24
            }
            ipsec {
                match-ipsec
            }
            log enable
            protocol all
            source {
                address 10.1.1.1-10.1.1.3
            }
        }
    }
    /* Inbound from either WAN toward the router itself: default drop; opens only
       IKE (udp/500), ESP, NAT-T (udp/4500), PPTP control (tcp/1723) and GRE.
       The web UI ports (80/443, see service gui) have no rule here, so as written
       they are not reachable from the WAN side. */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log enable
            state {
                invalid enable
                new disable
                related disable
            }
        }
        rule 30 {
            action accept
            description "Allow VPN traffic from site 2 to the router"
            destination {
                address 192.168.101.1
            }
            ipsec {
                match-ipsec
            }
            log disable
            protocol all
            source {
                address 10.1.1.1-10.1.1.3
            }
        }
        rule 40 {
            action accept
            description "Allow IKE-UDP-500"
            destination {
                port 500
            }
            log disable
            protocol udp
        }
        rule 50 {
            action accept
            description "Allow ESP-50"
            log disable
            protocol esp
        }
        rule 60 {
            action accept
            description "Allow NAT-T-UDP-4500"
            destination {
                port 4500
            }
            log disable
            protocol udp
        }
        /* Both WAN_LOCAL instances (eth0 and eth1) accept PPTP, so a client may
           land on either WAN even though the poster only expects WAN 1. */
        rule 70 {
            action accept
            description "Allow PPTP"
            destination {
                port 1723
            }
            log disable
            protocol tcp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 80 {
            action accept
            description "GRE for PPTP"
            log disable
            protocol gre
        }
    }
    receive-redirects disable
    send-redirects enable
    /* Reverse-path check is off — presumably deliberate with two WANs and PBR,
       since replies may legitimately leave a different interface. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* WAN 1 */
    ethernet eth0 {
        address dhcp
        description Numericable
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* WAN 2 */
    ethernet eth1 {
        address dhcp
        description OVH
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* LAN 1 (untagged) and LAN 2 (VLAN 10); both run the SOURCE_ROUTE PBR ruleset. */
    ethernet eth2 {
        address 192.168.101.1/24
        description "LAN 1"
        duplex auto
        firewall {
            in {
                modify SOURCE_ROUTE
            }
        }
        speed auto
        vif 10 {
            address 172.16.101.1/24
            description "VLAN 2"
            firewall {
                in {
                    modify SOURCE_ROUTE
                }
            }
        }
    }
    [snip...snip]
    loopback lo {
    }
}
protocols {
    static {
        /* Table main: both ISP gateways as default next-hops, plus a kernel route
           to the site 2 prefix. Tables 1 and 2 hold a single default route each,
           so anything PBR'd into them follows that default regardless of
           destination. */
        route 0.0.0.0/0 {
            next-hop gateway_IP_for_ISP_1 {
            }
            next-hop gateway_IP_for_ISP_2 {
            }
        }
        route 10.1.1.0/24 {
            next-hop IP_site_2 {
            }
        }
        table 1 {
            route 0.0.0.0/0 {
                next-hop gateway_IP_for_ISP_1 {
                }
            }
        }
        table 2 {
            route 0.0.0.0/0 {
                next-hop gateway_IP_for_ISP_2 {
                }
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        /* DHCP range .100-.199 on LAN 1; the PPTP pool .200-.210 sits in the
           same /24 just above it. */
        shared-network-name LAN 1 {
            authoritative enable
            subnet 192.168.101.0/24 {
                default-router 192.168.101.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 192.168.101.100 {
                    stop 192.168.101.199
                }
                unifi-controller 192.168.101.9
            }
        }
        shared-network-name LAN 2 {
            authoritative disable
            subnet 172.16.101.0/24 {
                default-router 172.16.101.1
                dns-server 8.8.8.8
                dns-server 8.8.4.4
                lease 86400
                start 172.16.101.100 {
                    stop 172.16.101.130
                }
            }
        }
    }
    dns {
        /* Dynamic DNS is updated from WAN 1 (eth0) only. */
        dynamic {
            interface eth0 {
                service dyndns {
                    [snip...snip]
                }
                web dyndns
            }
        }
        /* DNS forwarder listens on the LAN interfaces only. */
        forwarding {
            cache-size 150
            listen-on eth2
            listen-on eth2.10
        }
    }
    gui {
        http-port 80
        https-port 443
        /* Keeps legacy cipher suites enabled for the web UI. */
        older-ciphers enable
    }
    nat {
        /* Rule 5000 keeps LAN 1 -> site 2 traffic out of masquerade on eth0;
           this overlaps with vpn ipsec auto-firewall-nat-exclude enable below. */
        rule 5000 {
            description "Exclude IPsec from local to remote from NAT"
            destination {
                address 10.1.1.0/24
            }
            exclude
            log enable
            outbound-interface eth0
            protocol all
            source {
                address 192.168.101.0/24
            }
            type masquerade
        }
        rule 5001 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            log disable
            outbound-interface eth1
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name EdgeRouterPro8
    /* The snipped user block left an unmatched brace in the paste; kept as posted. */
    login {
        [snip...snip] }
    }
    name-server 8.8.8.8
    name-server 8.8.4.4
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone Europe/Paris
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        /* IPsec is bound to WAN 1 only. */
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer IP_site_2 {
                authentication {
                    mode pre-shared-secret
                    /* NOTE(review): the PSK is visible in clear in this paste; if it is
                       the live value rather than a placeholder, rotate it on both peers. */
                    pre-shared-secret testing123
                }
                connection-type initiate
                description Site 2
                ike-group FOO0
                ikev2-reauth inherit
                local-address IP_site_1_WAN_1
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.101.0/24
                    }
                    remote {
                        prefix 10.1.1.0/24
                    }
                }
            }
        }
    }
    pptp {
        remote-access {
            authentication {
                local-users {
                    [snip...snip]
                }
                mode local
            }
            /* Pool is inside the LAN 1 subnet, above the DHCP range. */
            client-ip-pool {
                start 192.168.101.200
                stop 192.168.101.210
            }
            dns-servers {
                server-1 8.8.8.8
                /* NOTE(review): 8.8.8.9 does not match the 8.8.4.4 used everywhere
                   else in this config — likely a typo. */
                server-2 8.8.8.9
            }
            mtu 1024
        }
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.8.5.4884695.160608.1104 */