PPTP clients in local (inside nat) net can't connect to PPTP server.
I can solve this problem only for ONE client by adding rule to destination nat like this:
sh nat destination rule 1
inbound-interface eth0
protocol gre
translation {address a.b.c.d}
But this is not solution, because client address is not fixed and there can be many clients.
I tried enable/disable conntrack modules pptp and gre, but unsuccesfully.
On versions 1.1.7 and 1.1.8 all work fine. Problem there is on version 1.2.0.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | BUG | c-po | T1141 Conntrack helpers are no longer active by default | ||
| Resolved | BUG | dmbaturin | T1011 FTP connection tracking slightly broken |
I suppose problem in conntrack modules. Not only PPTP doesn't work. Publishing of FTP server after upgrade to version 1.2.0 from 1.1.8 also stop working. Disabling/Enabling ftp conntrack do not solve problem too.
I can confirm, that problem with connection tracking is exist. Reason in this change in Linux kernel. Now, by default, all connection helpers is disabled. You may try to search in your log files something like:
kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
If you want, you may read more about this here.
So, we need to add all helpers by hand. You may try next workaround. Add this to /config/scripts/vyatta-postconfig-bootup.script:
sleep 10 iptables -t raw -I VYATTA_CT_HELPER 1 -p tcp --dport 1723 -j CT --helper pptp iptables -t raw -I VYATTA_CT_HELPER 2 -p tcp --dport 21 -j CT --helper ftp
Then reboot or, if you want tot apply it without rebooting, just execute all commands in root shell.
And wait for fix in furthers builds, of course. :)
@zsdc The fix for T1011 should have fixed this, but there's a crucial and annoying detail: apparently when the nf_conntrack module is (re)loaded without nf_conntrack_helper=1 option, the sysctl value gets overwritten.
I've adjusted modprobe options everywhere to make sure it's always loaded with helper option enabled. Let's keep the old behaviour in 1.2.0, cleaning it up is a task for firewall/conntrack scripts rewrite in a future release.
Today I maked new ISOs. Now FTP and PPTP conntrack modules work as expected!
Problem resolved for me.
OK. So, for now, anyone can use workarounds provided in T1011 or here. And wait for permanent fix in further builds.