
Re: Routing



"Mark Maas" <mark@menem.mine.nu> writes:
> 
> When I use the MS pptp client and login to the pptpd server on this machine
> I can ping all networks from the client, but cannot reach the internet.
> Pinging google.nl results in the name being resolved to the ip address of
> google.nl but the request doesn't ever reach google.nl...

Oh boy...

We're getting to the stage where you may have to explain what it is
you're trying to accomplish and give a lot more detail about your
network topology.

Why are you setting up this PPTP tunnel?  Are you using it as an
(expensive) way to connect a single machine on the intranet to the
Internet through the ADSL (??) on the Linux box?  Or are you
eventually aiming to have a Windows machine out on the big, bad
Internet connect to your intranet through the secure PPTP tunnel and
have access to all intranet machines and also the rest of the
Internet?

Besides the ADSL on your Linux box, are there any other connections
from the intranet to the Internet?  Are other machines forwarding
traffic through your Linux box right now?  Or are they even able to
connect to the Internet?  Do you have a single external IP address or
a block of them?

In a nutshell, what's probably going wrong is that your Windows
machine, whatever its original IP address was, reconfigured itself
when you started up its PPTP client.  It's now using its original IP
address only to shuttle packets across the PPTP tunnel to and from the
Linux box.  For all other purposes, it's using the IP address assigned
by the copy of "pppd" running on the Linux box (in the "remote IP
address" line in your log).  This is presumably some address on the
192.168.8.x network, say 192.168.8.123.

When you ping, say, the intranet gateway "192.168.8.4", from the
Windows box, the packet goes out with source IP 192.168.8.123 and
destination 192.168.8.4 across the PPTP tunnel.  The Linux box
forwards the packet out to the "eth0" interface where 192.168.8.4
picks it up and generates a reply.  The reply needs to go to
192.168.8.123, and that's fine---the Linux box has configured itself
to do proxy ARP for 192.168.8.123, so packets destined for that
address go to your Linux box which recognizes that it's destined for
the Windows machine and shuttles the packet back across the PPTP
tunnel and you get your reply.

Unfortunately, when you ping "google.nl", the packet goes out with
source IP 192.168.8.123 across the PPTP tunnel.  The Linux box
forwards the packet out to the "eth1" interface (because its
destination matches the default route), and it goes out to "google.nl"
with an internal source IP.  It either gets filtered at your or
"google.nl"'s ISP perimeter (when the firewalls notice that its source
IP is an unroutable address) or "google.nl" actually gets the packet,
formulates a reply, and discovers it can't deliver it.

If you really want things to work this way, you need to do source NAT
on behalf of the Windows machine (or any other internal machine that's
trying to send packets to the Internet through your Linux machine) so
packets that hit the Internet can find their way back to your Linux
machine through its public (ADSL) IP address.

-- 
Kevin <buhr@telus.net>
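Kevin's closing suggestion (source NAT on the Linux box) as a worked example. This script is added here and is not part of the original thread; it assumes the ADSL link is "eth1", the intranet and the pppd-assigned PPTP addresses both live in 192.168.8.0/24, and the gateway uses iptables. By default it only emits the commands so the plan can be reviewed; "--apply" runs them.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed topology:
#   eth0 = intranet (192.168.8.0/24, PPTP peers get addresses from it too)
#   eth1 = ADSL link with the single public address
EXT_IF="${EXT_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.8.0/24}"

# Print the commands rather than running them, so the rule set can be
# inspected before it touches a live gateway.
snat_plan() {
    ext_if="$1"; lan_net="$2"
    # 1. A stock kernel does not forward between interfaces until told to.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # 2. Rewrite the private source address of LAN/PPTP traffic leaving via
    #    the ADSL link to the link's own address. MASQUERADE instead of
    #    "SNAT --to" because an ADSL address is usually dynamic.
    echo "iptables -t nat -A POSTROUTING -s $lan_net -o $ext_if -j MASQUERADE"
    # 3. Forward only what is intended: LAN/PPTP out, and replies back in.
    echo "iptables -A FORWARD -s $lan_net -o $ext_if -j ACCEPT"
    echo "iptables -A FORWARD -i $ext_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -P FORWARD DROP"
}

# Sanity check for after applying: does the POSTROUTING chain hold a
# masquerade rule for the external interface?  Reads the output of
# "iptables -t nat -S POSTROUTING" from stdin so it can be checked offline.
has_masquerade() {
    grep -q -- "-o $1 .*-j MASQUERADE"
}

case "${1:-}" in
    --apply) snat_plan "$EXT_IF" "$LAN_NET" | sh -e ;;
    *)       snat_plan "$EXT_IF" "$LAN_NET" ;;
esac
```

With the masquerade rule in place, the ping to "google.nl" leaves eth1 with the public ADSL address as its source, and the reply is translated back to 192.168.8.123 by the connection-tracking state before being shuttled across the tunnel. Verify with `iptables -t nat -S POSTROUTING | sh ./snat.sh` style checks, or simply `iptables -t nat -S POSTROUTING | has_masquerade eth1` after sourcing the script.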
