# MPD5 connection always fails



## kelunyang (Aug 5, 2012)

Hi,
I have tried to set up MPD5 with PPTP, but it still fails after a whole weekend; can anyone give me some advice? (The PPTP client is Windows 7, and the error is 806.)
I use a PPPoE dialup to the internet; the tun0 IP is 220.135.92.208 and re0 also got 192.168.1.2 from the ADSL modem.

mpd5.conf


```
startup:
        set user foo bar admin
        set web self 220.135.92.208 5006
        set web open
default:
        load pptp_server
pptp_server:
# Define dynamic IP address pool.
        set ippool add pool_pptp 192.168.1.50 192.168.1.90

# Create clonable bundle template named B_pptp
        create bundle template B_pptp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
        set ipcp ranges 192.168.1.1/24 ippool pool_pptp
        set ipcp dns 168.95.1.1
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

# Create clonable link template named L_pptp
        create link template L_pptp pptp
# Set bundle template to use
        set link action bundle B_pptp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link no pap chap eap
        set link enable chap
        set link keep-alive 0 0
        set link fsm-timeout 5
        set auth enable internal
# We reduce the link MTU to avoid GRE packet fragmentation.
        set link mtu 1448
# Configure PPTP
        set pptp self 220.135.92.208
        set pptp enable always-ack
# Allow to accept calls
        set link enable incoming
```

As Windows pointed out that this problem might occur due to firewall configuration, I put these lines in ipfw.rules:

```
#VPN GRE
$cmd 50000 allow tcp from any to me dst-port 1723
$cmd 51000 allow GRE from any to me
$cmd 52000 allow tcp from me to any dst-port 1723
$cmd 53000 allow GRE from me to any
$cmd 54000 allow tcp from any to me dst-port 47
$cmd 56000 allow tcp from me to any dst-port 47
$cmd 58000 allow udp from any to me dst-port 1723
$cmd 59100 allow udp from me to any dst-port 1723
$cmd 59300 allow udp from any to me dst-port 47
$cmd 59500 allow udp from me to any dst-port 47
```

Thanks!


----------



## kelunyang (Aug 5, 2012)

--update
I can connect to the VPN after the Windows machine reboots, and I also receive an IP from the VPN, but it is still unable to connect to the internet through the VPN; any ideas?


----------



## icer (Aug 6, 2012)

If you can connect, what IP settings do you get? Show me ipconfig /all


----------



## kelunyang (Aug 6, 2012)

Hi, the ifconfig(8) output on the VPN server is here:

```
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:1f:d0:5e:db:18
        inet 169.254.100.1 netmask 0xffffff00 broadcast 169.254.100.255
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        options=80000<LINKSTATE>
        inet 220.135.92.208 --> 168.95.98.254 netmask 0xffffff00
        Opened by PID 436
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1396
        inet 169.254.100.1 --> 169.254.100.56 netmask 0xffffffff
```
And *ipconfig /all* on my machine is (some strings are written in Chinese because my OS language is Chinese):

```
PPP adapter Nyko:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Nyko
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 169.254.100.56(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 168.95.1.1
   Primary WINS Server . . . . . . . : 169.254.100.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : WORKGROUP
   Description . . . . . . . . . . . : D-Link DWA-131 Wireless N Nano USB Adapter
   Physical Address. . . . . . . . . : 1C-AF-F7-EF-CF-D0
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::cd51:9ae:696a:9acc%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.181(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 2012年8月4日 上午 10:49:25
   Lease Expires . . . . . . . . . . : 2012年8月13日 上午 09:51:42
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 320647159
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-5B-94-1A-00-23-54-04-2C-2F

   DNS Servers . . . . . . . . . . . : 168.95.192.1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
```
I believe the problem is caused by my configuration in ipfw.rules; are there any suggestions...


----------



## kelunyang (Aug 6, 2012)

And I've changed the mpd.conf into this:


```
startup:
        set user foo bar admin
        set web self 220.135.92.208 5006
        set web open

default:
        load pptp_server

pptp_server:
# Define dynamic IP address pool.
        set ippool add pool_pptp 169.254.100.50 169.254.100.90

# Create clonable bundle template named B_pptp
        create bundle template B_pptp
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
        set ipcp ranges 169.254.100.1/32 169.254.100.56/32
        set ipcp dns 168.95.1.1
        set ipcp nbns 169.254.100.1
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

# Create clonable link template named L_pptp
        create link template L_pptp pptp
# Set bundle template to use
        set link action bundle B_pptp
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link no pap chap
        set link eap accept
        set link enable chap-msv2
        set link enable chap
        set link keep-alive 10 60
        set link fsm-timeout 5
        set link max-redial 0
        set auth enable internal
# We reduce the link MTU to avoid GRE packet fragmentation.
        set link mtu 1448
# Configure PPTP
        set pptp self 220.135.92.208
# Allow to accept calls
        set link enable incoming
```

ipfw.rules is here:

```
#!/bin/sh -

# Set defaults
oif="tun0"                       # out interface
vif="re0"
dns1="168.95.1.1"                  # ISP's DNS server IP address
dns2="168.95.192.1"
cmd="/sbin/ipfw -q add "        # build rule prefix
ks="keep-state"                 # just too lazy to key this each time

#FLUSH all rules first
/sbin/ipfw -q -f flush        # Delete all rules

$cmd allow tcp from me to any dst-port 1723
$cmd allow tcp from any to me dst-port 1723
$cmd allow gre from me to any
$cmd allow gre from any to me
$cmd divert natd ip from any to any via ng*
```

rc.conf also:

```
ifconfig_re0="DHCP"
ifconfig_re0_alias0="inet 169.254.100.1  netmask 255.255.255.0"
#PPP 2012/08/02
ppp_enable="YES"
ppp_mode="ddial"
ppp_user="root"
ppp_profile="papchap"
arpproxy_all="YES"
#Enable PPTP VPN 2012/08/02 (mpd and natd)
mpd_enable="YES"
mpd_flags="-b"
devfs_system_ruleset="system"
natd_enable="YES"
natd_interface="re0"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
```


----------



## icer (Aug 6, 2012)

I don't see a default gateway in ppp:
`Default Gateway . . . . . . . . . : 0.0.0.0`


----------



## kelunyang (Aug 6, 2012)

Yap...
I've already put

```
gateway_enable="YES"
```
before the firewall settings in rc.conf, but no matter how I try, the default gateway still appears unset; are there any other settings that should be added?


----------



## icer (Aug 6, 2012)

That is a setting of your router (FreeBSD). You need to put the gateway settings on the client, and of course, if everything is correct, you can ping any host in 169.254.100.0/24.
Read this: http://forums.freebsd.org/showthread.php?t=30108


----------



## kelunyang (Aug 6, 2012)

So the gateway won't be retrieved from the VPN server? Should I set the gateway on the client to 169.254.100.1?


----------



## icer (Aug 6, 2012)

You should set it in mpd


----------



## kpa (Aug 6, 2012)

I would advise not using 169.254.0.0/16 addresses for the VPN address pool; they are considered link-local addresses and may not be usable on VPN connections. Use something like 10.x.y.0/24, where x and y are random numbers of your choice from 0 to 255.


----------



## kelunyang (Aug 6, 2012)

@icer
Where can I put the default gateway command in mpd's configuration?
BTW, I disabled "Use default gateway on remote network" in the TCP/IP tab of the VPN settings on my Windows client, and used

```
route add 169.254.100.56 mask 255.255.255.255 169.254.100.1
```
on Windows. Now I can reach other hosts in 169.254.100.0/24, but it's still unable to connect to the internet through this VPN; are there any settings I missed?


----------



## icer (Aug 6, 2012)

Did you see this topic?

> icer said:
> Read this: http://forums.freebsd.org/showthread.php?t=30108

That's what I had found:

> Seems to work now after adding `set iface route default` to the mpd.conf file.

And I agree with kpa, you should change the IP network from 169.xxx to something else, for example 10.xx


----------



## kelunyang (Aug 6, 2012)

@icer
I've put

```
set iface route default
```
in mpd.conf, but it still does not work.

But after I changed the IP from 169.254.x.x to 10.x.x.1, and put

```
set iface route 10.x.x.1
```
EVERYTHING works!

Thanks everyone
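As an added example (not code from this thread), a small Python checker for the two addressing points raised above: kpa's advice not to use link-local 169.254.0.0/16 for the VPN pool, and the missing `set iface route` line that icer pointed to. The sample mpd.conf text is constructed in the shape of the earlier config, not the poster's file verbatim.

```python
import ipaddress
from typing import List

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Constructed sample in the shape of the thread's second mpd.conf (not the real file).
SAMPLE_MPD_CONF = """\
pptp_server:
        set ippool add pool_pptp 169.254.100.50 169.254.100.90
        create bundle template B_pptp
        set iface enable proxy-arp
        set ipcp ranges 169.254.100.1/32 ippool pool_pptp
"""


def check_mpd_conf(text: str) -> List[str]:
    """Return findings about VPN addressing in an mpd.conf; empty list means OK."""
    findings = []
    has_route = False
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["set", "ippool", "add"] and len(words) >= 6:
            # set ippool add <name> <first> <last>
            name, first, last = words[3], words[4], words[5]
            for addr in (first, last):
                ip = ipaddress.ip_address(addr)
                if ip in LINK_LOCAL:
                    findings.append(f"pool {name}: {addr} is link-local (169.254.0.0/16); "
                                    "use private space such as 10.x.y.0/24")
                elif not ip.is_private:
                    findings.append(f"pool {name}: {addr} is not a private address")
        elif words[:3] == ["set", "ipcp", "ranges"] and len(words) >= 4:
            # set ipcp ranges <server-ip>/<mask> ...
            self_ip = ipaddress.ip_interface(words[3]).ip
            if self_ip in LINK_LOCAL:
                findings.append(f"server side {words[3]} is link-local")
        elif words[:3] == ["set", "iface", "route"]:
            has_route = True
    if not has_route:
        findings.append("no 'set iface route' line: clients get no route through the tunnel")
    return findings


if __name__ == "__main__":
    for finding in check_mpd_conf(SAMPLE_MPD_CONF):
        print(finding)
```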


----------



## kelunyang (Aug 6, 2012)

Hello again, I have another problem when I connect my mobile phone (Moto Milestone XT701 on CM 7.2) to this VPN server. It can connect to the VPN server and get an IP as well, but it cannot access the internet through the VPN connection; is there any configuration that should be added? (All Windows machines can access the VPN, but Linux machines, such as an Android phone, still can't....)
My ifconfig after the Android phone connected:

```
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:1f:d0:5e:db:18
        inet 10.10.100.1 netmask 0xffffff00 broadcast 10.10.100.255
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
        options=80000<LINKSTATE>
        inet 220.135.92.208 --> 168.95.98.254 netmask 0xffffff00
        Opened by PID 436
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1394
        inet 10.10.100.253 --> 10.10.100.50 netmask 0xffffffff
```
The mpd.conf is:

```
default:
        load pptp_server
##
pptp_server:
## The pptp server section has two parts, Bundle Layer and Link Layer
# Setup the PPTP bundle
        create bundle template MYVPN
# Range of addresses for PPTP DHCP clients (first IP - Last IP in DHCP pool)
        set ippool add pool1 10.10.100.50 10.10.100.90
# Enable proxy-arp for routing
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set iface route 10.10.100.1
# IP Control Protocol options
# Van Jacobson compression see note 1
        set ipcp yes vjcomp
# This is your PPTP server's IP plus a CIDR mask - See note 2
        set ipcp ranges 10.10.100.253/32 ippool pool1
# DNS server the clients will use
        set ipcp dns 168.95.1.1
# Set the WINS server address
        set ipcp nbns 10.10.100.1
# enables tunnel compression
        set bundle enable compression
# See note 3
        set bundle enable encryption
# enables microsoft point-to-point compression
        set ccp yes mppc
#40-bit MPP encryption
        set mppc yes e40
        set mppc yes e128
# Faster recovery, less secure option
        set mppc yes stateless
##
# Setup The Link Layer
        create link template MYVPN pptp
        set link action bundle MYVPN
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link eap accept
        set link enable chap-msv2
        set link enable chap
        set link fsm-timeout 5
        set auth enable internal
        set link keep-alive 10 60
        set link mtu 1460
# Set the actual IP address used by the PPTP server
        set pptp self 220.135.92.208
        set link enable incoming
```
ipfw.rules is:

```
#!/bin/sh -

# Set defaults
oif="tun0"                       # out interface
vif="re0"
dns1="168.95.1.1"                  # ISP's DNS server IP address
dns2="168.95.192.1"
cmd="/sbin/ipfw -q add "        # build rule prefix
ks="keep-state"                 # just too lazy to key this each time

#FLUSH all rules first
/sbin/ipfw -q -f flush        # Delete all rules

$cmd allow tcp from me to any dst-port 1723
$cmd allow tcp from any to me dst-port 1723
$cmd allow udp from any to me dst-port 1723
$cmd allow udp from me to any dst-port 1723
$cmd allow gre from me to any
$cmd allow gre from any to me
$cmd allow ip from 10.10.100.0/24 to any $ks setup
$cmd divert natd ip from any to any via ng*
```


Any suggestions?


----------



## ecazamir (Aug 8, 2012)

AFAIK, PPTP VPN uses TCP/1723 and GRE. So, your current firewall looks like:

```
$cmd allow tcp from me to any dst-port 1723
$cmd allow tcp from any to me dst-port 1723
$cmd allow udp from any to me dst-port 1723
$cmd allow udp from me to any dst-port 1723
```
And I think you should change it to:

```
$cmd allow tcp from any to me 1723
$cmd allow tcp from me 1723 to any
$cmd allow gre from me to any
$cmd allow gre from any to me
```
This may not fix your Android client problem, but it will make the rules clearer.

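As an added example (not code from this thread), a Python lint over ipfw `allow` rules that flags the two PPTP misunderstandings seen in the rule sets above: treating GRE (IP protocol 47) as a TCP/UDP port, and opening UDP/1723 when the PPTP control channel is TCP only. The rule strings are constructed with the `$cmd` prefix stripped.

```python
import re
from typing import List

# Constructed rule lines in the shape of the thread's ipfw.rules ("$cmd" prefix left off).
SAMPLE_RULES = [
    "allow tcp from any to me dst-port 1723",
    "allow gre from any to me",
    "allow tcp from any to me dst-port 47",
    "allow udp from any to me dst-port 1723",
    "allow udp from me to any dst-port 47",
    "allow ip from 10.10.100.0/24 to any keep-state setup",
]

PORT_RE = re.compile(r"\b(?:dst-port|src-port)\s+(\d+)\b")


def lint_pptp_rules(rules: List[str]) -> List[str]:
    """Flag allow rules that misdescribe how PPTP is carried.

    PPTP control: TCP/1723.  PPTP data: IP protocol 47 (GRE), which has no ports.
    """
    findings = []
    for rule in rules:
        words = rule.split()
        if len(words) < 2 or words[0] != "allow":
            continue
        proto = words[1].lower()
        ports = {int(p) for p in PORT_RE.findall(rule)}
        if proto in ("tcp", "udp") and 47 in ports:
            findings.append(f"{rule!r}: GRE is IP protocol 47, not a port; use 'allow gre ...'")
        if proto == "udp" and 1723 in ports:
            findings.append(f"{rule!r}: PPTP control channel is TCP only; UDP/1723 rule is dead")
        if proto == "gre" and ports:
            findings.append(f"{rule!r}: GRE has no ports")
    return findings


def has_pptp_pair(rules: List[str]) -> bool:
    """True when both a TCP/1723 rule and a GRE rule are present."""
    tcp_1723 = any(r.split()[:2] == ["allow", "tcp"] and "1723" in r.split() for r in rules)
    gre = any(r.split()[:2] == ["allow", "gre"] for r in rules)
    return tcp_1723 and gre


if __name__ == "__main__":
    for finding in lint_pptp_rules(SAMPLE_RULES):
        print(finding)
```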

----------

