# mpd5 pptp issues



## bibi (Dec 10, 2012)

Hello,

I am trying to set up a vpn pptp via mpd5. I am currently running FreeBSD 9.1 RELENG with a custom built kernel to include netgraph/tun/gif/altq/pf/pflog/pfsync/enc/gre. This machine has only one physical interface with a public IP.

Here is my mpd.conf file:


```
[root@bsd ~]# cat /usr/local/etc/mpd5/mpd.conf
startup:
        # configure mpd users
        set user bibi admin
        set user bibi bibitest
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self PUBLIC_IP 5006
        set web open

default:
        load pptp_server

pptp_server:
# Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
# Define dynamic IP address pool.
	set ippool add pool1 192.168.0.2 192.168.0.13
# Create clonable bundle template named B
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp

# Specify IP address pool for dynamic assigment.
	set ipcp ranges 192.168.0.1/32 ippool pool1
	set ipcp dns 8.8.8.8

# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

# Create clonable link template named L
        create link template L pptp

# Set bundle template to use
        set link action bundle B

# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap

# Enable utmp/wtmp logging
        set auth enable system-acct

# We reducing link mtu to avoid GRE packet fragmentation.
        set link mtu 1460

# Configure PPTP
        set pptp self PUBLIC_IP

# Allow to accept calls
        set link enable incoming
```

I have in my /etc/rc.conf the following lines:

```
arpproxy_all="YES"
mpd_enable="YES"
gateway_enable="YES"
pf_enable="YES"
```
my /etc/sysctl.conf has this:

```
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.link.ether.inet.proxyall=1
```

I can connect from my iphone to my PUBLIC_IP and get to ping it from the server etc...but it doesn't want to leave the server, no connection to the outside world from the iphone.

Once connected my ifconfig is as follows:

```
[root@bsd ~]# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether xx:xx:xx:xx:xx:xx
	inet PUBLIC_IP netmask 0xffffff00 broadcast PUBLIC_BROADCAST
	inet6 PUBLIC_IPv6%re0 prefixlen 64 scopeid 0x1 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
pflog0: flags=0<> metric 0 mtu 33152
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
pfsync0: flags=0<> metric 0 mtu 1500
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	syncpeer: 0.0.0.0 maxupd: 128
enc0: flags=0<> metric 0 mtu 1536
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1456
	inet 192.168.0.1 --> 192.168.0.2 netmask 0xffffffff 
	nd6 options=9<PERFORMNUD,IFDISABLED>
```

but i also see the following error line from /var/log/mpd5.log:

```
Dec 10 20:27:28 bsd mpd: [B-1] IPCP: LayerUp
Dec 10 20:27:28 bsd mpd: [B-1]   192.168.0.1 -> 192.168.0.2
Dec 10 20:27:28 bsd mpd: [B-1] IFACE: No interface to proxy arp on for 192.168.0.2
```

Don't know where i've gone wrong...any ideas welcome ! thanks


----------



## SirDice (Dec 11, 2012)

bibi said:
			
		

> ```
> net.inet.ip.forwarding=1
> ```


gateway_enable="YES" already sets this.


> ```
> net.inet6.ip6.forwarding=1
> ```


Use ipv6_gateway_enable="YES".


----------



## bibi (Dec 11, 2012)

Hello, thanks in the meantime i figured what was wrong...my /etc/pf.conf

It's now perfectly working with:

```
[root@bsd ~]# cat /etc/pf.conf 
ext_if="re0"
 
internal_net="192.168.0.0/16"
external_addr="PUBLIC_IP"
 
nat on $ext_if from $internal_net to any -> $external_addr

pass in all
pass out all
```

I still have the proxy arp error line in /var/log/mpd.log though but clients can go to the external world.


----------



## SirDice (Dec 11, 2012)

bibi said:
			
		

> ```
> nat on $ext_if from $internal_net to any -> $external_addr
> ```


Instead use this:

```
nat on $ext_if from $internal_net to any -> ($ext_if)
```

If your external address changes you won't have to change your config.


----------



## bibi (Dec 11, 2012)

even better indeed. thanks


----------



## Anonymous (Dec 11, 2012)

bibi said:
			
		

> ...
> 
> ```
> ...
> ...



With respect to the error in the mpd5.log, I guess, that mpd5 needs a physical interface (one that got a real MAC address) that can serve as the arp proxy. You might want give your setup a try with proxy arp disabled.


----------



## bibi (Dec 11, 2012)

yes thanks...i ve removed it, all fine now.

I have a second public IP on that interface now, alias0 on the interface re0 from before in /etc/rc.conf

I have changed again my /etc/pf.conf to -> $external_ip as otherwise it would randomly use any of the 2 public IPs i have

Now my question is is it possible via mpd5 either per username/password or any other idea to give a different local IP and therefore i would be able to use the following outgoing IP from /etc/pf.conf:


```
ext_if="re0"

# VPN pool FR
internal_fr_net="192.168.0.0/16"
# VPN pool UK
internal_uk_net="172.16.0.0/16"

# FR
external_fr_addr="public_ip"
# UK
external_uk_addr="public_ip_alias"

nat on $ext_if from $internal_fr_net to any -> $external_fr_addr
nat on $ext_if from $internal_uk_net to any -> $external_uk_addr
```

So basically i'd like to have some people coming out of the vpn with the public_ip and some others with the public_ip_alias. Thanks


----------



## Anonymous (Dec 11, 2012)

bibi said:
			
		

> ... So basically i'd like to have some people coming out of the vpn with the public_ip and some others with the public_ip_alias. Thanks



You can force different local IP addresses or IP ranges for different users in /usr/local/etc/mpd5/mpd.secret. Have a look at /usr/local/etc/mpd5/mpd.secret.sample.


```
uk_user1       "uk-pw1"       192.168.0.0/28
uk_user2       "uk-pw2"       192.168.0.0/28
uk_user3       "uk-pw3"       192.168.0.0/28
fr_user1       "fr-pw1"       192.168.0.16/28
fr_user2       "fr-pw2"       192.168.0.16/28
fr_user3       "fr-pw3"       192.168.0.16/28
```

Then with the firewall/NAT, you would route the one or the other local IP-range via either external interface.


----------



## bibi (Dec 11, 2012)

thanks perfect, works just as needed


----------

