I’ve searched high and low, and for the life of me can’t figure out why this is not working.
I have a Windows client (both Windows 8 and Windows 10) behind VyOS 1.1.6 in a NAT configuration. I see nf_conntrack_pptp and nf_conntrack_gre loaded in the kernel module list, but it appears that the firewall is not properly reverse-NAT’ing the PPTP connection: Windows PPTP reports error code 619 when it attempts to create the tunnel.
Here’s my configuration (irrelevant items such as NTP removed to reduce noise). What am I missing?
/* Global firewall options plus two default-deny rulesets: EXTERNAL-IN (attached to eth0 local/out and eth0 vif 3 out) and INTERNAL (attached to eth2 in). */
firewall {
    /* Router's own handling of ICMP echo requests is disabled here. */
    all-ping disable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* Log packets with impossible source addresses -- useful on a NAT edge. */
    log-martians enable
    /* NOTE(review): this ruleset is used on eth0 in both the "local" (traffic to the router itself) and "out" directions, so every accept below also opens the router's own services to that source. */
    name EXTERNAL-IN {
        default-action drop
        /* Accepts everything from one source block with no protocol, port or destination restriction. NOTE(review): in the "local" direction this gives the block unrestricted access to the router -- confirm it is the intended management range. */
        rule 1 {
            action accept
            source {
                address x.x.x.x/xx
            }
        }
        /* Internal block may reach any destination (outbound forwarding via eth0). */
        rule 3 {
            action accept
            destination {
                address 0.0.0.0/0
            }
            source {
                address x.x.x.x/xx (my internal ip block)
            }
        }
        /* Return traffic for connections conntrack already knows; "related" also covers helper-expected flows. */
        rule 999 {
            action accept
            log disable
            state {
                established enable
                related enable
            }
        }
    }
    /* Default-deny ruleset for traffic entering from the LAN on eth2. */
    name INTERNAL {
        default-action drop
        /* Only TCP from the internal block is accepted; every other protocol (UDP, ICMP, GRE) hits default-action drop. NOTE(review): PPTP needs GRE (IP protocol 47) in addition to TCP/1723, and there is no established/related rule here comparable to EXTERNAL-IN rule 999, so the client's GRE packets are dropped on ingress at eth2 -- likely cause of error 619; confirm by logging drops on this ruleset. */
        rule 1 {
            action accept
            destination {
                address 0.0.0.0/0
            }
            protocol tcp
            source {
                address x.x.x.x/xx (my internal ip block)
            }
        }
    }
    receive-redirects disable
    /* NOTE(review): router will emit ICMP redirects; usually unnecessary on a single-path edge. */
    send-redirects enable
    /* Reverse-path filtering is off. NOTE(review): strict or loose source validation is common hardening on a NAT edge -- confirm there is no asymmetric routing first. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
/* Three physical interfaces: eth0 (WAN, with VLAN sub-interfaces), eth1 (DMZ), eth2 (LAN). */
interfaces {
    ethernet eth0 {
        address x.x.x.x/xx
        description "External Internet"
        duplex auto
        /* Only "local" (to the router) and "out" (leaving eth0) are filtered. NOTE(review): there is no "in" ruleset on eth0, and eth1 carries no firewall at all, so traffic arriving from the Internet and forwarded toward the DMZ passes no ruleset -- confirm this is intended, especially if eth1 holds routable addresses. */
        firewall {
            local {
                name EXTERNAL-IN
            }
            out {
                name EXTERNAL-IN
            }
        }
        hw-id xx:xx:xx:xx:xx:xx
        smp_affinity auto
        speed auto
        /* VLAN sub-interfaces; only vif 3 has an "out" ruleset, vif 0-2 are unfiltered. */
        vif 0 {
            address x.x.x.x/xx
        }
        vif 1 {
            address x.x.x.x/xx
        }
        vif 2 {
            address x.x.x.x/xx
        }
        vif 3 {
            address x.x.x.x/xx
            firewall {
                out {
                    name EXTERNAL-IN
                }
            }
        }
    }
    /* DMZ. NOTE(review): no firewall is attached in any direction. */
    ethernet eth1 {
        address x.x.x.x/xx
        description DMZ
        duplex auto
        hw-id xx:xx:xx:xx:xx:xx
        smp_affinity auto
        speed auto
    }
    /* Internal network; INTERNAL filters traffic entering from the LAN ("in"), which is where a TCP-only rule blocks the PPTP GRE channel. */
    ethernet eth2 {
        address x.x.x.x/xx
        description "Internal Network"
        duplex auto
        firewall {
            in {
                name INTERNAL
            }
        }
        hw-id xx:xx:xx:xx:xx:xx
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
/* Source NAT: the internal block is masqueraded behind eth0's address on the way out. */
nat {
    source {
        rule 90 {
            outbound-interface eth0
            source {
                address x.x.x.x/xx
            }
            /* NOTE(review): GRE call-ID rewriting for PPTP also needs the NAT-side helpers (nf_nat_pptp / nf_nat_proto_gre), not only the nf_conntrack_* modules listed in the description -- worth checking they are loaded as well. */
            translation {
                address masquerade
            }
        }
    }
}
/* Single static default route toward the upstream next-hop. */
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop x.x.x.x {
                distance 1
            }
        }
    }
}
/* Resolver used by the router itself; its replies return via eth0 and match EXTERNAL-IN rule 999 (established). */
system {
    name-server 8.8.8.8
}