[pptp-server] clients can see only some machines.... why?

E. Jay Berkenbilt ejb at ql.org
Mon Jun 26 12:37:27 CDT 2000


I have some clients running various combinations of Windows 95 and NT
4.0.  They are able to connect and authenticate, but they are only
able to see some hosts.  Here's my setup in detail:

I have a firewall running Linux with a 2.2.16 kernel patched with PPTP
masquerading support and ipfwd.  I have TCP port 1723 and IP protocol
47 forwarding to an internal machine which is running a PPTP server.
This seems to work flawlessly.

On the internal network, I have a RedHat 6.0 box with a 2.2.10 kernel,
a patched ppp-2.3.10 that includes the MS-CHAP and MS-style
encryption.  This machine is running an unmodified PoPToP 1.0.0.

My /etc/ppp/options is:

  lock
  auth
  require-chap
  ms-dns 192.168.0.1
  ms-wins 192.168.0.101
  require-chapms
  require-chapms-v2
  mppe-40
  mppe-128
  mppe-stateless

where 192.168.0.101 is the IP address of our NT primary domain
controller and 192.168.0.1 is the IP address of our primary DNS
server.

My /etc/pptpd.conf is

  localip 192.168.254.1
  remoteip 192.168.255.1-8

Also, on the Linux box running pptp, I have

  ipchains -A forward -p all 192.168.255.0/24 -j MASQ

IP masquerading, including ICMP masquerading, is compiled as modules
that are loaded automatically.

The NT clients are all running Service pack 5.  The 95 clients are
running with the dialup network 1.3 patch, the VPN patch, and some
dialup networking y2k patch from Microsoft.

Clients have IP Header compression off, default gateway over
connection on, TCP enabled, NetBEUI and IPX disabled.  They connect
using a login and password in /etc/ppp/chap-secrets on the pptp
server.  The login is not necessarily the same as the login on the
domain, and no domain authentication is happening here to my
knowledge.

Here's what works:

 * Authentication and connection to the network.

 * ping, telnet, DNS resolutions to our internal network (works via
   masquerading)

 * START -> Run... \\ads-svr-1   -- ads-svr-1 is our primary domain
   controller.  It is on the same subnet as the pptp server, but it is
   not itself the pptp server.  Connecting to some machines like this
   works.

 * Outlook-2000 to access the Exchange server, which is also on the same
   subnet as the pptp server.

Here's what does not work:

 * Browsing via network neighborhood (no surprise here, and I don't
   need to fix it).

 * Access to some other machines in the network.

Attempts to access other machines fail with a message indicating that
no service recognizes the name.  It appears that name resolution must
not be working well.

I have yet to find a convincing pattern to which machines work and
which don't.  Our PDC works, as does one of our development file
servers.  These are both running NT Server with service pack 4 or
higher.  Another file server does not work.  I think it's also running
NT Server, but there's some chance it is running NT Workstation.  I
do not administratively control that server.  All three servers have
static IP addresses which are registered with DNS and are also
available via NMB.

I can't access any of the samba servers in this way.  The samba
servers all have domain authentication.

Does anyone have any ideas on what I might try to track down the
differences between the machines that work and those that don't?

Also, I would like my clients to keep their default route going over
the Internet and to have only 192.168.0.0/24 routed over the PPP
connection, but I don't see any way to do that under Windows.  For
what it's worth, I have several years of network and UNIX admin
experience, but not much in the way of Windows -- survival sysadmin
skills, basically.

Any tips would be most helpful.

--
E. Jay Berkenbilt (ejb at ql.org)  |  http://www.ql.org/q/
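One way to track down the difference between hosts that work and hosts that don't is to ask DNS and the WINS server the same question for each name and look for mismatches. The script below is an added example, not code from the original post; it assumes the WINS address 192.168.0.101 from the poster's options file and builds the NBNS query itself so it can be run from a VPN client without Samba tools installed.

```python
# Added example: compare DNS and WINS (NBNS unicast) answers for server names.
import socket
import struct
import sys

WINS = "192.168.0.101"   # ms-wins address from the poster's /etc/ppp/options

def nb_encode(name, suffix=0x20):
    """RFC 1001 first-level encoding: pad to 15 chars, append the suffix
    byte (0x20 = file server service), split each byte into two nibbles."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0xF)) for b in raw)

def build_query(name, txid=0x1234):
    """Unicast NBNS name query (type NB, class IN) as sent to a WINS server."""
    hdr = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD only
    qname = bytes([32]) + nb_encode(name).encode("ascii") + b"\x00"
    return hdr + qname + struct.pack(">HH", 0x0020, 0x0001)

def parse_response(data):
    """Return the IPv4 addresses from a positive name query response,
    or [] for a negative response (non-zero RCODE) or no answer records."""
    _txid, flags, _qd, an = struct.unpack(">HHHH", data[:8])
    if not flags & 0x8000 or flags & 0x000F or an == 0:
        return []
    off = 12
    while data[off]:                 # skip the encoded name labels
        off += data[off] + 1
    off += 1
    _rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
    off += 10
    rdata = data[off:off + rdlen]    # entries of NB_FLAGS(2) + IP(4)
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, rdlen, 6)]

# Constructed sample reply for ADS-SVR-1 -> 192.168.0.101 (not captured traffic).
SAMPLE_REPLY = (b"\x12\x34\x85\x80\x00\x00\x00\x01\x00\x00\x00\x00"
                b"\x20EBEEFDCNFDFGFCCNDBCACACACACACACA\x00"
                b"\x00\x20\x00\x01\x00\x04\x93\xe0\x00\x06\x00\x00\xc0\xa8\x00\x65")

def wins_lookup(name, server=WINS, timeout=2.0):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name), (server, 137))
        data, _ = s.recvfrom(512)
    except socket.timeout:
        return []
    finally:
        s.close()
    return parse_response(data)

def compare(names):
    """For each name, pair the DNS answer with the WINS answer so gaps show."""
    rows = []
    for n in names:
        try:
            dns = socket.gethostbyname(n)
        except socket.gaierror:
            dns = None
        rows.append((n, dns, wins_lookup(n)))
    return rows

if __name__ == "__main__":
    for name, dns, wins in compare(sys.argv[1:] or ["ads-svr-1"]):
        print(f"{name:16} DNS={dns}  WINS={wins or 'no answer'}")
```

A host that answers in DNS but not in WINS (or gives a different address) is a good candidate for the "no service recognizes the name" failures, since the Windows client is using WINS for the UNC connection.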