[pptp-server] Shouldn't I be able to see Windows servers in Network Neighborhood?

Jeff Wiegley, Ph.D. jeff at inetb.com
Tue Jan 8 18:58:57 CST 2002


I don't think this is it.

I didn't copy the rules from the masq howto. I use SNAT instead of
MASQUERADE anyways since the IP is static. (according to the Netfilter
howto this is the correct method.)

The line from my script for this is:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to $EXTERNALIP

Yes. I can ping all the machines in the office from the remote machine;
ping 192.168.0.2 works as well (the IP of the "goofy" file server).

I don't think I'm dropping any packets at all in any way regarding
this. At any point where I have a --jump DROP on my filter rules
I have preceded it with a --jump LOG target.  I should be seeing
any and all packets that are dropped regardless of their destination
or source or other filter criteria.

The only thoughts I have going are:

The remote machine has an ethernet local area network that it is on
and this network has had a WINS server assigned by DHCP; this WINS
server is also on the same physical ethernet network as the remote
VPN client. The VPN service also has assigned a different WINS
server to the client.  Does the client just do the stupid thing
and only query the first assigned, local WINS server?

I can't tell if it's querying goofy for netbios name resolution or
not. I can't even tell if goofy is properly acting as a WINS server
either so I don't know if goofy's list is correct and available.

Microsoft really needs to chuck netbios. It's a horrible, horrible
system for mapping computers.

But even if netbios is all screwed up and regardless of whether the
WINS servers are responding I still thought I should be able to
just type in \\192.168.0.2 into the network neighborhood address
and get to the machine without having to rely on WINS resolution.

- Jeff

On Tue, 2002-01-08 at 16:36, ACEAlex wrote:
> Hi, I think I know what your problem is. Your Linux "gw computer" had a NAT
> masquerade setup? Am I right? What are the firewall rules of that? If you are
> using iptables and have copied the script from the masq howto all traffic
> from the ppp0 device that you are using is dropped. You need to specify some
> rules for that.
> 
> Here is my solution that I added to the firewall script
> <snip>
> IPTABLES=/usr/local/sbin/iptables
> EXTIF=eth1
> INTIF=eth0
> PPPIF=ppp0
> $IPTABLES -A FORWARD -i $EXTIF -o $PPPIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $PPPIF -o $EXTIF -j ACCEPT
> 
> $IPTABLES -A FORWARD -i $INTIF -o $PPPIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $PPPIF -o $INTIF -j ACCEPT
> </snip>
> 
> I don't know if this is the best way of doing it. But it is worth a try. I
> don't even know if it solves your problem. By the way, can you ping the
> computer?
> 
> I think you are right about the kernel and ppp merge thing. Wonder what
> Linus Torvalds thinks of that?
> 
> /Alexander
> 
> ----- Original Message -----
> From: "Jeff Wiegley, Ph.D." <jeff at inetb.com>
> To: "PoPToP list" <pptp-server at lists.schulte.org>
> Sent: Wednesday, January 09, 2002 1:09 AM
> Subject: [pptp-server] Shouldn't I be able to see Windows servers in Network
> Neighborhood?
> 
> 
> > I *finally* got PPTP/VPN working.  Some suggestions...
> >
> >   1) The kernel people need to add the MPPE stuff into at least
> >      the 2.5 kernels. I would also suggest incorporating the
> >      FreeSwan items as well. Having a kernel that does not
> >      provide for VPN services at this point in time only
> >      prevents linux from being accepted in enterprise environments.
> >      This is of particular concern because this is the exact market
> >      that linux should be dominating.
> >
> >   2) PPP maintainers should include the openssl and MPPE support items.
> >
> >   3) PoPToP documentation needs to focus more on troubleshooting
> >      procedures and general configuration. All of this per distribution
> >      hints/tricks/traps/howtos and FAQs makes this project look
> >      incredibly disorganized and unfocused.
> >
> >      Though I will say that a lot of this is due to the lack of 1) and
> >      2).
> >
> >      Assuming 1) and 2) existed the documentation would only have to
> >      be limited to discussing /etc/pptp.conf and /etc/ppp/options.pptp.
> >
> >      A very helpful documentation topic would be examples of various
> >      network topologies, how VPN connections relate to the topologies
> >      and what the VPN offers (or what you can expect from a VPN
> >      connection) that the topologies cannot provide without the VPN.
> >
> > It took me all week to get PoPToP to a point where a Windows Me VPN
> > dial-up connection could connect to the server and get established.
> >
> > Now I'm stuck. I guess I figured the VPN connection would provide
> > me some functionality that it doesn't seem to.
> >
> > I have an office of 10 windows workstations, 1 WindowsNT server
> > (for file sharing) and 1 linux server with two NICs for providing
> > NATted internet connections to all the windows machines through a DSL
> > line. (The internet side IP for the linux box is static.) For
> > illustration let's say that all of these machines are on the
> > SOMEWORKGROUP as far as Microsoft Clients are concerned.
> >
> > I would think this to be an incredibly ubiquitous topology.
> >
> > The whole reason I embarked on this project is that I have machines
> > at external locations that need access to files on the WindowsNT
> > box back at the main office. These remote computers are in other
> > offices, on other physical networks and already belong to some
> > OTHERWORKGROUP.
> >
> > I assumed that by establishing PoPToP VPN connection from one of
> > these remote servers to the main office linux box I would be able
> > to accomplish this.
> >
> > However it doesn't work and I was hoping somebody has some insight
> > as to why.
> >
> > After Connecting the VPN I only see OTHERWORKGROUPS under network
> > neighborhood and I do not see SOMEWORKGROUP at all. The PPTP
> > connection specifies a ms-wins server but as far as I can tell no
> > WINS resolution is happening because I can't even manually type
> > into network neighborhood a machine name such as
> > \\goofy which is the name of the windows NT machine.
> >
> > Furthermore, I can't even type in the direct ip to network
> > neighborhood.  \\192.168.0.2 doesn't show goofy's shares either.
> >
> > But the VPN is connected and working. ping 192.168.0.2 works fine.
> > The linux box is a firewall but forwarding is on and all packets
> > between machines on the 192.168.0.6 network are allowed. The
> > firewall also logs all dropped packets but nothing is logged from
> > the time I connect and test my setups.
> >
> > I mean if this doesn't work then I'd consider Microsoft VPN
> > connections to be a useless waste of time.
> >
> > Does anybody have any ideas about this? Am I off base about this
> > whole topic and VPNs are used for some other, completely different,
> > task?
> >
> > For the purposes of helping to debug this all, here's some
> > configuration information:
> >
> > /etc/pptp.conf
> > -------------------------------------
> > option /etc/ppp/options.pptp
> > debug
> > localip 192.168.0.1
> > remoteip 192.168.0.3-9
> >
> > /etc/ppp/options.pptp
> > -------------------------------------
> > lock
> > debug
> > dump
> > proxyarp
> > +chap
> > +chapms
> > +chapms-v2
> > mppe-40
> > mppe-128
> > mppe-stateless
> > # Uncomment to use
> > ms-wins 192.168.10.2
> >
> > The VPN connection item properties are as follows:
> >
> > General Tab:
> >    VPN Server
> >        Host name or IP address:     <static DSL IP of linux server>
> >    Connect using
> >        "Microsoft VPN Adapter" is the only option available.
> > Networking Tab:
> >    Type of Dial-up Server:
> >        PPP: Internet, Windows 2000/NT, Windows ME
> >    Advanced Option
> >       Enable Software compression is checked
> >       Record a log file for this connection is NOT checked
> >    Allowed Network Protocols
> >       NetBEUI            is NOT checked
> >       IPX/SPX compatible is NOT checked
> >       TCP/IP             is checked
> >            Advanced TCP/IP settings:
> >              Server assigned IP address            is selected
> >              Server assigned name server address   is selected
> >              use IP header compression             is checked
> >              use default gateway on remote network is checked
> > Security Tab:
> >    Authentication:
> >       Username:               <general username>
> >       password:               *******
> >       domain:                 SOMEWORKGROUP
> >       connect automatically   is not checked
> >    Advanced Security Options:
> >       log on to network            is checked
> >       Require encrypted password   is checked
> >       Require data encryption      is checked
> > Dialing Tab:
> >    This is the default Internet connection is not checked
> >    Redial settings:
> >       Try to connect to 10 times
> >       wait 5 seconds between attempts
> >    Disconnect when connection may not be needed is checked
> >
> > Anybody have some hints?
> >
> > - Jeff
> >
> >
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > --- To unsubscribe, go to the url just above this line. --
> 
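
The reply above relies on every `--jump DROP` rule being preceded by a `--jump LOG` rule. The following added example (not part of the original thread or of PoPToP) audits `iptables-save` output for that property and goes one step further by also checking chains whose default policy is DROP; the function name `silent_drops` and the sample ruleset are constructed for illustration.

```python
import shlex

# Constructed iptables-save output (not from the thread). FORWARD pairs its
# ppp0 DROP with a LOG and ends in a catch-all LOG; INPUT does neither.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A FORWARD -i ppp0 -o eth1 -j ACCEPT
-A FORWARD -i ppp0 -j LOG --log-prefix "fwd-drop: "
-A FORWARD -i ppp0 -j DROP
-A FORWARD -j LOG --log-prefix "fwd-policy: "
COMMIT
"""

def silent_drops(ruleset):
    """Return (table, chain, reason) for each DROP that no LOG rule covers."""
    findings, table, policy, rules = [], None, {}, {}
    def audit_table():
        for chain, chain_rules in rules.items():
            for i, (match, target) in enumerate(chain_rules):
                # The rule directly above must be a LOG with the same match spec.
                prev = chain_rules[i - 1] if i else None
                if target == "DROP" and prev != (match, "LOG"):
                    spec = " ".join(match) or "(any packet)"
                    findings.append((table, chain, "DROP without LOG: " + spec))
        for chain, pol in policy.items():
            # A DROP policy needs an unconditional LOG as the chain's last rule.
            if pol == "DROP" and rules.get(chain, [])[-1:] != [((), "LOG")]:
                findings.append((table, chain, "policy DROP without final LOG"))

    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith("*"):            # "*filter" opens a table
            table, policy, rules = line[1:], {}, {}
        elif line.startswith(":"):          # ":INPUT DROP [0:0]" chain policy
            policy.update([line[1:].split()[:2]])
        elif line.startswith("-A "):        # "-A CHAIN <match> -j TARGET ..."
            tok = shlex.split(line)
            j = next((i for i, t in enumerate(tok) if t in ("-j", "-g")), None)
            if j is not None:
                rules.setdefault(tok[1], []).append((tuple(tok[2:j]), tok[j + 1]))
        elif line == "COMMIT":
            audit_table()
    return findings

if __name__ == "__main__":
    print(*silent_drops(SAMPLE), sep="\n")
```

A LOG rule that carries extra matches, such as a rate limit, is reported as not covering the DROP below it, since some dropped packets would then go unlogged.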




