
This is my first post and I will try my best to add all the info.

I am trying to accomplish something that I am not sure is supported. Basically:

  1. I have a firewall that is configured to allow everything for now.

  2. I have a Linux machine that acts as a firewall with multiple NICs.

test@service:~# ip a
1: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:7d:f4:df brd ff:ff:ff:ff:ff:ff
    inet 10.5.54.100/23 scope global eth1
       valid_lft forever preferred_lft forever

1: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:67:a9:2f brd ff:ff:ff:ff:ff:ff
    inet 192.168.159.1/24 brd 192.168.159.255 scope global eth4
       valid_lft forever preferred_lft forever

eth1 is connected to the firewall and it has internet access. This Linux machine is sitting behind the main firewall.

eth4 is connected to a VLAN which has multiple computers virtualized.

The main reason for this kind of design is that every virtual environment that I spin up will have a service VM that acts as firewall or default gateway.

iptables info:
# Generated by xtables-save v1.8.2 on Tue Feb 16 23:48:29 2021
*filter
:INPUT ACCEPT [4650:396449]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3139:748166]
:vncforward - [0:0]
:vpn_auth_forward - [0:0]
:pf_forward - [0:0]
:s2svpnL3 - [0:0]
:vncforward65400 - [0:0]
-A INPUT -p gre -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 1194 -j s2svpnL3
-A INPUT -i eth2 -p udp -m udp --dport 1194 -j s2svpnL3
-A INPUT -i eth3 -p udp -m udp --dport 1194 -j s2svpnL3
-A FORWARD -i eth1 -j pf_forward
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth4 -o eth1 -j ACCEPT
-A FORWARD -p gre -j ACCEPT
  3. I have a Windows machine that is connected to 192.168.159.1/24; it can ping the internet and access everything with no problems. So NAT on the Linux machine is working just fine.

  4. I cannot connect with the Windows built-in VPN, which uses PPTP (TCP port 1723 & GRE port 47). The VPN error in Windows is 619.

Do you guys think it is doable, i.e. PPTP & GRE while behind source NAT? Any hints or clues?

Thank you, Arsi
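The post shows a FORWARD chain that accepts GRE but does not show the nat table, and the rules as posted treat GRE like a port-based protocol. The following is an added example, not code from the original post or from anyone in the thread: it parses the RFC 2637 "enhanced GRE" header that PPTP uses for its data channel and models, in a simplified form, the call-ID translation that a netfilter PPTP connection-tracking/NAT helper (nf_conntrack_pptp / nf_nat_pptp) performs. The point it shows is that a GRE packet has no ports, only a 16-bit call ID, so plain MASQUERADE/SNAT on its own has nothing to multiplex on when two LAN clients pick the same call ID. The packets, addresses and the `PptpCallIdNat` class are constructed for illustration; the real kernel helper also rewrites the call IDs inside the TCP/1723 control messages, which this model omits.

```python
"""Why plain source NAT is not enough for PPTP (added example, not from the post).

PPTP's data channel is IP protocol 47 (GRE) with the RFC 2637 "enhanced" header:
there are no ports, only a 16-bit call ID of the *receiver*.  Addresses and
packets below are constructed; PptpCallIdNat is a simplified model of what the
kernel's nf_nat_pptp helper does, not the helper itself."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IP_PROTO_GRE = 47          # IP protocol number, not a TCP/UDP port
GRE_PROTO_PPP = 0x880B     # enhanced GRE carries PPP frames
FLAG_K, FLAG_S = 0x20, 0x10  # first flag byte: Key present, Sequence present
FLAG_A = 0x80              # second flag byte: Acknowledgement present
GRE_VERSION_ENHANCED = 1


@dataclass
class PptpGre:
    payload_len: int
    call_id: int            # the only field a NAT can demultiplex on
    seq: Optional[int]
    ack: Optional[int]
    payload: bytes


def parse_pptp_gre(pkt: bytes) -> PptpGre:
    """Parse the GRE header of an IP protocol 47 datagram as RFC 2637 enhanced GRE."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, flags2, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    if (flags2 & 0x07) != GRE_VERSION_ENHANCED or proto != GRE_PROTO_PPP or not flags & FLAG_K:
        raise ValueError("not an RFC 2637 enhanced GRE (PPTP) packet")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:                      # optional 32-bit sequence number
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags2 & FLAG_A:                     # optional 32-bit acknowledgement number
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    payload = pkt[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("payload shorter than the length in the Key field")
    return PptpGre(payload_len, call_id, seq, ack, payload)


def is_pptp_gre(pkt: bytes) -> bool:
    """True if the GRE header is the PPTP variant (e.g. plain GRE/IPv4 returns False)."""
    try:
        parse_pptp_gre(pkt)
        return True
    except ValueError:
        return False


def build_pptp_gre(call_id: int, payload: bytes, seq: Optional[int] = None,
                   ack: Optional[int] = None) -> bytes:
    """Build an enhanced GRE packet; the Key field is payload length + call ID."""
    flags = FLAG_K | (FLAG_S if seq is not None else 0)
    flags2 = GRE_VERSION_ENHANCED | (FLAG_A if ack is not None else 0)
    hdr = struct.pack("!BBHHH", flags, flags2, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


class PptpCallIdNat:
    """Simplified model of the nf_nat_pptp helper (assumption: the real helper
    also rewrites call IDs inside the TCP/1723 control channel; omitted here).

    The client chooses its call ID on the control channel and the server then
    puts that ID in every inbound GRE packet.  Two LAN clients that choose the
    same ID are indistinguishable behind one public address unless the NAT hands
    each one a unique public-side ID and maps inbound GRE back to the client."""

    def __init__(self, first_public_id: int = 0x8000):
        self._next_id = first_public_id
        self._by_public = {}    # public call ID -> (internal ip, client's own call ID)
        self._by_client = {}    # (internal ip, client's own call ID) -> public call ID

    def register_call(self, internal_ip: str, client_call_id: int) -> int:
        """Called when the control channel shows a client's Outgoing-Call-Request."""
        key = (internal_ip, client_call_id)
        if key not in self._by_client:
            public_id = self._next_id
            self._next_id += 1
            self._by_client[key] = public_id
            self._by_public[public_id] = key
        return self._by_client[key]

    def translate_inbound(self, pkt: bytes) -> Optional[Tuple[str, bytes]]:
        """Map a GRE packet from the server back to the LAN client, rewriting the
        call ID; None means no known call, so the packet has nowhere to go."""
        gre = parse_pptp_gre(pkt)
        if gre.call_id not in self._by_public:
            return None
        internal_ip, client_id = self._by_public[gre.call_id]
        rewritten = pkt[:6] + struct.pack("!H", client_id) + pkt[8:]
        return internal_ip, rewritten


def demo() -> Tuple[int, int, str, int]:
    """Two constructed LAN clients both pick call ID 1; show how they are kept apart."""
    nat = PptpCallIdNat()
    pub_a = nat.register_call("192.168.159.10", 1)
    pub_b = nat.register_call("192.168.159.11", 1)
    ppp_lcp = b"\xff\x03\xc0\x21"               # constructed PPP frame start (LCP)
    from_server = build_pptp_gre(pub_b, ppp_lcp, seq=7)
    internal_ip, pkt = nat.translate_inbound(from_server)
    return pub_a, pub_b, internal_ip, parse_pptp_gre(pkt).call_id


if __name__ == "__main__":
    print(demo())
```

Without a helper of this kind (loaded on the NAT box with `modprobe nf_conntrack_pptp nf_nat_pptp` and, on kernels that require explicit helper assignment, a `-t raw ... -j CT --helper pptp` rule for TCP/1723), the kernel has no call-ID state to match inbound GRE against, which is worth verifying with `tcpdump -ni eth1 proto gre` on the outside interface while the Windows client dials.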

    Warning: PPTP is fundamentally insecure and should not be used if confidentiality is required. – Michael Hampton Feb 17 '21 at 00:03
  • @MichaelHampton, thank you for your response. I know, but I am told to use that. The main problem for me is the NAT and GRE not working – Arsi Feb 17 '21 at 18:42
  • You mean IP protocol type 47. Not the same as port :) Where is the VPN server? Could it have something to do with routing? Did you attempt tracing traffic with a tool like `tcpdump`? – berndbausch Feb 26 '21 at 03:33

0 Answers