
I have a pptpd server and Shorewall running on the same server. The server has two ethernet connections (eth0 -> WAN, eth1 -> LAN) and its IP on the LAN is 10.11.100.201

I can establish a VPN-tunnel from my home computer with no problems, but I can't access any computers on the office LAN, including the VPN-server. If I ping the other end of the VPN-tunnel (10.11.100.20) I get "Destination Host Unreachable".

But if I turn off Shorewall everything works!

Have I done something wrong with my shorewall configuration?

interfaces:

wan eth0 detect dhcp,routefilter,tcpflags
lan eth1 detect dhcp
vpn ppp+ 

zones:

fw firewall
wan ipv4
lan ipv4
vpn ipv4

masq:

eth0 eth1

policy:

vpn lan ACCEPT
lan vpn ACCEPT
wan all DROP
lan all REJECT
fw all ACCEPT
all all REJECT

tunnels:

pptpserver wan 0.0.0.0/0

Update

I have this solved by now, but I'm not sure why I have to do this. Anyway, the solution was to add another policy:

vpn all ACCEPT

I thought that to Shorewall the VPN ppp0 interface would be a networking interface as any other, but it seems to know that the ppp0 traffic goes through eth0, and won't let it unless I add this policy. Is this correct?

Jonatan

1 Answer


You did not mention your rules file. Have you added appropriate entries to the rules file to allow TCP port 1723 and GRE (IP protocol 47) traffic to your pptp server? See this page for details.

Response to Update

Try replacing vpn all ACCEPT with the equivalent set of policies

vpn fw  ACCEPT
vpn wan ACCEPT
vpn lan ACCEPT

and test whether everything still works. If so, next try removing each of those policies one by one, testing whether everything still works each time, to get down to the minimal set of policies required. Is it possible that the only policy you really need to add is vpn wan ACCEPT ?

Steven Monday
  • I have an extensive rules file, so I did not include it. Yes, I've added those, and I have a working connection. It's just that I can't access any hosts on the office LAN. As a matter of fact, I've solved it now. See edit above. – Jonatan Nov 13 '10 at 09:49
  • Glad to hear things are working now. I have updated my answer with a possible optimization for your policy set. – Steven Monday Nov 13 '10 at 20:52
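The answer's minimisation procedure, worked through as an added example (not code from the question, the answer, or Shorewall itself): a first-match model of the policy table from the question, used to see which policy catches each zone pair and which subset of the three expanded policies is enough. The set of flows treated as "needed" (vpn to fw for the failed ping of the tunnel endpoint, vpn to lan for the office LAN) is an assumption, and the new policies are assumed to be placed ahead of the catch-all "all all REJECT" line.

```python
# Added example: first-match model of a Shorewall policy table, built from the
# policies on this page. Not Shorewall's own code; see assumptions below.
from itertools import combinations

# The original policy file from the question, in file order.
ORIGINAL_POLICIES = [
    ("vpn", "lan", "ACCEPT"),
    ("lan", "vpn", "ACCEPT"),
    ("wan", "all", "DROP"),
    ("lan", "all", "REJECT"),
    ("fw",  "all", "ACCEPT"),
    ("all", "all", "REJECT"),
]

# The three policies the answer proposes as equivalent to "vpn all ACCEPT".
EXPANDED_VPN_POLICIES = [
    ("vpn", "fw",  "ACCEPT"),
    ("vpn", "wan", "ACCEPT"),
    ("vpn", "lan", "ACCEPT"),
]

def lookup(policies, src, dst):
    """Action of the first policy matching (src, dst); 'all' is a wildcard."""
    for psrc, pdst, action in policies:
        if psrc in (src, "all") and pdst in (dst, "all"):
            return action
    return None  # no catch-all matched; Shorewall would refuse such a table

def minimal_additions(base, candidates, needed):
    """Smallest subset of candidates that, placed before base, ACCEPTs every
    needed (src, dst) flow. Assumption: new lines go ahead of the catch-all."""
    for size in range(len(candidates) + 1):
        for subset in combinations(candidates, size):
            table = list(subset) + base
            if all(lookup(table, s, d) == "ACCEPT" for s, d in needed):
                return list(subset)
    return None

# Assumption: the asker needs a VPN client to reach the server's own tunnel
# address (vpn -> fw, the failed ping) and the office LAN (vpn -> lan).
NEEDED_FLOWS = [("vpn", "fw"), ("vpn", "lan")]

if __name__ == "__main__":
    print("vpn->fw under original policies:", lookup(ORIGINAL_POLICIES, "vpn", "fw"))
    print("minimal additions:",
          minimal_additions(ORIGINAL_POLICIES, EXPANDED_VPN_POLICIES, NEEDED_FLOWS))
```

Under these assumptions the original table sends vpn to fw traffic to "all all REJECT", and a single "vpn fw ACCEPT" line is the smallest addition that fixes it, since "vpn lan ACCEPT" was already present.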