Conclusions: OpenWrt Firewall blocking client pptp

Hi;

Having problems with pptp clients behind openwrt. Did research and installed kmod-nf-nathelper-extra on router.

Clients getting:

sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x97866db9>]
LCP: timeout sending Config-Requests

# eth1 is wan, two pptp clients on wan
tcpdump -i eth1 proto gre
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:00:05.121616 IP 192.168.6.254 > 192.253.245.254: GREv1, call 36852, seq 9, length 32: LCP, Conf-Request (0x01), id 1, length 18
11:00:05.597879 IP 192.168.6.254 > 104.143.74.129: GREv1, call 30468, seq 4, length 32: LCP, Conf-Request (0x01), id 1, length 18
# so, the conf requests are going out

#enabled logging on wan, IP address is one of the pptp servers:
logread | grep 192.253.245.254
Fri Jul 13 11:02:49 2018 kern.warn kernel: [ 4080.723507] MSSFIX(wan): IN=br-lan OUT=eth1 MAC=00:e0:4c:68:00:36:f0:b4:29:d1:f9:63:08:00 SRC=192.168.1.5 DST=192.253.245.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=42254 DF PROTO=TCP SPT=46372 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0
Fri Jul 13 11:02:50 2018 kern.warn kernel: [ 4082.254408] REJECT(src wan)IN=eth1 OUT= MAC=00:e0:4c:68:00:37:f0:b4:29:8c:24:d6:08:00 SRC=192.253.245.254 DST=192.168.6.254 LEN=84 TOS=0x00 PREC=0x00 TTL=113 ID=30172 DF PROTO=TCP SPT=1723 DPT=46372 WINDOW=259 RES=0x00 ACK PSH URGP=0

#so, responses being dropped
lsmod | grep conntrack
nf_conntrack           59794 31 nf_nat_pptp,nf_nat_amanda,nf_conntrack_pptp,nf_conntrack_ipv6,nf_conntrack_amanda,xt_state,xt_helper,xt_conntrack,xt_connmark,xt_connlimit,xt_connbytes,xt_CT,nf_nat_tftp,nf_nat_snmp_basic,nf_nat_sip,nf_nat_masquerade_ipv4,nf_nat_irc,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat_h323,nf_nat,nf_conntrack_tftp,nf_conntrack_snmp,nf_conntrack_sip,nf_conntrack_rtcache,nf_conntrack_proto_gre,nf_conntrack_irc,nf_conntrack_h323,nf_conntrack_broadcast,sch_cake,act_connmark
nf_conntrack_amanda     2304  1 nf_nat_amanda
nf_conntrack_broadcast    1229  1 nf_conntrack_snmp
nf_conntrack_h323      39911  1 nf_nat_h323
nf_conntrack_ipv4       5696 19
nf_conntrack_ipv6       6080  8
nf_conntrack_irc        3648  1 nf_nat_irc
nf_conntrack_pptp       3720  1 nf_nat_pptp
nf_conntrack_proto_gre    3038  1 nf_conntrack_pptp
nf_conntrack_rtcache    2624  0
nf_conntrack_sip       18877  1 nf_nat_sip
nf_conntrack_snmp       1224  1 nf_nat_snmp_basic
nf_conntrack_tftp       3872  1 nf_nat_tftp
nf_defrag_ipv4          1390  1 nf_conntrack_ipv4
nf_defrag_ipv6         22087  1 nf_conntrack_ipv6
x_tables               11247 40 ipt_REJECT,ipt_MASQUERADE,xt_time,xt_tcpudp,xt_tcpmss,xt_statistic,xt_state,xt_recent,xt_nat,xt_multiport,xt_mark,xt_mac,xt_limit,xt_length,xt_hl,xt_helper,xt_ecn,xt_dscp,xt_conntrack,xt_connmark,xt_connlimit,xt_connbytes,xt_comment,xt_TCPMSS,xt_REDIRECT,xt_LOG,xt_HL,xt_DSCP,xt_CT,xt_CLASSIFY,iptable_raw,iptable_mangle,iptable_filter,ipt_ECN,ip_tables,ip6t_REJECT,ip6table_raw,ip6table_mangle,ip6table_filter,ip6_tables
xt_conntrack            2880 26

Any idea what I am missing?

Thanks;
Bill

Can you provide the full output of iptables-save ?

Thanks Jow; here it is...

# Generated by iptables-save v1.4.21 on Fri Jul 13 11:45:09 2018
*nat
:PREROUTING ACCEPT [736:138398]
:INPUT ACCEPT [311:87490]
:OUTPUT ACCEPT [152:11786]
:POSTROUTING ACCEPT [131:9752]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_remote_vpn_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_tun0_rule - [0:0]
:postrouting_tun1_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_remote_vpn_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_tun0_rule - [0:0]
:prerouting_tun1_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_remote_vpn_postrouting - [0:0]
:zone_remote_vpn_prerouting - [0:0]
:zone_tun0_postrouting - [0:0]
:zone_tun0_prerouting - [0:0]
:zone_tun1_postrouting - [0:0]
:zone_tun1_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i eth1 -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_tun0_prerouting
-A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o eth1 -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_tun0_postrouting
-A MINIUPNPD -p udp -m udp --dport 5080 -j DNAT --to-destination 192.168.1.1:5080
-A MINIUPNPD -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.1.1:5060
-A MINIUPNPD -p tcp -m tcp --dport 5080 -j DNAT --to-destination 192.168.1.1:5080
-A MINIUPNPD -p tcp -m tcp --dport 5060 -j DNAT --to-destination 192.168.1.1:5060
-A MINIUPNPD -p tcp -m tcp --dport 5081 -j DNAT --to-destination 192.168.1.1:5081
-A MINIUPNPD -p tcp -m tcp --dport 5061 -j DNAT --to-destination 192.168.1.1:5061
-A MINIUPNPD -p udp -m udp --dport 4730 -j DNAT --to-destination 192.168.1.27:4730
-A MINIUPNPD -p tcp -m tcp --dport 21044 -j DNAT --to-destination 192.168.1.27:4000
-A MINIUPNPD-POSTROUTING -s 192.168.1.27/32 -p tcp -m tcp --sport 4000 -j MASQUERADE --to-ports 21044
-A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Forward-http (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Forward-https (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: Forward-ftp (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p udp -m udp --dport 21 -m comment --comment "!fw3: Forward-ftp (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 25 -m comment --comment "!fw3: Mailhop (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p udp -m udp --dport 25 -m comment --comment "!fw3: Mailhop (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 465 -m comment --comment "!fw3: MailhopS (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p udp -m udp --dport 465 -m comment --comment "!fw3: MailhopS (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 25 -m comment --comment "!fw3: Forward-smtp (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 993 -m comment --comment "!fw3: Forward-imaps (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.3/32 -p tcp -m tcp --dport 9696 -m comment --comment "!fw3: Websockets (reflection)" -j SNAT --to-source 192.168.1.1
-A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.6.254/32 -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Forward-http (reflection)" -j DNAT --to-destination 192.168.1.3:80
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.6.254/32 -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Forward-https (reflection)" -j DNAT --to-destination 192.168.1.3:443
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.6.254/32 -p tcp -m tcp --dport 21 -m comment --comment "!fw3: Forward-ftp (reflection)" -j DNAT --to-destination 192.168.1.3:21
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.6.254/32 -p udp -m udp --dport 21 -m comment --comment "!fw3: Forward-ftp (reflection)" -j DNAT --to-destination 192.168.1.3:21
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.6.254/32 -p tcp -m tcp --dport 2525 -m comment --comment "!fw3: Mailhop (reflection)" -j DNAT --to-destination 192.168.1.3:25
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.6.254/32 -p udp -m udp --dport 2525 -m comment --comment "!fw3: Mailhop (reflection)" -j DNAT --to-destination 192.168.1.3:25
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.6.254/32 -p tcp -m tcp --dport 465 -m comment --comment "!fw3: MailhopS (reflection)" -j DNAT --to-destination 192.168.1.3:465
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.6.254/32 -p udp -m udp --dport 465 -m comment --comment "!fw3: MailhopS (reflection)" -j DNAT --to-destination 192.168.1.3:465
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.6.254/32 -p tcp -m tcp --dport 25 -m comment --comment "!fw3: Forward-smtp (reflection)" -j DNAT --to-destination 192.168.1.3:25
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.6.254/32 -p tcp -m tcp --dport 993 -m comment --comment "!fw3: Forward-imaps (reflection)" -j DNAT --to-destination 192.168.1.3:993
-A zone_lan_prerouting -s 192.168.1.0/24 -d 192.168.6.254/32 -p tcp -m tcp --dport 9696 -m comment --comment "!fw3: Websockets (reflection)" -j DNAT --to-destination 192.168.1.3:9696
-A zone_remote_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_remote_vpn_rule
-A zone_remote_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_remote_vpn_rule
-A zone_tun0_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_tun0_rule
-A zone_tun0_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_tun0_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_tun0_rule
-A zone_tun1_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_tun1_rule
-A zone_tun1_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_tun1_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_tun1_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -j MINIUPNPD
-A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp --dport 80 -m comment --comment "!fw3: Forward-http" -j DNAT --to-destination 192.168.1.3:80
-A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment "!fw3: Forward-https" -j DNAT --to-destination 192.168.1.3:443
-A zone_wan_prerouting -p tcp -m tcp --dport 21 -m comment --comment "!fw3: Forward-ftp" -j DNAT --to-destination 192.168.1.3:21
-A zone_wan_prerouting -p udp -m udp --dport 21 -m comment --comment "!fw3: Forward-ftp" -j DNAT --to-destination 192.168.1.3:21
-A zone_wan_prerouting -p tcp -m tcp --dport 2525 -m comment --comment "!fw3: Mailhop" -j DNAT --to-destination 192.168.1.3:25
-A zone_wan_prerouting -p udp -m udp --dport 2525 -m comment --comment "!fw3: Mailhop" -j DNAT --to-destination 192.168.1.3:25
-A zone_wan_prerouting -p tcp -m tcp --dport 465 -m comment --comment "!fw3: MailhopS" -j DNAT --to-destination 192.168.1.3:465
-A zone_wan_prerouting -p udp -m udp --dport 465 -m comment --comment "!fw3: MailhopS" -j DNAT --to-destination 192.168.1.3:465
-A zone_wan_prerouting -p tcp -m tcp --dport 25 -m comment --comment "!fw3: Forward-smtp" -j DNAT --to-destination 192.168.1.3:25
-A zone_wan_prerouting -p tcp -m tcp --dport 993 -m comment --comment "!fw3: Forward-imaps" -j DNAT --to-destination 192.168.1.3:993
-A zone_wan_prerouting -p tcp -m tcp --dport 9696 -m comment --comment "!fw3: Websockets" -j DNAT --to-destination 192.168.1.3:9696
COMMIT
# Completed on Fri Jul 13 11:45:09 2018
# Generated by iptables-save v1.4.21 on Fri Jul 13 11:45:09 2018
*raw
:PREROUTING ACCEPT [17362:8160957]
:OUTPUT ACCEPT [5777:1769382]
COMMIT
# Completed on Fri Jul 13 11:45:09 2018
# Generated by iptables-save v1.4.21 on Fri Jul 13 11:45:09 2018
*mangle
:PREROUTING ACCEPT [16226:7718929]
:INPUT ACCEPT [4770:1374265]
:FORWARD ACCEPT [10907:6251766]
:OUTPUT ACCEPT [4775:1321872]
:POSTROUTING ACCEPT [15699:7577410]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m limit --limit 10/sec -m comment --comment "!fw3: wan (mtu_fix logging)" -j LOG --log-prefix "MSSFIX(wan): "
-A FORWARD -o eth1 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o tun0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: tun0 (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
-A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Fri Jul 13 11:45:09 2018
# Generated by iptables-save v1.4.21 on Fri Jul 13 11:45:09 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [21:840]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_remote_vpn_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_tun0_rule - [0:0]
:forwarding_tun1_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_remote_vpn_rule - [0:0]
:input_rule - [0:0]
:input_tun0_rule - [0:0]
:input_tun1_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_remote_vpn_rule - [0:0]
:output_rule - [0:0]
:output_tun0_rule - [0:0]
:output_tun1_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_remote_vpn_dest_ACCEPT - [0:0]
:zone_remote_vpn_dest_REJECT - [0:0]
:zone_remote_vpn_forward - [0:0]
:zone_remote_vpn_input - [0:0]
:zone_remote_vpn_output - [0:0]
:zone_remote_vpn_src_ACCEPT - [0:0]
:zone_tun0_dest_ACCEPT - [0:0]
:zone_tun0_dest_REJECT - [0:0]
:zone_tun0_forward - [0:0]
:zone_tun0_input - [0:0]
:zone_tun0_output - [0:0]
:zone_tun0_src_ACCEPT - [0:0]
:zone_tun1_dest_ACCEPT - [0:0]
:zone_tun1_dest_REJECT - [0:0]
:zone_tun1_forward - [0:0]
:zone_tun1_input - [0:0]
:zone_tun1_output - [0:0]
:zone_tun1_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -s 209.160.120.12/32 -j DROP
-A INPUT -s 151.80.235.241/32 -j DROP
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i eth1 -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i tun0 -m comment --comment "!fw3" -j zone_tun0_input
-A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i eth1 -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_tun0_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o eth1 -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_tun0_output
-A MINIUPNPD -d 192.168.1.1/32 -p udp -m udp --dport 5080 -j ACCEPT
-A MINIUPNPD -d 192.168.1.1/32 -p udp -m udp --dport 5060 -j ACCEPT
-A MINIUPNPD -d 192.168.1.1/32 -p tcp -m tcp --dport 5080 -j ACCEPT
-A MINIUPNPD -d 192.168.1.1/32 -p tcp -m tcp --dport 5060 -j ACCEPT
-A MINIUPNPD -d 192.168.1.1/32 -p tcp -m tcp --dport 5081 -j ACCEPT
-A MINIUPNPD -d 192.168.1.1/32 -p tcp -m tcp --dport 5061 -j ACCEPT
-A MINIUPNPD -d 192.168.1.27/32 -p udp -m udp --dport 4730 -j ACCEPT
-A MINIUPNPD -d 192.168.1.27/32 -p tcp -m tcp --dport 4000 -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> tun0" -j zone_tun0_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_remote_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_remote_vpn_rule
-A zone_remote_vpn_forward -m comment --comment "!fw3: forwarding remote_vpn -> tun1" -j zone_tun1_dest_ACCEPT
-A zone_remote_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_remote_vpn_forward -m comment --comment "!fw3" -j zone_remote_vpn_dest_REJECT
-A zone_remote_vpn_input -m comment --comment "!fw3: user chain for input" -j input_remote_vpn_rule
-A zone_remote_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_remote_vpn_input -m comment --comment "!fw3" -j zone_remote_vpn_src_ACCEPT
-A zone_remote_vpn_output -m comment --comment "!fw3: user chain for output" -j output_remote_vpn_rule
-A zone_remote_vpn_output -m comment --comment "!fw3" -j zone_remote_vpn_dest_ACCEPT
-A zone_tun0_dest_ACCEPT -o tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_tun0_dest_REJECT -o tun0 -m comment --comment "!fw3" -j reject
-A zone_tun0_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_tun0_rule
-A zone_tun0_forward -m comment --comment "!fw3: forwarding tun0 -> lan" -j zone_lan_dest_ACCEPT
-A zone_tun0_forward -m comment --comment "!fw3: forwarding tun0 -> wan" -j zone_wan_dest_ACCEPT
-A zone_tun0_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_tun0_forward -m comment --comment "!fw3" -j zone_tun0_dest_REJECT
-A zone_tun0_input -m comment --comment "!fw3: user chain for input" -j input_tun0_rule
-A zone_tun0_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_tun0_input -m comment --comment "!fw3" -j zone_tun0_src_ACCEPT
-A zone_tun0_output -m comment --comment "!fw3: user chain for output" -j output_tun0_rule
-A zone_tun0_output -m comment --comment "!fw3" -j zone_tun0_dest_ACCEPT
-A zone_tun0_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_tun1_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_tun1_rule
-A zone_tun1_forward -m comment --comment "!fw3: forwarding tun1 -> remote_vpn" -j zone_remote_vpn_dest_ACCEPT
-A zone_tun1_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_tun1_forward -m comment --comment "!fw3" -j zone_tun1_dest_REJECT
-A zone_tun1_input -m comment --comment "!fw3: user chain for input" -j input_tun1_rule
-A zone_tun1_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_tun1_input -m comment --comment "!fw3" -j zone_tun1_src_ACCEPT
-A zone_tun1_output -m comment --comment "!fw3: user chain for output" -j output_tun1_rule
-A zone_tun1_output -m comment --comment "!fw3" -j zone_tun1_dest_ACCEPT
-A zone_wan_dest_ACCEPT -o eth1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT(dest wan)"
-A zone_wan_dest_REJECT -o eth1 -m comment --comment "!fw3" -j reject
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: @rule[7]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: @rule[8]" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p tcp -m tcp --sport 1723 -m comment --comment "!fw3: gre" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3: forwarding wan -> tun0" -j zone_tun0_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -p gre -m comment --comment "!fw3: Allow-gre" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 16384:32768 -m comment --comment "!fw3: RTP" -j ACCEPT
-A zone_wan_input -p tcp -m tcp --dport 1190:1194 -m comment --comment "!fw3: Allow-OpenVpn" -j ACCEPT
-A zone_wan_input -p udp -m udp --dport 1190:1194 -m comment --comment "!fw3: Allow-OpenVpn" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT(src wan)"
-A zone_wan_src_REJECT -i eth1 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Fri Jul 13 11:45:09 2018

The OpenWrt firewall should autogenerate rules like the following in the raw table, but yours is empty.

-A zone_lan_helper -p tcp -m comment --comment "!fw3: PPTP VPN connection tracking" -m tcp --dport 1723 -j CT --helper pptp

Do you have the iptables-mod-conntrack-extra package installed?

It is installed. Do I need something like kmod-ipt-raw?

~# opkg list-installed | grep iptables-mod-conntrack-extra
iptables-mod-conntrack-extra - 1.4.21-2

~# uname -a
Linux SecureOffice 4.4.14 #2 SMP Sat May 19 14:26:36 UTC 2018 x86_64 GNU/Linux

Sorry, I was referring to OpenWrt 18.06.0-rc1, while you are using 17.01.x, right?

Older kernels still assigned the conntrack helpers automatically, so you shouldn't need the -j CT --helper pptp rules, and fw3 does not generate them.

Is your WAN IP address one of 192.168.1.5 or 192.168.6.254? Are you behind a carrier-grade NAT?

The perps:

192.168.1.5 - pptp client (to pptp server in cloud) on openwrt lan
192.253.245.254 - pptp server in cloud
192.168.6.254 - wan address of openwrt (eth1)

openwrt is behind other routers (not carrier grade), BUT the reply packets are making it to openwrt wan / eth1. As a test, connected openwrt wan directly to modem. Same behavior, pptp reply packets being dropped by firewall.

There is a mismatch in timestamps and protocols between your tcpdump and logread. tcpdump is GRE, logread is tcp port 1723 (pptp).

PPTP replies yes, but the GRE replies are missing. If those other routers do NAT, you need connection tracking for PPTP/GRE there as well.

That's a good idea. Do you still see outgoing GRE?
Next I would look at the connection tracking table, either with cat or with the conntrack tool, to see why the PPTP replies are dropped.
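To make the conntrack check suggested above concrete, here is an added helper script (not from the thread or from OpenWrt) that reads a `conntrack -L` or `/proc/net/nf_conntrack` dump and reports, for each PPTP control connection, whether the pptp helper is attached and whether its GRE entry exists and has seen a reply. The conntrack lines are constructed sample data; the field layout follows what conntrack-tools and the kernel proc file print.

```shell
#!/bin/sh
# Constructed sample dump (not taken from the thread) in `conntrack -L` format:
# the LAN client 192.168.1.5 has two PPTP control connections. The first has the
# pptp helper attached and a GRE child that has seen a reply; the second has no
# helper and its GRE entry is still [UNREPLIED], which is what a firewall that
# rejects the server's GRE packets looks like from the router's point of view.
SAMPLE_CT='tcp      6 431990 ESTABLISHED src=192.168.1.5 dst=192.253.245.254 sport=46372 dport=1723 src=192.253.245.254 dst=192.168.6.254 sport=1723 dport=46372 [ASSURED] mark=0 helper=pptp use=1
gre      47 29 src=192.168.1.5 dst=192.253.245.254 srckey=0x0 dstkey=0x8ff4 src=192.253.245.254 dst=192.168.6.254 srckey=0x8ff4 dstkey=0x0 [ASSURED] mark=0 use=1
tcp      6 431980 ESTABLISHED src=192.168.1.5 dst=104.143.74.129 sport=46373 dport=1723 src=104.143.74.129 dst=192.168.6.254 sport=1723 dport=46373 [ASSURED] mark=0 use=1
gre      47 29 src=192.168.1.5 dst=104.143.74.129 srckey=0x0 dstkey=0x7704 [UNREPLIED] src=104.143.74.129 dst=192.168.6.254 srckey=0x7704 dstkey=0x0 mark=0 use=1'

# pptp_ct_report [FILE]
# Reads a conntrack dump (default: stdin) produced by `conntrack -L` or by
# `cat /proc/net/nf_conntrack` and prints one line per PPTP control connection:
#   <orig src> -> <orig dst>: ctrl=<tcp state> helper=<yes|no|n/a> gre=<replied|unreplied|missing>
# The proc file does not print the helper name, so it reports helper=n/a.
pptp_ct_report() {
    awk '
    {
        # /proc/net/nf_conntrack prefixes every line with "ipv4 2"; conntrack -L does not.
        off = ($1 ~ /^ipv[46]$/) ? 2 : 0
        proto = $(1 + off)
        osrc = ""; odst = ""; dport = ""
        # The first src=/dst=/dport= belong to the original direction; the second pair is the reply.
        for (i = 1; i <= NF; i++) {
            if (osrc == "" && $i ~ /^src=/)    osrc = substr($i, 5)
            if (odst == "" && $i ~ /^dst=/)    odst = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        key = osrc " -> " odst
        if (proto == "tcp" && dport == "1723") {
            ctrl[key] = $(4 + off)
            if (off == 2)                          helper[key] = "n/a"
            else if (index($0, "helper=pptp") > 0) helper[key] = "yes"
            else                                   helper[key] = "no"
        } else if (proto == "gre") {
            # A GRE entry that never saw a reply means the server GRE packets are not coming back
            # (or are being rejected before conntrack sees them).
            gre[key] = (index($0, "[UNREPLIED]") > 0) ? "unreplied" : "replied"
        }
    }
    END {
        for (k in ctrl) {
            g = (k in gre) ? gre[k] : "missing"
            printf "%s: ctrl=%s helper=%s gre=%s\n", k, ctrl[k], helper[k], g
        }
    }' "${1:--}" | sort
}

# pptp_ct_problems [FILE]
# Prints the number of PPTP control connections whose GRE data channel is not
# healthy (helper missing, or GRE entry unreplied or absent).
pptp_ct_problems() {
    n=$(pptp_ct_report "$1" | grep -Evc 'helper=(yes|n/a) gre=replied') || true
    echo "$n"
}

# On the router you would run: pptp_ct_report /proc/net/nf_conntrack
printf '%s\n' "$SAMPLE_CT" | pptp_ct_report
```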

Going to focus on direct modem connection. Still see outgoing gre.

Will have to research how to examine the conntrack table.

tcpdump -ni eth1 proto gre:
16:00:54.526610 IP 107.179.178.55 > 104.143.72.253: GREv1, call 5791, seq 7, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:00:54.582264 IP 107.179.178.55 > 192.253.245.254: GREv1, call 43223, seq 7, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:00:57.529684 IP 107.179.178.55 > 104.143.72.253: GREv1, call 5791, seq 8, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:00:57.585723 IP 107.179.178.55 > 192.253.245.254: GREv1, call 43223, seq 8, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:00.532680 IP 107.179.178.55 > 104.143.72.253: GREv1, call 5791, seq 9, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:00.589253 IP 107.179.178.55 > 192.253.245.254: GREv1, call 43223, seq 9, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:03.535669 IP 107.179.178.55 > 104.143.72.253: GREv1, call 5791, seq 10, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:03.592291 IP 107.179.178.55 > 192.253.245.254: GREv1, call 43223, seq 10, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:08.103019 IP 107.179.178.55 > 192.253.245.254: GREv1, call 3907, seq 1, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:08.176899 IP 192.253.245.254 > 107.179.178.55: GREv1, call 47050, seq 0, ack 1, length 72: LCP, Conf-Request (0x01), id 0, length 54
16:01:08.177168 IP 192.253.245.254 > 107.179.178.55: GREv1, call 47050, seq 1, length 32: LCP, Conf-Ack (0x02), id 1, length 18
16:01:08.797039 IP 107.179.178.55 > 104.143.75.2: GREv1, call 9843, seq 1, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:08.860383 IP 104.143.75.2 > 107.179.178.55: GREv1, call 50302, seq 1, length 32: LCP, Conf-Ack (0x02), id 1, length 18
16:01:08.861376 IP 104.143.75.2 > 107.179.178.55: GREv1, call 50302, seq 0, ack 1, length 72: LCP, Conf-Request (0x01), id 0, length 54
16:01:11.106503 IP 107.179.178.55 > 192.253.245.254: GREv1, call 3907, seq 2, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:11.799688 IP 107.179.178.55 > 104.143.75.2: GREv1, call 9843, seq 2, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:14.110075 IP 107.179.178.55 > 192.253.245.254: GREv1, call 3907, seq 3, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:14.802697 IP 107.179.178.55 > 104.143.75.2: GREv1, call 9843, seq 3, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:17.112250 IP 107.179.178.55 > 192.253.245.254: GREv1, call 3907, seq 4, length 32: LCP, Conf-Request (0x01), id 1, length 18
16:01:17.805648 IP 107.179.178.55 > 104.143.75.2: GREv1, call 9843, seq 4, length 32: LCP, Conf-Request (0x01), id 1, length 18

Note (above): many client requests before the server reply.

logread | grep 192.253.245.254
Fri Jul 13 16:04:47 2018 kern.warn kernel: [16503.448060] MSSFIX(wan): IN=br-lan OUT=eth1 MAC=00:e0:4c:68:00:36:f0:b4:29:d1:f9:63:08:00 SRC=192.168.1.5 DST=192.253.245.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=28981 DF PROTO=TCP SPT=47057 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0
Fri Jul 13 16:05:19 2018 kern.warn kernel: [16535.414552] MSSFIX(wan): IN=br-lan OUT=eth1 MAC=00:e0:4c:68:00:36:f0:b4:29:d1:f9:63:08:00 SRC=192.168.1.5 DST=192.253.245.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57174 DF PROTO=TCP SPT=47058 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0
Fri Jul 13 16:05:51 2018 kern.warn kernel: [16567.097177] MSSFIX(wan): IN=br-lan OUT=eth1 MAC=00:e0:4c:68:00:36:f0:b4:29:d1:f9:63:08:00 SRC=192.168.1.5 DST=192.253.245.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=39104 DF PROTO=TCP SPT=47059 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0
Fri Jul 13 16:06:23 2018 kern.warn kernel: [16598.654814] MSSFIX(wan): IN=br-lan OUT=eth1 MAC=00:e0:4c:68:00:36:f0:b4:29:d1:f9:63:08:00 SRC=192.168.1.5 DST=192.253.245.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=19609 DF PROTO=TCP SPT=47060 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0
Fri Jul 13 16:06:54 2018 kern.warn kernel: [16630.255033] MSSFIX(wan): IN=br-lan OUT=eth1 MAC=00:e0:4c:68:00:36:f0:b4:29:d1:f9:63:08:00 SRC=192.168.1.5 DST=192.253.245.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=29361 DF PROTO=TCP SPT=47061 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0
Fri Jul 13 16:07:26 2018 kern.warn kernel: [16662.027954] MSSFIX(wan): IN=br-lan OUT=eth1 MAC=00:e0:4c:68:00:36:f0:b4:29:d1:f9:63:08:00 SRC=192.168.1.5 DST=192.253.245.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=52639 DF PROTO=TCP SPT=47062 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0
Fri Jul 13 16:07:57 2018 kern.warn kernel: [16693.589897] MSSFIX(wan): IN=br-lan OUT=eth1 MAC=00:e0:4c:68:00:36:f0:b4:29:d1:f9:63:08:00 SRC=192.168.1.5 DST=192.253.245.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=55491 DF PROTO=TCP SPT=47063 DPT=1723 WINDOW=29200 RES=0x00 SYN URGP=0

You were correct. Upstream routers not doing gre passthrough. With direct connection, firewall does not seem to be dropping response packets.

Still no pptp connection: LCP: timeout sending Config-Requests

Note the disconnect between request and reply "call" numbers. Shutting down clients for a bit to let server recover.

http://conntrack-tools.netfilter.org/manual.html

http://conntrack-tools.netfilter.org/manual.html#conntrack in particular

Likely can be installed by https://openwrt.org/packages/pkgdata/conntrack

Have to enable and compile conntrack-tools. May not need it.

On openwrt (wan), can see bidir pptp. On lan (pptp client), cannot.

Do you have all of these modules loaded?

# lsmod | egrep '^nf_(conntrack|nat)_(pptp|proto_gre)'
nf_conntrack_pptp       3376  5 nf_nat_pptp
nf_conntrack_proto_gre  2656  1 nf_conntrack_pptp
nf_nat_pptp             1440  0 
nf_nat_proto_gre         816  1 nf_nat_pptp

May I suggest dumping PPTP and GRE together?

tcpdump -ni eth1 tcp port 1723 or proto gre

For a detailed view, dump to a file, then load the result into wireshark.

All above modules loaded.
tcpdump -ni eth1 proto gre: (on client 192.168.1.14, bridged to lan, no firewall)
I can remote wireshark if needed

17:18:38.810728 IP 192.168.1.14 > 104.143.72.253: GREv1, call 14841, seq 6, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:18:41.813724 IP 192.168.1.14 > 104.143.72.253: GREv1, call 14841, seq 7, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:18:43.712721 IP 192.168.1.14.45110 > 104.143.74.129.1723: Flags [FP.], seq 3483929575:3483929591, ack 2179750047, win 237, options [nop,nop,TS val 82675872 ecr 367434106], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(2642)
17:18:44.816707 IP 192.168.1.14 > 104.143.72.253: GREv1, call 14841, seq 8, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:18:47.819724 IP 192.168.1.14 > 104.143.72.253: GREv1, call 14841, seq 9, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:18:50.822724 IP 192.168.1.14 > 104.143.72.253: GREv1, call 14841, seq 10, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:18:53.830753 IP 192.168.1.14.36020 > 104.143.72.253.1723: Flags [P.], seq 431061920:431061936, ack 1816550714, win 237, options [nop,nop,TS val 82685990 ecr 211906573], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(2643)
17:18:53.830787 IP 192.168.1.14.36020 > 104.143.72.253.1723: Flags [F.], seq 16, ack 1, win 237, options [nop,nop,TS val 82685990 ecr 211906573], length 0
17:18:54.060780 IP 192.168.1.14.36020 > 104.143.72.253.1723: Flags [F.], seq 16, ack 1, win 237, options [nop,nop,TS val 82686220 ecr 211906573], length 0
17:18:54.429717 IP 192.168.1.14.36020 > 104.143.72.253.1723: Flags [FP.], seq 0:16, ack 1, win 237, options [nop,nop,TS val 82686589 ecr 211906573], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(2643)
17:18:54.925190 IP 192.168.1.14.50728 > 104.143.75.2.1723: Flags [S], seq 1103165208, win 29200, options [mss 1460,sackOK,TS val 82687084 ecr 0,nop,wscale 7], length 0
17:18:55.061432 IP 104.143.75.2.1723 > 192.168.1.14.50728: Flags [S.], seq 3996607248, ack 1103165209, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 273756351 ecr 82687084], length 0
17:18:55.061458 IP 192.168.1.14.50728 > 104.143.75.2.1723: Flags [.], ack 1, win 229, options [nop,nop,TS val 82687220 ecr 273756351], length 0
17:18:55.061764 IP 192.168.1.14.50728 > 104.143.75.2.1723: Flags [P.], seq 1:157, ack 1, win 229, options [nop,nop,TS val 82687221 ecr 273756351], length 156: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(AS) BEARER_CAP(DA) MAX_CHAN(65535) FIRM_REV(1) HOSTNAME(local) VENDOR(cananian)
17:18:55.131720 IP 104.143.75.2.1723 > 192.168.1.14.50728: Flags [P.], seq 1:157, ack 157, win 260, options [nop,nop,TS val 273756358 ecr 82687221], length 156: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(S) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(0) HOSTNAME() VENDOR(Microsoft)
17:18:55.131743 IP 192.168.1.14.50728 > 104.143.75.2.1723: Flags [.], ack 157, win 237, options [nop,nop,TS val 82687291 ecr 273756358], length 0
17:18:55.166743 IP 192.168.1.14.36020 > 104.143.72.253.1723: Flags [FP.], seq 0:16, ack 1, win 237, options [nop,nop,TS val 82687326 ecr 211906573], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(2643)
17:18:56.061932 IP 192.168.1.14.50728 > 104.143.75.2.1723: Flags [P.], seq 157:325, ack 157, win 237, options [nop,nop,TS val 82688221 ecr 273756358], length 168: pptp CTRL_MSGTYPE=OCRQ CALL_ID(2644) CALL_SER_NUM(0) MIN_BPS(2400) MAX_BPS(1000000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(50) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
17:18:56.123321 IP 104.143.75.2.1723 > 192.168.1.14.50728: Flags [P.], seq 157:189, ack 325, win 259, options [nop,nop,TS val 273756457 ecr 82688221], length 32: pptp CTRL_MSGTYPE=OCRP CALL_ID(64809) PEER_CALL_ID(2644) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(13277755) RECV_WIN(16384) PROC_DELAY(0) PHY_CHAN_ID(0)
17:18:56.123343 IP 192.168.1.14.50728 > 104.143.75.2.1723: Flags [.], ack 189, win 237, options [nop,nop,TS val 82688282 ecr 273756457], length 0
17:18:56.139908 IP 192.168.1.14 > 104.143.75.2: GREv1, call 64809, seq 1, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:18:56.640745 IP 192.168.1.14.36020 > 104.143.72.253.1723: Flags [FP.], seq 0:16, ack 1, win 237, options [nop,nop,TS val 82688800 ecr 211906573], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(2643)
17:18:59.142731 IP 192.168.1.14 > 104.143.75.2: GREv1, call 64809, seq 2, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:18:59.593717 IP 192.168.1.14.36020 > 104.143.72.253.1723: Flags [FP.], seq 0:16, ack 1, win 237, options [nop,nop,TS val 82691753 ecr 211906573], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(2643)
17:19:02.145754 IP 192.168.1.14 > 104.143.75.2: GREv1, call 64809, seq 3, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:19:05.148731 IP 192.168.1.14 > 104.143.75.2: GREv1, call 64809, seq 4, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:19:05.504713 IP 192.168.1.14.36020 > 104.143.72.253.1723: Flags [FP.], seq 0:16, ack 1, win 237, options [nop,nop,TS val 82697664 ecr 211906573], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(2643)
17:19:06.016719 IP 192.168.1.14.45110 > 104.143.74.129.1723: Flags [FP.], seq 0:16, ack 1, win 237, options [nop,nop,TS val 82698176 ecr 367434106], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(2642)
17:19:08.151724 IP 192.168.1.14 > 104.143.75.2: GREv1, call 64809, seq 5, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:19:11.154746 IP 192.168.1.14 > 104.143.75.2: GREv1, call 64809, seq 6, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:19:14.157689 IP 192.168.1.14 > 104.143.75.2: GREv1, call 64809, seq 7, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:19:17.160731 IP 192.168.1.14 > 104.143.75.2: GREv1, call 64809, seq 8, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:19:17.312720 IP 192.168.1.14.36020 > 104.143.72.253.1723: Flags [FP.], seq 0:16, ack 1, win 237, options [nop,nop,TS val 82709472 ecr 211906573], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(2643)
17:19:20.163728 IP 192.168.1.14 > 104.143.75.2: GREv1, call 64809, seq 9, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:19:21.440701 IP 192.168.1.14.50718 > 104.143.75.2.1723: Flags [FP.], seq 4113360811:4113360827, ack 158814203, win 237, options [nop,nop,TS val 82713600 ecr 273746756], length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(2641)
17:19:21.440984 IP 104.143.75.2.1723 > 192.168.1.14.50718: Flags [R], seq 158814203, win 0, length 0

Here's where I am stuck (GRE packets not passed by firewall):

cloud <--> openwrt <---> pptp client on lan

tcpdump -ni interface proto gre

on openwrt(wan): Can see bidirectional gre communication
on openwrt(lan): Can only see gre packets transmitted by pptp client.

Info:
Linux SecureOffice 4.4.14 #2 SMP Sat May 19 14:26:36 UTC 2018 x86_64 GNU/Linux
kmod-nf-nathelper-extra - installed on openwrt
/etc/config/firewall (openwrt, may be redundant?):

config rule 
        option name 'Allow-gre'
        option src 'wan'
        option proto 'gre'
        option target 'ACCEPT'
        option dest 'lan'

config rule
        option src 'wan'
        option src_port '1723'
        option proto 'tcp'
        option target 'ACCEPT'
        option name 'gre'
        option dest 'lan'

~# lsmod | grep nf
ipv6                  269619 42 nf_conntrack_ipv6
nf_conntrack           49022 27 nf_nat_pptp
nf_conntrack_amanda     1824  1 nf_nat_amanda
nf_conntrack_broadcast     845  1 nf_conntrack_snmp
nf_conntrack_ftp        5280  1 nf_nat_ftp
nf_conntrack_h323      34511  1 nf_nat_h323
nf_conntrack_ipv4       5152 14
nf_conntrack_ipv6       5536  3
nf_conntrack_irc        2832  1 nf_nat_irc
nf_conntrack_pptp       3200  1 nf_nat_pptp
nf_conntrack_proto_gre    2766  1 nf_conntrack_pptp
nf_conntrack_rtcache    2480  0
nf_conntrack_sip       17981  1 nf_nat_sip
nf_conntrack_snmp        784  1 nf_nat_snmp_basic
nf_conntrack_tftp       2832  1 nf_nat_tftp
nf_defrag_ipv4           838  1 nf_conntrack_ipv4
nf_defrag_ipv6          9047  1 nf_conntrack_ipv6
nf_log_common           2559  2 nf_log_ipv4
nf_log_ipv4             3248  3
nf_log_ipv6             3376  3
nf_nat                 10028 12 nf_nat_pptp
nf_nat_amanda            784  0
nf_nat_ftp              1216  0
nf_nat_h323             4992  0
nf_nat_ipv4             4257  1 iptable_nat
nf_nat_irc              1008  0
nf_nat_masquerade_ipv4    1372  1 ipt_MASQUERADE
nf_nat_pptp             1504  0
nf_nat_proto_gre         880  1 nf_nat_pptp
nf_nat_sip              7024  0
nf_nat_snmp_basic       6960  0
nf_nat_tftp              560  0
nf_reject_ipv4          1939  1 ipt_REJECT
nf_reject_ipv6          2215  1 ip6t_REJECT

I have completed debugging this and concluded: BUG (gre conntrack) with my mix of packages, even after updating to latest LEDE trunk firewall. Will not report bug, since it may be due to my particular versions;

Linux SecureOffice 4.4.14 #2 SMP Sat May 19 14:26:36 UTC 2018 x86_64 GNU/Linux
kmod-nf-nathelper-extra - installed on openwrt
option masq_allow_invalid - firewall, wan, no effect

cloud <--> openwrt <---> pptp client on lan

Two firewall failure scenarios:

Using rules to enable proto gre and port 1723

  • GRE response packets do not traverse from wan to lan
  • bidir communication: port 1723

Using redirects for proto gre and port 1723

  • bidir GRE communication, bidir port 1723 communication

In both cases: LCP time-outs
In both cases conntrack shows no response for gre packets

Workaround: use openvpn

If any gurus take an interest in this, I am willing to allow ssh access for debug purposes.
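The two-interface comparison described in the post above (bidirectional GRE on the WAN capture, only the client's GRE on the LAN capture) can be automated. The script below is an added example for this thread, not code posted by any participant. It parses text in the format `tcpdump -ni <if> 'tcp port 1723 or proto gre'` prints, pairs each GRE flow with the PPTP Outgoing-Call-Reply (OCRP) that set it up, and reports which direction(s) of GRE were seen per server; run on a WAN capture and a LAN capture from the same router, it says whether GRE replies never arrive or arrive on WAN and are then dropped. It also checks the GRE Call IDs against the OCRP: per RFC 2637 the GRE Key carries the receiver's Call ID, so the client sends with the server's CALL_ID and the server replies with PEER_CALL_ID, and different "call" numbers in the two directions are expected. The sample captures are constructed (not taken from the thread) and assume the router's WAN address is 192.168.6.254 and the client is 192.168.1.14, as in the posts above.

```python
"""Locate where PPTP's GRE data channel stops, from tcpdump text.

Added example for this thread, not code posted by a participant.  Input is the
line format of `tcpdump -ni <if> 'tcp port 1723 or proto gre'`.  Sample
captures below are constructed; addresses follow the thread (router WAN
192.168.6.254, LAN client 192.168.1.14, server 104.143.75.2).
"""
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
CTRL_RE = re.compile(rf"^\S+ IP ({IP})\.(\d+) > ({IP})\.(\d+): .*pptp CTRL_MSGTYPE=(\w+)(.*)$")
GRE_RE = re.compile(rf"^\S+ IP ({IP}) > ({IP}): GREv1, call (\d+), seq (\d+)")
FIELD_RE = re.compile(r"(\w+)\((\d+)\)")


def analyze_capture(lines):
    """Return {server_ip: session} for every PPTP server (TCP/1723 endpoint) seen.

    A session records the Call IDs announced in OCRP and counts GRE packets per
    direction, keyed by the Call ID in the GRE header.  RFC 2637 puts the
    *receiver's* Call ID in the GRE Key: client->server packets carry CALL_ID,
    server->client packets carry PEER_CALL_ID.
    """
    sessions = {}
    for line in lines:
        m = CTRL_RE.match(line)
        if m:
            src, sport, dst, _dport, msgtype, rest = m.groups()
            server = src if sport == "1723" else dst
            s = sessions.setdefault(server, {"server_call_id": None, "client_call_id": None,
                                             "c2s": defaultdict(int), "s2c": defaultdict(int)})
            if msgtype == "OCRP":
                fields = dict(FIELD_RE.findall(rest))
                s["server_call_id"] = int(fields["CALL_ID"])
                s["client_call_id"] = int(fields["PEER_CALL_ID"])
            continue
        m = GRE_RE.match(line)
        if m:
            src, dst, call, _seq = m.groups()
            if src in sessions:        # server -> client
                sessions[src]["s2c"][int(call)] += 1
            elif dst in sessions:      # client -> server
                sessions[dst]["c2s"][int(call)] += 1
            # GRE between hosts with no control channel in this capture is ignored
    return sessions


def gre_direction_report(sessions):
    """Classify each session and flag GRE Call IDs that contradict the OCRP."""
    report = {}
    for server, s in sessions.items():
        c2s, s2c = sum(s["c2s"].values()), sum(s["s2c"].values())
        state = ("bidirectional" if c2s and s2c else "no_reply" if c2s
                 else "no_request" if s2c else "no_gre")
        bad = []
        if s["server_call_id"] is not None:
            bad += [c for c in s["c2s"] if c != s["server_call_id"]]
            bad += [c for c in s["s2c"] if c != s["client_call_id"]]
        report[server] = {"state": state, "c2s": c2s, "s2c": s2c, "bad_call_ids": bad}
    return report


def locate_drop(wan_report, lan_report):
    """Combine the WAN-side and LAN-side view of one router into a verdict per server."""
    verdicts = {}
    for server in sorted(set(wan_report) | set(lan_report)):
        wan = wan_report.get(server, {}).get("state", "no_gre")
        lan = lan_report.get(server, {}).get("state", "no_gre")
        if wan == "bidirectional" and lan == "bidirectional":
            v = "GRE passes the router; look at PPP/LCP on the client"
        elif wan == "bidirectional" and lan == "no_reply":
            v = "replies reach WAN but are not forwarded to LAN: router drop (forward rule or conntrack/NAT helper)"
        elif wan == "no_reply":
            v = "no GRE replies arrive on WAN: upstream NAT/ISP or server not sending GRE"
        else:
            v = f"unexpected combination wan={wan} lan={lan}"
        verdicts[server] = v
    return verdicts


# Constructed sample: WAN-side capture, where the client appears as the router's WAN address.
WAN_CAPTURE = """\
17:18:55.0 IP 192.168.6.254.50728 > 104.143.75.2.1723: Flags [P.], seq 1:157, ack 1, win 229, length 156: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0)
17:18:56.1 IP 104.143.75.2.1723 > 192.168.6.254.50728: Flags [P.], seq 157:189, ack 325, win 259, length 32: pptp CTRL_MSGTYPE=OCRP CALL_ID(64809) PEER_CALL_ID(2644) RESULT_CODE(1) ERR_CODE(0)
17:18:56.2 IP 192.168.6.254 > 104.143.75.2: GREv1, call 64809, seq 1, length 32: LCP, Conf-Request (0x01), id 1, length 18
17:18:56.3 IP 104.143.75.2 > 192.168.6.254: GREv1, call 2644, seq 1, length 32: LCP, Conf-Request (0x01), id 0, length 18
17:18:59.2 IP 192.168.6.254 > 104.143.75.2: GREv1, call 64809, seq 2, length 32: LCP, Conf-Request (0x01), id 1, length 18
""".splitlines()
# Constructed LAN-side view of the same session: the server's GRE reply never reaches the LAN.
LAN_CAPTURE = [l.replace("192.168.6.254", "192.168.1.14") for l in WAN_CAPTURE
               if not l.startswith("17:18:56.3")]

if __name__ == "__main__":
    wan = gre_direction_report(analyze_capture(WAN_CAPTURE))
    lan = gre_direction_report(analyze_capture(LAN_CAPTURE))
    for server, verdict in locate_drop(wan, lan).items():
        print(server, wan[server], lan[server], verdict, sep="\n  ")
```

To use it on real traffic, save `tcpdump -ni eth1 'tcp port 1723 or proto gre'` and `tcpdump -ni br-lan 'tcp port 1723 or proto gre'` to two files and feed their lines to `analyze_capture`; sessions are matched by server address, so the NAT on the WAN side does not matter.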

Hi Rossb,
I got a similar error after upgrading from 15.xx to 18.06.1 on a Linksys WRT54GS.
I tried so many things and got tired; nothing was useful.

  1. PPPOE over the optical fiber
    -------Router-A(with IPTV connection in different VLAN)
    ------OpenWRT Router-B
    ------(1)PPTP client-A built into the OpenWrt router itself,
    ------(2)PPTP client-B on Ubuntu,
    ------(3)PPTP client-C on Android.

  2. All three of the above PPTP clients A/B/C are not working behind the OpenWrt Router-B after the upgrade to OpenWrt 18.06.1.

  3. Both of the above PPTP clients B/C are working behind Router-A.

  4. So I think OpenWrt 18.06.1 is the problem, but I don't know how to fix it. Hope the next build (OpenWrt 19.xxx) will resolve the problem.

Did you install kmod-ipt-raw? This is required for the pptp conntrack helpers to function.


/tmp# opkg list-installed | grep kmod-ipt-raw
/tmp#

Hi Jow,
It seems it is not installed.
Let me try again after installing the package. Thank you,

After installing it and running "fw3 restart" you should see a bunch of CT helper rules in iptables -t raw -nvL, one of which handles PPTP traffic.
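The prerequisites named in this thread (the GRE/PPTP tracking and NAT modules from kmod-nf-nathelper-extra, the raw table from kmod-ipt-raw, and the fw3 CT helper rule that binds the pptp helper to TCP/1723) can be checked in one pass. The script below is an added example, not a tool posted by any participant. It works on the text of `lsmod` and `iptables -t raw -nvL` output, so it can be run against pasted output from a router; the sample outputs are constructed to the shape fw3 produces (comment `!fw3: PPTP connection tracking`, target `CT helper pptp`) and the standard iptables error for a missing table, and are not copied from the thread. The exact column layout of the fw3 rule is an assumption; the check only looks for a CT target on tcp dpt:1723 with `CT helper pptp`.

```python
"""Check the PPTP conntrack-helper prerequisites discussed in this thread.

Added example, not a script posted by a participant.  Works on the text of
`lsmod` and `iptables -t raw -nvL` (pass captured text, or use collect_live()
on the router).  Sample outputs below are constructed, not from the thread;
the fw3 rule layout they imitate is an assumption.
"""
import re
import subprocess

REQUIRED_MODULES = ("nf_conntrack_proto_gre", "nf_conntrack_pptp",
                    "nf_nat_proto_gre", "nf_nat_pptp")
# iptables prints this when the raw table is not available (no kmod-ipt-raw).
RAW_TABLE_MISSING = re.compile(r"can't initialize iptables table `raw'")
# A CT target on tcp dpt:1723 that assigns the pptp helper (fw3 generates this from
# /usr/share/fw3/helpers.conf).  Newer iptables may print the protocol as 6.
PPTP_HELPER_RULE = re.compile(r"^\s*\S+\s+\S+\s+CT\s+(?:tcp|6)\b.*\bdpt:1723\b.*CT helper pptp", re.M)


def loaded_modules(lsmod_text):
    """Module names from lsmod output (first column, header row skipped)."""
    names = set()
    for line in lsmod_text.splitlines():
        parts = line.split()
        if parts and parts[0] != "Module":
            names.add(parts[0])
    return names


def check_pptp_helper(lsmod_text, raw_table_text):
    """Return a list of problems; an empty list means the helper chain is complete."""
    problems = []
    present = loaded_modules(lsmod_text)
    for mod in REQUIRED_MODULES:
        if mod not in present:
            problems.append(f"module {mod} not loaded (provided by kmod-nf-nathelper-extra)")
    if RAW_TABLE_MISSING.search(raw_table_text):
        problems.append("raw table unavailable: install kmod-ipt-raw, then fw3 restart")
    elif not PPTP_HELPER_RULE.search(raw_table_text):
        problems.append("no 'CT helper pptp' rule for tcp dpt:1723 in the raw table: "
                        "run fw3 restart and check the zone's helper settings")
    return problems


def collect_live():
    """Gather both outputs on a live router (needs root; unused by the samples)."""
    lsmod = subprocess.run(["lsmod"], capture_output=True, text=True).stdout
    raw = subprocess.run(["iptables", "-t", "raw", "-nvL"], capture_output=True, text=True)
    return lsmod, raw.stdout + raw.stderr


# Constructed samples.
SAMPLE_LSMOD_OK = """\
Module                  Size  Used by
nf_conntrack_pptp       3200  1 nf_nat_pptp
nf_conntrack_proto_gre  2766  1 nf_conntrack_pptp
nf_nat_pptp             1504  0
nf_nat_proto_gre         880  1 nf_nat_pptp
nf_conntrack           49022 27 nf_nat_pptp
"""
SAMPLE_RAW_OK = """\
Chain PREROUTING (policy ACCEPT 1205 packets, 98K bytes)
 pkts bytes target     prot opt in     out     source               destination
  611 51207 zone_lan_helper  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0            /* !fw3: lan CT helper assignment */

Chain zone_lan_helper (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   180 CT         tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723 /* !fw3: PPTP connection tracking */ CT helper pptp
"""
SAMPLE_RAW_NO_TABLE = """\
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
"""
SAMPLE_RAW_NO_RULE = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

if __name__ == "__main__":
    for label, raw in (("ok", SAMPLE_RAW_OK), ("no raw table", SAMPLE_RAW_NO_TABLE),
                       ("no helper rule", SAMPLE_RAW_NO_RULE)):
        print(label, check_pptp_helper(SAMPLE_LSMOD_OK, raw) or ["all prerequisites present"])
```

On a router, `lsmod_text, raw_text = collect_live()` followed by `check_pptp_helper(lsmod_text, raw_text)` gives the same list; an empty list means the modules, the raw table and the helper rule are all in place, and the remaining suspects are the forward rules and the upstream path.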