After using OpenWrt 21.02 with nf_conntrack_pptp and nf_ct_proto_gre enabled, PPTP failed to dial up to the server while the firewall WAN input policy was REJECT. (PPTP worked normally when I changed the WAN input policy to ACCEPT.)
It seems that the GRE conntrack was not set up properly and was always UNREPLIED.
Has anyone encountered this issue? Thanks!!!
It does work after adding the incoming GRE rules, but what I'm curious about is that the GRE conntrack should work for the incoming GRE packets before the WAN input chain.
And it seems the conntrack did not work; is that right??
I am not sure what happens here. The nf_conntrack_pptp module is indeed supposed to recognize that the GRE packets are related to the already established TCP control connection.
And the kernel log suggests using a CT firewall rule instead of enabling nf_conntrack_helper for the CT helper:
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
The solution is one of the three:
Add a line to the file /etc/sysctl.d/99-pptp.conf (create this file):
"net.netfilter.nf_conntrack_helper = 1"
And if you use OpenWrt, you can just add "iptables -I OUTPUT -t raw -p tcp --dport 1723 -j CT --helper pptp" to the OpenWrt UI - Firewall - Custom Rules.
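An added example, not code from this thread or from OpenWrt itself, that pulls the two fixes above together and adds the check the original poster was doing by hand. It assumes iptables with the xt_CT target (the `-j CT --helper pptp` syntax used in the post) and the /proc/net/nf_conntrack line format; the conntrack lines embedded below are constructed samples showing the symptom from the first post (control connection without a helper attached, GRE entry stuck in UNREPLIED), not output captured from a real router.

```shell
#!/bin/sh
# Added example for the PPTP helper discussion above. Assumptions: iptables
# with the CT target is available, and /proc/net/nf_conntrack uses the
# "helper=pptp" / "[UNREPLIED]" markers shown in the constructed sample.

# Rules that attach the pptp helper explicitly, which is what the kernel
# message asks for once automatic helper assignment is off. They are printed
# rather than executed so they can be reviewed and pasted into Custom Rules.
pptp_ct_rules() {
    cat <<'EOF'
iptables -t raw -I OUTPUT -p tcp --dport 1723 -j CT --helper pptp
iptables -t raw -I PREROUTING -p tcp --dport 1723 -j CT --helper pptp
iptables -I INPUT -p gre -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# The sysctl alternative from the post, for kernels where the global switch
# is preferred over per-rule helper attachment.
pptp_sysctl_line() {
    echo "net.netfilter.nf_conntrack_helper = 1"
}

# Constructed /proc/net/nf_conntrack sample: a TCP 1723 control connection
# that has NO helper attached, and the GRE data channel it should have
# expected, still UNREPLIED because no expectation was created.
sample_conntrack() {
    cat <<'EOF'
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=49152 dport=1723 src=203.0.113.5 dst=192.168.1.10 sport=1723 dport=49152 [ASSURED] mark=0 use=2
ipv4 2 gre 47 29 src=192.168.1.10 dst=203.0.113.5 srckey=0x0 dstkey=0x1234 [UNREPLIED] src=203.0.113.5 dst=192.168.1.10 srckey=0x1234 dstkey=0x0 mark=0 use=1
EOF
}

# Read conntrack lines on stdin; print how many GRE entries are UNREPLIED.
# A non-zero count while a PPTP session is up is the symptom from the thread.
count_unreplied_gre() {
    grep -c 'gre .*\[UNREPLIED\]' || true
}

# Read conntrack lines on stdin; succeed only if the PPTP control connection
# carries the pptp helper. Without it, GRE can never be classified RELATED.
helper_attached() {
    grep -q 'tcp .*dport=1723 .*helper=pptp'
}

# Combine both checks into a one-word verdict for a conntrack dump.
diagnose() {
    dump=$(cat)
    if printf '%s\n' "$dump" | helper_attached; then
        echo "ok"
    elif [ "$(printf '%s\n' "$dump" | count_unreplied_gre)" -gt 0 ]; then
        echo "helper-missing"
    else
        echo "no-session"
    fi
}

# Usage on a router: cat /proc/net/nf_conntrack | diagnose
# With the constructed sample the verdict is "helper-missing".
sample_conntrack | diagnose
```

Once the raw-table CT rule is in place, the control connection shows `helper=pptp` and the GRE entry is created as an expectation, so the ordinary RELATED,ESTABLISHED accept rule on the WAN input chain passes it; the explicit `-p gre` rule is only needed if the zone's default accept for RELATED traffic is not present.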