PPTP client, masquerade and routing

Discussion in 'DD-WRT Firmware' started by g18c, Jun 27, 2007.

  1. g18c

    g18c LI Guru Member

    My box is operating as an IP router. The box brings up a link successfully with PPTP client to a remote Windows server ok without problems. I can ping from the router to the remote PPTP server and can get packets on the remote network ok. I presume this is because the router has a ppp0 address of, and the remote server has this address in its routing table.

    What I am trying to do is route all my traffic from the LAN through this ppp0 device. However, with the client PCs' default gateway set to the router's IP,, the traceroute shows the packet hitting the router and then nothing comes back. My main ADSL modem is on the same subnet as How do I add the default route to send packets over the ppp0 link? I think I still need the entry as this is how the ppp0 link is brought up over this default route out onto the net.

    I am running the following on my box:

    ~ # pptp file /tmp/pptpd_client/options.vpn debug nodetach
    ~ # route
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    * UH 0 0 0 ppp0
    * U 0 0 0 br0
    * U 0 0 0 ppp0
    * U 0 0 0 lo
    default UG 0 0 0 br0

    As mentioned, pinging works ok on the router but not from any other PC. Is this an issue with the remote PPTP server not knowing where to send the replies (i.e. it will be receiving packets from ). Ideally, I would like to masquerade/PAT on the ppp0 link so multiple computers can route through this link.

    Any ideas how I can achieve this?

  2. mstombs

    mstombs Network Guru Member

    I may be completely out of my depth here, but you appear to want to set the router up similar to an adsl router which I have some experience with.

    You cannot have 2 default routes (well it breaks things for me!) so you need to delete the existing one with something like

    route del default gw

    then replace it with

    route add default gw

    To NAT things leaving ppp0 from your LAN you need something like

    iptables -t nat -A POSTROUTING -o ppp0 -s -j MASQUERADE

    or to specify what IP address is used and not break connections if the interface is broken

    iptables -t nat -A POSTROUTING -o ppp0 --src -j SNAT --to-source
  3. g18c

    g18c LI Guru Member

    Thanks for the reply, but if I replace my default route (which I do want to do!), how will the VPN traffic get out? i.e. how will I be able to ping the VPN server IP, as it's a chicken and egg scenario, what came first?!

    So taking your good advice, what I propose (once the ppp0 link comes up) is:

    route add -net netmask dev br0
    route del default gw
    route add default gw

    note that is my PPTP server IP

    This way I can still talk to the PPTP server, and thus bring the link up. Once the link is up I can then route my traffic through ppp0.

    How does that sound?


  4. mstombs

    mstombs Network Guru Member

    You've just introduced another IP address range, and I am now not sure how it all hangs together, but one more tip from my half-bridge work on adsl routers is to enable proxy_arp

    echo "1" > /proc/sys/net/ipv4/conf/ppp0/proxy_arp
    echo "1" > /proc/sys/net/ipv4/conf/br0/proxy_arp

    This may be useful in getting communication established, it allows your ip router to respond to arp requests for IP addresses it knows are routed through it. May not be needed if you explicitly set this box as the gateway on your other machines. I use proxy_arp so you can specify the gateway as the other end of the ppp tunnel (ISP gateway) without using the modem local IP address.
  5. g18c

    g18c LI Guru Member

    Thanks for the reply mstombs, I'm asking just to help with my understanding a bit better:

    Say I have this example routing table below:

    Destination Gateway Genmask Flags MSS Window Use Iface
    * UH 488 0 0 ppp0
    * U 1936 0 50 lo
    * U 1436 0 569 eth0
    default * UG 488 0 3 ppp0

    How in the first place, before the ppp0 link is brought up, would packets get routed to the actual ppp0 server (which for example's sake say is on How would the connection be made in the first place to if the ppp0 link is down? This is the chicken and egg situation I talked about!

    Would it be the case of having the following table before ppp0 is brought up:
    Destination Gateway Genmask Flags MSS Window Use Iface
    * U 1936 0 50 lo
    * U 1436 0 569 eth0
    default * UG 488 0 3 eth0

    The connection can be initiated as it will go out eth0, the default route. Once the ppp0 link is alive, it would replace the default route as per the 1st table:
    Destination Gateway Genmask Flags MSS Window Use Iface
    * UH 488 0 0 ppp0
    * U 1936 0 50 lo
    * U 1436 0 569 eth0
    default * UG 488 0 3 ppp0

    This is more of an understanding question rather than a problem; I hope you can still explain it to me as I'm a little confused! The more I understand the better I'll be able to deal with any custom scripts etc.

  6. g18c

    g18c LI Guru Member

    This is an excerpt from a site I saw and I think I understand it a bit better:
    From that I can see before the ppp0 link is alive, eth0 will be the default route, thus the connection to the ppp server can be established. Once the link is up ppp0 will be set as the default route. After the ppp0 link is lost, eth0 will be restored as the default gateway. From my understanding, if eth0 were not restored as default gateway it would be impossible to bring the ppp0 link back up?

    From Windows route print, I understand this completely as it explicitly shows the route to the PPTP server (please note this is all automatically added by Windows when the VPN connection comes up, and is my eth0 interface and is the ADSL router on my LAN):

    Active Routes:

    Network Destination Netmask Gateway Interface Metric 1 26 50 50 1 25 25 25 25 25 1 1 10004 1 1
    Default Gateway:

    Now I know this isn't a Windows forum, but how is Linux able to route data to the PPTP server when it doesn't have a route to it? Under Linux is ppp0 internally remembering the route over which it was established, and thus sending packets over eth0, creating the encapsulated tunnel we know as a VPN?

    How does this sound, or am I still miles off understanding the inner workings?
  7. mstombs

    mstombs Network Guru Member

    My understanding is that the default routing is applied if no explicit route rule matches (as per Windows if destination IP address not in network defined by the netmask use the Gateway). So to establish the tunnel you need a valid route for both the initial connection and reply. If your IP addresses are static I see no need for using default, just tell Linux where to find each address with

    route add -host $IP dev $IFACE

    (or route add -net commands)

    Note there are 2 forms of the default route command, for my purposes they seem to behave the same

    route add default ppp0


    route add -net $GW netmask $NM dev ppp0
    route add default gw $GW

    I prefer the latter because I only want to send things down the tunnel that should be routed to the ISP gateway. (route add -host seems to be the same as -net with full netmask). But I do not know if it will block all other traffic, if it does it would appear to be a "no default" rule! I suspect this command applies the default to the interface used by the $GW address above, and the only effect is in the route table printout? I also do need the route to gateway to be defined so proxy_arp can function.

    The script you quoted uses the former, note any "route del" must use the correct form.
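Putting the thread's pieces together (the host route to the PPTP server from post 3, the single default route and MASQUERADE from post 2, the "route add default ppp0" form from post 7) as an up/down script for the DD-WRT box. This is an added example, not code from the thread or from DD-WRT; the addresses (documentation placeholders), interface names and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): swing LAN traffic onto/off the PPTP tunnel.
# Every address below is a constructed placeholder; override via the environment.
PPTP_SERVER="${PPTP_SERVER:-203.0.113.10}"   # remote PPTP server (placeholder)
ADSL_GW="${ADSL_GW:-192.168.1.254}"           # ADSL modem, the original default gateway
LAN_NET="${LAN_NET:-192.168.1.0/24}"          # LAN clients that should use the tunnel
LAN_IF="${LAN_IF:-br0}"
VPN_IF="${VPN_IF:-ppp0}"

# With DRY_RUN set, print each command instead of running it (review before applying).
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

vpn_up() {
  # 1. Pin the PPTP server behind the ADSL modem BEFORE touching the default route,
  #    so the tunnel's own outer packets are never routed into the tunnel (chicken and egg).
  run route add -host "$PPTP_SERVER" gw "$ADSL_GW" dev "$LAN_IF"
  # 2. Exactly one default route: drop the modem's, point default at ppp0.
  run route del default gw "$ADSL_GW"
  run route add default dev "$VPN_IF"
  # 3. Masquerade LAN sources leaving ppp0 (ppp0's address can change between dials,
  #    so MASQUERADE rather than SNAT --to-source).
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -s "$LAN_NET" -j MASQUERADE
  # 4. Forwarding: LAN -> tunnel freely, tunnel -> LAN only for replies, so the remote
  #    VPN network cannot open connections into the LAN through the router.
  run iptables -I FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -I FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

vpn_down() {
  # Undo in reverse order; the kernel already drops routes on a dead ppp0.
  run iptables -D FORWARD -i "$VPN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -D FORWARD -i "$LAN_IF" -o "$VPN_IF" -s "$LAN_NET" -j ACCEPT
  run iptables -t nat -D POSTROUTING -o "$VPN_IF" -s "$LAN_NET" -j MASQUERADE
  run route add default gw "$ADSL_GW"          # restore, or the tunnel can never be re-dialled
  run route del -host "$PPTP_SERVER" gw "$ADSL_GW" dev "$LAN_IF"
}

case "$1" in
  up)   vpn_up ;;
  down) vpn_down ;;
esac
```

Run it as `DRY_RUN=1 sh vpn-route.sh up` first to see the exact commands, then hook `up`/`down` into the box's ip-up/ip-down handling.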