
PPTP VPN can't reach the devices in the LAN

Discussion in 'Tomato Firmware' started by bdf0506, Sep 6, 2013.

  1. bdf0506

    bdf0506 Serious Server Member

    I'm having an issue with my PPTP VPN setup and was hoping others could help. I have an E3000 running Tomato with a PPTP VPN enabled, and mostly working. I have the PPTP VPN on the 192.168.20.x subnet, and I have the rest of my LAN operating on the 192.168.2.x subnet.

    If I use the VPN from outside the network, I'm able to get to the local side of the router without issues, but I can't seem to get to the LAN hosts. I'm guessing I need to add a static route of some sort, or add some iptables rules with port forwarding, but after trying a few different ones, I haven't had any luck.

    Any help would be greatly appreciated.
     
  2. FlashSWT

    FlashSWT LI Guru Member

    I ran into this issue last week as well. I use OpenVPN on my home router but turned the PPTP Server on at my parent's house so it'll be there the occasional times I need it. Connected just fine but couldn't reach any of their machines at all.

    Some reading online seems to indicate the simple solution, and what will probably be fine for my usage, will be to assign the PPTP IPs from the same subnet as the main LAN. I haven't had a chance to test it yet though.

    It seems like this might be related, but I didn't take the time to fully try to digest the information contained:
    http://poptop.sourceforge.net/dox/qna.html#2
     
  3. bdf0506

    bdf0506 Serious Server Member

    No dice there. Seems like it's on the right track, but that doesn't work - the router won't accept those commands, since it runs busybox which is a stripped down version of Linux. I tried to change it to iptables commands, no luck either.

    SIDE NOTE - Interestingly enough, when I go on the router and set the logging from "disabled" to "both" (to log the firewall connection), it kills the VPN connection, and connections won't establish. Is this a known bug by any chance? It really negatively affects troubleshooting.

    Now, from a client using the PPTP connection, here's the traceroute if I tell the shell to use interface ppp0:

    Code:
    traceroute -i ppp0 192.168.2.104
    traceroute to 192.168.2.104 (192.168.2.104), 64 hops max, 52 byte packets
    1  brad-router (192.168.2.1)  31.667 ms  28.687 ms  21.073 ms
    2  printer (192.168.2.104)  22.738 ms  54.820 ms  50.797 ms

    If I don't specify which interface to use, it times out:

    Code:
    traceroute 192.168.2.104
    traceroute to 192.168.2.104 (192.168.2.104), 64 hops max, 52 byte packets
     1  * * *
     2  * *traceroute: sendto: No route to host
    traceroute: wrote 192.168.2.104 52 chars, ret=-1
    
    If I try to get to http://192.168.2.104 from the device that is using the PPTP connection, the browser times out. If it is on the LAN, I get results.

    After digging a bit, I realized this was a result of my routing on my client device. The client I am using to test is on a 192.168.2.x subnet on a different router, and the router that serves as the VPN Server is 192.168.2.x as well. The routing table on my client must be trying to route it locally instead of through the VPN. I might have no option other than to change the subnet of either the client or the server to resolve this. When using a Linux shell, I can point the traceroute to use a specific interface, but can't do that with the native OS. Unless anyone has any other tips, let me know.
     
  4. bdf0506

    bdf0506 Serious Server Member

    After further testing, I found that PPTP VPN Connections do NOT work when INBOUND logging is set to:
    • If Blocked by Firewall
    • Both
    If INBOUND logging is set to the following, VPN connections work fine:
    • If Allowed by Firewall
    • None
    It looks like it doesn't matter what OUTBOUND connections are set to - doesn't affect VPN connections either way.
     
  5. FlashSWT

    FlashSWT LI Guru Member

    Haha, another problem I ran into last year that drove me crazy until I figured it out! I've now got a file that I use to track all the different subnets at work and family's places and everyone is on a different one now.
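
The subnet clash described in posts 3 and 5, as an added example that is not part of the original thread: it checks a site inventory for overlapping subnets and uses longest-prefix matching to show which interface a client picks for 192.168.2.104. The /24 masks, the interface name `en0`, the default route through `ppp0`, and the 192.168.7.0/24 replacement subnet are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

def find_overlaps(sites):
    """Return sorted pairs of site names whose subnets overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in sites.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))

def egress_interface(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(cidr), ifname) for cidr, ifname in routes
               if addr in ipaddress.ip_network(cidr)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed inventory; /24 masks are assumed from the "x" notation in the thread.
SITES = {
    "vpn-server-lan": "192.168.2.0/24",   # LAN behind the E3000
    "pptp-pool": "192.168.20.0/24",       # addresses handed to PPTP clients
    "test-client-lan": "192.168.2.0/24",  # remote network the client sits on
}

# Constructed client routing table while the tunnel is up (interface en0 and
# the default route via ppp0 are assumptions, not taken from the thread).
CLIENT_ROUTES = [
    ("192.168.2.0/24", "en0"),    # directly connected local LAN
    ("192.168.20.0/24", "ppp0"),  # PPTP pool
    ("0.0.0.0/0", "ppp0"),        # default route through the tunnel
]

# Same table after renumbering the client LAN to a hypothetical 192.168.7.0/24.
RENUMBERED_ROUTES = [("192.168.7.0/24", "en0")] + CLIENT_ROUTES[1:]

if __name__ == "__main__":
    print("overlaps:", find_overlaps(SITES))
    print("before:", egress_interface(CLIENT_ROUTES, "192.168.2.104"))
    print("after: ", egress_interface(RENUMBERED_ROUTES, "192.168.2.104"))
```

With the overlapping table the directly connected /24 on the local interface is more specific than anything learned over the tunnel, so the packet never enters `ppp0`; once the client LAN is renumbered, only the tunnel route matches.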
     
