Personal computing discussed

Moderators: renee, Steel, notfred

 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 11:18 am

Okay, so this is a little mystery that I'd like to get to the bottom of, just out of stubbornness / as a learning experience.

My home router is a small and crappy SMC Barricade SMCWBR14S-N4. It's pretty cheap and nasty but at least it runs BusyBox (from factory).

The main problem: I can't connect to VPNs (PPTP). The more exact problem: GRE packets not passing through - the initial VPN connection is fine, auth is fine, then the configuration packets (GRE) don't come back to me. I've double-checked that the problem is, in fact, the router. Without it, connecting directly to the cable modem, everything's fine.

The mystery: sometimes it works in a Ubuntu virtual machine (VMWare). It does not ever work on the Win7 host. It does not work in a Win7 VM. Does not work on my iPhone. How's that for nonsense?

  • I've tried enabling/disabling the router's firewall and SPI.
  • I've enabled/disabled the DMZ.
  • I've resetted the router to factory settings.
  • I've tried running the router with specific iptables rules to let GRE (protocol 47) through.
  • I've tried running the router with no iptables rules at all (i.e. "let everything through").

So, any idea whatsoever about this? What's pushing my buttons is the "sometimes works with Ubuntu VM" thing. And at one point in the past, it worked fine everywhere! Hurr durr?!
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
mac_h8r1
Minister of Gerbil Affairs
Posts: 2974
Joined: Tue Sep 24, 2002 6:57 pm
Location: Somewhere in the Cloud
Contact:

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 12:28 pm

What internet service do you have?

If DSL, the MTU must be 1492. If it is 1500, your packets can be split, and that doesn't bode well for secure connections.
mac_h8r1.postCount++;
Chaos reigns within. Reflect, repent, and reboot. Order shall return.
Slivovitz owns you.
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 12:31 pm

Cable, not DSL. Actually don't know what the MTU is supposed to be. It's a Cisco DOCSIS 3.0 modem, can't remember the model. Can post it later.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
mac_h8r1
Minister of Gerbil Affairs
Posts: 2974
Joined: Tue Sep 24, 2002 6:57 pm
Location: Somewhere in the Cloud
Contact:

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 12:37 pm

Worth a shot. Cable and basically everything else uses an MTU of 1500. DSL is 1492 because the PPPoE encapsulation requires the other 8 bytes.

This is one of the most common troubleshooting quick-checks when some secure sites and services work correctly and others do not.
mac_h8r1.postCount++;
Chaos reigns within. Reflect, repent, and reboot. Order shall return.
Slivovitz owns you.
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 12:43 pm

Assuming that was the issue, how would I solve it? Configure all the clients' MTU individually, or is there something that I can do in the router or directly in BusyBox's shell?
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 12:49 pm

You can clamp the MSS on the iptables NAT rule, but I don't think that MTU is your problem. I think it is far more likely that your router isn't understanding and forwarding GRE as it is protocol 47. Is there any way you can get it to forward whole IP protocols rather than just TCP/UDP ports?
[EDIT] just saw that you tried that. I wonder if it is to do with whether you have the GRE module loaded or not and that may be grabbing the GRE packets.
 
mac_h8r1
Minister of Gerbil Affairs
Posts: 2974
Joined: Tue Sep 24, 2002 6:57 pm
Location: Somewhere in the Cloud
Contact:

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 12:50 pm

That would be a router setting in internet configuration, sometimes it lives in an 'advanced' settings page.

Clients do not need configuration for this.
mac_h8r1.postCount++;
Chaos reigns within. Reflect, repent, and reboot. Order shall return.
Slivovitz owns you.
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden
Contact:

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 6:18 pm

Usually the point you need to know with GRE is what notfred said.

morphine - When you said you had set specific rules to let GRE through, was that only outbound, or did that affect inbound packets too. I.e. did you also setup something for outside packets to return to the host where you were running GRE from, because otherwise it's not sure to work, which brings me to this point. GRE is not based on TCP or UDP and is it's own protocol, so you need some form of intelligence in your router to have the returning packets get to the right host. This is usually accomplished by either of the following means.

One way is to manually set which inside host should get the GRE packets. This is needed if the data in the GRE is encrypted as it might be in some implementations. That said, PPTP is pretty much broken compared to alternatives. But if you don't have a choice in what to use...

Second is to use an ALG, which require uncrypted GRE, and the router will actually read the GRE protocol and have something similar like a NAT/forwarding table to see which client the returning packets should go for, mostly applicable if you for some reason needs more then a single device to use GRE through a router at the same time, and since the chosed specifics for GRE might clash, this might not always work unless it's against the same server so any GRE sessiones towards multiple clients will have different identifiers.
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 7:37 pm

Aphasia wrote:
One way is to manually set which inside host should get the GRE packets. This is needed if the data in the GRE is encrypted as it might be in some implementations.

I just set all the iptables chains to let protocol 47 through, from 0.0.0.0/0 to the same, in all chains (input, output, forward, etc). Unless this was wrong, which is possible, as it's been some time since I had to properly mess with routing and iptables.

Aphasia wrote:
That said, PPTP is pretty much broken compared to alternatives. But if you don't have a choice in what to use...

Interesting, a lot of people bring that up, but PPTP is the only thing that I have found to reliably work with little issue. I have spent literally months in the past to get OpenVPN to work reliably to no avail - it would always be extremely slow with SMB/CIFS. Used the PPTP server in the great Asus AC66U router, and everything instantly worked. Doesn't get better than that.

Here's some more food for thought: today I fired up VMWare and lowered the MTU to 1400 on a Win7 VM client. It connected. I brought the MTU back up to 1500. Stopped connecting. Put it back to 1400. Didn't connect any more. Set other VMs' MTU to 1400, host MTU to 1400, router's MTU to 1400 in every interface, nothing.

This just doesn't make any sense. Any of you want to log in to the thing? :) Perhaps I can post the iptables rules here, if that'd help. Like I said, this isn't worth my time, but dammit, I will get to the bottom of this and hopefully learn something other than "get a proper router".
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
mac_h8r1
Minister of Gerbil Affairs
Posts: 2974
Joined: Tue Sep 24, 2002 6:57 pm
Location: Somewhere in the Cloud
Contact:

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 7:57 pm

You can set your MTUs back to 1500. It isn't the issue since you have cable internet. Sorry to have you running off on a tangent.
mac_h8r1.postCount++;
Chaos reigns within. Reflect, repent, and reboot. Order shall return.
Slivovitz owns you.
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 8:13 pm

mac_h8r1 wrote:
You can set your MTUs back to 1500. It isn't the issue since you have cable internet. Sorry to have you running off on a tangent.

Eh, I've tried things that made much less sense. I appreciate the hint :)
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden
Contact:

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 8:17 pm

I'm actually not that at home with IP tables.

The point is that GRE packets can't be NAT'ed like TCP or UDP packets, since the information used in any situation outside of a static 1-to-1 nat is missing, so the router doing the NAT'ing have nothing to identify the client sending or to forward the GRE packets to. This is where either 1-to-1 NAT or inspection for multiple clients come into play.

If you have a PPTP server with a public IP and your expected client have a public IP, that's very clearcut. I think the problem is that most of us work in enterprise solutions where you can find multiple faults. Setting up a pptp server i usually pretty easy as long as you can assign a 1-to-1 nat to it or DMZ assignment on public ip, the problems comes when you suddenly have multipler clients that want to use it from behind nat. In part because GRE isnt session based like TCP or UDP it has no inherrant ability to support going over a nat boundrary. It either requires multiple public IP's statically NAT for each clients on the inside or using an ALG or other inspection software to keep track on which client uses which GRE endpoint, etc. That's the GRE part.

PPTP on the other hand is cryptographically considered to be weak since it's most often relying on underlying technologies with weaknesses that would make it unfit for any form of qualified use. Most of them are related to using outdated authentication/encryption mechanisms. The other way is to use EAP-TLS which you can do, but requires you to setup proper certificate chains, and at that step, you might as well use IPSEC or SSL. So if you have the means, setting up your own SSL VPN or IPSEC based solution is quite preferable.

That said, I've found that many home routers/firewalls have much better support for ALG's and similar mechanisms for NATing PPTP then many enterprise firewalls, because the enterprise market often doesnt care about PPTP that much. I've gotten PPTP to work fine on Juniper gear, while on Checkpoint, it's horrible unless you use the IPS inspection facilities, etc. Guess your AC66U router was with the public IP on the internet when you had it setup ?
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 8:25 pm

Aye. I can't recommend that router enough. Setting it up was easy as click-click-click-[...]-done.

What's interesting is that all of my mates at work use that VPN, and none of them have this issue. I think I understand the problem with GRE needing a specific route, but in that case, if I set my computer in this router's DMZ, it was supposed to work. And there's the mystery of it sometimes working in VMWare (and then not working almost at random).

I guess I can try to set up an iptables route to forward GRE packets to this machine specifically to test that theory.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden
Contact:

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 8:33 pm

You could look at their networks and see how they have it setup and with which gear.
Or you can try it setting up a static nat for all things GRE on your ip tables to the PPTP client if you have the means. Should be easy to back out of.

I have a Asus N66U since I recently upgraded my wireless to N-capability, but I run mine in AP-mode only and still use my Juniper SSG with 100Mbit interfaces as my internet firewall because it's so much better on everything firewall. But then, my internet connection is only 100/10, so the 160Mbit total throughput of my SSG works just fine filling the pipe.
I wish the N66U had VLAN support so I could separate my guest network problery from the router all the way to the AP like my old netgear pure AP could, but, it doesnt so, that was actually diasspointiong considering it's higher status in the consumer segment...
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 9:12 pm

morphine wrote:
Here's some more food for thought: today I fired up VMWare and lowered the MTU to 1400 on a Win7 VM client. It connected. I brought the MTU back up to 1500. Stopped connecting. Put it back to 1400. Didn't connect any more. Set other VMs' MTU to 1400, host MTU to 1400, router's MTU to 1400 in every interface, nothing.
I wonder if the MTU is a red herring in that it was the first time you had connected in a while and it worked. I wonder if the first connection works and then ends up with a bunch of stale states that is causing the problem and those are taking for ever to timeout and get cleared up.

If you don't mind posting what you have for the iptables, I'm happy to take a look at them.
 
morphine
TR Staff
Topic Author
Posts: 11600
Joined: Fri Dec 27, 2002 8:51 pm
Location: Portugal (that's next to Spain)

Re: Mystery: home router + connecting to VPN + GRE packets

Mon Mar 03, 2014 11:33 pm

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            239.255.255.250
ACCEPT     all  --  0.0.0.0/0            239.192.152.143
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02                                                                 TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain macipport_filter (0 references)
target     prot opt source               destination

Chain port_forward (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.102       tcp dpt:4242
ACCEPT     udp  --  0.0.0.0/0            192.168.2.102       udp dpt:58496
ACCEPT     udp  --  0.0.0.0/0            192.168.0.240       udp dpt:55635
ACCEPT     tcp  --  0.0.0.0/0            192.168.0.240       tcp dpt:55635
ACCEPT     udp  --  0.0.0.0/0            192.168.2.102       udp dpt:51430
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.102       tcp dpt:27488
ACCEPT     udp  --  0.0.0.0/0            192.168.2.102       udp dpt:27488
ACCEPT     tcp  --  0.0.0.0/0            192.168.2.102       tcp dpt:17482

Chain web_filter (0 references)
target     prot opt source               destination

The port_forward routes seem to be automatically created by uPnP. Router starts off with those empty.
There is a fixed amount of intelligence on the planet, and the population keeps growing :(

Who is online

Users browsing this forum: No registered users and 1 guest
GZIP: On