VPN revisited.

wlanmac wlan at mac.com
Fri Aug 22 05:07:02 UTC 2008


Hi Peter,

Since you are doing so many tests, it would be great to see your results
in a spreadsheet noting each test's parameters. 

> That's weird. Maybe it was only luck? Sometimes it also works for me 
> without special iptables rules. But most of the time it doesn't.
> Have you tried to connect/disconnect/connect/disconnect all the time?
> 

I would guess that constantly connecting and disconnecting would
confuse Windows more than the firewall. ;)

> If I unload the helper modules, it also always works, without any 
> problem. It stops working only if I load the helper modules. That also 
> makes perfect sense, because the traffic does not pass through the helper 
> modules twice if they are unloaded.
> But certainly I need the modules, otherwise you could never have 
> multiple connections through the machine.
> 

So, you are saying that you never have trouble with one VPN passing
through? No matter what modules you use? 

> I really hope that's the solution.
> Next I would like to try only the notrack rules and remove the drop 
> rules. Only for trying, because in theory they should neither harm 
> nor help.
> 

The forwarding drop rules on the dhcpif interface are good to have.
Chilli would prefer that the kernel not do anything with the packets
coming in on the dhcpif. Chilli will _always_ see the packets since its
raw socket goes lower than even iptables (it will see traffic even if
you drop the INPUT on that interface). 

The notrack rules for the dhcpif should probably help if the helpers are
getting confused. I wonder if conntrack sees all packets (unless told to
not track in the raw table) even if they are DROP'ed during INPUT on the
device. Can you also DROP from the raw table? hmm.. 

David
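The dhcpif rule set David describes above (raw-table NOTRACK for the dhcpif plus the FORWARD drop rules), written out as an added example; it is not part of the original mail or of the Chilli project, and the interface name, the IPT variable and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the Chilli code base.
# Assumptions: the dhcpif name is passed in by the caller (the thread never
# names it) and IPT points at the iptables binary. Set IPT=echo for a dry run.
IPT="${IPT:-iptables}"

# chilli_dhcpif_rules IFACE
# Chilli reads and writes the dhcpif through a raw socket, so the kernel's
# own forwarding path and the conntrack helper modules should leave that
# interface's traffic alone.
chilli_dhcpif_rules() {
    iface="$1"
    [ -n "$iface" ] || { echo "usage: chilli_dhcpif_rules IFACE" >&2; return 1; }

    # The raw table is evaluated before connection tracking: packets that
    # enter or leave the dhcpif are never tracked, so the helper modules
    # cannot rewrite them here. The same VPN flow is still tracked (once)
    # when it leaves via Chilli's tun interface towards the uplink.
    "$IPT" -t raw -A PREROUTING -i "$iface" -j NOTRACK
    "$IPT" -t raw -A OUTPUT -o "$iface" -j NOTRACK

    # Filter table: the kernel must not forward anything on the dhcpif
    # itself; client traffic reaches the uplink only through Chilli's tun.
    "$IPT" -A FORWARD -i "$iface" -j DROP
    "$IPT" -A FORWARD -o "$iface" -j DROP
}

# When invoked directly with an interface argument, apply the rules
# (or print them, if IPT=echo). Hypothetical script name.
if [ "${0##*/}" = "chilli_dhcpif_rules.sh" ] && [ $# -gt 0 ]; then
    chilli_dhcpif_rules "$1"
fi
```

Running with `IPT=echo` prints the four rules instead of applying them, which is a convenient way to check the generated rule set before touching a live box.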
