squid + masquerade/nat + pptp problem

Hello

I have a Linux machine which does various things for my corporate users:
- running squid and squidGuard with ncsa auth for http/https/ftp outgoing
traffic
- running xinetd to redirect some incoming traffic to private IP servers
- running iptables to do some SNAT/DNAT on some outgoing traffic that can't
be masqueraded (proprietary protocols)
- running iptables to do general masquerading for a few users

This machine has a single NIC with several VLANs; some VLANs have aliases
to handle several IPs.

Though not simple, it works fine.

Now I added a PoPToP server on it and things are going bad:
- when pptpd runs, people on one of the internal VLANs can hardly sign on,
whereas people on the other VLANs have no problems. Squid just doesn't ask
for authentication, then the client browser just can't connect to any
external site. Sometimes, after relaunching the browser several times, the
client can get the signon box and gains access to the outer world again,
but often he doesn't get it and can't go out.
- when the pptp traffic goes through the masqueraded interface (only one
is masqueraded among all) it's very hard to sign on; there are very often
LCP time-out errors (on the poptop side) and error 678 on the Windows side,
whereas when the pptp traffic only goes through non-masqueraded interfaces
there are no access problems (actually I start the pptpd daemon so it
listens only on one IP). Nevertheless, the first problem above happens
whatever interface the pptp traffic goes through.

I understand quite well that my iptables rules should get refined to solve
the second problem, to ensure outgoing pptp traffic doesn't get NATed or
masqueraded or something like that. Anyway, I can get it solved by using
another interface for a while.
What I really can't understand is why and how having pptpd running can
compromise squid's ncsa authentication. And really it does: if I stop
pptpd for, say, an hour, then anybody gets auth'd at the first try and can
connect to any site, and as soon as I restart it, I get calls from people
who don't receive their signon box and get blocked.

Any idea how I could investigate such a problem, before I give up and put
another machine beside it with just pptpd?

tia
			- * - * - * - * - * - * -
Of course I'm a perfectionist!
But couldn't I be a better one?
	Thierry ITTY
eMail : Thierry.Itty@xxxxxxxxxxxx		FRANCE
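As an added investigation aid, not part of the original post: a small triage script that reads squid's native access.log and reports, per VLAN subnet, how many requests were seen, how many got a 407 challenge, and how many carried an authenticated user, so a VLAN that "never gets the signon box" shows up as traffic with zero challenges. The log lines and VLAN subnets below are constructed assumptions; substitute the real ones.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (assumed squid native access.log format): two VLAN
# subnets, one of which never receives a 407 challenge from squid.
SAMPLE_LOG = """\
1100000001.001   12 10.1.1.20 TCP_DENIED/407 3210 GET http://example.com/ - NONE/- text/html
1100000002.002  340 10.1.1.20 TCP_MISS/200 8812 GET http://example.com/ alice DIRECT/198.51.100.7 text/html
1100000003.003   15 10.1.1.21 TCP_DENIED/407 3210 GET http://example.org/ - NONE/- text/html
1100000004.004  290 10.1.1.21 TCP_MISS/200 5120 GET http://example.org/ bob DIRECT/198.51.100.7 text/html
1100000005.005    0 10.1.2.30 TCP_MISS/503 1450 GET http://example.com/ - NONE/- text/html
1100000006.006    0 10.1.2.31 TCP_MISS/503 1450 GET http://example.org/ - NONE/- text/html
"""

# Hypothetical VLAN subnets; substitute the real ones.
VLANS = {
    "vlan-ok": ipaddress.ip_network("10.1.1.0/24"),
    "vlan-bad": ipaddress.ip_network("10.1.2.0/24"),
}

def parse_line(line):
    """Return (client_ip, http_status, user) from one native-format line."""
    f = line.split()
    if len(f) < 8:
        return None
    status = int(f[3].split("/", 1)[1])   # e.g. TCP_DENIED/407 -> 407
    return f[2], status, f[7]

def challenge_stats(log_text, vlans=VLANS):
    """Per VLAN: requests seen, 407 challenges sent, requests with a user."""
    stats = defaultdict(lambda: {"requests": 0, "challenges": 0, "authenticated": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, status, user = rec
        addr = ipaddress.ip_address(client)
        name = next((n for n, net in vlans.items() if addr in net), "other")
        s = stats[name]
        s["requests"] += 1
        if status == 407:
            s["challenges"] += 1
        if user != "-":
            s["authenticated"] += 1
    return dict(stats)

def vlans_never_challenged(stats):
    """VLANs with traffic but no 407 at all: the 'no signon box' symptom."""
    return sorted(n for n, s in stats.items() if s["requests"] and not s["challenges"])
```

Run it against a log window while pptpd is up and another while it is stopped; a VLAN that only appears in the first window's output points the investigation at that subnet's path to squid rather than at the ncsa helper.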
