fritz
just joined
Topic Author
Posts: 7
Joined: Thu May 26, 2005 2:17 pm
Location: Austria

VPN over wireless (2.9rc4)

Sat May 28, 2005 11:10 am

If I connect over wireless to the router (Routerboard 230 with Atheros 5213), I cannot connect to another MT router's VPN.
If I connect directly by wire, it works.
No NAT, no firewall rules, all ports open.

What's wrong?

Does anybody have the same problem?

I tried it with a PC-based MT router (2.9rc4) and have the same problem.
With 2.8 (same config) this problem doesn't exist.
 
randyloveless
Member Candidate
Posts: 207
Joined: Thu Sep 30, 2004 10:14 am
Location: california

Sun May 29, 2005 2:09 am

more info
 
fritz

Sun May 29, 2005 3:56 pm

Router (Routerboard or PC - it's the same problem) with 2.9.r4
PPP secrets registered on the router (for testing on Radius too = same problem)

With the hardwired notebook (Win XP Pro SP2, D-Link G520 WL-Card) I can connect to the router and start the VPN connection on the router and on other networks. Everything works like in 2.8. So the VPN config seems to be configured correctly.

If I connect with this notebook wirelessly (unplugged LAN cable) I can work on the Internet and on servers inside and outside of our net (except the second problem described later). But it is not possible to build the VPN (win-error 619). It doesn't matter whether the VPNs are installed inside or outside. Under 2.8 the same config works.

I tried to connect to different VPNs in our and our customers' networks over the Internet. Everything works except when I connect the notebook via WLAN.

A second problem (only if connected wirelessly) is that I can see but cannot open a network drive on our Windows 2000 server. On the Linux Samba server the drives can be used normally.

I switched off all firewall restrictions and opened all ports and services - without results.

any idea?

Thanks
 
randyloveless

Sun May 29, 2005 9:29 pm

for the VPN issue on the pptp server side do you see anything from that ip address come in?

also on the wireless side are you trying to use the MT as a bridge or ap?

can you be a little more exact on what you are trying to do

i understand you're wanting a vpn connection, but again are you trying to connect MT - MT or MT - client via MT in AP mode? give us an example of your network layout, nat, etc.

Randy
 
fritz

Sun May 29, 2005 11:00 pm

The MT WLAN interface is in "ap-bridge" mode. The LAN and the WLAN interface are on the "inner side" where all the users are. Every WLAN user should surf the Internet via VPN (Radius accounting. I did not use Radius for testing. So a Radius problem could not exist).
This is the configuration that worked before 2.9.
But on 2.9, too, this works fine only if a cable is used.


There is no NAT, no filters etc.
PPP uses encryption and ip's from an ip-pool
The WLAN-Interface uses dhcp for intranet ip's
The users mostly connect with XP VPN (all settings default) to the MT

WLAN-Interface
0 name="spielberg1" mtu=1500 mac-address=00:0C:42:05:00:64 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050064" mode=ap-bridge ssid="spielberg1" area=""
frequency-mode=manual-txpower country=austria antenna-gain=0
frequency=2457 band=2.4ghz-b/g scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both

PPP
Flags: * - default
0 * name="default" local-address=...120.201.2 remote-address=DHCP1
use-compression=no use-vj-compression=no use-encryption=no only-one=no
change-tcp-mss=no dns-server=...120.200.4,...120.200.6

1 * name="default-encryption" local-address=...120.201.2 remote-address=DHCP1
use-compression=no use-vj-compression=no use-encryption=yes only-one=yes
change-tcp-mss=yes dns-server=...120.200.4,...122.165.3


fritz
 
randyloveless

Mon May 30, 2005 3:57 am

ok one thing to look at on our xp box and on MT settings


MT box: are you setting user info to default or default-encryp.?

if you are setting the MT to default, you won't get in because XP defaults to encryp. or discon. so try to look at one of your xp boxes and see if under security it is set to the default encryp. uncheck it and see if it works.

also you did not state if you could even see the xp box trying to access the vpn.

Randy
 
fritz

Mon May 30, 2005 10:55 pm

I tried with encryption and without encryption on both sides.

This cannot be the reason because these settings work if I use a wired connection.

I have to say that I use Atheros AR5212. Maybe that's the reason. Maybe 2.9 needs 5213?

And there are other troubles with 2.9rc4.
1. It is impossible to open net drives on the W2000 server and - a new one -
2. If I use "key required" I get no IP from DHCP on the MT.

I tried this on Routerboard 530, 230 and on PC. Always the same.

I think that some ports, packets, protocols?? are not forwarded on wireless connections. I have not one problem like this - on the same routers under 2.9rc4 - if I use wires.

fritz
 
randyloveless

Tue May 31, 2005 12:46 am

you do have port 1723 set to passthru and 47gre on both input and output?

Randy


also if you could give me your ip layout, i will try and play with one of our test systems

Randy
 
fritz

Tue May 31, 2005 11:03 pm

I have all ports open AND I tried to open it manually in input and output

Without result.

IP Config.


Router ethernet1 intern 10.10.100.1 (DHCP clients 10.10.100.101-254)
Router ethernet2 extern to internet (public ip)
Router wlan1 10.10.99.1 (DHCP clients 10.10.99.101-254)

If I connect from extern I can use VPN (any pub-ip)

If I connect from intern (client 10.10.100.101) I can use VPN and all internal servers with all services. I can use VPN on other external MTs too.

If I connect from WLAN (client 10.10.99.1), VPN is impossible. Win2000 network drives cannot be used correctly. If the wlan1 interface is set to "key required" I get no IP from DHCP. If I use the same external VPNs as described above, it fails.
All other connections I use in any direction (surfing the Internet, listening to Internet radio, printing internally etc.) work. All IPs (internal and external) are reachable.

Fact is: any VPN connection over wireless does not work. From any 2.9 router in the whole network. VPNs ON 2.9 MTs and behind MTs.
Maybe I am blind about my configuration. But I cannot find any touchable mistake in the config.

I have the same config "live" in use with about 230 users under 2.8. I compared it x-times. I cannot find any difference.

Some other things I observed.

If I connect over another wireless "road", it does not work either (D-Link bridge to D-Link bridge to MT's ethernet1/2), but it works under 2.8.

If I connect to a 2.8 router and use VPN I see in "torch" the gre and 1723 port. If I do this on a 2.9 over wireless these ports are not visible. Neither on the first MT using its VPN nor on a second 2.8 MT (after the first one).

I hope I have told you enough

thank you for your time and effort

fritz
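
An offline check for the symptom described in the post above (TCP 1723 and GRE visible in torch on 2.8 but not on 2.9 over wireless), added here as an example and not part of the original thread: it classifies raw IPv4 packets taken from a capture as PPTP control, PPTP GRE or other. The function names and the sample packets are constructed for illustration; the 10.10.99.x addresses follow the layout given in the post.

```python
import socket
import struct

PPTP_TCP_PORT = 1723    # PPTP control channel
IPPROTO_TCP = 6
IPPROTO_GRE = 47        # PPTP data channel
GRE_PROTO_PPP = 0x880B  # protocol type in PPTP's enhanced GRE header

def classify(packet: bytes) -> str:
    """Return 'pptp-control', 'pptp-gre' or 'other' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    payload = packet[ihl:]
    if ihl < 20 or len(payload) < 4:
        return "other"
    first, second = struct.unpack("!HH", payload[:4])
    if packet[9] == IPPROTO_TCP and PPTP_TCP_PORT in (first, second):
        return "pptp-control"
    # Enhanced GRE: version is the low 3 bits of the first 16-bit word.
    if packet[9] == IPPROTO_GRE and first & 0x7 == 1 and second == GRE_PROTO_PPP:
        return "pptp-gre"
    return "other"

def diagnose(packets) -> str:
    """Summarise which of the two PPTP channels appear in a list of packets."""
    seen = {classify(p) for p in packets}
    control, gre = "pptp-control" in seen, "pptp-gre" in seen
    if control and gre:
        return "control and GRE both seen"
    if control:
        return "control only: GRE (IP protocol 47) missing on this path"
    if gre:
        return "GRE only: TCP 1723 control channel missing"
    return "no PPTP traffic on this path"

def ipv4(proto: int, payload: bytes, src="10.10.99.101", dst="10.10.99.1") -> bytes:
    """Build a constructed sample IPv4 packet (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed samples: a TCP SYN to 1723, an enhanced GRE header, and web traffic.
SYN_1723 = ipv4(IPPROTO_TCP, struct.pack("!HHIIHHHH", 1055, 1723, 1, 0, 0x5002, 8192, 0, 0))
GRE_PPP = ipv4(IPPROTO_GRE, struct.pack("!HHHH", 0x2001, GRE_PROTO_PPP, 0, 1))
HTTP = ipv4(IPPROTO_TCP, struct.pack("!HHIIHHHH", 1056, 80, 1, 0, 0x5002, 8192, 0, 0))

if __name__ == "__main__":
    print("sample with PPTP   :", diagnose([SYN_1723, GRE_PPP, HTTP]))
    print("sample without PPTP:", diagnose([HTTP]))
```

Running the same classification on captures from the wired and the wireless side of the router shows whether the control channel, the GRE channel, or both disappear on the wireless path.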
 
randyloveless

Wed Jun 01, 2005 12:15 am

i may be going in the wrong direction here but what, if any, info does the MT pptp server give you at the instant you try to connect?

nothing or connection then kicked out?

why don't you just bridge your wireless with your ether internal. that would fix the issue. and then just hide your ap and require auth.

Randy
 
fritz

Sun Jun 05, 2005 1:56 pm

Hi!
I removed everything from the routers and made them totally new (with both Atheros cards on each).
I did not use the config from backup. I made it "by hand". Same as the old one.
I tried it again and it works????
So I set the routers back to factory default and configured them with the backup files like before. And it works too!!

I have no explanation.

Maybe the failure was made by me but I do not know where I made it. The other possibility is that the failure was generated by multiple up- and downgrades of the router.

Thanks a lot

greets

fritz

P.S. If I find out how to repeat that situation I will post it here.