OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
    100%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Critical
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Votes 2
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by nouman8 - 19.10.2017
Last edited by Koen Vandeputte - 05.10.2018

FS#1083 - ar71xx Kernel 4.9 PPTP Passthrough not working

Today I compiled for my TP-Link mr3420 v2 with kernel 4.9 by simply changing KERNEL_PATCHVER:=4.4 to KERNEL_PATCHVER:=4.9 in target/linux/ar71xx/Makefile. Everything works well so far, except that I am not able to connect to the VPN, which was working fine with the LEDE I compiled with the 4.4 kernel a week ago.

Closed by  Koen Vandeputte
05.10.2018 07:44
Reason for closing:  Not a bug
chandlerding commented on 21.10.2017 16:44

Install kmod-nf-nathelper-extra and try again?

nouman8 commented on 23.10.2017 03:04

kmod-nf-nathelper-extra is installed

nouman8 commented on 25.10.2017 12:28

Could anyone else test this behavior on their ar71xx device with the 4.9 kernel?

Martin Bouska commented on 02.12.2017 14:55

Yes, me.
Way to reproduce:
1. flash the Reboot development snapshot image lede-ar71xx-generic-tl-mr3420-v2-squashfs-sysupgrade.bin
2. opkg install kmod-nf-nathelper-extra
3. try the PPTP connection from LAN to an external host, without success

I have tried to compile the image from trunk sources, then tried the image generator, but it is always the same:

the module nf_nat_pptp is loaded, but not working with 4.9.65 kernel

I found that this message appeared in the kernel log:
"nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead." I'm not sure if it is relevant to this issue; maybe not.

I attached some more detailed info to this post. If you need any other traces to investigate, don't hesitate to contact me.
Thanks

Martin

Martin Bouska commented on 02.12.2017 20:52

And I confirm that after building the image from trunk sources with KERNEL_PATCHVER:=4.4 the problem disappeared.
PPTP works fine with the older kernel. All other options in .config remain the same as before with the 4.9 kernel.

Arjen de Korte commented on 02.12.2017 21:22

This is not surprising. The default for automatic loading of connection tracking helpers was changed in kernel-4.7. So with kernel-4.4, the pptp helper will be loaded automatically when PPTP traffic is seen, but for kernel-4.9 you'll have to do that explicitly.

Adding something along the lines of

  iptables -t raw -A OUTPUT -p tcp -m tcp --dport 1723 -j CT --helper pptp

should load the connection tracking helper in your firewall. You could append this line to your /etc/firewall.user, for instance, to load it automatically.
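
The CT target rule above is what the "CT-based firewall rule not found" kernel message from the earlier comment is asking for. As an added example (not code from this bug report or from OpenWrt), the fragment below wraps it into a /etc/firewall.user style script that attaches the pptp helper in both raw-table chains and is safe to re-run. Two points of iptables behaviour the fragment relies on: the raw OUTPUT chain only sees packets the router itself originates, while a PPTP client on the LAN is forwarded traffic that enters conntrack through raw PREROUTING, so both chains are covered; and the helper module must already be loaded before `-j CT --helper pptp` can refer to it. The function names (ct_helper_rule, ensure_rule, install_pptp_helper, show_pptp_helper_rules) are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report or from OpenWrt: attach the pptp
# conntrack helper explicitly (required since the kernel 4.7 default change)
# in a form that can be pasted into /etc/firewall.user.  The functions that
# build rules only print strings, so they can be checked without iptables.
# All function names below are this example's own.

PPTP_PORT=1723   # PPTP control connection (TCP); the helper then expects the GRE tunnel

# Print the iptables command that attaches the pptp helper in the raw table.
#   $1 chain : PREROUTING (LAN-forwarded and WAN-inbound traffic) or
#              OUTPUT (connections the router itself originates)
#   $2 action: -A to append the rule, -C to test whether it already exists
ct_helper_rule() {
    printf 'iptables -t raw %s %s -p tcp --dport %s -j CT --helper pptp\n' \
        "$2" "$1" "$PPTP_PORT"
}

# Print every command the apply step would run (dry run).
show_pptp_helper_rules() {
    for chain in PREROUTING OUTPUT; do
        ct_helper_rule "$chain" -A
    done
}

# Append a rule only if it is not already present: /etc/firewall.user is
# executed on every firewall reload, and an unconditional -A would stack
# duplicate rules in the raw table.
ensure_rule() {
    if ! $(ct_helper_rule "$1" -C) >/dev/null 2>&1; then
        $(ct_helper_rule "$1" -A)
    fi
}

install_pptp_helper() {
    # The CT target can only refer to a helper whose module is loaded;
    # nf_nat_pptp (from kmod-nf-nathelper-extra) pulls in nf_conntrack_pptp.
    modprobe nf_nat_pptp 2>/dev/null ||
        echo "warning: nf_nat_pptp not available; install kmod-nf-nathelper-extra" >&2
    for chain in PREROUTING OUTPUT; do
        ensure_rule "$chain"
    done
}

# Run stand-alone: "sh pptp-helper.sh" prints the rules, "sh pptp-helper.sh apply"
# installs them.  In /etc/firewall.user simply call install_pptp_helper.
case "${1:-show}" in
    apply) install_pptp_helper ;;
    *)     show_pptp_helper_rules ;;
esac
```

The alternative that restores the pre-4.7 behaviour wholesale is the sysctl `net.netfilter.nf_conntrack_helper=1`, which makes the kernel attach a helper to every connection on a helper's port again. That is the setting the kernel message calls a security risk: the helper parses untrusted payload on any matching connection and opens expectations (for pptp, GRE pinholes) based on it, so the explicit CT rule, limited to the traffic you actually want inspected, is the safer way to get passthrough back.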

Martin Bouska commented on 04.12.2017 11:33

Hello, and thank you for clearing it up!
After days of trying to get it to work, I finally got an answer.

I decided to keep the older kernel and wait some additional time before updating to 4.9, until all these issues with conntrack helpers have been tested, better documented and handled in a user-friendly way.

I understand that the automatic loading could be a security issue.
BUT not 100% of users are iptables-config aware, so IMHO this is not the right way to get it working.
Before, it was enough to install kmod-nf-nathelper-extra and all kinds of traffic passed through like a charm.
But now I'm not sure if I can yet determine all of the helpers which will be needed in future, in order to add them manually to the .config. It is probably not secure to enable all of them yet (?); and after 1-2 years I will not remember how to do it, or even determine that I need to do it.

P.S.: IMHO a solution that achieves better security but keeps user-friendly management could be splitting nathelpers-extra into more specific nathelper-pptp, nathelper-sip, etc. and adding the iptables record automatically during installation without forcing users to do it manually. OR make LuCI capable of handling the conntrack config.
