dmfromca

Q: Server VPN not forwarding traffic after upgrade to Sierra

I recently updated to Sierra and now my VPN is no longer forwarding client traffic to the Internet. I am using L2TP and the clients connect with no issue, but are unable to access any websites. I had to add the customNATRules to the /etc/pf.anchors/com.apple file and everything else seems to be correct.


nat-anchor "100.customNATRules/*"

rdr-anchor "100.customNATRules/*"

load anchor "100.customNATRules" from "/etc/pf.anchors/customNATRules"


And the customNATRules:

nat on en0 from 10.0.0.0/24 to any -> (en0)

pass from {lo0, 10.0.0.0/24} to any keep state


What do I look at next?

Posted on Sep 24, 2016 10:20 PM
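A checklist script for the setup described in the question, added here as an example and not part of the original thread. Its defaults are the poster's own values: the two files under /etc/pf.anchors, the anchor name 100.customNATRules, the interface en0 and the subnet 10.0.0.0/24 from the question, and the client DNS server 10.0.0.1 from the pppd log further down (the `ms-dns1` option). All of these are assumptions and can be overridden through the environment, as is the full anchor path com.apple/100.customNATRules used for `pfctl -a`. The static checks confirm the three anchor directives and the NAT rule are present in the right files; the live checks, which need root on the server, confirm the kernel is actually forwarding (`net.inet.ip.forwarding` must be 1, or pf NAT translates nothing), that pf is enabled and lists the anchor, whether any states exist for the VPN subnet while a client browses, and whether the resolver handed to clients answers at all.

```shell
#!/bin/sh
# Diagnostic for the pf NAT setup in the question above. Added example, not part
# of the original thread. Defaults are the poster's paths, interface and subnet;
# the client DNS server comes from the pppd log (ms-dns1 10.0.0.1). Override any
# of them through the environment. Live checks need root on the macOS Server box.

MAIN_CONF="${MAIN_CONF:-/etc/pf.anchors/com.apple}"
ANCHOR_FILE="${ANCHOR_FILE:-/etc/pf.anchors/customNATRules}"
VPN_SUBNET="${VPN_SUBNET:-10.0.0.0/24}"   # assumed a /24: first three octets are the prefix
WAN_IF="${WAN_IF:-en0}"
VPN_DNS="${VPN_DNS:-10.0.0.1}"

# The main anchor file must carry all three directives: without the load line
# pf never reads the NAT rule, without the nat-anchor it never evaluates it.
check_main_conf() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    for needle in 'nat-anchor "100.customNATRules/\*"' \
                  'rdr-anchor "100.customNATRules/\*"' \
                  'load anchor "100.customNATRules" from'; do
        grep -q "^[[:space:]]*$needle" "$f" \
            || { echo "FAIL: $f lacks: $needle"; rc=1; }
    done
    return $rc
}

# The NAT rule must translate the VPN subnet out of the Internet-facing
# interface; a wrong interface or subnet means clients connect but nothing leaves.
check_nat_rule() {
    f="$1"; subnet="$2"; iface="$3"
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    grep -q "^[[:space:]]*nat on $iface from $subnet to any -> ($iface)" "$f" \
        && return 0
    echo "FAIL: $f has no 'nat on $iface from $subnet to any -> ($iface)' rule"
    return 1
}

# On the server itself: pf NAT translates nothing while net.inet.ip.forwarding is
# 0, an anchor pf does not list was never loaded, and no states for the VPN
# subnet while a client browses means the NAT rule is not matching its traffic.
live_checks() {
    prefix="${VPN_SUBNET%.*}."          # 10.0.0.0/24 -> "10.0.0."
    command -v sysctl >/dev/null 2>&1 || { echo "skip: no sysctl here"; return 0; }
    fwd=$(sysctl -n net.inet.ip.forwarding 2>/dev/null)
    [ "$fwd" = "1" ] || echo "FAIL: net.inet.ip.forwarding=${fwd:-unset} (need 1)"
    command -v pfctl >/dev/null 2>&1 || { echo "skip: no pfctl here"; return 0; }
    pfctl -s info 2>/dev/null | grep -q '^Status: Enabled' || echo "FAIL: pf is disabled"
    echo "--- anchors pf has loaded (customNATRules must be listed):"
    pfctl -s Anchors -v 2>/dev/null | grep -i customNATRules
    echo "--- NAT rules inside the anchor (path assumed: com.apple/100.customNATRules):"
    pfctl -a com.apple/100.customNATRules -s nat 2>/dev/null
    echo "--- pf states involving $prefix:"
    pfctl -s states 2>/dev/null | grep -F "$prefix"
    # The resolver handed to clients must itself answer, or 'no websites' is DNS.
    command -v dig >/dev/null 2>&1 \
        && { echo "--- DNS via $VPN_DNS:"; dig +short +time=3 example.com @"$VPN_DNS"; }
    return 0
}

# Self-test on constructed copies of the two files quoted in the question, so the
# static checks can be exercised on any machine without touching /etc.
selftest() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'nat-anchor "100.customNATRules/*"' \
        'rdr-anchor "100.customNATRules/*"' \
        'load anchor "100.customNATRules" from "/etc/pf.anchors/customNATRules"' \
        > "$d/com.apple"
    printf '%s\n' 'nat on en0 from 10.0.0.0/24 to any -> (en0)' \
        'pass from {lo0, 10.0.0.0/24} to any keep state' > "$d/good"
    # A common slip: NAT bound to the wrong interface after a network change.
    printf '%s\n' 'nat on en1 from 10.0.0.0/24 to any -> (en1)' > "$d/bad"
    check_main_conf "$d/com.apple" >/dev/null           || return 1
    check_nat_rule "$d/good" 10.0.0.0/24 en0 >/dev/null || return 1
    check_nat_rule "$d/bad"  10.0.0.0/24 en0 >/dev/null && return 1
    rm -rf "$d"
    return 0
}

# 'selftest' (default) exercises the checks on constructed files;
# 'run' checks the real files and the live kernel/pf state (sudo sh this.sh run).
case "${1:-selftest}" in
    selftest) selftest && echo "selftest ok" ;;
    run) check_main_conf "$MAIN_CONF"
         check_nat_rule "$ANCHOR_FILE" "$VPN_SUBNET" "$WAN_IF"
         live_checks ;;
esac
```

Run it as `sudo sh check_vpn_nat.sh run` on the server while a VPN client is connected and trying to load a page. If the static checks pass, forwarding is 1 and pf lists the anchor, but no states appear for 10.0.0., the NAT rule is loaded yet never matches, so the next thing to look at is the interface the client traffic actually arrives on and whether the clients really land in 10.0.0.0/24.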


  • by dwbrecovery, Sep 24, 2016 11:37 PM in response to dmfromca
    Level 3 (596 points)
    Servers Enterprise

    Hi dmfromca,

    On the client, use verbose logging: SysPrefs-> Network->VPN(L2TP) -> Advanced

    Check for clues with Console, search term process ->racoon and process -> pppd.


    hth, cheers, dwbrecovery

  • by dmfromca, Sep 26, 2016 9:35 PM in response to dwbrecovery
    Level 1 (4 points)
    Servers Enterprise

    I don't find any logs for process -> pppd. Searching racoon I find successful connections. In the server logs, I don't see anything that stands out...


    Mon Sep 26 21:28:41 2016 : sent [IPCP ConfReq id=0x1 <addr 199.19.xxx.xxx>]

    Mon Sep 26 21:28:41 2016 : sent [ACSCP ConfReq id=0x1]

    Mon Sep 26 21:28:41 2016 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]

    Mon Sep 26 21:28:41 2016 : ipcp: returning Configure-NAK

    Mon Sep 26 21:28:41 2016 : sent [IPCP ConfNak id=0x1 <addr 10.0.0.151> <ms-dns1 10.0.0.1> <ms-dns3 10.0.0.1>]

    Mon Sep 26 21:28:41 2016 : rcvd [LCP ProtRej id=0x2 82 35 01 01 00 04]

    Mon Sep 26 21:28:41 2016 : rcvd [IPV6CP ConfReq id=0x1 <addr fe80::6aa8:6dff:fe00:06b6>]

    Mon Sep 26 21:28:41 2016 : Unsupported protocol 0x8057 received

    Mon Sep 26 21:28:41 2016 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 6a a8 6d ff fe 00 06 b6]

    Mon Sep 26 21:28:41 2016 : rcvd [IPCP ConfAck id=0x1 <addr 199.19.xxx.xxx>]

    Mon Sep 26 21:28:41 2016 : rcvd [IPCP ConfReq id=0x2 <addr 10.0.0.151> <ms-dns1 10.0.0.1> <ms-dns3 10.0.0.1>]

    Mon Sep 26 21:28:41 2016 : ipcp: returning Configure-ACK

    Mon Sep 26 21:28:41 2016 : sent [IPCP ConfAck id=0x2 <addr 10.0.0.151> <ms-dns1 10.0.0.1> <ms-dns3 10.0.0.1>]

    Mon Sep 26 21:28:41 2016 : ipcp: up

    Mon Sep 26 21:28:41 2016 : found interface vlan0 for proxy arp

    Mon Sep 26 21:28:41 2016 : local  IP address 199.19.xxx.xxx

    Mon Sep 26 21:28:41 2016 : remote IP address 10.0.0.151

    Mon Sep 26 21:28:41 2016 : Received protocol dictionaries

    Mon Sep 26 21:28:41 2016 : Received acsp/dhcp dictionaries

    Mon Sep 26 21:28:41 2016 : Committed PPP store

    Mon Sep 26 21:28:41 2016 : Received acsp/dhcp dictionaries

    Mon Sep 26 21:28:41 2016 : Committed PPP store

    Mon Sep 26 21:28:41 2016 : l2tp_wait_input: Address added. previous interface setting (name: en0, address: 199.19.xxx.xxx), current interface setting (name: ppp0, family: PPP, address: 199.19.xxx.xxx, subnet: 255.255.255.0, destination: 10.0.0.151).

    Mon Sep 26 21:29:33 2016 : rcvd [LCP TermReq id=0x3 "User request"]

    Mon Sep 26 21:29:33 2016 : LCP terminated by peer (User request)

    Mon Sep 26 21:29:33 2016 : ipcp: down

    Mon Sep 26 21:29:33 2016 : sent [LCP TermAck id=0x3]

    Mon Sep 26 21:29:33 2016 : l2tp_wait_input: Address deleted. previous interface setting (name: en0, address: 199.19.xxx.xxx), deleted interface setting (name: ppp0, family: PPP, address: 199.19.xxx.xxx, subnet: 255.255.255.0, destination: 10.0.0.151).

    Mon Sep 26 21:29:33 2016 : L2TP received CDN

    Mon Sep 26 21:29:33 2016 : Connection terminated.

    Mon Sep 26 21:29:33 2016 : Connect time 0.9 minutes.

    Mon Sep 26 21:29:33 2016 : Sent 10433 bytes, received 57601 bytes.

    Mon Sep 26 21:29:33 2016 : L2TP disconnecting...

    Mon Sep 26 21:29:33 2016 : L2TP disconnected

    2016-09-26 21:29:33 PDT   --> Client with address = 10.0.0.151 has hungup

  • by dwbrecovery, Sep 26, 2016 10:09 PM in response to dmfromca
    Level 3 (596 points)
    Servers Enterprise

    Agreed, only thoughts:

    - The DNS server assigned to the client: check that it has forwarding servers set up and that the server itself can access websites.

    - Does the issue still exist without the custom NAT rules?

    hth

  • by dmfromca, Sep 27, 2016 3:57 PM in response to dwbrecovery
    Level 1 (4 points)
    Servers Enterprise

    The server can access websites. I will comment out the custom NAT rules this evening and see if the problem still exists. I will post results later. Thanks for the assistance.

  • by dmfromca, Sep 28, 2016 9:03 PM in response to dmfromca
    Level 1 (4 points)
    Servers Enterprise

    No luck. I have removed the custom rules and still cannot get client traffic to pass through. I am starting from scratch to see if the problem still exists.

  • by miho20, Sep 30, 2016 9:16 AM in response to dmfromca
    Level 1 (4 points)

    I have the same problem. Any update on the issue?

  • by dmfromca, Sep 30, 2016 1:33 PM in response to miho20
    Level 1 (4 points)
    Servers Enterprise

    It did not help. I have removed/recreated each file, even following the instructions I used to originally set it up (https://macminicolo.net/blog/files/Setup-a-VPN-server-with-El-Capitan-server%20. html) and it is still not working. I guess I'm going to try a VM that does not have the VPN server configured and see if it works from scratch.

  • by miho20, Sep 30, 2016 2:10 PM in response to dmfromca
    Level 1 (4 points)

    Okay, this is very strange. I followed the same instructions directly after doing a clean Sierra installation and installing the server app. VPN works. But forwarding traffic does not work.