I've done quite a bit of testing and the end result is always the same. If the 
PPTP server is enabled locally on the premises edge router/firewall, local 
clients cannot connect to remote PPTP servers at all. As soon as the PPTP 
server is disabled, connectivity works exactly as expected. I made some posts 
on the list quite a while ago and also did some chatting in #pfSense. It was 
deemed to be a problem with GRE state tracking within pf and/or the NAT 
implementation.

The problem is defined specifically here: 
http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43 
under the VPN --> PPTP Server heading.

"Limitations
    * Because of limitations in pf NAT, when the PPTP Server is enabled, PPTP 
clients cannot use the same public IP for outbound PPTP connections. This means 
if you have only one public IP, and use the PPTP Server, PPTP clients inside 
your network will not work. The work around is to use a second public IP with 
Advanced Outbound NAT for your internal clients. See also the PPTP limitation 
under NAT on this page."

So in short, yes... that is how I would describe the way it functions. :-)

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105
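The workaround quoted above (a second public IP with Advanced Outbound NAT) written out as pf rules. This is an added illustration for this page, not the ruleset pfSense generates and not anything from the original post; the interface names, both public addresses and the LAN subnet are assumed placeholders.

```pf
# Added illustration: pf.conf fragment for the second-public-IP workaround.
# Not pfSense's generated ruleset; all interface names and addresses are assumed.
ext_if    = "em0"              # WAN interface (assumed)
int_if    = "em1"              # LAN interface (assumed)
wan_ip    = "203.0.113.10"     # primary public IP; the local PPTP server answers here
pptp_out  = "203.0.113.11"     # second public IP, dedicated to outbound PPTP from the LAN
lan_net   = "192.168.1.0/24"   # internal clients (assumed)
pptp_port = "1723"             # PPTP control channel (TCP)

# --- The single-IP arrangement that fails, shown for contrast ---------------
# With one address, the local server's inbound GRE and the LAN clients'
# outbound GRE both sit on $wan_ip. GRE has no port numbers, so pf NAT
# cannot tell the two flows apart and outbound PPTP from the LAN breaks.
#   nat on $ext_if from $lan_net to any -> $wan_ip

# --- Workaround: give outbound PPTP/GRE its own public address --------------
# pf NAT rules are first-match, so the PPTP-specific rules go before the
# catch-all. Both the TCP control channel and the GRE data channel must be
# translated to the same second address; otherwise the remote server sees
# GRE arriving from an address it has no control session with.
nat on $ext_if proto tcp from $lan_net to any port $pptp_port -> $pptp_out
nat on $ext_if proto gre from $lan_net to any                 -> $pptp_out
nat on $ext_if           from $lan_net to any                 -> $wan_ip

# The local PPTP server is reachable on the primary address only.
pass in quick on $ext_if proto tcp from any to $wan_ip port $pptp_port keep state
pass in quick on $ext_if proto gre from any to $wan_ip keep state

# Outbound NAT is applied before filtering, so the pass-out rules see the
# translated source address.
pass out quick on $ext_if proto tcp from $pptp_out to any port $pptp_port keep state
pass out quick on $ext_if proto gre from $pptp_out to any keep state
```

In the pfSense GUI of that era the same thing is two Advanced Outbound NAT entries (source = LAN subnet, protocol GRE and TCP/1723, translation = the second IP configured as a virtual IP) placed above the default outbound rule. `pfctl -ss` lists the current states, including the GRE ones, and is the quickest way to confirm which public address each tunnel was translated to. Note that this only addresses the NAT interaction; PPTP's own authentication and encryption (MS-CHAPv2/MPPE) are weak by modern standards regardless of how the NAT is arranged.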

----- Original Message -----
From: "Chris Buechler" <[EMAIL PROTECTED]>
To: support@pfsense.com
Sent: Monday, July 28, 2008 11:20:10 AM GMT -06:00 US/Canada Central
Subject: Re: [pfSense Support] Recent PPTP updates

Tim Nelson wrote:
> Recent updates to PPTP allow multiple local clients to connect to the same 
> remote PPTP server. However, do these updates fix the issue between PPTP and 
> NAT where if you have a local PPTP server enabled, you cannot use PPTP 
> outbound to remote PPTP sites?
>   

Last I heard that was the only piece it fixed in its current 
permutation; it didn't resolve the multiple clients to single outside 
server yet. For those out of the loop, Ermal has been working on hacking 
pf's NAT to better support PPTP/GRE. I might be a bit out of the loop on 
that, though I don't think any changes were committed since that was the 
last verified case.

Is the way you describe it how it's working in your environment, Tim?



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
