Jeremy Bennett wrote:
> Guys,
> Thank you for the confirmation and the pointer in the right direction.
> Anil -- exactly what I was looking for!
> With everyone's advice, things are now working smoothly.
> BSD PPTP limitations be damned--PFsense is the best!
Let's not generalize too much. The 'real' limitation (in the GRE
protocol, not really BSD) is just: no more than one GRE tunnel between
any two endpoints (no matter whether each endpoint be nat-ed or bound to
the public IP). Actually, years ago Microsoft (as the largest 'consumer'
of GRE) has added a session ID inside some GRE headers: so now it is
possible to distinguish the GRE packets belonging to different sessions
between the same endpoints, as long as the server is running Windows. But
by now, only ipfilter can take advantage of this nonstandard extension
when doing NAT (don't know about Linux's iptables).
If your WAN has more than 1 IP address, you can hack around some
limitations/over-simplifications of the current pfSense-generated rules.
If the endpoint of your NAT-ed connection is different from all of the
active clients of your pfSense PPTP server, even if your WAN has only
one public IP, it should 'just work'. But it doesn't, because the PHP
code generates rules like these:
# PPTP
rdr on \$wan proto gre from any to any -> $pptpdtarget
rdr on \$wan proto tcp from any to any port 1723 -> $pptpdtarget
($pptpdtarget is 127.0.0.1 when the pfSense is acting as a server)
I once had some patches to correct this, but it was for an old version
of pfSense, you'd better redo it from scratch.
Angelo.
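To make the GRE limitation Angelo describes concrete, here is an added example (not code from the thread or from pfSense) that parses the enhanced GRE header PPTP uses (RFC 2637, whose 16-bit Call ID is the "session ID" mentioned above) and compares a NAT table keyed the classic way, on (src, dst, protocol), with one that also keys on the Call ID. The packets and addresses are constructed for the demonstration.

```python
import struct
from typing import NamedTuple, Optional

PPTP_PROTO = 0x880B  # protocol type carried in PPTP's enhanced GRE (RFC 2637)

class GreHeader(NamedTuple):
    version: int
    proto: int
    call_id: Optional[int]  # low 16 bits of the Key field; None for plain GRE
    seq: Optional[int]
    ack: Optional[int]

def _field(pkt: bytes, off: int, fmt: str):
    size = struct.calcsize(fmt)
    if len(pkt) < off + size:
        raise ValueError("truncated GRE header")
    return struct.unpack(fmt, pkt[off:off + size])

def parse_gre(pkt: bytes) -> GreHeader:
    """Parse a plain (RFC 2784) or enhanced (RFC 2637) GRE header."""
    flags, proto = _field(pkt, 0, "!HH")
    version = flags & 0x0007
    off = 4 + (4 if flags & 0x8000 else 0)      # C bit: checksum + offset word
    call_id = seq = ack = None
    if flags & 0x2000:                          # K bit: Key present
        _payload_len, call_id = _field(pkt, off, "!HH"); off += 4
    if flags & 0x1000:                          # S bit: sequence number
        (seq,) = _field(pkt, off, "!I"); off += 4
    if version == 1 and flags & 0x0080:         # A bit: ack number (v1 only)
        (ack,) = _field(pkt, off, "!I"); off += 4
    return GreHeader(version, proto, call_id, seq, ack)

def build_enhanced_gre(call_id: int, payload: bytes = b"", seq: Optional[int] = None) -> bytes:
    """Constructed PPTP data packet: K bit set, version 1, optional S bit."""
    flags = 0x2000 | 0x0001 | (0x1000 if seq is not None else 0)
    hdr = struct.pack("!HHHH", flags, PPTP_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload

def nat_key(src: str, dst: str, hdr: GreHeader, use_call_id: bool) -> tuple:
    """Classic NAT state key is (src, dst, proto); GRE has no ports to add."""
    key = (src, dst, "gre")
    if use_call_id and hdr.call_id is not None:
        key += (hdr.call_id,)
    return key

def distinct_sessions(packets, use_call_id: bool) -> int:
    """Count how many NAT entries a list of (src, dst, raw_gre) would occupy."""
    return len({nat_key(s, d, parse_gre(p), use_call_id) for s, d, p in packets})
```

Two PPTP sessions from the same NAT-ed public address to the same server collapse into a single entry under the classic key, which is exactly the one-tunnel-per-endpoint-pair limit; only a translator that understands the Call ID can keep them apart.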