More information is a good thing.
GRE limitations be damned--PFsense is still the best.
This does explain why I've been able to connect to other PPTP vpn
servers (likely linux based).
On Mar 12, 2008, at 6:13 AM, Angelo Turetta wrote:
Jeremy Bennett wrote:
Guys,
Thank you for the confirmation and the pointer in the right
direction.
Anil -- exactly what I was looking for!
With everyone's advice, things are now working smoothly.
BSD PPTP limitations be damned--PFsense is the best!
Let's not generalize too much. The 'real' limitation (in the GRE
protocol, not really BSD) is just: no more than one GRE tunnel
between any two endpoints (no matter whether each endpoint be nat-ed
or bound to the public IP). Actually, years ago Microsoft (as
the largest 'consumer' of GRE) added a session ID inside some
GRE headers: so now it is possible to distinguish the GRE packets
belonging to different sessions between the same endpoints, as long
as the server is running Windows. But by now, only ipfilter can
take advantage of this nonstandard extension when doing NAT (don't
know about Linux's iptables).
If your WAN has more than 1 IP address, you can hack around some
limitations/over-simplifications of the current pfSense-generated
rules.
If the endpoint of your NAT-ed connection is different from all of
the active clients of your pfSense PPTP server, even if your WAN
has only one public IP, it should 'just work'. But it doesn't,
because the PHP code generates rules like these:
# PPTP
rdr on \$wan proto gre from any to any -> $pptpdtarget
rdr on \$wan proto tcp from any to any port 1723 -> $pptpdtarget
($pptpdtarget is 127.0.0.1 when the pfSense is acting as a server)
I once had some patches to correct this, but it was for an old
version of pfSense, you'd better redo it from scratch.
Angelo.
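To make the point about the generated rules concrete, here is a pf.conf fragment written for this thread; it is an added example, not the pfSense PHP generator's output and not a patch from anyone on the list. It puts the two rules Angelo quotes (with the $pptpdtarget macro expanded to 127.0.0.1) beside a hand-written variant for the two cases he describes: a single public IP where the remote PPTP server is simply exempted from the catch-all redirect, and a WAN with two public IPs where the local server is bound to one address and outbound clients are NAT-ed through the other, so the two GRE tunnels no longer share an endpoint pair. The interface name, the 203.0.113.x / 198.51.100.x addresses and the LAN prefix are placeholders chosen for the example. What this does not fix is the underlying protocol limit: with one public IP, only one NAT-ed LAN client can have a PPTP session to the same remote server at a time.

```pf
# --- Macros (placeholder values, assumed for this example) ---
wan = "em0"
lan_net = "192.168.1.0/24"
wan_ip_server = "203.0.113.5"    # public IP the local PPTP server listens on
wan_ip_clients = "203.0.113.6"   # second public IP, used only for outbound NAT
pptpdtarget = "127.0.0.1"        # pfSense acting as the PPTP server itself

# Remote PPTP servers that LAN hosts dial out to (constructed example entry).
table <pptp_remote_servers> { 198.51.100.10 }

# --- As generated (the problem) ---
# Every GRE packet and every TCP/1723 packet arriving on WAN, including
# replies from a remote PPTP server to a NAT-ed LAN client, is redirected
# to the local pptpd, so the outbound session never completes.
# rdr on $wan proto gre from any to any -> $pptpdtarget
# rdr on $wan proto tcp from any to any port 1723 -> $pptpdtarget

# --- Variant 1: single public IP, exempt the known remote servers ---
# "no rdr" rules are evaluated first and stop translation for matching
# packets, so replies from <pptp_remote_servers> fall through to the
# outbound NAT state instead of being hijacked by the catch-all rdr.
no rdr on $wan proto gre from <pptp_remote_servers> to any
no rdr on $wan proto tcp from <pptp_remote_servers> port 1723 to any
rdr on $wan proto gre from any to any -> $pptpdtarget
rdr on $wan proto tcp from any to any port 1723 -> $pptpdtarget

# --- Variant 2: two public IPs, separate the endpoint pairs ---
# The local server owns $wan_ip_server; LAN clients are NAT-ed out via
# $wan_ip_clients. A tunnel (remote <-> 203.0.113.5) and a tunnel
# (remote <-> 203.0.113.6) are different endpoint pairs, so both can
# exist at once even to the same remote host. Use this block instead of
# Variant 1, not in addition to it.
# rdr on $wan proto gre from any to $wan_ip_server -> $pptpdtarget
# rdr on $wan proto tcp from any to $wan_ip_server port 1723 -> $pptpdtarget
# nat on $wan proto gre from $lan_net to any -> $wan_ip_clients
# nat on $wan proto tcp from $lan_net to any port 1723 -> $wan_ip_clients

# Filter rules still have to admit the traffic on WAN; the generated
# ruleset normally includes the equivalent of:
pass in quick on $wan proto gre from any to any keep state
pass in quick on $wan proto tcp from any to any port 1723 flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; on a pfSense box these lines belong in the rules generator rather than pf.conf directly, since the file is rewritten on every config change.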
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]