Hi,

Thanks to a link in the other PPTP thread currently running on this list, I found this page in the docs:

http://doc.pfsense.org/index.php/Connect_to_a_remote_PPTP_server_when_you_have_the_pfSense_PPTP_server_enabled

As stated there, it is not possible to NAT PPTP and GRE traffic via the non-default WAN IP without installing an extra package, or without knowing beforehand all the PPTP servers your users will try to connect to in the future.

However, I would like to mention that in the past few years I have been successfully running inbound and outgoing PPTP connections on pfSense 1.2.x, even in situations with +500 users, by just 'turning the solution around'. Of course it also only works when you have more than one WAN IP available, since it uses advanced outbound NAT.

Instead of trying to NAT specific traffic like PPTP and GRE traffic to a VIP address to solve this issue, I just set up advanced outbound NAT to NAT ALL traffic from LAN clients through a VIP. The firewall WAN address therefore stays free and is used only for VPN connections (and a few internal services on pfSense).

This way, pf can very easily keep inbound PPTP and GRE connections to its own PPTP server separated from the PPTP and GRE traffic from local LAN clients. (Of course you are still limited to one simultaneous outgoing connection to the same PPTP server, because of the way PPTP works.)

Details:

First you create a VIP on your WAN interface. This VIP is not to be used in 1:1 NAT mappings or port forwards; it should be left free for the advanced outbound NAT.

In the advanced outbound NAT page you disable the automatic setting and add a rule on the WAN interface for EVERY local subnet you have that should be able to reach the internet, stating the local subnet as the source and ANY as the destination, setting the outgoing address to the aforementioned VIP on the WAN interface. After applying, you may wish to clear the state table to see the changes take effect.

This way, all your clients use the VIP address for their internet traffic, and you don't have to set up NAT rules again and again for every PPTP server on the internet that your users are trying to reach. And you don't have to install a package for a simple NAT issue.

Just thought I'd write it down; it might be useful to someone some day.

Regards,
Hans
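The setup described in the message above, written out as plain pf NAT rules. This is an added illustration, not part of the original post and not the ruleset pfSense generates; the interface name, the subnets and the addresses (documentation range 203.0.113.0/24) are constructed assumptions.

```pf
# Constructed example values, not taken from the post.
wan_if   = "em0"                # WAN interface (hypothetical name)
wan_ip   = "203.0.113.2"        # firewall's own WAN address, left free for the PPTP server
nat_vip  = "203.0.113.10"       # VIP reserved for outbound NAT only (no 1:1 NAT, no port forwards)
lan_nets = "{ 192.168.1.0/24, 192.168.2.0/24 }"   # every local subnet that may reach the internet

# Conventional form, shown for comparison: LAN traffic leaves from the
# interface address, so outgoing client PPTP/GRE shares an address with
# the firewall's own PPTP server.
# nat on $wan_if from $lan_nets to any -> ($wan_if)

# Turned-around form: ALL LAN traffic leaves from the VIP.
# The macro list expands to one rule per local subnet.
nat on $wan_if from $lan_nets to any -> $nat_vip

# No NAT rule matches traffic sourced from $wan_ip itself, so the
# firewall's PPTP server keeps answering from $wan_ip and its GRE
# states never share an address with the translated client traffic.
```

Existing states keep their old translation until they expire, which is why the state table is cleared after applying. On a plain pf host that is `pfctl -F state`.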
