Does PPTP/GRE limitations still apply to OPNSense / FreeBSD

[Kodestuen]

Remember from the pfSense days that PF does not handle GRE and NAT very well.

So my question is, can we still have only one PPTP connection to a server at a time? We have customers were some employees need to connect to the same PPTP endpoint at a time, so it important that this is possible.

Today we use VyOS (Linux) and that handle it just fine, but VyOS harder to maintan for me as it's CLI only.

Best,
Christian

[franco]

Hi Christian,

This needs a connection tracker in the OS code. I don't think this was ever added to FreeBSD. Sorry.

The GRE Tunnel does not have a port number, which makes it difficult to police because it would need to be based on its content. "not handle GRE and NAT very well" is a bit misleading therefore -- it's that GRE was chosen and that it operates this way.


Cheers,
Franco

[Kodestuen]

Hi Franco,

thank you very much for the clear answer :-)

Keep up the excellent work!!!

/CU

[godot]

Freebsd has the code for nating pptp in the in kernel ipfw nat code.....

https://github.com/freebsd/freebsd/blob/master/sys/netinet/libalias/alias_pptp.c

Possible workaround:

https://forum.pfsense.org/index.php?topic=46172.0