Remember from the pfSense days that PF does not handle GRE and NAT very well.
So my question is, can we still have only one PPTP connection to a server at a time? We have customers where some employees need to connect to the same PPTP endpoint at the same time, so it is important that this is possible.
Today we use VyOS (Linux) and that handles it just fine, but VyOS is harder for me to maintain as it's CLI only.
Best,
Christian
Hi Christian,
This needs a connection tracker in the OS code. I don't think this was ever added to FreeBSD. Sorry.
The GRE Tunnel does not have a port number, which makes it difficult to police because it would need to be based on its content. "not handle GRE and NAT very well" is a bit misleading therefore -- it's that GRE was chosen and that it operates this way.
Cheers,
Franco
Hi Franco,
Thank you very much for the clear answer :-)
Keep up the excellent work!!!
/CU
FreeBSD has the code for NATing PPTP in the in-kernel ipfw NAT code:
https://github.com/freebsd/freebsd/blob/master/sys/netinet/libalias/alias_pptp.c
Possible workaround:
https://forum.pfsense.org/index.php?topic=46172.0
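Franco's point that the tracker has to key on the GRE content, and the alias_pptp.c link above, illustrated by an added Python example that is not from this thread and not FreeBSD's or Linux's code: it parses the RFC 2637 enhanced GRE header and models the Call ID rewriting a NAT helper has to do so that two inside clients can reach the same server. The `PptpNatHelper` class, the addresses and the Call IDs are constructed for the demo.

```python
import struct
PPTP_GRE_PROTO = 0x880B  # RFC 2637 enhanced GRE carrying PPP: sessions differ by Call ID, not port

def parse_pptp_gre(pkt):
    """Return (call_id, payload) from an RFC 2637 enhanced GRE packet."""
    flags, ver, proto, _length, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != PPTP_GRE_PROTO or not (flags & 0x20) or (ver & 0x07) != 1:
        raise ValueError("not PPTP enhanced GRE")
    off = 8 + (4 if flags & 0x10 else 0) + (4 if ver & 0x80 else 0)  # skip seq/ack
    return call_id, pkt[off:]

def build_pptp_gre(call_id, payload, seq=None):
    """Build a minimal enhanced GRE packet (K bit set, S bit if seq given)."""
    flags = 0x20 | (0x10 if seq is not None else 0)
    hdr = struct.pack("!BBHHH", flags, 0x01, PPTP_GRE_PROTO, len(payload), call_id)
    return hdr + (struct.pack("!I", seq) if seq is not None else b"") + payload

def rewrite_call_id(pkt, new_id):
    return pkt[:6] + struct.pack("!H", new_id) + pkt[8:]  # low word of Key = Call ID

class PptpNatHelper:
    """Toy model of a PPTP NAT helper (hypothetical class). The server addresses a
    client by the client's own Call ID in the GRE Key field, so two inside hosts
    that picked the same Call ID collide unless the helper rewrites them."""
    def __init__(self):
        self.public_of = {}  # (inside_ip, inside_call_id) -> public call id
        self.inside_of = {}  # public call id -> (inside_ip, inside_call_id)
    def register_call(self, inside_ip, inside_call_id):
        """Seen on the TCP/1723 Outgoing-Call-Request: allocate the public Call ID
        that the helper would also write into that control message."""
        key = (inside_ip, inside_call_id)
        if key not in self.public_of:
            pub = 1
            while pub in self.inside_of:
                pub += 1
            self.public_of[key], self.inside_of[pub] = pub, key
        return self.public_of[key]
    def inbound(self, pkt):
        """Server -> client GRE packet: the Key field carries the public Call ID."""
        call_id, _ = parse_pptp_gre(pkt)
        inside_ip, inside_id = self.inside_of[call_id]
        return inside_ip, rewrite_call_id(pkt, inside_id)

def demo():  # constructed scenario: two inside clients both picked Call ID 1
    nat = PptpNatHelper()
    a, b = nat.register_call("10.0.0.11", 1), nat.register_call("10.0.0.12", 1)
    dst_a, pkt_a = nat.inbound(build_pptp_gre(a, b"\xff\x03\x00\x21", seq=7))
    dst_b, pkt_b = nat.inbound(build_pptp_gre(b, b"\xff\x03\x00\x21"))
    return a, b, dst_a, parse_pptp_gre(pkt_a)[0], dst_b, parse_pptp_gre(pkt_b)[0]
```

Without the Call ID rewrite, both server-to-client streams would carry Call ID 1 and a plain NAT has nothing in the IP/GRE headers to tell the two inside hosts apart.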