OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Kodestuen on March 09, 2017, 08:56:36 pm

Title: Does PPTP/GRE limitations still apply to OPNSense / FreeBSD
Post by: Kodestuen on March 09, 2017, 08:56:36 pm
Remember from the pfSense days that PF does not handle GRE and NAT very well.

So my question is, can we still have only one PPTP connection to a server at a time? We have customers where some employees need to connect to the same PPTP endpoint at a time, so it is important that this is possible.

Today we use VyOS (Linux) and that handles it just fine, but VyOS is harder to maintain for me as it's CLI only.

Best,
Christian
Title: Re: Does PPTP/GRE limitations still apply to OPNSense / FreeBSD
Post by: franco on March 11, 2017, 04:11:19 pm
Hi Christian,

This needs a connection tracker in the OS code. I don't think this was ever added to FreeBSD. Sorry.

The GRE Tunnel does not have a port number, which makes it difficult to police because it would need to be based on its content. "not handle GRE and NAT very well" is a bit misleading therefore -- it's that GRE was chosen and that it operates this way.


Cheers,
Franco
Title: Re: Does PPTP/GRE limitations still apply to OPNSense / FreeBSD
Post by: Kodestuen on March 13, 2017, 01:53:29 pm
Hi Franco,

thank you very much for the clear answer :-)

Keep up the excellent work!!!

/CU
Title: Re: Does PPTP/GRE limitations still apply to OPNSense / FreeBSD
Post by: godot on March 14, 2017, 11:41:08 am
FreeBSD has the code for NATing PPTP in the in-kernel ipfw NAT code...

https://github.com/freebsd/freebsd/blob/master/sys/netinet/libalias/alias_pptp.c

Possible workaround:

https://forum.pfsense.org/index.php?topic=46172.0
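
Added example (not from the thread, and not the libalias code linked above) illustrating the point that GRE has no port number: PPTP's enhanced GRE header (RFC 2637) carries a 16-bit Call ID, which is the only field a NAT can use to tell apart two tunnels coming from the same server. The table layout, function names and addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GRE_PROTO_PPP 0x880B   /* protocol type of PPTP's enhanced GRE (RFC 2637) */

/* Read the Call ID from an enhanced GRE header; 0 on success, -1 if not PPTP GRE. */
int pptp_gre_call_id(const uint8_t *p, size_t len, uint16_t *call_id)
{
    if (len < 8) return -1;                      /* fixed header is 8 bytes */
    if ((p[0] & 0x20) == 0) return -1;           /* K bit: key field present */
    if ((p[1] & 0x07) != 1) return -1;           /* version 1 = enhanced GRE */
    if (((p[2] << 8) | p[3]) != GRE_PROTO_PPP) return -1;
    *call_id = (uint16_t)((p[6] << 8) | p[7]);   /* low half of the key field */
    return 0;
}

/* Hypothetical NAT state: one entry per tracked PPTP call. */
struct pptp_map { uint32_t server_ip; uint16_t call_id; uint32_t client_ip; };

/* Pick the internal client for an inbound GRE packet; 0 means "no state". */
uint32_t pptp_nat_lookup(const struct pptp_map *t, size_t n, uint32_t server_ip,
                         const uint8_t *gre, size_t len)
{
    uint16_t id;
    if (pptp_gre_call_id(gre, len, &id) != 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (t[i].server_ip == server_ip && t[i].call_id == id)
            return t[i].client_ip;
    return 0;
}

/* Constructed samples: ack-only GRE packets from one server, Call IDs 0x0011 and 0x0022. */
const uint8_t GRE_A[12] = {0x20, 0x81, 0x88, 0x0B, 0, 0, 0x00, 0x11, 0, 0, 0, 1};
const uint8_t GRE_B[12] = {0x20, 0x81, 0x88, 0x0B, 0, 0, 0x00, 0x22, 0, 0, 0, 1};
const uint8_t GRE_V0[8] = {0x00, 0x00, 0x08, 0x00, 0, 0, 0, 0};  /* plain GRE, no key */

#define SERVER   0xCB00710Au   /* 203.0.113.10, constructed */
#define CLIENT_A 0xC0A8010Au   /* 192.168.1.10, constructed */
#define CLIENT_B 0xC0A8010Bu   /* 192.168.1.11, constructed */
const struct pptp_map TABLE[2] = { {SERVER, 0x0011, CLIENT_A}, {SERVER, 0x0022, CLIENT_B} };

int main(void)
{
    printf("A -> %08x\n", (unsigned)pptp_nat_lookup(TABLE, 2, SERVER, GRE_A, sizeof GRE_A));
    printf("B -> %08x\n", (unsigned)pptp_nat_lookup(TABLE, 2, SERVER, GRE_B, sizeof GRE_B));
    return 0;
}
```

Both sample packets share the same source address, destination address and IP protocol, so a filter that keeps no per-call state has nothing to route them by; only the Call ID lookup separates the two clients.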