Does PPTP/GRE limitations still apply to OPNSense / FreeBSD

Started by Kodestuen, March 09, 2017, 08:56:36 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
March 09, 2017, 08:56:36 PM
Remember from the pfSense days that PF does not handle GRE and NAT very well.

So my question is, can we still have only one PPTP connection to a server at a time? We have customers were some employees need to connect to the same PPTP endpoint at a time, so it important that this is possible.

Today we use VyOS (Linux) and that handle it just fine, but VyOS harder to maintan for me as it's CLI only.

Best,
Christian
March 11, 2017, 04:11:19 PM #1
Hi Christian,

This needs a connection tracker in the OS code. I don't think this was ever added to FreeBSD. Sorry.

The GRE Tunnel does not have a port number, which makes it difficult to police because it would need to be based on its content. "not handle GRE and NAT very well" is a bit misleading therefore -- it's that GRE was chosen and that it operates this way.


Cheers,
Franco
March 13, 2017, 01:53:29 PM #2
Hi Franco,

thank you very much for the clear answer :-)

Keep up the excellent work!!!

/CU
March 14, 2017, 11:41:08 AM #3
Freebsd has the code for nating pptp in the in kernel ipfw nat code.....

https://github.com/freebsd/freebsd/blob/master/sys/netinet/libalias/alias_pptp.c

Possible workaround:

https://forum.pfsense.org/index.php?topic=46172.0
Print
Go Up Pages1
User actions