    PPTP - Allowing incoming connections from both WAN & WAN2

    • martinw

      Hi there

      Just been spending the last wee while setting up a pfSense firewall with a multi-WAN setup. I'm using PPTP VPN on the pfSense firewall (not redirected or anything) and I have 2 WAN connections, WAN & WAN2 (opt1), which are DSL connections through different suppliers (for redundancy purposes).

      I can currently connect into the VPN using the WAN interface address, but I cannot connect using the WAN2 interface address. Is it possible to set up the PPTP to accept connections on both (as this would be good for redundancy)?

      Thanks
      Martin

      • cmb

        Add rules to allow TCP 1723 and GRE on WAN2.

        • knjers

          I was under the impression that incoming PPTP works only over one WAN connection. The secondary WAN (OPTx) will not correctly route incoming PPTP.

          I tried to get this to work on 1.2-RC2 but did not succeed.
          Windows VPN never got out of Verifying username and password.

          It did work when I connected a laptop directly to the subnet between the pfSense and external DSL modem/router. But, when connecting through the Internet it would hang.
          The primary WAN worked from day one. My conclusion was that, after initialising through TCP port 1723, the GRE tunnel was routed out of the primary WAN, and not through the secondary.

          If it was a bug, then it obviously is time to upgrade.

          • martinw

            @knjers:

            I tried to get this to work on 1.2-RC2 but did not succeed.
            Windows VPN never got out of Verifying username and password.

            I've added these rules

            TCP/UDP  *  *  *  1723 (PPTP)  *      allow vpn

            GRE * * * * *   allow vpn

            and I'm getting Windows hanging on verifying username & password (error 619)

            Martinw

            • knjers

              I am almost sure that it is a bug. There are some posts on the forum about PPTP only working through the primary WAN.

              The problem is, in my opinion, that the GRE tunnel always goes to the default route, since it originates from the router. The secondary (or tertiary) WANs are governed by policy routing, and that applies only to traffic through the router, not to traffic originating from the router.

              I am not sure if this could be fixed through the shell.  My knowledge of GRE protocol is very limited. I just know how to click on icons.

              • cmb

                The reply-to automatically added to WAN rules should route the traffic properly if you're using 1.2.1 or newer.  I'll try it at some point and make sure.

                • newfirewallman

                  What do you mean by "The reply-to automatically added to WAN rules"?

                  • cmb

                    @newfirewallman:

                    What do you mean by "The reply-to automatically added to WAN rules"?

                    Read up on pf.

                    • newfirewallman

                      Thanks for the helpful answer CMB… Why post anything if it isn't going to help? "Read UP on PF". OK, I've searched the entire forum and didn't get a hit except for the post we are in. And I have been using pfSense everywhere: home, office, schools, multi-WAN, point-to-point VPNs. About every feature of it, yet not sure what you're talking about by "The reply-to automatically added to WAN rules".

                      Maybe it is something simple that, when you explain or give someone some helpful information like a screenshot, I might go "oh yeah, duh", but for now, because you didn't help anyone with your response, why do you go make it work and tell us all so we can RESPECT you, till then go lay in front of a bus.

                      • cmb

                        It is helpful. OpenBSD pf, not pfSense.  It's covered in their documentation. http://www.openbsd.org/cgi-bin/man.cgi?query=pf.conf&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

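
For readers following the pf.conf reference above: this is an added illustration of pf's `reply-to` on the two WAN2 rules discussed in the thread. It is not part of any post here and is not the ruleset pfSense generates. The macro names, interface names and gateway addresses are assumptions (documentation address ranges).

```pf
# Constructed example: interface names and gateway addresses are assumptions,
# not values from this thread (addresses are from documentation ranges).
wan_if  = "em0"
wan_gw  = "192.0.2.1"        # the default route points here
wan2_if = "em1"
wan2_gw = "198.51.100.1"     # second DSL provider

# Without reply-to: the connection is accepted on WAN2, but the replies
# follow the routing table and leave through the default gateway on WAN.
# pass in quick on $wan2_if inet proto tcp from any to ($wan2_if) port 1723 keep state
# pass in quick on $wan2_if inet proto gre from any to ($wan2_if) keep state

# With reply-to: replies belonging to states created by these rules are sent
# back out the interface the connection arrived on, via that WAN's gateway.
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) \
    inet proto tcp from any to ($wan2_if) port 1723 flags S/SA keep state
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) \
    inet proto gre from any to ($wan2_if) keep state

# The primary WAN needs no reply-to for replies to leave correctly, since
# the default route already points at $wan_gw.
pass in quick on $wan_if inet proto tcp from any to ($wan_if) port 1723 flags S/SA keep state
pass in quick on $wan_if inet proto gre from any to ($wan_if) keep state
```

`reply-to` only affects packets that match a state created by the rule carrying it. A GRE packet the firewall itself sends before an inbound GRE packet has created that state is routed by the routing table instead.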
                        • cmb

                          @newfirewallman:

                          till then go lay in front of a bus.

                          Wow, classiest post of the week.  Watch out for your karma.
