Netgate Discussion Forum
    VPN behind pfSense 2.0

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
12 Posts, 6 Posters, 5.1k Views
glor

pptp

glor

Ok so I found this on another website about pfSense -

NAT Limitations

• PPTP and GRE Limitation - The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server. This means if you use PPTP VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet. A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one simultaneously to a single server. The only available workaround is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server. This is not a problem with other types of VPN connections. A solution for this is currently under development.
• SIP Limitation - By default, all TCP and UDP traffic other than SIP and IPsec gets the source port rewritten. More information on this can be found in the static port documentation. Because this source port rewriting is how pf tracks which internal IP made the connection to the given external server, and most all SIP traffic uses the same source port, only one SIP device can connect simultaneously to a single server on the Internet. Unless your SIP devices can operate with source port rewriting (most can't), you cannot use multiple phones with a single outside server without using a dedicated public IP per device. The sipproxd package now provides a solution for this problem in pfSense 1.2.1 and newer.
• NAT Reflection limitations - NAT reflection can only be used with port ranges less than 500 ports and cannot be used with 1:1 NAT hosts.

- I guess my question remains as to whether this is attempting to be addressed in the 2.0 release?

eri--
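The two limitations quoted above (PPTP/GRE and SIP) come from the same mechanism: a port-rewriting NAT keys its state table on the rewritten source port, and GRE has no port to rewrite. The following Python model is an added example written for this thread; it is not pf or pfSense code, and the "pptp_aware" policy (keying GRE on the PPTP call ID and rewriting a colliding call ID, the way a PPTP NAT helper does) is a simplified stand-in for the fix the quoted text says was under development. All addresses, hosts and call IDs are constructed.

```python
"""Constructed model of how a port-rewriting NAT keys its state table.

Added teaching example, not pfSense or pf code. It models only the state-key
idea the thread describes: TCP/UDP flows can be told apart by a rewritten
source port, GRE has no ports, so plain NAT has one slot per
(public IP, external server). Addresses are RFC 5737 documentation addresses.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"       # the firewall's single public address (constructed)
PPTP_SERVER = "198.51.100.5"     # one external PPTP server (constructed)
SIP_SERVER = "198.51.100.20"     # one external SIP registrar (constructed)


@dataclass(frozen=True)
class Flow:
    proto: str                      # "tcp", "udp" or "gre"
    src: str                        # internal host
    dst: str                        # external server
    src_port: Optional[int] = None  # TCP/UDP only
    dst_port: Optional[int] = None  # TCP/UDP only
    call_id: Optional[int] = None   # PPTP GRE call ID (GRE only)


class Nat:
    """Outbound NAT with three constructed policies for building the state key.

    "rewrite"    - TCP/UDP source port is rewritten (the default described in the
                   thread); GRE keyed on (public IP, server) only.
    "static"     - TCP/UDP source port preserved (the thread's SIP default).
    "pptp_aware" - like "rewrite", but GRE keyed on the PPTP call ID as well, and a
                   colliding call ID is rewritten, as a PPTP NAT helper would do.
    """

    def __init__(self, mode: str = "rewrite") -> None:
        self.mode = mode
        self.table: Dict[Tuple, str] = {}   # outside-facing key -> internal host
        self.next_port = 50000
        self.next_call_id = 60000

    def translate(self, f: Flow) -> Optional[Tuple]:
        """Return the outside-facing key the state table would hold for this flow,
        or None when that key is already owned by a different internal host."""
        if f.proto in ("tcp", "udp"):
            if self.mode == "static":
                port = f.src_port
            else:
                port = self.next_port
                self.next_port += 1
            key = (f.proto, PUBLIC_IP, port, f.dst, f.dst_port)
        elif f.proto == "gre":
            if self.mode == "pptp_aware" and f.call_id is not None:
                key = ("gre", PUBLIC_IP, f.dst, f.call_id)
                if self.table.get(key, f.src) != f.src:
                    # another host already uses this call ID toward this server:
                    # hand out a fresh one, the way a PPTP-aware helper does
                    key = ("gre", PUBLIC_IP, f.dst, self.next_call_id)
                    self.next_call_id += 1
            else:
                key = ("gre", PUBLIC_IP, f.dst)    # GRE has no port to rewrite
        else:
            raise ValueError(f"unsupported protocol {f.proto!r}")
        owner = self.table.get(key)
        if owner is not None and owner != f.src:
            return None
        self.table[key] = f.src
        return key


def pptp_clients_admitted(mode: str, n: int, same_server: bool = True) -> int:
    """How many of n internal PPTP clients get a GRE state entry."""
    nat = Nat(mode)
    admitted = 0
    for i in range(n):
        dst = PPTP_SERVER if same_server else f"198.51.100.{100 + i}"
        # every client picks call ID 1 (constructed worst case for the helper)
        f = Flow("gre", f"192.168.1.{10 + i}", dst, call_id=1)
        if nat.translate(f) is not None:
            admitted += 1
    return admitted


def sip_phones_admitted(mode: str, n: int) -> int:
    """How many of n internal SIP phones, all sending from port 5060, register."""
    nat = Nat(mode)
    admitted = 0
    for i in range(n):
        f = Flow("udp", f"192.168.1.{50 + i}", SIP_SERVER, src_port=5060, dst_port=5060)
        if nat.translate(f) is not None:
            admitted += 1
    return admitted


if __name__ == "__main__":
    print("PPTP, plain NAT, one server:   ", pptp_clients_admitted("rewrite", 3))
    print("PPTP, plain NAT, three servers:", pptp_clients_admitted("rewrite", 3, False))
    print("PPTP, PPTP-aware NAT:          ", pptp_clients_admitted("pptp_aware", 3))
    print("SIP, static port:              ", sip_phones_admitted("static", 3))
    print("SIP, port rewriting:           ", sip_phones_admitted("rewrite", 3))
```

Running it reproduces the thread's numbers in miniature: with plain NAT three clients reach three different PPTP servers but only one reaches the same server, and three phones that all insist on source port 5060 collide under static-port NAT but not under port rewriting. The second public IP per client that the quoted text offers as a workaround would simply add a new PUBLIC_IP value to the key.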

It should work on 1.2.2+ for outgoing connections.
2.0 I have not yet merged because of reshuffling things when moving to FreeBSD 7.1, but it will be on 2.0.

glor

That is good to hear, however just as an FYI, I'm running 1.22 and it does not work. Is there an additional update I need to apply?

Thanks in advance.

glor

Here is the code I'm running...
Version 1.2.2
built on Thu Jan 8 22:30:24 EST 2009

Darkk

I am running 1.2.3-PRERELEASE-TESTING-VERSION built on Thu Feb 19 06:12:45 EST 2009 and it still will not allow me to connect to the same external IP with TWO VPN (PPTP) clients.

This is actually preventing me from using it in our corporate environment. Myself personally I don't have a problem running it at home since I am the only one connecting to it anyway.

The limitation is by FreeBSD's design?

I am looking forward to 2.0 when it's actually working.

sporkme

You can try the "fricken" package - that helped me out.

1.2.3 doesn't even work with a single PPTP client for me - NAT doesn't rewrite the source IP on the GRE packets.

glor

Yup, I just upgraded to the latest 1.2.3 build and it still doesn't work here either.

glor

So after installing frickin, how do I go about configuring it / starting the service?

Thanks

valnar

@glor:

Ok so I found this on another website about pfSense -

NAT Limitations

• PPTP and GRE Limitation - The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server. This means if you use PPTP VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet. A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one simultaneously to a single server. The only available workaround is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server. This is not a problem with other types of VPN connections. A solution for this is currently under development.

AFAIK, this is a problem in TCP/IP's design since NAT only translates UDP or TCP. GRE cannot be translated. No firewall I'm aware of "fixes" this problem.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.