Outgoing VPN connections only allow 1 x user to connect
-
dotdash - Thanks. I've removed the rules mentioned in that post a bit ago, with no change.
I'm waiting on the vendor on the other end to give me details regarding exactly what type of VPN connection it is.
Thanks,
Frank -
@pfSense.org:
Limitations: PPTP / GRE Limitation - The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server. This means if you use PPTP VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet. A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one simultaneously to a single server. The only available work around is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server. This is not a problem with other types of VPN connections. PPTP is insecure and should no longer be used.
Could it be this? Sounds like the likely option for Windows + (automatic) VPN.
On a side note, nobody should be using PPTP at this point; it's old and insecure.
-
@ fragged-
The screenshot looks like it's L2TP/L2TP-IPSec
-
@ fragged-
The screenshot looks like it's L2TP/L2TP-IPSec
Doh. I was originally on mobile and didn't see that at all :P
-
@ fragged-
The screenshot looks like it's L2TP/L2TP-IPSec
Doh. I was originally on mobile and didn't see that at all :P
Though if set to 'auto detect', doesn't Windows try PPTP first, then L2TP, and then fail? Hence if auto detect is set you only see the failure on the last attempt (L2TP), so it could still be PPTP, just that that fails first and Windows moves on to try the next option…
-
Thanks to all for the replies.
I'm told the VPN service is "Microsoft PPTP VPN". Not good…
However, I'd like to understand why it works for multiple users with the Comcast Business Gateway in place (FW/Routing enabled), instead of the SG-2440.
Anyone have any ideas?
-
Also, maybe someone can tell me why the Comcast Business Gateway (Comcast supplied modem/FW/AP/router) "just worked".
If you were setting up the Comcast device (router) in the so-called "bridged mode", it acts as an ordinary modem, but if this was not really the case and it was a Comcast router, your clients are behind a so-called double NAT or router cascade! Could this be?
However, I'd like to understand why it works for multiple users with the Comcast Business Gateway in place (FW/Routing enabled), instead of the SG-2440.
One question of mine about this scenario: why did you not set up only one IPSec or whatever VPN connection from your SG unit to the unknown box on the other side? So all people could use this one VPN line instead of opening more than one.
The problem that really exists here is called "multiple VPN clients behind NAT" or plain NAT traversal (NAT-T) problem. These problems occur really often and then fill forums and boards, but due to my bad English language skills it would be better to read this article on this problem, might be better for everyone's understanding. NAT-T problem
So it is not possible to have multiple L2TP clients connecting from the same static IP to a VPN device on the other side, because they are using the same port!!!!
In real life I would suggest setting up one IPSec or L2TP/IPSec connection, and then all employees are able to use this instead of opening their own many VPN connections! -
This is more of a NAT question than a PPTP one, I'll just leave it in general questions.
Some NAT implementations can handle multiple GRE sessions to a single remote server with a single local public IP, and some can't. pf can't. Often modems can't either, but you apparently have one that doesn't have such limitations.
Where you have multiple clients connecting to the same site, you're best off with a proper site to site VPN. Or if using mobile clients, use any type of VPN that wasn't deprecated a decade ago. PPTP is broken on a lot of networks for the same reason, plus the fact it's insecure. Any other type of VPN won't have that issue.
If you have multiple public IPs, and are able to NAT each client out its own public IP, that's the only option to make that circumstance work while using PPTP with multiple simultaneous clients.
-
Thanks to all for the replies.
I'm told the VPN service is "Microsoft PPTP VPN". Not good…
However, I'd like to understand why it works for multiple users with the Comcast Business Gateway in place (FW/Routing enabled), instead of the SG-2440.
It has a NAT-T setting like your brand new SG-xx box, but you were not setting it up?
Anyone have any ideas?
Setting up NAT-T at your pfSense box would handle this problem properly, but for a professional VPN set up I really urgently suggest setting up only one VPN connection, either IPSec or L2TP/IPSec, that all users can use.
And one tip at least: please don't use a PPTP VPN any more in business cases, this is something only WISPs would do today but no one else does. -
Thanks for the replies.
I am pushing them to setup an IPSec tunnel to the other site - I know that's the "right" thing to do. They're not sure they want to spend the money on a static IP (only $20 per month, but they are a small office - 3 x people).
I was just surprised that the Comcast Business Gateway "just worked" and I could find no way to get pfSense to work.
-
Regarding PPTP, I know it shouldn't be used.
This is an "established" service for this customer. I can push them to change it, but it involves multiple locations and "incumbent" support/consultants. I have to work at convincing the business PPTP is "bad".
Thanks,
Frank -
You don't need a static IP to use a site to site VPN. Both IPsec and OpenVPN will work fine in that circumstance with dynamic IPs on one or both sides. Granted, that may depend on what the other side is willing to do. They may have a standard of requiring a static IP, or have equipment where it isn't possible to configure it without one.
@BlueKobold:
Set up NAT-T at your pfSense box would handle this problem proper
NAT-T is a concept that's specific to IPsec. Rather than sending ESP protocol packets, where NAT-T is in use, the data will be encapsulated in UDP port 4500 traffic. No more ESP protocol, which eliminates the NAT complications.
The case with PPTP is similar in functionality to IPsec without NAT-T support. PPTP uses TCP 1723 and GRE (IPsec no NAT-T, UDP 500 and ESP). If it supported NAT-T like IPsec does, and would switch from GRE to, say, UDP 1723, this problem with tons of NAT implementations would go away. It was never updated to accommodate that because it was an antiquated protocol already. By the time that was a problem, superior VPN alternatives with no such issues were available.
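To make the point from the pfSense documentation quote and from cmb's two replies concrete (one GRE or ESP session per public IP per remote server, versus UDP 4500 with NAT-T or one public IP per client), here is a toy stateful NAT written for this thread. It is an added example, not pf or pfSense code: pf's real state keys are different, but its GRE limitation behaves like this model. The `ToyNat`, `Packet` and `simulate` names, the VPN leg table, and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Toy stateful NAT showing why a port-less protocol (GRE for PPTP, ESP for
IPsec without NAT-T) allows only one session per public IP per remote server,
and why UDP 4500 (IPsec NAT-T) or a dedicated public IP per client avoids it.

Added example for this thread; not pf/pfSense code. pf's real state keys
differ, but its GRE behaviour matches this model. Addresses are constructed
from the RFC 5737 documentation ranges."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORTLESS = {"gre", "esp"}  # IP protocols with no L4 port for the NAT to rewrite

# Legs each VPN type must pass through the NAT: (protocol, destination port).
VPN_LEGS = {
    "pptp": [("tcp", 1723), ("gre", None)],        # control on TCP 1723, data in GRE
    "ipsec": [("udp", 500), ("esp", None)],        # IKE on UDP 500, data in ESP
    "ipsec-natt": [("udp", 500), ("udp", 4500)],   # IKE, then ESP wrapped in UDP 4500
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


class NatConflict(Exception):
    """The NAT cannot create a reverse mapping that identifies one client."""


class ToyNat:
    def __init__(self, public_ip: str, per_client: Optional[Dict[str, str]] = None):
        self.public_ip = public_ip
        self.per_client = dict(per_client or {})  # client -> dedicated public IP
        self.states: Dict[Tuple, str] = {}        # reverse-lookup key -> client
        self._next_port = 40000

    def _public_ip_for(self, client: str) -> str:
        return self.per_client.get(client, self.public_ip)

    def outbound(self, pkt: Packet) -> Packet:
        pub = self._public_ip_for(pkt.src)
        if pkt.proto in PORTLESS:
            # Only (proto, public IP, remote IP) is available to map replies back,
            # so a second client to the same remote would be indistinguishable.
            key = (pkt.proto, pub, pkt.dst)
            owner = self.states.get(key)
            if owner is not None and owner != pkt.src:
                raise NatConflict(f"{pkt.proto} {pub}<->{pkt.dst} already used by {owner}")
            self.states[key] = pkt.src
            return Packet(pkt.proto, pub, pkt.dst)
        # Port-bearing protocols: allocate a unique translated source port,
        # which is what lets many clients reach the same server and port.
        sport = self._next_port
        self._next_port += 1
        self.states[(pkt.proto, pub, sport, pkt.dst, pkt.dport)] = pkt.src
        return Packet(pkt.proto, pub, pkt.dst, sport, pkt.dport)

    def inbound(self, pkt: Packet) -> Packet:
        """Translate a reply from the remote server back to the owning client."""
        if pkt.proto in PORTLESS:
            key = (pkt.proto, pkt.dst, pkt.src)
        else:
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        client = self.states.get(key)
        if client is None:
            raise NatConflict(f"no state for reply {pkt}")
        return Packet(pkt.proto, pkt.src, client, pkt.sport, pkt.dport)


def simulate(vpn: str, clients: List[str], server: str,
             public_ip: str = "203.0.113.1",
             per_client: Optional[Dict[str, str]] = None) -> Tuple[List[str], List[str]]:
    """Connect each client in turn; return (connected clients, refused clients)."""
    nat = ToyNat(public_ip, per_client)
    connected, refused = [], []
    for client in clients:
        try:
            for proto, dport in VPN_LEGS[vpn]:
                sport = 50000 if dport is not None else None  # client's own source port
                out = nat.outbound(Packet(proto, client, server, sport, dport))
                reply = Packet(proto, server, out.src, out.dport, out.sport)
                if nat.inbound(reply).dst != client:
                    raise NatConflict("reply delivered to the wrong client")
            connected.append(client)
        except NatConflict:
            refused.append(client)
    return connected, refused


if __name__ == "__main__":
    office = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]
    pptp_server = "198.51.100.5"
    print("PPTP, one public IP: ", simulate("pptp", office, pptp_server))
    print("IPsec without NAT-T: ", simulate("ipsec", office, pptp_server))
    print("IPsec with NAT-T:    ", simulate("ipsec-natt", office, pptp_server))
    dedicated = {"192.168.1.11": "203.0.113.2", "192.168.1.12": "203.0.113.3"}
    print("PPTP, IP per client: ", simulate("pptp", office, pptp_server, per_client=dedicated))
```

In the PPTP and plain-IPsec runs only the first client connects: its TCP 1723 or UDP 500 control leg is fine, but the GRE or ESP leg leaves the NAT with nothing but the public and remote addresses to key the reverse mapping on, so the second client's session collides with the first. The NAT-T run connects everyone because both legs carry UDP ports the NAT can rewrite, and the per-client run is the "one public IP per client" workaround from the pfSense documentation, which is the same thing pf's outbound NAT does when each LAN host is mapped to its own WAN address.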
-
@cmb:
They may have a standard of requiring a static IP, or have equipment where it isn't possible to configure it without one.
Yep - one of the above is true. They are insisting on a static IP before they'll set the tunnel up.
Thanks,
Frank