PPTP Client Connections to PFSense PPTP Server | PFSENSE TO PFSENSE Issues
-
I am having an interesting issue regarding two pfsense boxes that I manage. Both boxes are setup to use a PPTP server for remote connections. I can connect to each of them using the standard windows PPTP client from any other environment than behind either of the pfsense boxes.
Basically… If I am behind one of the PFSense boxes I cannot connect via PPTP to the other PFSense PPTP server, and vice-versa. I can nail up a PPTP session from any other location that uses an off the shelf router.
Any direction would be appreciated!!!
Thank you, -John
-
From http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43
PPTP and GRE Limitation - The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server. This means if you use PPTP VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet. A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one simultaneously to a single server. The only available work around is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server. This is not a problem with other types of VPN connections.
* Because of limitations in pf NAT, when the PPTP Server is enabled, PPTP clients cannot use the same public IP for outbound PPTP connections. This means if you have only one public IP, and use the PPTP Server, PPTP clients inside your network will not work. The work around is to use a second public IP with Advanced Outbound NAT for your internal clients. See also the PPTP limitation under NAT on this page.
-
May I quickly ask a question to your answer?
Will that "limitation" be solved with the 1.3-version?
Because I have the same problem here, I have a pfsense at home (and so only one public IP)
and we have a pfsense box at work.
Due to the limitation I cannot connect to my work-pfsense from home…Thanks for your reply!
Best regards,
Christian
-
This should have be resolved on current 1.3 builds but with only one outgoing client i hope to finish it to remove this limitation altogether from the pfSense limitations list for 1.3 release.
-
That would indeed be wonderful ;D
Crossing my fingers :)