PPTP server/client broklen again in latest builds?

  • Hello!

    I've got a real strange problem. A week ago everything was working like a charm, PPTP in and out, no problems.

    Since the this build och maybe a couple of days back, PPTP out through pfs. is behaving strange. I can connect to PPTP server which terminates in Windows RRAS but I can not get it to connect to a pfSense PPTP server. It just sits there waiting with verifying name & password… and error 619 after a while.

    Is it my config which has gone down hill or is it something in the build?

    Q: Can I go back a couple of build-versions? What happens to the config? Does pfSense allow me to "down"-grade?


  • Talking to myself here…

    I went back to pfSense-Full-Update-1.2.1-RC1-20080909-2058 and PPTP out still didn't work. I did this:


    1. Disabled PPTP server. Test: And PPTP out started working again.
    2. Enabled PPTP Server.
    3. Recreated the rule. Test: PPTP out still works!

    Did some more tests. This is interesting!

    1. Made a connection from the out into the PPTP server. Works!
    2. Tried to make a connection out from the inside. PPTP out is not working. Error 619!
    3. Disconnected the incoming PPTP session.
    4. Tried again to make a outgoing PPTP. Does not work. Error 619.

    So, PPTP out stops working after I've had a incoming connection.

    Repeating section (A) gives me PPTP outgoing working again.

    Now going to upgrade to latest snap... So, I'll probably be talking to my self here soon again.

  • There are no PPTP issues in 1.2.1 that don't exist in 1.2.

    from http://www.pfsense.org/index.php?option=com_content&task=view&id=40&Itemid=43
    PPTP and GRE Limitation - The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server. This means if you use PPTP VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet. A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one simultaneously to a single server. The only available work around is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server. This is not a problem with other types of VPN connections. A solution for this is currently under development.

    Because of limitations in pf NAT, when the PPTP Server is enabled, PPTP clients cannot use the same public IP for outbound PPTP connections. This means if you have only one public IP, and use the PPTP Server, PPTP clients inside your network will not work. The work around is to use a second public IP with Advanced Outbound NAT for your internal clients. See also the PPTP limitation under NAT on this page.

    Note the second one should not be an issue in 1.2.1 because of a kernel change, but from your description it seems like the patch we have doesn't completely fix things.

  • I thought I search thoroughly on the subject before starting to analyze the problem I had.

    The first paragraph I understand and have read about. The second paragraph I'd miss. But you say that 1.2.1 should not have that problem, in and out at the same time.

    I'd make some more tests with the latest pfSense-Full-Update-1.2.1-RC1-20080913-0353.

    With that version I had both incoming and outgoing working at the same time. But I did use a different PPTP endpoint (a Windows Server with RRAS) this time. Realizing not using the same I again tried against the pfSense PPTP endpoint, and that did not work.

    Do the above really make sense, Windows RRAS/pfSense as PPTP endpoint? It looks strange to me. Shouldn't matter what kind of PPTP server I'm connecting to.

    The only way I got outgoing working against the pfSense PPTP endpoint was to disable PPTP server (on my pfS) and do a reset on states. Then PPTP outgoing started working to that pfS.

    It there any way I can contribute to help solve this problem? I'm no programmer, but I sure can test things if it's needed.

    This is the only thing right now that stops me from using pfS at my customers. Can't use it if I can't trust pfS to handle PPTP in and out reliably.


  • @iorx:

    It there any way I can contribute to help solve this problem? I'm no programmer, but I sure can test things if it's needed.

    I'll would really like to see PPTP working in/out. And I, as said above, will to put great effort into helping you guys if I can.

    The reason to the above is that I would like to replace Kerio Firewall and DD-WRT with pfSense on a couple of places. Kerio and DD-WRT handles all possible combination of PPTP connections in and out …  :(  But features found if pfSense makes me want to use that instead! :)

    Is there a possibility that pfS will ever be able to fulfill my PPTP "needs" in the future? If yes, do you have any idea how far into the future that could be?


  • Sponsor it if you need it so badly :).

    I started fixing it and haven't finished it yet.

  • Ok, I'll think I do that. Will that mean that if it's fixed it will also work in the upcoming 1.3?

  • If Ermal gets it fixed, it'll likely be in 1.3 first and not make a 1.2x release since it's bug fixes only. This isn't a bug, it's an intentional limitation in pf. Fixing it will require significant kernel changes that aren't suitable for a maintenance release.

  • Should it look like this in the log?

    Oct 3 03:25:33 	syslogd: kernel boot file is /boot/kernel/kernel
    Oct 3 03:25:47 	mpd: mpd: pid 47842, version 3.18 (root@freebsd7-releng_1_2.geekgod.com 00:38 2-Oct-2008)
    Oct 3 03:25:47 	mpd: [pt0] ppp node is "mpd47842-pt0"
    Oct 3 03:25:47 	mpd: mpd: local IP address for PPTP is
    Oct 3 03:25:47 	mpd: [pt0] using interface ng1
    Oct 3 03:25:47 	mpd: [pt1] ppp node is "mpd47842-pt1"
    Oct 3 03:25:47 	mpd: [pt1] using interface ng2

    Or should the ip specified in the PPTP-server-address be there instead of

    Runin' latest nite'


  • Bump (Sorry for going on like madman about this pptp stuff, I've tried hard to find an answer for the above "", but I can't)

Log in to reply