PPTP GRE Passthrough



  • Before I begin this post I would like to acknowledge that PPTP is not longer considered a secure VPN.
    That said, this is the only VPN available on some of the Cisco routers that our clients have, and they are not likely to be changing anytime soon.
    Please don't answer with the default "Don't use PPTP" that is not helping.

    From the research that I have done I have added the following firewall rules to both the WAN and LAN

    | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
    | IPv4 GRE | * | * | * | * | * | none | | PPTP Passthrough |
    | IPv4 TCP | * | * | * | 1723 (PPTP) | * | none | | PPTP Passthrough |

    However I am still unable to connect out.
    If I change out the pfSense firewall for a cisco device the connection succeeds.

    Is there anything else that I need to change?



  • It should work for a single outgoing connection without any special rules since all the firewall has to do is pass the outgoing TCP connection plus the GRE connection and keep state for those. For multiple connections you're squarely out of luck, pfSense has no way of tracking multiple GRE connections because GRE has no port numbers like TCP and UDP do (in more detail, the session identifiers are not part of the IP header). There used to be a proxy helper for GRE but it has been long since removed.