VPN behind pfSense 2.0



  • I was wondering if the issue with multiple VPN clients behind a pfSense firewall being unable to connect to the same external VPN server has been resolved in 2.0…

    Thanks!



  • Are you talking about IPsec or PPTP?



  • PPTP



  • Ok so I found this on another website about pfSense -

    NAT Limitations

    • PPTP and GRE Limitation - The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server. This means if you use PPTP VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet. A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one simultaneously to a single server. The only available workaround is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server. This is not a problem with other types of VPN connections. A solution for this is currently under development.
    • SIP Limitation - By default, all TCP and UDP traffic other than SIP and IPsec gets the source port rewritten. More information on this can be found in the static port documentation. Because this source port rewriting is how pf tracks which internal IP made the connection to the given external server, and almost all SIP traffic uses the same source port, only one SIP device can connect simultaneously to a single server on the Internet. Unless your SIP devices can operate with source port rewriting (most can't), you cannot use multiple phones with a single outside server without using a dedicated public IP per device. The siproxd package now provides a solution for this problem in pfSense 1.2.1 and newer.
    • NAT Reflection limitations - NAT reflection can only be used with port ranges less than 500 ports and cannot be used with 1:1 NAT hosts.

    – I guess my question remains as to whether this is attempting to be addressed in the 2.0 release?



  • It should work on 1.2.2+ for outgoing connections.
    For 2.0 I have not yet merged it because of reshuffling things when moving to FreeBSD 7.1, but it will be in 2.0.



  • That is good to hear, however just as an FYI, I'm running 1.22 and it does not work. Is there an additional update I need to apply?

    Thanks in advance.



  • Here is the code I'm running:
    Version 1.2.2
    built on Thu Jan 8 22:30:24 EST 2009



  • I am running 1.2.3-PRERELEASE-TESTING-VERSION built on Thu Feb 19 06:12:45 EST 2009 and still will not allow me to connect to the same external IP with TWO VPN (PPTP) clients.

    This is actually preventing me from using it in our corporate environment. Personally, I don't have a problem running it at home since I am the only one connecting to it anyway.

    Is the limitation by FreeBSD's design?

    I am looking forward to 2.0 when it's actually working.



  • You can try the "frickin" package - that helped me out.

    1.2.3 doesn't even work with a single PPTP client for me - NAT doesn't rewrite the source IP on the GRE packets.



  • Yup I just upgraded to the latest 1.2.3 build and it still doesn't work here either.



  • So after installing frickin, how do I go about configuring it / starting the service?

    Thanks



  • @glor:

    Ok so I found this on another website about pfSense -

    NAT Limitations

    • PPTP and GRE Limitation - The state tracking code in pf for the GRE protocol can only track a single session per public IP per external server. This means if you use PPTP VPN connections, only one internal machine can connect simultaneously to a PPTP server on the Internet. A thousand machines can connect simultaneously to a thousand different PPTP servers, but only one simultaneously to a single server. The only available workaround is to use multiple public IPs on your firewall, one per client, or to use multiple public IPs on the external PPTP server. This is not a problem with other types of VPN connections. A solution for this is currently under development.

    AFAIK, this is a problem in TCP/IP's design since NAT only translates UDP or TCP. GRE cannot be translated. No firewall I'm aware of "fixes" this problem.
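As an added illustration (not pf, pfSense or frickin code, and not posted by anyone in this thread) of why the GRE state described above holds only one PPTP session per public IP per external server: a toy NAT state table fed constructed PPTP enhanced-GRE headers (RFC 2637, IP protocol 47), first keyed the way the quoted text describes pf doing it, then keyed on a per-client Call ID. The addresses and Call IDs are constructed, and the Call ID translation is a simplified model of what a PPTP-aware helper does by watching the TCP/1723 control channel.

```python
import struct
GRE_PROTO = 47           # IP protocol number of GRE
PPTP_ETHERTYPE = 0x880B  # protocol type in the PPTP enhanced GRE header (RFC 2637)

def build_pptp_gre(call_id, payload):
    """Constructed enhanced GRE header: K/S/A flags, version 1, Call ID, then payload."""
    return struct.pack("!BBHHH", 0x30, 0x81, PPTP_ETHERTYPE, len(payload), call_id) + payload

def parse_call_id(pkt):
    """Return the Call ID, rejecting anything that is not PPTP enhanced GRE."""
    flags, ver, proto, _, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != PPTP_ETHERTYPE or not (flags & 0x20) or (ver & 0x07) != 1:
        raise ValueError("not a PPTP enhanced GRE packet")
    return call_id

class NaiveGreNat:
    """pf-style GRE state: keyed on (protocol, external server) only; Call ID ignored."""
    def __init__(self):
        self.state = {}

    def outbound(self, internal_ip, server_ip):
        self.state[(GRE_PROTO, server_ip)] = internal_ip  # 2nd client overwrites the 1st

    def inbound(self, server_ip, pkt):
        return self.state.get((GRE_PROTO, server_ip))

class CallIdGreNat:
    """PPTP-aware translation: the state key also carries a per-client external Call ID."""
    def __init__(self):
        self.next_ext, self.by_ext = 1, {}

    def outbound(self, internal_ip, server_ip, client_call_id):
        # Simplified: the external Call ID is what the server sees; the client's original is kept.
        ext, self.next_ext = self.next_ext, self.next_ext + 1
        self.by_ext[(server_ip, ext)] = (internal_ip, client_call_id)
        return ext

    def inbound(self, server_ip, pkt):
        internal_ip, orig = self.by_ext[(server_ip, parse_call_id(pkt))]
        return internal_ip, build_pptp_gre(orig, pkt[8:])  # restore the client's Call ID

def demo(server="203.0.113.10"):
    """Two LAN clients that both chose Call ID 1 reach the same PPTP server (constructed)."""
    naive, aware, clients = NaiveGreNat(), CallIdGreNat(), ("192.168.1.20", "192.168.1.21")
    for host in clients:
        naive.outbound(host, server)
    ext_ids = [aware.outbound(host, server, 1) for host in clients]
    naive_dst = naive.inbound(server, build_pptp_gre(1, b"ppp"))  # reply meant for .20 goes to .21
    aware_dst, restored = aware.inbound(server, build_pptp_gre(ext_ids[0], b"ppp"))
    return naive_dst, aware_dst, parse_call_id(restored)
```

Running `demo()` returns `("192.168.1.21", "192.168.1.20", 1)`: the naive table delivers the server's reply for the first client to the second, while the Call ID keyed table delivers it correctly with the original Call ID restored.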