Several PPTP VPN Clients Under Network



  • Hi There,

    I finally managed to convince my company to try a solution like pfSense. It's working well, but I forgot that I have some users using a remote PPTP server (they make connections between the PC and the remote network). The problem is that the first user connects to the remote network successfully, but when the second one tries to connect I have 2 dropped connections. I think that's a NAT problem; can someone give me some explanation of how I can solve this problem? Thanks in advance.



  • You might want to look at the limitations of PPTP on pfSense. Each PPTP connection needs its own IP to NAT to get out to the Internet, or Extranet, WAN interface.

    http://doc.pfsense.org/index.php/What_are_the_limitations_of_PPTP_in_pfSense%3F

    Here is the set-up for multiple pptp connections.

    http://doc.pfsense.org/index.php/Connect_to_a_remote_PPTP_server_when_you_have_the_pfSense_PPTP_server_enabled



  • Hi M.I.Bovrd

    First of all, thanks for your quick answer. I was reading your link and I noticed something. They mention that the problem is when you have the PPTP server enabled, but this is not the case. pfSense doesn't have any VPN server enabled and I'm just connecting to an external server. Does this apply to that too? Because I tried that and now I lost my single VPN connection. Any other idea?
    Thanks



  • @toxicrainpx:

    pfSense doesn't have any VPN server enabled and I'm just connecting to an external server. Does this apply to that too?

    Yes, because passing PPTP through NAT requires a "PPTP proxy", which pf lacks.

    Check the Call-ID info at
    http://technet.microsoft.com/en-us/library/cc958044.aspx
    http://blogs.isaserver.org/pouseele/2007/06/17/multiple-pptp-vpn-clients-behind-a-nat-device/
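The Call-ID point in the reply above, as an added illustration (not part of the original thread, and not pfSense or pf code). It is a simplified model: the two NAT classes, the addresses and the Call-ID values are constructed, and it assumes both clients reach the same remote server through one public IP.

```python
import struct

PPTP_GRE_PROTO = 0x880B  # protocol type in PPTP's enhanced GRE header

def build_gre(call_id, seq, payload):
    """Constructed server-to-client packet: K and S bits set, GRE version 1."""
    return struct.pack("!HHHHI", 0x3001, PPTP_GRE_PROTO, len(payload), call_id, seq) + payload

def parse_call_id(packet):
    """Return the Call-ID field, the only per-session selector GRE offers."""
    flags_ver, proto, _length, call_id = struct.unpack("!HHHH", packet[:8])
    if flags_ver & 0x7 != 1 or proto != PPTP_GRE_PROTO:
        raise ValueError("not a PPTP enhanced GRE packet")
    return call_id

class NaiveNat:
    """No PPTP awareness: GRE has no ports, so state is keyed on the server IP."""
    def __init__(self):
        self.state = {}
    def outbound(self, client_ip, server_ip):
        self.state[server_ip] = client_ip  # a second client replaces the first
    def inbound(self, server_ip, packet):
        return self.state.get(server_ip)

class CallIdNat:
    """PPTP-aware: learns each client's Call-ID from the TCP 1723 control channel."""
    def __init__(self):
        self.state = {}
    def register_call(self, client_ip, server_ip, call_id):
        if (server_ip, call_id) in self.state:
            raise ValueError("Call-ID already in use; a proxy would need to rewrite one")
        self.state[(server_ip, call_id)] = client_ip
    def inbound(self, server_ip, packet):
        return self.state.get((server_ip, parse_call_id(packet)))

def demo():
    server, a, b = "203.0.113.10", "192.168.1.10", "192.168.1.11"  # constructed
    to_a = build_gre(0x1111, 1, b"ppp-a")  # server addresses A by A's Call-ID
    to_b = build_gre(0x2222, 1, b"ppp-b")
    naive, aware = NaiveNat(), CallIdNat()
    for client, call_id in ((a, 0x1111), (b, 0x2222)):
        naive.outbound(client, server)
        aware.register_call(client, server, call_id)
    return {"naive": (naive.inbound(server, to_a), naive.inbound(server, to_b)),
            "aware": (aware.inbound(server, to_a), aware.inbound(server, to_b))}

if __name__ == "__main__":
    print(demo())
```

In the naive model both return packets are delivered to the second client, so the first tunnel loses its data channel; giving each tunnel its own public IP, as the linked pfSense pages describe, makes the address itself the distinguishing key.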



  • Well, not sure what you can do.

    • If you have spare public IPs lying around not being used, then use them.

    • Don't NAT, but you would still need those spare IPs.

    • Move to OpenVPN or IPsec.

    Another rather obscure option:
    L2TP available from your ISP vendor.

    Changing to OpenVPN seems the best and most secure option, IMO.



  • Well, I know; we use another system to support VPNs to the company and it's a good system. The problem is that we're in the middle of a fusion and we need to have compatibility with the other company's infrastructure; that's why I need this. Just another question: do I need to create a Virtual IP for each machine that wants to connect to the outside VPN, or do I just need one? Thanks for your support, guys. You're incredible.



  • I was thinking about something: is it possible to disable my NAT? I do not need any port redirection from the outside network. This is just an internet access point that I want to use with the PPTP clients and captive portal for www navigation. Is it possible to try that? Using pfSense just like a normal house router?



  • You need a VIP for every PPTP connection.

    Normal house routers use NAT because they usually have a single IP and need to access everything through that single IP.

    If you are routing private addresses only, then you can disable NAT, but if you have to go onto the internet they won't route, so you have to NAT.

    Thinking out loud here. I don't know enough about your system. Maybe if you put up a diagram we could help.
    What did you use before pfSense? Can you use that to terminate the PPTPs to, and then connect via IPsec inside?
    Chuck a Linux box outside and ssr each connection inside, not sure that'd work either?

