Netgate Discussion Forum
    PPTP - automatic NAT for internet connectivity

      shon

      While I'm aware that PPTP is insecure, we are OK with the risk, and our company will stick with this VPN service for the foreseeable future. I'm not sure if the automatic NAT settings should "just work" for my external PPTP users, but I figured I'd share this find anyway for the rest of the community that might be looking for a solution.

      I have the following configuration:

      Firewall Version

      2.1-BETA0 (i386)
      built on Thu Nov 22 13:25:42 EST 2012
      FreeBSD 8.3-RELEASE-p4

      You are on the latest version.

      Firewall Interface Configuration
      1.1.1.1 (WAN)
      10.10.10.254 (LAN)
      10.10.10.253 (PPTP Interface)

      NAT Configuration

      • Automatic outbound NAT rule generation
                 (IPsec passthrough included)

      Firewall Rules

      WAN

      • RFC 1918 networks * * * * *
      • Reserved/not assigned by IANA * * * * * *

      LAN

      IPv4 * * * * * * none

      PPTP VPN

      IPv4 * * * * * * none

      PPTP Configuration
      10.10.10.253 (Server Address/P-T-P Virtual Interface)
      Remote Address Range: 10.100.10.100

      My intranet connectivity is fine, but my internet connectivity isn't working.  I'm sure my PPTP/pptp0 traffic is not falling under the NAT rules.

      Status > System Logs > Firewall >

      HTTP Request:

      DNS Request:

      Act: Pass

      pptpd0 10.10.10.100:61962 8.8.8.8:53 UDP

      Act: Pass

      HTTP Request:

      pptpd0 10.10.10.100:51586 74.125.228.68:80 TCP:S

      ICMP

      Act: Pass

      pptpd0 10.10.10.100 4.2.2.2 ICMP

      This NAT configuration works with PPTP, permitting my VPN clients internet connectivity:

      Manual Outbound NAT rule generation
               (AON - Advanced Outbound NAT)

      I just have to add my LAN/VPN network to the rule list and then all is well.

      WAN   10.10.10.0/24 * * * WAN address * NO

      Thanks,

      -Shon
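
Added example, not part of shon's post: a Python check that parses the manual outbound NAT row quoted above and reports which private source addresses from the quoted firewall log would reach a public destination without a matching source network. The column reading (interface first, source network second), the reduced log-line layout (interface, source, destination, protocol) and all function names are assumptions made for this example.

```python
import ipaddress

# Manual outbound NAT row exactly as quoted in the post.
NAT_ROWS = ["WAN   10.10.10.0/24 * * * WAN address * NO"]

# Firewall log entries from the post, reduced to the assumed layout:
# interface, source[:port], destination[:port], protocol.
LOG_LINES = [
    "pptpd0 10.10.10.100:61962 8.8.8.8:53 UDP",
    "pptpd0 10.10.10.100:51586 74.125.228.68:80 TCP:S",
    "pptpd0 10.10.10.100 4.2.2.2 ICMP",
]

# "Remote Address Range" value as written in the post's PPTP configuration.
REMOTE_RANGE = "10.100.10.100"


def nat_sources(rows):
    """Map interface -> list of source networks (assumes columns 1 and 2)."""
    table = {}
    for row in rows:
        iface, source = row.split()[:2]
        table.setdefault(iface, []).append(ipaddress.ip_network(source, strict=False))
    return table


def host(field):
    """Strip an optional :port from an IPv4 log field."""
    return ipaddress.ip_address(field.split(":")[0])


def is_translated(addr, table, iface="WAN"):
    """True if addr falls inside a source network of an outbound rule on iface."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in table.get(iface, []))


def untranslated_private_sources(log_lines, table, iface="WAN"):
    """Private sources talking to public destinations with no covering rule."""
    missing = set()
    for line in log_lines:
        _in_if, src, dst, _proto = line.split()
        s, d = host(src), host(dst)
        if s.is_private and not d.is_private and not is_translated(s, table, iface):
            missing.add(str(s))
    return sorted(missing)


if __name__ == "__main__":
    rules = nat_sources(NAT_ROWS)
    print("uncovered log sources:", untranslated_private_sources(LOG_LINES, rules))
    print("remote range covered:", is_translated(REMOTE_RANGE, rules))
```

Run against the values in the post, the logged client 10.10.10.100 is inside 10.10.10.0/24, while the Remote Address Range value 10.100.10.100 is not, so any client actually assigned that address would need its own source entry.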
