PPTP - automatic NAT for internet connectivity



    While I'm aware that PPTP is insecure, we are ok with the risk, and our company will stick with this VPN service for the next foreseeable future. I'm not sure if the automatic NAT settings should "just work" for my external PPTP users, but I figured I'd share this find anyway for the rest of the community that might be looking for a solution.

    I have the following configuration:

    Firewall Version

    2.1-BETA0 (i386)
    built on Thu Nov 22 13:25:42 EST 2012
    FreeBSD 8.3-RELEASE-p4

    You are on the latest version.

    Firewall Interface Configuration
    1.1.1.1 (WAN)
    10.10.10.254 (LAN)
    10.10.10.253 (PPTP Interface)

    NAT Configuration

    • Automatic outbound NAT rule generation
               (IPsec passthrough included)

    Firewall Rules

    WAN

    • RFC 1918 networks * * * * *
    • Reserved/not assigned by IANA * * * * * *

    LAN

    IPv4 * * * * * * none

    PPTP VPN

    IPv4 * * * * * * none

    PPTP Configuration
    10.10.10.253 (Server Address/P-T-P Virtual Interface)
    Remote Address Range: 10.100.10.100

    My intranet connectivity is fine, but my internet connectivity isn't working.  I'm sure my PPTP/pptp0 traffic is not falling under the NAT rules.

    Status > System Logs > Firewall >

    DNS Request:
    Act: Pass
    pptpd0 10.10.10.100:61962 -> 8.8.8.8:53 UDP

    HTTP Request:
    Act: Pass
    pptpd0 10.10.10.100:51586 -> 74.125.228.68:80 TCP:S

    ICMP:
    Act: Pass
    pptpd0 10.10.10.100 -> 4.2.2.2 ICMP

    This NAT configuration works with PPTP permitting my VPN clients internet connectivity

    Manual Outbound NAT rule generation
             (AON - Advanced Outbound NAT)

    I just have to add my LAN/VPN network to the rule list and then all is well.

    WAN   10.10.10.0/24 * * * WAN address * NO

    Thanks,

    -Shon
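As an added example (not part of the original post), here is a small check that parses `pfctl -s nat`-style output and reports which VPN client addresses fall inside no outbound NAT source network on the WAN interface, which is the condition Shon describes above. The interface name `em0`, the sample rule lines and the client addresses are constructed assumptions, not taken from the post.

```python
import ipaddress
import re

# Constructed sample in the shape of `pfctl -s nat` output on a pfSense box.
# The WAN interface (em0), WAN address and source network are assumptions.
SAMPLE_NAT_RULES = """\
no nat proto carp all
nat on em0 inet from 10.10.10.0/24 to any port = isakmp -> 1.1.1.1 static-port
nat on em0 inet from 10.10.10.0/24 to any -> 1.1.1.1 port 1024:65535
"""

# Matches the head of a pf 'nat' rule: interface, source and destination.
RULE_RE = re.compile(r"^nat on (\S+) (?:inet6? )?from (\S+) to (\S+)")


def parse_nat_sources(pfctl_output):
    """Return (interface, source network) pairs for every 'nat on' rule."""
    rules = []
    for line in pfctl_output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # 'no nat', rdr, binat and blank lines are skipped
        iface, src, _dst = m.groups()
        src = "0.0.0.0/0" if src == "any" else src
        rules.append((iface, ipaddress.ip_network(src, strict=False)))
    return rules


def uncovered_clients(pfctl_output, wan_iface, client_ips):
    """Client addresses matched by no outbound NAT rule on wan_iface.

    A VPN client listed here reaches the intranet but has no translation
    to the WAN address, so its internet-bound traffic leaves unnatted.
    """
    nets = [n for i, n in parse_nat_sources(pfctl_output) if i == wan_iface]
    return [ip for ip in client_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    # 10.10.10.100 sits in the NATted LAN range; 10.100.10.100 does not.
    print(uncovered_clients(SAMPLE_NAT_RULES, "em0",
                            ["10.10.10.100", "10.100.10.100"]))
```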

