Date:      Thu, 17 Jul 2003 13:36:22 -0600 (MDT)
From:      Brett Glass <brett@lariat.org>
To:        net@freebsd.org
Subject:   NAT and PPTP
Message-ID:  <200307171936.NAA03141@lariat.org>

FreeBSD makes a very good NAT router... for most applications.
But a client of mine is having terrible trouble with it when
trying to use NAT with one particular protocol: PPTP.

Here's what's going on. A client has a FreeBSD box that's serving as a
NAT router. He has one public IP, and lots of PCs behind the router on
unregistered IPs. This works fine when they're doing browsing, etc., but
fails horribly when users try to use PPTP to tunnel out into another LAN
across the Internet.

The problem appears to be that PPTP -- while it uses TCP for its control
connection -- uses GRE to encapsulate an encrypted PPP session between the
client and the server. GRE, like TCP and UDP, is in the IP protocol family and
uses IP addressing. However, it doesn't use "ports," as IP and UDP do;
instead, it has a different mechanism for identifying packets that belong to
different sessions or connections, and the header fields that must be
inspected vary depending upon the encapsulated protocol. FreeBSD's natd
doesn't understand that mechanism, so it doesn't know how to route GRE packets
from the outside world back to the correct client on the private LAN.

Some NAT routers (including the DI-604 from D-Link; see
http://www.dlink.com/products/?pid=62) are able to route PPTP's GRE packets
correctly when multiple clients on the private LAN want to tunnel out, so it's
obviously possible. Who is the current maintainer of FreeBSD's NAT code
(including natd and the NAT libraries)? How difficult would it be to add
PPTP support to them?

--Brett Glass
