Date: Thu, 17 Jul 2003 13:36:22 -0600 (MDT)
From: Brett Glass <brett@lariat.org>
To: net@freebsd.org
Subject: NAT and PPTP
Message-ID: <200307171936.NAA03141@lariat.org>
FreeBSD makes a very good NAT router... for most applications. But a client of mine is having terrible trouble with it when trying to use NAT with one particular protocol: PPTP. Here's what's going on.

A client has a FreeBSD box that's serving as a NAT router. He has one public IP, and lots of PCs behind the router on unregistered IPs. This works fine when they're doing browsing, etc., but fails horribly when users try to use PPTP to tunnel out into another LAN across the Internet.

The problem appears to be that PPTP -- while it uses TCP for its control connection -- uses GRE to encapsulate an encrypted PPP session between the client and the server. GRE, like TCP and UDP, is in the IP protocol family and uses IP addressing. However, it doesn't use "ports," as IP and UDP do; instead, it has a different mechanism for identifying packets that belong to different sessions or connections, and the header fields that must be inspected vary depending upon the encapsulated protocol. FreeBSD's natd doesn't understand that mechanism, so it doesn't know how to route GRE packets from the outside world back to the correct client on the private LAN.

Some NAT routers (including the DI-604 from D-Link; see http://www.dlink.com/products/?pid=62) are able to route PPTP's GRE packets correctly when multiple clients on the private LAN want to tunnel out, so it's obviously possible.

Who is the current maintainer of FreeBSD's NAT code (including natd and the NAT libraries)? How difficult would it be to add PPTP support to them?

--Brett Glass
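The "different mechanism" the message refers to is the 16-bit Call ID in the Key field of PPTP's enhanced GRE header (RFC 2637). The following is an added illustration, not code from the original post or from natd: it parses that header and keeps the kind of Call ID table a PPTP-aware NAT needs to send inbound GRE back to the right private host, including the case where two clients behind the NAT picked the same Call ID. The addresses, Call IDs and packets are constructed sample values.

```python
import struct

# PPTP data packets use "enhanced GRE" (RFC 2637): a 4-byte GRE header with
# protocol type 0x880B, then a 4-byte Key = payload length + 16-bit Call ID.
GRE_PPTP_PROTO = 0x880B
GRE_K, GRE_S, GRE_A = 0x2000, 0x1000, 0x0080   # Key / Sequence / Ack present

def parse_pptp_gre(pkt: bytes) -> dict:
    """Return the Call ID and flags of a PPTP GRE packet, or raise ValueError."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    flags_ver, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if (flags_ver & 0x7) != 1 or proto != GRE_PPTP_PROTO or not flags_ver & GRE_K:
        raise ValueError("not a PPTP enhanced-GRE packet")
    return {"call_id": call_id, "payload_len": payload_len,
            "seq": bool(flags_ver & GRE_S), "ack": bool(flags_ver & GRE_A)}

def build_pptp_gre(call_id: int, payload: bytes) -> bytes:
    """Constructed sample packet: version 1, Key present, no sequence/ack."""
    return struct.pack("!HHHH", GRE_K | 1, GRE_PPTP_PROTO, len(payload), call_id) + payload

class PptpNat:
    """Call ID table a PPTP-aware NAT keeps (hypothetical, for illustration).
    The NAT learns each client's Call ID from the outbound TCP/1723 control
    session and uses it to route inbound GRE, which carries no port numbers,
    back to the private host; clients that chose the same Call ID are given
    distinct IDs on the public side."""
    def __init__(self):
        self.by_wire_id = {}   # (server_ip, wire_call_id) -> (client_ip, client_call_id)

    def register_call(self, client_ip, server_ip, client_call_id):
        wire_id = client_call_id
        while (server_ip, wire_id) in self.by_wire_id:   # collision: pick a free ID
            wire_id = (wire_id + 1) & 0xFFFF
        self.by_wire_id[(server_ip, wire_id)] = (client_ip, client_call_id)
        return wire_id

    def route_inbound(self, server_ip, pkt):
        """Map a GRE packet from server_ip to (client_ip, packet with original Call ID)."""
        hdr = parse_pptp_gre(pkt)
        entry = self.by_wire_id.get((server_ip, hdr["call_id"]))
        if entry is None:
            return None   # no call known for this ID: nothing to route to, drop it
        client_ip, orig_id = entry
        return client_ip, pkt[:6] + struct.pack("!H", orig_id) + pkt[8:]
```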
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200307171936.NAA03141>