From: Brett Glass
Date: Thu, 17 Jul 2003 13:36:22 -0600 (MDT)
To: net@freebsd.org
Subject: NAT and PPTP
Message-Id: <200307171936.NAA03141@lariat.org>
List-Id: Networking and TCP/IP with FreeBSD

FreeBSD makes a very good NAT router... for most applications. But a client of mine is having terrible trouble with it when trying to use NAT with one particular protocol: PPTP.

Here's what's going on. A client has a FreeBSD box that's serving as a NAT router. He has one public IP, and lots of PCs behind the router on unregistered IPs. This works fine when they're doing browsing, etc., but fails horribly when users try to use PPTP to tunnel out into another LAN across the Internet.

The problem appears to be that PPTP -- while it uses TCP for its control connection -- uses GRE to encapsulate an encrypted PPP session between the client and the server. GRE, like TCP and UDP, is in the IP protocol family and uses IP addressing. However, it doesn't use "ports," as TCP and UDP do; instead, it has a different mechanism for identifying packets that belong to different sessions or connections, and the header fields that must be inspected vary depending upon the encapsulated protocol.

FreeBSD's natd doesn't understand that mechanism, so it doesn't know how to route GRE packets from the outside world back to the correct client on the private LAN. Some NAT routers (including the DI-604 from D-Link; see http://www.dlink.com/products/?pid=62) are able to route PPTP's GRE packets correctly when multiple clients on the private LAN want to tunnel out, so it's obviously possible.

Who is the current maintainer of FreeBSD's NAT code (including natd and the NAT libraries)? How difficult would it be to add PPTP support to them?

--Brett Glass
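The "different mechanism" the post refers to is the 16-bit Call ID that PPTP's enhanced GRE header (RFC 2637) carries in place of ports. Below is an added example, not code from the original message or from FreeBSD's natd, showing what a PPTP-aware NAT has to do: parse the enhanced GRE header to find the Call ID, learn each inside client's Call ID from its Outgoing-Call-Request on the TCP control channel, hand out a unique outside Call ID so two inside clients that picked the same value do not collide, and rewrite the ID back on inbound GRE so the packet reaches the right inside host. All addresses, Call IDs and packet contents are constructed for the example; the server-to-client Outgoing-Call-Reply rewrite and call teardown are left out.

```python
"""Toy PPTP-aware NAT demultiplexer (added example, not FreeBSD natd code)."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

GRE_PROTO_PPTP = 0x880B        # protocol type of enhanced GRE (RFC 2637 4.1)
PPTP_MAGIC = 0x1A2B3C4D        # magic cookie in every PPTP control message
PPTP_CTRL_MSG = 1              # PPTP message type: control message
OUTGOING_CALL_REQUEST = 7      # control message type the client sends to place a call


@dataclass
class PptpGre:
    call_id: int               # Key field: the Call ID of the packet's *destination*
    payload_len: int
    seq: Optional[int]
    ack: Optional[int]
    header_len: int


def parse_pptp_gre(pkt: bytes) -> PptpGre:
    """Parse an enhanced GRE header; raise ValueError if it is not PPTP GRE."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPTP:
        raise ValueError(f"not PPTP GRE: protocol type 0x{proto:04x}")
    if flags & 0xC000:         # C or R set: plain GRE, not PPTP's enhanced header
        raise ValueError("checksum/routing bits set")
    if not flags & 0x2000:     # K must be set: the Key field holds the Call ID
        raise ValueError("Key bit clear")
    if flags & 0x0007 != 1:    # Ver must be 1 for enhanced GRE
        raise ValueError("GRE version is not 1")
    off, seq, ack = 8, None, None
    if flags & 0x1000:         # S: sequence number present
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if flags & 0x0080:         # A: acknowledgment number present
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if len(pkt) < off + payload_len:
        raise ValueError("payload shorter than declared length")
    return PptpGre(call_id, payload_len, seq, ack, off)


def build_pptp_gre(call_id: int, payload: bytes,
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Build an enhanced GRE packet (used here only to construct sample traffic)."""
    flags = 0x2001                      # K=1, Ver=1
    if seq is not None:
        flags |= 0x1000
    if ack is not None:
        flags |= 0x0080
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPTP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def build_outgoing_call_request(call_id: int) -> bytes:
    """Fixed prefix of a 168-byte Outgoing-Call-Request with the given Call ID (constructed)."""
    head = struct.pack("!HHIHHH", 168, PPTP_CTRL_MSG, PPTP_MAGIC,
                       OUTGOING_CALL_REQUEST, 0, call_id)
    return head + b"\x00" * (168 - len(head))   # remaining fields zeroed for the example


class PptpNat:
    """Maps (server, outside Call ID) back to the inside host that owns the call.

    GRE data from the server carries the *client's* Call ID, which never appears
    in the client's own outbound GRE packets, so the NAT must learn it from the
    control channel and make it unique across all inside clients.
    """

    def __init__(self) -> None:
        self._by_outside = {}   # (server_ip, outside_call_id) -> (inside_ip, inside_call_id)
        self._next_id = 1       # a real implementation must handle wrap-around and reuse

    def outbound_control(self, inside_ip: str, server_ip: str, msg: bytes) -> bytes:
        """Rewrite the Call ID of an Outgoing-Call-Request; other messages pass through."""
        if len(msg) < 14:
            return msg
        _len, mtype, magic, ctype, _res, call_id = struct.unpack("!HHIHHH", msg[:14])
        if mtype != PPTP_CTRL_MSG or magic != PPTP_MAGIC or ctype != OUTGOING_CALL_REQUEST:
            return msg
        outside = self._next_id
        self._next_id += 1
        self._by_outside[(server_ip, outside)] = (inside_ip, call_id)
        return msg[:12] + struct.pack("!H", outside) + msg[14:]

    def inbound_gre(self, server_ip: str, pkt: bytes) -> Optional[Tuple[str, bytes]]:
        """Return (inside host, packet with its original Call ID) or None to drop."""
        hdr = parse_pptp_gre(pkt)
        entry = self._by_outside.get((server_ip, hdr.call_id))
        if entry is None:
            return None
        inside_ip, inside_call_id = entry
        return inside_ip, pkt[:6] + struct.pack("!H", inside_call_id) + pkt[8:]


def demo() -> Optional[Tuple[str, bytes]]:
    """Two inside clients both choose Call ID 1; the second still gets its packet."""
    nat = PptpNat()
    server = "203.0.113.10"                        # constructed PPTP server address
    nat.outbound_control("192.168.1.10", server, build_outgoing_call_request(1))
    nat.outbound_control("192.168.1.11", server, build_outgoing_call_request(1))
    from_server = build_pptp_gre(2, b"\xff\x03\xc0\x21", seq=5)   # outside ID 2 = 2nd client
    return nat.inbound_gre(server, from_server)
```

Without the control-channel step, a NAT that only watches GRE has nothing to key on: the client's outbound GRE packets carry the server's Call ID, so the first inbound packet with a client Call ID it has never seen cannot be matched to a host, and two inside clients that happen to choose the same Call ID are indistinguishable even if it could.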