From: "Scott Ullrich"
To: "Rob Shepherd"
Cc: freebsd-pf@freebsd.org
Date: Wed, 31 Oct 2007 10:45:15 -0400
Subject: Re: PPTP "fixup" for FreeBSD NAT Router

On 10/31/07, Rob Shepherd wrote:
> Dear FreeBSD PF users,
>
> We have Cisco FWSM software v2.3 which doesn't pass PPTP traffic due to it not
> being able to extract the GRE session information. Grrr.... Enterprise grade my
> *rse!
>
> Nevertheless, I am intrigued to see if I can provide an alternate route for a
> customer's PPTP connection through a FreeBSD router.
>
> I'll VLAN interface on to their LAN, NAT as usual to a public IP, but I would
> like to inquire (before I commence my setup) if...
>
> 1. FreeBSD NAT (PF) will pass PPTP
> 2. if (1), will it support multiple PPTP sessions (multiple clients to common
> remote VPN server)

PF does not have PPTP session handling code. You could try using a
proxy such as frickin-pptp[1] (yes, that is really its name) that
should keep state on the GRE traffic much better, but the last time I
tried to use this daemon it had issues on FreeBSD which the author was
aware of but did not know how to fix.

[1] http://sourceforge.net/projects/frickin/

Scott