 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Serge Leschinsky <serge at artlife dot tomsknet dot ru>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] several PPTP client via NAT simultaneously
 Date:  Tue, 1 Jul 2003 12:00:16 +0200 (CEST)
Hi Serge,

On Tue, 1 Jul 2003, Serge Leschinsky wrote:

>  The problem that I have is the following: one client can connect
> to the PPTP server without any trouble. But the second client can't
> connect to the same PPTP server (with the error "No available port" (or
> something like that)).
> Is this an error in my m0n0wall configuration, a limitation of the current
> version of the firewall, or a consequence of the ISP server configuration?

It's a limitation in ipnat (ipfilter's NAT implementation) in that it does
not have a custom proxy that understands the details of a GRE tunnel (GRE
is the protocol PPTP uses to tunnel the actual data). As such, GRE looks
like a raw IP protocol to ipnat, and since it has no information like
port numbers (as with TCP/UDP) to distinguish individual connections,
there can only be one concurrent connection to the same PPTP server. It
works fine if each of your PPTP clients connects to a different PPTP
server (i.e. different IP address).

There was some discussion about this quite a while ago; the consensus
was that an ipnat proxy would have to be written that makes use of the
session ID (or whatever it is called) in the GRE header to distinguish
individual sessions.
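To illustrate the point made above, here is an added example (not code from m0n0wall, ipnat or anyone in this thread). It parses the enhanced GRE header PPTP uses (RFC 2637, which calls the session field the "call ID") and builds a NAT session table two ways: keyed only on server address and IP protocol 47, as ipnat does, and keyed additionally on the call ID, as a GRE-aware proxy would. The two packets, the client and server addresses and the helper names are constructed for the example.

```python
import struct

PPTP_PROTO = 0x880B  # GRE protocol type carried by PPTP data packets (RFC 2637)

def parse_pptp_gre(pkt: bytes) -> dict:
    """Parse the enhanced GRE header PPTP uses and return its per-session fields."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    b0, b1, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != PPTP_PROTO or (b1 & 0x07) != 1 or not (b0 & 0x20):
        raise ValueError("not PPTP GRE (need version 1, key bit set, proto 0x880B)")
    hdr = {"call_id": call_id, "payload_len": payload_len, "seq": None, "ack": None}
    off = 8
    if b0 & 0x10:  # S bit: sequence number present
        hdr["seq"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if b1 & 0x80:  # A bit: acknowledgment number present
        hdr["ack"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    hdr["payload"] = pkt[off:off + payload_len]
    return hdr

def nat_sessions(flows, use_call_id: bool):
    """Outbound NAT table keyed like ipnat (server, proto 47) or like a GRE-aware
    proxy (server, proto 47, call ID). Returns (table, collisions): a collision is a
    second client whose return traffic could not be told apart from an existing one."""
    table, collisions = {}, 0
    for client_ip, server_ip, pkt in flows:
        hdr = parse_pptp_gre(pkt)
        key = (server_ip, 47) + ((hdr["call_id"],) if use_call_id else ())
        if key in table and table[key] != client_ip:
            collisions += 1
            continue
        table[key] = client_ip
    return table, collisions

def gre(call_id: int, seq: int, payload: bytes) -> bytes:
    # Constructed PPTP GRE frame: K and S bits set, version 1, no ack field.
    return struct.pack("!BBHHHI", 0x30, 0x01, PPTP_PROTO, len(payload), call_id, seq) + payload

# Two LAN clients behind one NAT, both tunnelling to the same PPTP server
# (constructed addresses; the payload is a PPP frame header carrying IP).
SERVER = "203.0.113.5"
FLOWS = [
    ("192.168.1.10", SERVER, gre(call_id=1, seq=1, payload=b"\xff\x03\x00\x21")),
    ("192.168.1.11", SERVER, gre(call_id=2, seq=1, payload=b"\xff\x03\x00\x21")),
]
```

With `use_call_id=False` the second client collides with the first mapping (one session, one collision); with `use_call_id=True` both clients get their own entry. A real proxy would also have to rewrite call IDs when two clients happen to pick the same value, which this example does not do.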