You don't forward GRE, it is a protocol (47). Perhaps enabling "support"
for Protocol 47 is what the "Forward PPTP Clients..." feature does?
We'd like to stick to AD as the single authentication server on the LAN.
Your solution looks great for an existing Radius framework. Maybe someday
I'll get a chance to use it.
>From: James W. McKeand [mailto:james at mckeand dot biz]
>Sent: Monday, November 07, 2005 15:31 PM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: RE: [m0n0wall] Forwarding PPTP vpn clients to a W2k3 server
>John Benjamin wrote:
>> Hello all,
>> I need some clarification on the "Redirect Incoming PPTP Connections"
>> <<Snip>> In particular, what are the differences between setting up
>> NAT and Firewall rules for PPTP VPN clients (e.g., port 1723)
>> compared to turning on the feature "Redirect Incoming PPTP
>> to:" on the VPN:PPTP page and setting up firewall rules.
>> I am trying to setup m0n0wall v1.2final as a DHCP server which will
>> forward VPN requests to a NATd W2k3 server running Active Directory
>> and RAS as the authentication server for VPN:PPTP clients.
>> In the current working config, the pass-through feature is
>> but we had to setup the W2k3 server to hand out IP addresses from a
>> static pool. Is it possible to config the VPN:PPTP pass-through so
>> that m0n0wall is the DHCP server and the w2k3 box is the VPN
>> authentication server?
>You would also need to forward GRE (or something like
>that...), which is why Inbound NAT does not work for PPTP VPNs.
>I use the PPTP server on the m0n0wall (don't forward) and use IAS
>(RADIUS) on my SBS2K3 (Win2K3) server to authenticate. See this:
>http://www.michael-i.com/files/projects/m0n0ad/ The m0n0wall
>gives out the IP based on the subnet you specify in the PPTP config.
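The point made above, that GRE is an IP protocol (number 47) and not a port, is why a plain port forward for TCP 1723 never carries the PPTP tunnel traffic. The following is an added illustration, not code from the thread or from m0n0wall: it builds two constructed packets (a PPTP control SYN to TCP 1723 and a GRE packet as PPTP uses it) and shows what a rule keyed on "destination port 1723" sees versus a rule keyed on the IP protocol number. The addresses and call id are made-up sample values.

```python
"""
Added example (not part of the m0n0wall thread): a port-based forward rule
for PPTP control traffic (TCP 1723) cannot match the tunnel's GRE packets,
because GRE (IP protocol 47) has no port numbers at all.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47
PPTP_CONTROL_PORT = 1723


def _ip2bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left at zero)."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, proto, 0,
                         _ip2bytes(src), _ip2bytes(dst))
    return header + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header with only the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def gre_pptp(call_id: int) -> bytes:
    """Enhanced GRE header as PPTP uses it (RFC 2637): flags/version,
    protocol type 0x880B (PPP), payload length, call id. No ports exist."""
    return struct.pack("!HHHH", 0x3001, 0x880B, 0, call_id)


# Constructed sample packets: same outside client, same inside VPN server.
PPTP_CONTROL_PKT = build_ipv4(IPPROTO_TCP, "203.0.113.5", "192.0.2.10",
                              tcp_syn(40000, PPTP_CONTROL_PORT))
PPTP_GRE_PKT = build_ipv4(IPPROTO_GRE, "203.0.113.5", "192.0.2.10",
                          gre_pptp(call_id=7))


def classify(packet: bytes):
    """Return (ip_protocol, destination_port_or_None), i.e. the only two
    fields a NAT/firewall rule can key on here. Only TCP and UDP carry ports."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dport = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, dport


def matches_port_forward(packet: bytes, proto: int = IPPROTO_TCP,
                         dport: int = PPTP_CONTROL_PORT) -> bool:
    """Emulates an inbound NAT entry 'forward TCP port 1723 to the server'."""
    got_proto, got_port = classify(packet)
    return got_proto == proto and got_port == dport


def matches_protocol_rule(packet: bytes, proto: int = IPPROTO_GRE) -> bool:
    """Emulates a rule keyed on the IP protocol number, which is the only
    way to match GRE since it has no ports."""
    return classify(packet)[0] == proto


def unhandled_by_port_forward(packets):
    """Which of the given packets a port-only ruleset would leave unmatched."""
    return [p for p in packets if not matches_port_forward(p)]


if __name__ == "__main__":
    for name, pkt in (("control", PPTP_CONTROL_PKT), ("gre", PPTP_GRE_PKT)):
        print(name, classify(pkt),
              "port-forward:", matches_port_forward(pkt),
              "proto-47 rule:", matches_protocol_rule(pkt))
```

Running it shows the control packet matching the port forward while the GRE packet reports no port and only matches the protocol-number rule, which is the gap the "Redirect Incoming PPTP" feature has to cover in one piece.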