 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] PPTP GRE is being blocked?
 Date:  Sun, 25 Jun 2006 15:47:00 -0400
On 6/25/06, lists at dinplug dot com <lists at dinplug dot com> wrote:
> I would like to be able to enable the monowall PPTP server and at the same time make
> outgoing PPTP VPN connections from Windows XP machines located on the local LAN.

This works fine, with one caveat.  Only one LAN machine can connect to
a single remote PPTP server simultaneously.  You can have a thousand
LAN machines connecting to a thousand different PPTP servers
simultaneously, but not two LAN machines to the same remote PPTP
server.  The NAT software used in m0n0wall can't track PPTP in this
manner because GRE has no source/dest ports like TCP and UDP, and it
doesn't do inspection of any packets at higher than layer 4.

> I am running monowall v1.22 and I added a WAN firewall rule to pass all GRE packets
> (any source any destination, allowing fragmented packets), is this the correct thing to
> do?

That's unnecessary.  That traffic will get let back in by the state table.
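As an added illustration (not part of this thread or of m0n0wall's code), the toy NAT state table below is keyed only on the layer-4 tuple, the way a translator that inspects nothing above layer 4 would be. It shows why two LAN hosts cannot reach the same remote PPTP server over GRE while TCP sessions to that server can still be kept apart by rewriting the source port, and how a GRE reply is matched by the existing state without any WAN rule. All addresses are constructed.

```python
"""Toy layer-4 NAT state table (constructed example, not m0n0wall code)."""
from typing import Dict, Optional, Tuple

TCP, UDP, GRE = 6, 17, 47          # IP protocol numbers
WAN_IP = "203.0.113.2"             # constructed WAN address of the firewall
Key = Tuple[int, str, int, str, int]   # (proto, src, sport, dst, dport) after NAT


class L4Nat:
    def __init__(self, wan_ip: str = WAN_IP) -> None:
        self.wan_ip = wan_ip
        self.states: Dict[Key, str] = {}   # translated tuple -> owning LAN host

    def outbound(self, proto: int, lan_ip: str, sport: int,
                 dst: str, dport: int) -> Optional[Key]:
        """Create state for a LAN-originated flow; return the translated tuple,
        or None when the flow cannot be distinguished from an existing one."""
        key = (proto, self.wan_ip, sport, dst, dport)
        if proto in (TCP, UDP):
            # Ports exist, so the NAT can pick another WAN source port and
            # keep the tuple unique; many LAN hosts can reach one server.
            while key in self.states and self.states[key] != lan_ip:
                key = (proto, self.wan_ip, key[2] + 1, dst, dport)
        elif key in self.states and self.states[key] != lan_ip:
            # GRE carries no ports: the tuple collapses to (47, WAN, remote)
            # and there is nothing to rewrite, so the second host collides.
            return None
        self.states[key] = lan_ip
        return key

    def inbound(self, proto: int, src: str, sport: int, dport: int) -> Optional[str]:
        """Match a packet arriving on WAN against existing state; return the
        LAN host it is forwarded to, or None if nothing solicited it."""
        return self.states.get((proto, self.wan_ip, dport, src, sport))


def demo() -> Dict[str, object]:
    nat = L4Nat()
    vpn1, vpn2 = "198.51.100.1", "198.51.100.2"   # constructed remote PPTP servers
    return {
        # PPTP control channel: TCP 1723 from two hosts to one server is fine.
        "tcp_a": nat.outbound(TCP, "192.168.1.10", 40000, vpn1, 1723) is not None,
        "tcp_b": nat.outbound(TCP, "192.168.1.11", 40000, vpn1, 1723) is not None,
        # GRE data channel: only one LAN host per remote server.
        "gre_a_vpn1": nat.outbound(GRE, "192.168.1.10", 0, vpn1, 0) is not None,
        "gre_b_vpn1": nat.outbound(GRE, "192.168.1.11", 0, vpn1, 0) is not None,
        "gre_b_vpn2": nat.outbound(GRE, "192.168.1.11", 0, vpn2, 0) is not None,
        # Return GRE from vpn1 is let back in by state; unsolicited GRE is not.
        "reply_vpn1": nat.inbound(GRE, vpn1, 0, 0),
        "unsolicited": nat.inbound(GRE, "192.0.2.9", 0, 0),
    }
```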