Adam,
Yes, this is normal for 1:N NAT and PPTP (GRE). With UDP and TCP,
NAT keeps track of the local private addresses by using the UDP/TCP
"port" field. PPTP's raw IP (GRE) does not have a port field to mess
with, so only one connection at a time will work.
One solution might be to provide the customer with more static IPs;
using 1:1 NAT in m0n0wall to provide the PPTP'ers with their own
public IP address. This should work around the 1:N NAT issue,
provided the number of PPTP users is small and known.
Lonnie
On Nov 22, 2007, at 10:30 AM, Adam Armstrong wrote:
> Hi,
>
> I have a customer using our ethernet-based "broadband" service in a
> managed office building we provide connectivity to.
>
> In their office we provide them with a m0n0wall device with
> basically the default config providing NAT and DHCP. The firewall
> has a static IP on the WAN interface and the default 192.168.1.1/24
> on the LAN interface providing DHCP.
>
> The customer reports that they can only create one PPTP tunnel at a
> time to their PPTP server at another site.
>
> Is this normal? I'm sure I've had multiple PPTP sessions open
> before, but they were perhaps to multiple remote servers. If it's a
> NAT limitation, are there any workarounds?
>
> Thanks in advance,
> Adam.
>
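As an added illustration (not part of the thread, and not m0n0wall's own code), a toy Python model of the NAT table Lonnie describes: TCP/UDP flows get a rewritten port, GRE flows to the same server have no port to rewrite so a second host collides, and a 1:1 mapping gives a PPTP host its own public address. All addresses and ports are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "gre"
    src: str                      # source IP
    dst: str                      # destination IP
    sport: Optional[int] = None   # None for GRE: there is no port field
    dport: Optional[int] = None


class Nat:
    """Toy 1:N NAT table; one_to_one maps a private IP to its own public IP (1:1 NAT)."""

    def __init__(self, public_ip: str, one_to_one: Optional[Dict[str, str]] = None):
        self.public_ip = public_ip
        self.one_to_one = one_to_one or {}
        self.table: Dict[Tuple, str] = {}   # outside-facing key -> private source IP
        self.next_port = 40000              # constructed ephemeral port pool

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outbound packet; return None when the NAT cannot tell hosts apart."""
        # 1:1 NAT: this host owns a dedicated public address, nothing is shared
        if pkt.src in self.one_to_one:
            return replace(pkt, src=self.one_to_one[pkt.src])
        if pkt.proto in ("tcp", "udp"):
            # The port field is the per-host identifier: rewrite it to a unique value
            self.next_port += 1
            key = (pkt.proto, self.next_port, pkt.dst, pkt.dport)
            self.table[key] = pkt.src
            return replace(pkt, src=self.public_ip, sport=self.next_port)
        # GRE has no port, so the only outside identifier is (proto, remote server)
        key = ("gre", pkt.dst)
        owner = self.table.setdefault(key, pkt.src)
        if owner != pkt.src:
            return None   # a second host to the same PPTP server collides with the first
        return replace(pkt, src=self.public_ip)


if __name__ == "__main__":
    nat = Nat("203.0.113.10")
    print(nat.translate(Packet("gre", "192.168.1.10", "198.51.100.5")))
    print(nat.translate(Packet("gre", "192.168.1.11", "198.51.100.5")))   # None
```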