 From:  Falcor <falcor at netassassin dot com>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  flaplante at sintra dot ca, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with PPTP connection and NAT
 Date:  Tue, 05 Feb 2008 16:52:16 -0600
Manuel Kasper wrote:

> On 05.02.2008, at 16:01, Frédéric Laplante wrote:
>> I just want to know if there is a version of m0n0wall that solved the
>> problem with Natting and GRE for users who connect to a WAN PPTP server.
>> We can't have more than one user at the same time connected to the same
>> server.
> FYI - I've played with the ipfilter PPTP NAT proxy module (included in
> ipfilter 4.x). Unfortunately, it doesn't solve the problem, which is why
> it is also unsolved in m0n0wall.
> - Manuel
This goes for many commercial firewalls as well.  Michael Brown gave a 
great suggestion of having them use IPSec if possible rather than PPTP.  
You never know if they will be traveling and be behind a NAT that will 
prohibit PPTP or have someone using it, or the state table still locked 
from an earlier use.  I use the PPTP as a cheap and dirty VPN connection 
to some remote m0n0walls that I have set up for friends.  So far I have 
been lucky and not needed to connect to more than one at a time.  :)

Other options, e.g. work-around, might be to create some other 
point-to-point between the two WAN destinations and use IPs that do not 
require NAT.  E.g. IPSEC tunnel from one firewall to another on the WAN 
and PPTP connections on 10.x.x.x from end to end using the tunnel as the 
conduit thus excluding the need to NAT. 

Or you could always set up a specific 1:1 outbound NAT for each person 
that requires the PPTP connectivity.  :)
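
Why the 1:1 outbound NAT suggestion in this message helps, as an added example that is not part of the original thread: a toy Python model of a NAT state table, assuming the NAT tracks GRE only by address pair (no PPTP Call ID awareness). All addresses and the class and function names are constructed for illustration.

```python
GRE, TCP = 47, 6                      # IP protocol numbers
SERVER = "198.51.100.7"               # constructed documentation addresses
LAN_A, LAN_B = "192.168.1.10", "192.168.1.11"

class Nat:
    """Toy NAT: TCP flows are told apart by a rewritten source port, GRE
    flows only by address pair (assumption: no Call ID tracking)."""

    def __init__(self, shared_ip, one_to_one=None):
        self.shared_ip = shared_ip
        self.one_to_one = one_to_one or {}   # LAN IP -> dedicated public IP
        self.states = {}                     # outside-facing key -> LAN IP
        self.next_port = 50000

    def outbound(self, proto, lan_ip, server_ip):
        """Return the public IP used, or None if another host owns the state."""
        public_ip = self.one_to_one.get(lan_ip, self.shared_ip)
        if proto == TCP:
            key = (TCP, public_ip, self.next_port, server_ip)
            self.next_port += 1              # unique translated port per flow
        else:
            key = (GRE, public_ip, server_ip)  # no ports to distinguish flows
        owner = self.states.setdefault(key, lan_ip)
        return public_ip if owner == lan_ip else None

    def expire(self, lan_ip):
        """Drop every state owned by lan_ip (session torn down or timed out)."""
        self.states = {k: v for k, v in self.states.items() if v != lan_ip}

def pptp_connect(nat, lan_ip, server_ip=SERVER):
    """PPTP needs both a TCP control connection and a GRE data tunnel."""
    control = nat.outbound(TCP, lan_ip, server_ip)
    data = nat.outbound(GRE, lan_ip, server_ip)
    return control is not None and data is not None

def shared_ip_scenario():
    nat = Nat("203.0.113.1")
    first, second = pptp_connect(nat, LAN_A), pptp_connect(nat, LAN_B)
    nat.expire(LAN_A)                        # first user's state goes away
    return first, second, pptp_connect(nat, LAN_B)

def one_to_one_scenario():
    nat = Nat("203.0.113.1", {LAN_A: "203.0.113.10", LAN_B: "203.0.113.11"})
    return pptp_connect(nat, LAN_A), pptp_connect(nat, LAN_B)

if __name__ == "__main__":
    print(shared_ip_scenario())
    print(one_to_one_scenario())
```

With one shared public address the second user's GRE tunnel collides with the first user's state until that state is gone; with a dedicated public address per user the GRE keys differ and both tunnels coexist.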