tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: PPTP and PF NAT



> I have a private network where two or more VPN clients need to
> simultaneously connect with the same PPTP VPN concentrator on the
> web.

PPTP uses the Web?  I thought it was layered directly atop UDP, or
maybe even IP, like most VPNish things.

> Between the clients and the wider Internet is my PF NAT firewall.

You've probably just found yet another casualty of the way NAT breaks
the assumptions underlying IP networking.  Break the assumptions and
you break things built on those assumptions; it's a tribute to the
robustness of the protocols that as many of them work as do.

About all I have to suggest is "don't do that" - don't try to use
behind-NAT connectivity as if it were full-on IP connectivity.  (I make
no pretense to thinking you will consider this helpful; given your
phrasing, I feel moderately sure you would prefer to paper over the
brokenness rather than fix it in this case.  And as to papering it
over, I don't know enough about PPTP, but if it really is layered atop
the Web, it might be worth looking into why it isn't being handled by
the generic TCP tracking in your NAT.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse%rodents-montreal.org@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Home | Main Index | Thread Index | Old Index