tech-net archive


Re: PPTP and PF NAT



On Tue, Aug 11, 2009 at 10:53:40AM -0500, David Young wrote:
> I have a private network where two or more VPN clients need to
> simultaneously connect with the same PPTP VPN concentrator on the web.
> Between the clients and the wider Internet is my PF NAT firewall.  One
> VPN client can connect, but a second client cannot.  The reason is that
> PF NAT does not grok PPTP or GRE in general, so it cannot use the Call
> ID field to distinguish the packets sent by the concentrator to one
> client from packets sent to another client.
> 
> Is this problem familiar to anyone?  Is there any workaround, short of
> patching my kernel to track PPTP sessions?  On the web, I've found out
> that there are two patchsets for tracking PPTP sessions in PF, so I will
> be trying those if no other solution shows up.

Just in case anybody is interested to see how I solved the problem, I
took advantage of the fact that we had 14 external IP numbers and only
about 8 workstations on the LAN that need to connect to the VPN.  I
wrote two NAT rules for each workstation, one affecting the connections
to the VPN concentrator at TCP port 1723, and one affecting the GRE
packets:

# PPTP control channel (TCP 1723) and GRE data channel for workstation A
nat on ${wanif} inet proto gre from ${wkstn_a} to any -> ${external_ip_a}
nat on ${wanif} inet from ${wkstn_a} to any port = pptp -> ${external_ip_a}
# the same pair for workstation B, mapped to its own external address
nat on ${wanif} inet proto gre from ${wkstn_b} to any -> ${external_ip_b}
nat on ${wanif} inet from ${wkstn_b} to any port = pptp -> ${external_ip_b}
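As an added example, not part of David Young's mail, the following is a complete pf.conf fragment (old-style `nat on` syntax, as used by the PF of that era) that implements the one-external-address-per-workstation mapping described above. Interface names, LAN addresses and external addresses are constructed placeholders. It goes slightly beyond the mail by adding the shared NAT rule for the remaining LAN hosts and the filter rules the GRE and control channel need; the GRE rules are scoped to the dedicated external addresses only.

```pf
# Added example, not the original poster's configuration. All names and
# addresses below are constructed placeholders.
wanif = "wm0"
lanif = "wm1"

# one LAN workstation and one dedicated external address per pair
wkstn_a = "192.168.1.10"
wkstn_b = "192.168.1.11"
external_ip_a = "203.0.113.10"
external_ip_b = "203.0.113.11"

# everything else on the LAN shares one address (ordinary many-to-one NAT)
external_ip_shared = "203.0.113.2"

# PPTP control channel (TCP 1723) and GRE data channel for workstation A
nat on $wanif inet proto gre from $wkstn_a to any -> $external_ip_a
nat on $wanif inet proto tcp from $wkstn_a to any port = pptp -> $external_ip_a

# the same pair for workstation B, on its own external address
nat on $wanif inet proto gre from $wkstn_b to any -> $external_ip_b
nat on $wanif inet proto tcp from $wkstn_b to any port = pptp -> $external_ip_b

# remaining LAN traffic; this must come after the specific rules, because
# for nat rules the first matching rule wins (unlike filter rules)
nat on $wanif inet from $lanif:network to any -> $external_ip_shared

# filter rules: the control channel goes out statefully; GRE carries no
# ports, so the concentrator's replies need an explicit inbound rule,
# limited to the addresses reserved for the VPN workstations
pass out on $wanif inet proto tcp from any to any port = pptp keep state
pass out on $wanif inet proto gre from { $external_ip_a, $external_ip_b } to any
pass in  on $wanif inet proto gre from any to { $external_ip_a, $external_ip_b }
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and verify that the dedicated external addresses are actually configured on the WAN interface (or answered by it), since PF only rewrites the source address and does not make the box respond to traffic for addresses it does not own. Because each workstation now has a distinct external source address, the concentrator's GRE replies are distinguishable by destination address alone and PF never has to look at the PPTP Call ID.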

