NAT and PPTP

Julian Elischer julian at elischer.org
Thu Jul 17 13:34:56 PDT 2003


How is he doing PPTP?


On Thu, 17 Jul 2003, Brett Glass wrote:

> FreeBSD makes a very good NAT router... for most applications.
> But a client of mine is having terrible trouble with it when
> trying to use NAT with one particular protocol: PPTP.
> 
> Here's what's going on. A client has a FreeBSD box that's serving as a
> NAT router. He has one public IP, and lots of PCs behind the router on
> unregistered IPs. This works fine when they're doing browsing, etc., but
> fails horribly when users try to use PPTP to tunnel out into another LAN
> across the Internet.
> 
> The problem appears to be that PPTP -- while it uses TCP for its control
> connection -- uses GRE to encapsulate an encrypted PPP session between the
> client and the server. GRE, like TCP and UDP, is in the IP protocol family and
> uses IP addressing. However, it doesn't use "ports," as IP and UDP do;
> instead, it has a different mechanism for identifying packets that belong to
> different sessions or connections, and the header fields that must be
> inspected vary depending upon the encapsulated protocol. FreeBSD's natd
> doesn't understand that mechanism, so it doesn't know how to route GRE packets
> from the outside world back to the correct client on the private LAN.
> 
> Some NAT routers (including the DI-604 from D-Link; see
> http://www.dlink.com/products/?pid=62) are able to route PPTP's GRE packets
> correctly when multiple clients on the private LAN want to tunnel out, so it's
> obviously possible. Who is the current maintainer of FreeBSD's NAT code
> (including natd and the NAT libraries)? How difficult would it be to add
> PPTP support to them?
> 
> --Brett Glass
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
> 
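
The session identifier the quoted message alludes to is the 16-bit Call ID in PPTP's enhanced GRE header (RFC 2637). The following is an added example, not code from this thread or from FreeBSD's natd: it validates that header and uses the Call ID to pick a private host. The mapping table, function names, addresses and sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRE_PROTO_PPP 0x880B   /* protocol type used by PPTP's enhanced GRE */

/* Return the 16-bit Call ID from an enhanced GRE (version 1, RFC 2637)
 * header, or -1 if the buffer is not a well-formed PPTP GRE packet. */
int pptp_gre_call_id(const uint8_t *p, size_t len)
{
    if (len < 8) return -1;                          /* fixed 8-byte part */
    if ((p[1] & 0x07) != 1) return -1;               /* version must be 1 */
    if ((p[0] & 0x80) || !(p[0] & 0x20)) return -1;  /* C clear, K set */
    if ((p[2] << 8 | p[3]) != GRE_PROTO_PPP) return -1;
    size_t hdr = 8;
    if (p[0] & 0x10) hdr += 4;                       /* S: sequence number */
    if (p[1] & 0x80) hdr += 4;                       /* A: acknowledgment number */
    size_t payload_len = (size_t)(p[4] << 8 | p[5]);
    if (len < hdr || len - hdr < payload_len) return -1;  /* truncated */
    return p[6] << 8 | p[7];
}

/* Hypothetical NAT state: one entry per tunnel, keyed by Call ID. */
struct pptp_map { uint16_t call_id; const char *private_ip; };

/* Pick the private host for an inbound GRE packet; NULL if none matches. */
const char *pptp_demux(const struct pptp_map *t, size_t n,
                       const uint8_t *p, size_t len)
{
    int id = pptp_gre_call_id(p, len);
    for (size_t i = 0; id >= 0 && i < n; i++)
        if (t[i].call_id == id) return t[i].private_ip;
    return NULL;
}

/* Constructed sample: K, S, A set, version 1, 4-byte payload, Call ID 0x1234. */
static const uint8_t sample_pkt[] = {
    0x30, 0x81, 0x88, 0x0B, 0x00, 0x04, 0x12, 0x34,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0xDE, 0xAD, 0xBE, 0xEF };
static const struct pptp_map sample_map[] = {
    { 0x1234, "192.168.0.10" }, { 0x0002, "192.168.0.11" } };

int main(void)
{
    const char *ip = pptp_demux(sample_map, 2, sample_pkt, sizeof sample_pkt);
    printf("Call ID 0x%04x -> %s\n",
           (unsigned)pptp_gre_call_id(sample_pkt, sizeof sample_pkt), ip ? ip : "(drop)");
    return 0;
}
```

Each endpoint chooses its own Call ID, so two hosts behind the same public address can pick the same value. A NAT therefore has to learn the IDs from the TCP port 1723 control connection and be prepared to rewrite them.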


