VPN pass through?

John Murphy jfm at blueyonder.co.uk
Tue Apr 1 12:23:25 PST 2003


"Mark-Nathaniel Weisman" <mark at outlander.us> wrote:
<long lines re-formatted>
>I have a W2K VPN server (RRAS using PPTP) setup behind my FreeBSD firewall.
>I also have a web server, mail server, and several others. I've set up my
>ipfw to allow packets for port 1723 on both tcp and udp from any to any,
>and set up NATD to redirect_port 1723 to the internal address of my VPN
>box. I am unable to pass the packets through, and when I put the redirect
>statement in my natd.conf file, none of the redirection works. I've tried
>redirecting both the port and the protocol to no avail.
>Can someone take a moment to explain where I'm going wrong?

You need to pass proto gre.  Ipfw may do this by default, I'm not sure,
but I had to add:

pass in quick on ed0 proto gre all
pass out quick on ed0 proto gre all

to get a VPN working through an ipf firewall.

You may not need to redirect 1723 if the firewall is 'stateful'
and you initiate the connection from 'this' end.

HTH
John.
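As an added illustration (not from either poster), this Python classifier shows why a rule set that only opens port 1723 breaks PPTP: the control channel is TCP/1723, but the tunnelled data travels in GRE (IP protocol 47), which a port-based rule never matches. The packets are constructed inline and the two rule sets are simplified models of "ports only" versus "ports plus GRE", not ipfw or ipf syntax.

```python
import struct

GRE_PROTO, TCP_PROTO, UDP_PROTO = 47, 6, 17
PPTP_CTRL_PORT = 1723
PPP_PTYPE = 0x880B  # protocol type PPTP puts in its enhanced GRE header

def classify(pkt: bytes) -> str:
    """Label an IPv4 packet as 'pptp-control', 'pptp-data' or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    if proto == TCP_PROTO and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if PPTP_CTRL_PORT in (sport, dport):
            return "pptp-control"  # the PPTP control channel is TCP only
    elif proto == GRE_PROTO and len(payload) >= 4:
        flags, ptype = struct.unpack("!HH", payload[:4])
        # PPTP data: GRE version 1 with the Key (call-ID) bit set, carrying PPP
        if (flags & 0x7) == 1 and flags & 0x2000 and ptype == PPP_PTYPE:
            return "pptp-data"
    return "other"

def allowed(pkt: bytes, passes: set) -> bool:
    """Model a packet filter as the set of packet classes it lets through."""
    return classify(pkt) in passes

# Simplified rule sets: the asker's (tcp/udp 1723 only) and the fix (plus GRE).
PORT_1723_ONLY = {"pptp-control"}
WITH_GRE = {"pptp-control", "pptp-data"}

# --- constructed sample packets (not captured traffic) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    src, dst = bytes([192, 168, 1, 10]), bytes([192, 0, 2, 5])  # RFC 1918 / TEST-NET-1
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload

ppp = b"\xff\x03\xc0\x21"  # start of a PPP LCP frame
PPTP_CONTROL = ipv4(TCP_PROTO, struct.pack("!HHIIBBHHH", 40000, 1723, 0, 0, 0x50, 0x02, 8192, 0, 0))
PPTP_DATA = ipv4(GRE_PROTO, struct.pack("!HHHHI", 0x3001, PPP_PTYPE, len(ppp), 7, 1) + ppp)
PLAIN_GRE = ipv4(GRE_PROTO, struct.pack("!HH", 0x0000, 0x0800) + b"\x45" + b"\x00" * 19)
UDP_1723 = ipv4(UDP_PROTO, struct.pack("!HHHH", 40000, 1723, 8, 0))  # PPTP never uses this

if __name__ == "__main__":
    for name, pkt in [("control", PPTP_CONTROL), ("data", PPTP_DATA), ("udp1723", UDP_1723)]:
        print(f"{name:8s} 1723-only: {allowed(pkt, PORT_1723_ONLY)}  with GRE: {allowed(pkt, WITH_GRE)}")
```

The control connection passes under both rule sets, but the GRE-carried data is dropped by the ports-only filter, which is exactly the half-working tunnel the question describes.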

