Topic: pf+ipfw nat to break pptp outbound limitation
hshh
« on: February 12, 2012, 10:29:51 pm »

For ipfw, enable in-kernel NAT; kernel conf:
options LIBALIAS
options IPFIREWALL_NAT
or load the modules: kldload libalias; kldload ipfw_nat

pf rules:
no nat on $ext_if proto gre from any to any

ipfw rules:
ipfw nat 1 config if $ext_if same_ports reset unreg_only
ipfw add 1000 nat 1 gre from any to any

Now outbound PPTP can be simultaneous.

newfirewallman
« Reply #1 on: February 13, 2012, 02:15:42 pm »

So are you saying you may have fixed the PPTP outbound limitation?

hshh
« Reply #2 on: February 17, 2012, 05:21:39 am »

> So are you saying you may have fixed the PPTP outbound limitation?

Yes, just bypass GRE NAT on pf.

newfirewallman
« Reply #3 on: February 17, 2012, 08:53:57 am »

OK, you have me excited, how? The above commands mean nothing to me; can you simplify for dummies?

hshh
« Reply #4 on: February 18, 2012, 05:37:07 pm »

Just posting tips; maybe the pfSense developer team can do it.
I am using a pure FreeBSD system, not pfSense.

cmb
« Reply #5 on: February 19, 2012, 01:30:31 am »

Interesting workaround. It'd be hard to make work correctly in every possible scenario for every user though. It's something to consider at least.

dhatz
« Reply #6 on: March 20, 2012, 01:21:41 pm »

Could this also be used to do "NAT before IPsec"? (I haven't used ipfw's NAT.)

pbo808
« Reply #7 on: March 20, 2012, 01:44:30 pm »

What are the issues with this solution?  Any chance this is an option for 2.2?

alber_rm
« Reply #8 on: April 03, 2012, 09:25:16 am »

If there was a stable and good solution the pfSense team would have implemented it... In the meantime I have deployed a second firewall (ClearOS) between my LAN and WAN. A static route "route -p add VPNServerIP ..." tells every computer to connect through ClearOS (which can NAT the GRE protocol) for the VPN servers people use more often. I know this is not by far the best solution, but it allows me to keep using pfSense in my company... I hope this helps someone...