<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt">The issue is it's not supported by the underlying BSD packet-filter code (i.e. the "pf" part of the name). Normal "linux" has this built into it I believe and uses the GRE session ID to keep a state table of PPTP sessions, e.g.:<br><br>=====<br>the older PPTP patch does NOT support masquerading
of multiple PPTP clients attempting to access the <em>same</em> PPTP
server. If you're trying to do this, you should take a look at your network
design and consider whether you should set up a PPTP router for your local
clients. The 2.0 patch incorporates Call-ID masquerading, which allows
multiple simultaneous sessions.<br><div><span>=====</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">Plenty of firewalls DO allow multiple outbound PPTP to the same server IP, just not pfSense. When we evaluated it several years ago as a replacement for SnapGears we tested that PPTP worked inbound and outbound (and even at the same time); we just never thought to test multiple outbound to the same server.<br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new
york,times,serif; background-color: transparent; font-style: normal;"><span>Would be nice to be able to NAT each internal client to their own public IP address, but I'm sure you can see the problem there :)</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>Bring on IPv6 to solve this as well I guess to remove the restrictions related to NAT and only having a limited number of public IP addresses available (typically a /29 for the locations we have pfsense installs).<br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>In regard to using
something more secure, yes for inbound connectivity we are typically using OpenVPN, the problem is connecting outbound to places that we have no influence over and are still using PPTP with no chance of changing any time soon.<br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>regards,</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span>Tony.<br></span></div><div
style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><span><br></span></div><div><br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; margin-top: 5px; padding-left: 5px;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div style="font-family: times new roman, new york, times, serif; font-size: 12pt;"> <div dir="ltr"> <hr size="1"> <font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b> Damien Gardner Jnr <rendrag@rendrag.net><br> <b><span style="font-weight: bold;">To:</span></b> Tony <td_miles@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> Joshua D'Alton <joshua@railgun.com.au>; Alex Samad - Yieldbroker <Alex.Samad@yieldbroker.com>; "ausnog@lists.ausnog.net" <ausnog@lists.ausnog.net> <br> <b><span style="font-weight:
bold;">Sent:</span></b> Friday, 9 August 2013 3:33 PM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [AusNOG] Application Firewall Recommendations<br> </font> </div> <div class="y_msg_container"><br><div id="yiv1284562536">
<div>
<div class="yiv1284562536moz-cite-prefix">We've seen the same thing. That said,
I haven't worked with a firewall product which DID allow this,
since it's the GRE component which would need to be inspected.
We've gotten around this by NATTING each client internally onto
their own public IP address for outbound TCP port 1723, and
outbound GRE.<br>
<br>
We're also having a lot of issues with gateway groups NOT failing
over for existing stateful sessions when the default gateway goes
down. We have a symmetrical link plus a bunch of ADSL links at
each of our offices, and the config should be that if one ADSL
link goes down, we don't care, we just start sending traffic out
the next. Except that does not happen if someone has already
accessed a specific website via the ADSL link which went down -
they can no longer access that website, unless we do a full state
reset on the firewall. <br>
<br>
I thought it was just one 'bad' pfsense install, but we have three
sites showing the same issue.<br>
<br>
--DG<br>
<br>
<br>
On 9/08/2013 2:54 PM, Tony wrote:<br>
</div>
<blockquote type="cite">
<div style="color:#000;background-color:#fff;font-family:times new roman, new york, times, serif;font-size:12pt;">
<div><span><br>
</span></div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:times new roman, new york, times, serif;
background-color:transparent;font-style:normal;"><span>The only issues we've
had with pfsense are to do with PPTP. The main issue being
that it isn't capable of inspecting outbound PPTP sessions
and maintaining a table similar to an outbound NAT table (am
I making sense). The problem that occurs is that you can
only have ONE PPTP session up between any client on the
inside and any server on the outside. So if you have users
on the inside of a pfsense box and two of them try to fire
up a PPTP session to the SAME remote endpoint, it won't work
as it can't identify the two sessions in any way as they
have the same source (outside public IP of the firewall) and
same remote destination and same protocol (GRE). Even
inbound PPTP isn't the easiest either if you want to have
outbound at the same time, you need to NAT outbound to a
different public IP so it doesn't mess with inbound (which
is fine if you have multiple public IP, but a bit harder if
you only have a single IP).<br>
</span></div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:times new roman, new york, times, serif;
background-color:transparent;font-style:normal;"><br>
<span></span></div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:times new roman, new york, times, serif;
background-color:transparent;font-style:normal;"><span>Who still uses PPTP
you might say? It's insecure, get rid of it I hear? The
problem is the remote side of things which you don't control
and users in dept X absolutely have to connect to vendor Y
via PPTP session to do something "really important".<br>
</span></div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:times new roman, new york, times, serif;
background-color:transparent;font-style:normal;"><br>
</div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:times new roman, new york, times, serif;
background-color:transparent;font-style:normal;">Other than PPTP issues, we
have no problems with it and have many pfsense firewalls
deployed around the place.<br>
</div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:times new roman, new york, times, serif;
background-color:transparent;font-style:normal;"><br>
<span></span></div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:times new roman, new york, times, serif;
background-color:transparent;font-style:normal;"><br>
<span></span></div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:times new roman, new york, times, serif;
background-color:transparent;font-style:normal;"><span>regards,</span></div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:times new roman, new york, times, serif;
background-color:transparent;font-style:normal;"><span>Tony.<br>
</span></div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:times new roman, new york, times, serif;
background-color:transparent;font-style:normal;"><br>
<span></span></div>
<div style="color:rgb(0, 0, 0);font-size:16px;
font-family:times new roman, new york, times, serif;
background-color:transparent;font-style:normal;"><span><br>
</span></div>
<div><br>
<blockquote style="border-left:2px solid rgb(16, 16, 255);margin-left:5px;margin-top:5px;padding-left:5px;">
<div style="font-family:times new roman, new york, times, serif;font-size:12pt;">
<div style="font-family:times new roman, new york, times, serif;font-size:12pt;">
<div dir="ltr">
<hr size="1"> <font face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b>
Joshua D'Alton <a rel="nofollow" class="yiv1284562536moz-txt-link-rfc2396E" ymailto="mailto:joshua@railgun.com.au" target="_blank" href="mailto:joshua@railgun.com.au"><joshua@railgun.com.au></a><br>
<b><span style="font-weight:bold;">To:</span></b>
Alex Samad - Yieldbroker
<a rel="nofollow" class="yiv1284562536moz-txt-link-rfc2396E" ymailto="mailto:Alex.Samad@yieldbroker.com" target="_blank" href="mailto:Alex.Samad@yieldbroker.com"><Alex.Samad@yieldbroker.com></a> <br>
<b><span style="font-weight:bold;">Cc:</span></b>
<a rel="nofollow" class="yiv1284562536moz-txt-link-rfc2396E" ymailto="mailto:ausnog@lists.ausnog.net" target="_blank" href="mailto:ausnog@lists.ausnog.net">"ausnog@lists.ausnog.net"</a>
<a rel="nofollow" class="yiv1284562536moz-txt-link-rfc2396E" ymailto="mailto:ausnog@lists.ausnog.net" target="_blank" href="mailto:ausnog@lists.ausnog.net"><ausnog@lists.ausnog.net></a> <br>
<b><span style="font-weight:bold;">Sent:</span></b>
Friday, 9 August 2013 1:26 PM<br>
<b><span style="font-weight:bold;">Subject:</span></b>
Re: [AusNOG] Application Firewall Recommendations<br>
</font> </div>
<div class="yiv1284562536y_msg_container"><br>
<div id="yiv1284562536">
<div dir="ltr">pfsense is pretty hard to beat as a
fairly full-featured firewall, I've used it in a
lot of situations that don't warrant the cost of a
cisco or similar setup. Works brilliantly in a VM
as well.</div>
<div class="yiv1284562536gmail_extra"><br>
</div>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<br>
<fieldset class="yiv1284562536mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
AusNOG mailing list
<a rel="nofollow" class="yiv1284562536moz-txt-link-abbreviated" ymailto="mailto:AusNOG@lists.ausnog.net" target="_blank" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a rel="nofollow" class="yiv1284562536moz-txt-link-freetext" target="_blank" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
<br>
</div>
</div><br><br></div> </div> </div> </blockquote></div> </div></body></html>
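As an added illustration (example code, not written by anyone in this thread) of the problem Tony describes and the Call-ID tracking the quoted Linux patch notes refer to: a toy outbound NAT state table keyed the way pf's GRE handling is described here (addresses and protocol only) refuses the second client to the same server, while one that also keys on the RFC 2637 Call ID keeps both sessions. The IP addresses and GRE packets are constructed for the demo.

```python
import struct

GRE_PPTP_PROTO = 0x880B  # PPP carried in enhanced GRE (RFC 2637)

def build_pptp_gre(call_id, payload=b"\x00\x21"):
    """Constructed RFC 2637 enhanced-GRE header: K bit set, version 1, and the
    Key field carrying payload length (16 bits) + peer Call ID (16 bits)."""
    flags = 0x2001  # K=1, ver=1; S/A bits left clear for brevity
    return struct.pack("!HHHH", flags, GRE_PPTP_PROTO, len(payload), call_id) + payload

def parse_pptp_gre(pkt):
    """Return (protocol_type, call_id). GRE has no ports, so the Call ID is the
    only field that tells two tunnels between the same pair of IPs apart."""
    flags, proto, _length, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PPTP_PROTO or not flags & 0x2000:
        raise ValueError("not PPTP enhanced GRE")
    return proto, call_id

class GreNat:
    """Toy outbound NAT state table for IP protocol 47 (GRE)."""
    def __init__(self, track_call_id, public_ip="203.0.113.1"):
        self.track_call_id = track_call_id
        self.public_ip = public_ip
        self.states = {}  # state key -> inside source IP

    def outbound(self, src_ip, dst_ip, pkt):
        _, call_id = parse_pptp_gre(pkt)
        # Address-only keying gives every inside host the same state entry for
        # a given server; adding the Call ID keeps the sessions distinct.
        key = (self.public_ip, dst_ip, 47) + ((call_id,) if self.track_call_id else ())
        if key in self.states and self.states[key] != src_ip:
            return None  # second client collides with the first: refused
        self.states[key] = src_ip
        return key

def demo():
    """Two inside clients, one PPTP server: address-only vs Call-ID-aware NAT.
    A real implementation also has to rewrite the client-chosen Call ID seen in
    the TCP/1723 control channel, since two clients may pick the same one."""
    server = "198.51.100.10"
    plain, aware = GreNat(track_call_id=False), GreNat(track_call_id=True)
    a = build_pptp_gre(call_id=0x1001)  # tunnel from 10.0.0.5 (constructed)
    b = build_pptp_gre(call_id=0x2002)  # tunnel from 10.0.0.6 to the same server
    r_plain = (plain.outbound("10.0.0.5", server, a), plain.outbound("10.0.0.6", server, b))
    r_aware = (aware.outbound("10.0.0.5", server, a), aware.outbound("10.0.0.6", server, b))
    return r_plain, r_aware

if __name__ == "__main__":
    print(demo())
```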