<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">We've seen the same thing. That said,
I haven't worked with a firewall product which DID allow this,
since it's the GRE component which would need to be inspected.
We've gotten around this by NATting each client internally onto
their own public IP address for outbound TCP port 1723, and
outbound GRE.<br>
<br>
We also have a lot of issues with gateway groups, NOT failing
over for existing stateful sessions, when the default gateway goes
down. We have a symmetrical link plus a bunch of ADSL links at
each of our offices, and the config should be that if one ADSL
link goes down, we don't care, we just start sending traffic out
the next. Except that does not happen if someone has already
accessed a specific website via the ADSL link which went down -
they can no longer access that website, unless we do a full state
reset on the firewall. <br>
<br>
I thought it was just one 'bad' pfsense install, but we have three
sites showing the same issue.<br>
<br>
--DG<br>
<br>
<br>
On 9/08/2013 2:54 PM, Tony wrote:<br>
</div>
<blockquote
cite="mid:1376024075.97040.YahooMailNeo@web164502.mail.gq1.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff; font-family:times
new roman, new york, times, serif;font-size:12pt">
<div><span><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;"><span>The only issues we've
had with pfsense are to do with PPTP. The main issue being
that it isn't capable of inspecting outbound PPTP sessions
and maintaining a table similar to an outbound NAT table (am
I making sense). The problem that occurs is that you can
only have ONE PPTP session up between any client on the
inside and any server on the outside. So if you have users
on the inside of a pfsense box and two of them try to fire
up a PPTP session to the SAME remote endpoint, it won't work
as it can't identify the two sessions in any way as they
have the same source (outside public IP of the firewall) and
same remote destination and same protocol (GRE). Even
inbound PPTP isn't the easiest either if you want to have
outbound at the same time, you need to NAT outbound to a
different public IP so it doesn't mess with inbound (which
is fine if you have multiple public IP, but a bit harder if
you only have a single IP).<br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;"><br>
<span></span></div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
<span>Who">
transparent; font-style: normal;"><span>Who still uses PPTP,
you might say? It's insecure, get rid of it, I hear? The
problem is the remote side of things which you don't control,
and users in dept X absolutely have to connect to vendor Y
via a PPTP session to do something "really important".<br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;"><br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;">Other than PPTP issues, we
have no problems with it and have many pfsense firewalls
deployed around the place.<br>
</div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;"><br>
<span></span></div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;"><br>
<span></span></div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;"><span>regards,</span></div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;"><span>Tony.<br>
</span></div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;"><br>
<span></span></div>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family:
times new roman,new york,times,serif; background-color:
transparent; font-style: normal;"><span><br>
</span></div>
<div><br>
<blockquote style="border-left: 2px solid rgb(16, 16, 255);
margin-left: 5px; margin-top: 5px; padding-left: 5px;">
<div style="font-family: times new roman, new york, times,
serif; font-size: 12pt;">
<div style="font-family: times new roman, new york, times,
serif; font-size: 12pt;">
<div dir="ltr">
<hr size="1"> <font size="2" face="Arial"> <b><span
style="font-weight:bold;">From:</span></b>
Joshua D'Alton <a class="moz-txt-link-rfc2396E" href="mailto:joshua@railgun.com.au">&lt;joshua@railgun.com.au&gt;</a><br>
<b><span style="font-weight: bold;">To:</span></b>
Alex Samad - Yieldbroker
<a class="moz-txt-link-rfc2396E" href="mailto:Alex.Samad@yieldbroker.com">&lt;Alex.Samad@yieldbroker.com&gt;</a> <br>
<b><span style="font-weight: bold;">Cc:</span></b>
<a class="moz-txt-link-rfc2396E" href="mailto:ausnog@lists.ausnog.net">"ausnog@lists.ausnog.net"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:ausnog@lists.ausnog.net">&lt;ausnog@lists.ausnog.net&gt;</a> <br>
<b><span style="font-weight: bold;">Sent:</span></b>
Friday, 9 August 2013 1:26 PM<br>
<b><span style="font-weight: bold;">Subject:</span></b>
Re: [AusNOG] Application Firewall Recommendations<br>
</font> </div>
<div class="y_msg_container"><br>
<div id="yiv6499151309">
<div dir="ltr">pfsense is pretty hard to beat as a
fairly full-featured firewall, I've used it in a
lot of situations that don't warrant the cost of a
cisco or similar setup. Works brilliantly in a VM
as well.</div>
<div class="yiv6499151309gmail_extra"><br>
</div>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
AusNOG mailing list
<a class="moz-txt-link-abbreviated" href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a>
<a class="moz-txt-link-freetext" href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a>
</pre>
</blockquote>
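<p>The collision Tony describes, and the per-client public IP workaround DG describes, come down to how a stateful NAT keys its session table. The toy model below is an added example written for this page; it is not pfSense code and not from any of the posters. All addresses and the port range are constructed for the demonstration. It shows that TCP flows always get a unique outside identity because the NAT can pick a fresh source port, while GRE has no ports, so two inside hosts sharing one public IP and tunnelling to the same server produce the same outside key and the second session cannot be installed. Giving each client its own public IP restores uniqueness.</p>

```python
"""Toy stateful NAT table illustrating why two inside hosts cannot both
run PPTP to the same server through a single shared public IP.

Added example for this page, not pfSense code. All addresses are constructed.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TCP, GRE = 6, 47  # IP protocol numbers


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports (GRE)
    dport: Optional[int] = None


class NatTable:
    """Tracks outbound translations. Every translated flow must be unique
    as seen from the outside, or return packets cannot be mapped back."""

    def __init__(self, public_ip_for: Dict[str, str]):
        # inside IP -> public IP it is translated to (shared or one-to-one)
        self.public_ip_for = public_ip_for
        # outside-visible key -> inside host that owns the state entry
        self.outside: Dict[Tuple, str] = {}
        self.next_port = 40000  # constructed ephemeral port range

    def translate(self, f: Flow) -> Optional[Tuple]:
        pub = self.public_ip_for[f.src]
        if f.proto == TCP:
            # Ports give the NAT a free dimension: pick an unused source port.
            port = self.next_port
            self.next_port += 1
            key = (f.proto, pub, port, f.dst, f.dport)
        else:
            # GRE carries no ports, so the only outside identity is
            # (proto, public src, dst). A second host to the same server collides.
            key = (f.proto, pub, f.dst)
        if key in self.outside:
            return None  # state collision: return traffic would be ambiguous
        self.outside[key] = f.src
        return key


def pptp_session(nat: NatTable, client: str, server: str) -> bool:
    """PPTP is a TCP/1723 control channel plus a GRE tunnel to the same
    server. The session only works if both translations can be installed."""
    ctrl = nat.translate(Flow(TCP, client, server, sport=50000, dport=1723))
    tun = nat.translate(Flow(GRE, client, server))
    return ctrl is not None and tun is not None


def demo(per_client_ips: bool) -> Tuple[bool, bool]:
    """Two inside clients dial the same PPTP server. Returns per-client
    success with a shared public IP (False) or one public IP each (True)."""
    clients = ["10.0.0.11", "10.0.0.12"]
    server = "203.0.113.5"
    if per_client_ips:
        mapping = {"10.0.0.11": "198.51.100.11", "10.0.0.12": "198.51.100.12"}
    else:
        mapping = {c: "198.51.100.1" for c in clients}
    nat = NatTable(mapping)
    return tuple(pptp_session(nat, c, server) for c in clients)


if __name__ == "__main__":
    print("shared public IP:    ", demo(False))
    print("per-client public IP:", demo(True))
```

<p>With the shared address the first client's TCP and GRE entries install, the second client's TCP entry installs on a new port, but its GRE entry hits the existing (GRE, public IP, server) key and is refused; with one-to-one mappings both clients succeed, which is exactly the outbound NAT arrangement described above.</p>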
<br>
</body>
</html>