The Cache: Technology Expert's Forum

Topic: Multiple PPTP clients through NAT firewall
perkiset
« on: September 19, 2010, 11:02:26 PM »

OK, so I'm having trouble getting iPads and notebooks to PPTP up to a server when going through a NAT firewall. Search search search, find a little thread that talks about passing TCP/1723 and GRE on to the client ... so I build a couple quick rules in my pfSense box and...

it worked!

I was blown away. So by forwarding TCP port 1723 on to the 'pad and passing GRE on as well my PPTP tunnel fired up instantly and cleanly.

And now the problem.

How do I do this so that multiple 'pads / wireless devices behind the firewall can ALL do this? Classic issue: NAT is specifically designed to AVOID this sort of thing. There is no notion, AFAIK, of "port forwarding to multiple machines"; it doesn't work that way. It'd have to be some complicated multiple-public-address scheme... the DHCP clients get both an internal address and a reference to an external address, and the router hooks the two up, or something ... I dunno, and it makes my head hurt. Some sort of public, leased proxy address? Or perhaps there's something in PPTP that I just don't know at the moment ...

Anyone have any ideas at all where to go with this? Unfortunately pfSense (our firewall of choice) does not do L2TP which I think gets past this issue. Nor will a dynamic IPSEC solution work, because the clients are behind a NAT firewall. ARGH!

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
perkiset
« Reply #1 on: September 19, 2010, 11:13:59 PM »

haHA!

Found a little something, almost exactly what I described ... pfSense will do a 1:1 mapping (pinhole) so long as you have enough alias external/public IPs.

So, here's my plan: my current service allows for 5 static IPs. I put my DHCP on a fixed set of 5 internal addresses, then map the externals (port 1723 & GRE) to the DHCP'd addresses. So you're given a dynamic address when you get on my network, but it will associate an external address with your internal one. The pfSense docs say that the remote device (the VPN server in this case) will also see traffic originating from the alias public address, so THEORETICALLY it should do what I am thinking. My wireless router is in Bridged mode, so addresses that are dispensed come from pfSense, not the wireless. Ergo, pfSense can define who gets what.

Further, using MAC based leasing, I could say that *my* iPad/notebook/whatever always gets a public-pinholed address, where others get non-pinholed addresses.

Too much for tonight, but I think I'm on to something. More as events warrant.

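Added example, not part of either post above and not pfSense configuration: a small Python model of the problem described in the first post (inbound GRE cannot be "port forwarded" to several hosts) and of two ways around it, the 1:1 mapping with one public alias per client that the second post proposes, and the Call-ID tracking that "PPTP passthrough" routers implement. PPTP data runs over enhanced GRE (RFC 2637): IP protocol 47, no ports, with a 16-bit Call ID in the GRE Key field as the only per-session identifier. The hosts, addresses (10.0.0.x, 203.0.113.x), Call IDs and packets are all constructed for the demonstration.

```python
"""Why one NAT'd public address cannot be forwarded to several PPTP clients,
and two ways around it. Added example; hosts, addresses and packets are
constructed for the demonstration and are not from the forum post."""
import struct
from dataclasses import dataclass
from typing import Optional

GRE = 47
PPP_PROTO = 0x880B                            # protocol type carried in PPTP GRE
FLAG_K, FLAG_S, FLAG_A = 0x20, 0x10, 0x80     # Key / Sequence (byte 0), Ack (byte 1)
ENHANCED_GRE_VERSION = 1


def build_pptp_gre(call_id: int, payload: bytes, seq: Optional[int] = None) -> bytes:
    """Build an RFC 2637 enhanced GRE packet: flags, ver, proto, length, Call ID[, seq]."""
    flags = FLAG_K | (FLAG_S if seq is not None else 0)
    hdr = struct.pack("!BBHHH", flags, ENHANCED_GRE_VERSION, PPP_PROTO, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    return hdr + payload


def parse_pptp_gre(pkt: bytes) -> dict:
    """Return call_id/seq/ack/payload, rejecting anything that is not PPTP GRE."""
    flags, byte1, proto, length, call_id = struct.unpack_from("!BBHHH", pkt, 0)
    if byte1 & 0x07 != ENHANCED_GRE_VERSION or proto != PPP_PROTO or not flags & FLAG_K:
        raise ValueError("not PPTP enhanced GRE")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        (seq,) = struct.unpack_from("!I", pkt, off)
        off += 4
    if byte1 & FLAG_A:
        (ack,) = struct.unpack_from("!I", pkt, off)
        off += 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": pkt[off:off + length]}


@dataclass(frozen=True)
class Inbound:
    """A server->client IP packet arriving on the firewall's WAN side."""
    dst: str          # public address it was sent to
    proto: int
    l4: bytes         # GRE header + PPP frame for proto 47


def forward_by_protocol(rules: dict, pkt: Inbound) -> Optional[str]:
    """Classic port forward. GRE has no port, so the key collapses to (proto, public IP)."""
    return rules.get((pkt.proto, pkt.dst))


def forward_one_to_one(binat: dict, pkt: Inbound) -> Optional[str]:
    """The second post's plan: a 1:1 mapping from each public alias to one internal host."""
    return binat.get(pkt.dst)


def forward_by_call_id(sessions: dict, pkt: Inbound) -> Optional[str]:
    """PPTP-passthrough style: demultiplex on the peer Call ID inside the GRE header."""
    if pkt.proto != GRE:
        return None
    return sessions.get((pkt.dst, parse_pptp_gre(pkt.l4)["call_id"]))


def simulate() -> dict:
    """Two clients, each with a PPTP session to the same server; run all three schemes."""
    ipad, laptop = "10.0.0.11", "10.0.0.12"
    # Server->client GRE carries the *client's* Call ID (RFC 2637: "peer's Call ID").
    to_ipad = Inbound("203.0.113.10", GRE, build_pptp_gre(0x0001, b"\x21\x45\x00", seq=1))
    to_laptop = Inbound("203.0.113.10", GRE, build_pptp_gre(0x0002, b"\x21\x45\x00", seq=1))

    # 1) One public IP, plain forwarding: only one (47, IP) entry can exist.
    rules = {}
    for host in (ipad, laptop):
        rules[(GRE, "203.0.113.10")] = host       # second assignment silently overwrites
    plain = (forward_by_protocol(rules, to_ipad), forward_by_protocol(rules, to_laptop))

    # 2) 1:1 NAT with one public alias per client (needs as many aliases as clients).
    binat = {"203.0.113.10": ipad, "203.0.113.11": laptop}
    to_laptop_alias = Inbound("203.0.113.11", GRE, to_laptop.l4)
    one_to_one = (forward_one_to_one(binat, to_ipad), forward_one_to_one(binat, to_laptop_alias))

    # 3) One public IP, sessions keyed on Call IDs learned from the TCP/1723 control channel.
    sessions = {("203.0.113.10", 0x0001): ipad, ("203.0.113.10", 0x0002): laptop}
    by_call = (forward_by_call_id(sessions, to_ipad), forward_by_call_id(sessions, to_laptop))

    return {"plain": plain, "one_to_one": one_to_one, "by_call_id": by_call}


if __name__ == "__main__":
    for scheme, result in simulate().items():
        print(f"{scheme:>10}: ipad -> {result[0]}, laptop -> {result[1]}")
```

In the plain-forwarding case both clients' GRE lands on whichever host was configured last, which is the symptom the first post describes. The 1:1 scheme works without looking inside GRE at all, at the cost of one public address per concurrent client. The Call-ID scheme shares one public address, but a real implementation also has to watch the TCP/1723 control channel and rewrite Call IDs when two clients pick the same one, which is why it is a protocol helper rather than a static rule.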