From owner-freebsd-pf@FreeBSD.ORG  Mon Jan 16 16:14:10 2006
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0266916A41F
	for <freebsd-pf@freebsd.org>; Mon, 16 Jan 2006 16:14:10 +0000 (GMT)
	(envelope-from sullrich@gmail.com)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.193])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6B40F43D48
	for <freebsd-pf@freebsd.org>; Mon, 16 Jan 2006 16:14:09 +0000 (GMT)
	(envelope-from sullrich@gmail.com)
Received: by wproxy.gmail.com with SMTP id i21so1225461wra
	for <freebsd-pf@freebsd.org>; Mon, 16 Jan 2006 08:14:08 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com;
	h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
	b=pQaUujAeVQEHE3EnR/iEwxOjX47uJlu8N7nCWnlIO9qBFpVRnY7vX2uDEBaBFxv38JBfwYxv4RL57O1pIvW/x7wBz8BzxL4vQJBLuCbSR/pQhTvKCwbcHffN1bi6eZGpEN1Ehcinec4dNo0fm9L1eczctVniNmcxVqIVJ7eaBZs=
Received: by 10.65.183.7 with SMTP id k7mr3016926qbp;
	Mon, 16 Jan 2006 08:14:08 -0800 (PST)
Received: by 10.64.181.18 with HTTP; Mon, 16 Jan 2006 08:14:08 -0800 (PST)
Message-ID: <d5992baf0601160814h3a1c7493hf82d81145508b0b7@mail.gmail.com>
Date: Mon, 16 Jan 2006 11:14:08 -0500
From: Scott Ullrich <sullrich@gmail.com>
To: Alexander Vyrlanovich <iskander@apple-park.kiev.ua>
In-Reply-To: <4007E994-E349-44D4-9356-9DF1A5E1098E@apple-park.kiev.ua>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
References: <4007E994-E349-44D4-9356-9DF1A5E1098E@apple-park.kiev.ua>
Cc: freebsd-pf@freebsd.org
Subject: Re: pf and pptp
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jan 2006 16:14:10 -0000

On 1/16/06, Alexander Vyrlanovich <iskander@apple-park.kiev.ua> wrote:
> Last week I moved my firewall from ipfw to pf on a gateway (FreeBSD
> RELENG_6_0 i386).
> All work fine except nat'ed pptp connections. Only one PC client can
> establish
> pptp VPT at the same time. After some google search I found this
> article: http://www.benzedrine.cx/pf/msg04961.html.
>
> Can anybody confirm, that situation with nating GRE packets with PF
> still
> persist or there is something wrong with my firewall rules?

Yep, this is a known limitation.    We've been looking around for a
PPTP proxy helper to no avail.   Frickin PPTP seems about the closest
match but would require some modifications to make it work correctly.

We see the same problems with pfSense often.

Scott