Date: Sun, 19 May 2019 13:41:50 +0200
From: Robert Heron <robert@heron.pl>
To: Eugene Grosbein <eugen@grosbein.net>
Cc: freebsd-net@freebsd.org
Subject: Re: FreeBSD Port: mpd5-5.8_10 - only one client behind NAT can work simultaneously
Message-ID: <637DBA48-68C2-4665-8C7C-D011E46B7E8F@heron.pl>
In-Reply-To: <0fe5932b-f15b-091b-705b-26af29de0f35@grosbein.net>
References: <6B8DCAC2-803F-4247-89B1-7D071104630E@heron.pl> <0fe5932b-f15b-091b-705b-26af29de0f35@grosbein.net>
> On 18 May 2019, at 22:10, Eugene Grosbein <eugen@grosbein.net> wrote:
>
> 19.05.2019 0:31, Robert Heron wrote:
>
>> I use mpd5 from ports on FreeBSD 11.2-RELEASE-p10 amd64 and there is one serious problem I can't solve: when connecting clients from behind NAT (with the same public IP) to an mpd5 box, every newly established connection causes the previous one (from the same source IP) to go dead. All IP traffic through the previous connection is stopped, but its ng interface still exists. This happens regardless of the cryptography used. I've tried both PPTP and L2TP over IPSec PSK (with racoon). When one client connects, it works OK. When any second one from the same public IP connects, then the previous IP traffic dies. My firewall is open.
>> I've searched the net, but found no clue :(
>
> If you use PPtP and no IPSEC, then you use PPtPGRE - that is, a modified version of the GRE protocol.
> Your NAT box must support multiple PPtPGRE connections for this to work.
> If you use another FreeBSD as NAT box, it has support for multiple PPtP connections
> by means of ipfw nat if you load the alias_pptp.ko kernel module.
> If your NAT box has no support for aliasing multiple PPtP clients, you are out of luck
> and need to change NAT box or switch to another protocol.
>
> As for L2TP without IPSEC, you can use PPP/MPPE inside L2TP to encapsulate the VPN into a UDP stream
> and then it will pass through any NAT box without extra protocol support.
>
> I do not know if it is possible to run multiple L2TP/IPSEC clients behind the same NAT box.
>
> Anyway, this is all not a problem of mpd5 but of the NAT box or IPSEC.
>

I use FreeBSD 12.0 ARM as NAT box and adding alias_pptp.ko fixed the problem for PPTP. Now PPTP works OK for multiple connections :)

Multiple L2TP over IPSec connections still don't work, but I think it's a problem in my NAT box. I will try some commercial NAT router(s) with a VPN pass-through feature.

Many thanks for help!
— Robert
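The exchange above hinges on why PPTP's GRE data channel needs protocol-aware NAT. The following is an added model, not code from the thread, from mpd5 or from FreeBSD's libalias: PPTP (RFC 2637) runs call control over TCP/1723 and data over enhanced GRE (IP protocol 47), which has no ports; the only per-session discriminator is the 16-bit Call ID in the GRE Key field, and packets from server to client carry the client's Call ID. Two clients behind one public address may choose the same Call ID, so a NAT that keys GRE on addresses alone cannot separate their inbound packets. All addresses and the "in the spirit of alias_pptp" ALG below are constructed assumptions for illustration.

```python
"""Constructed model of address-only NAT versus a PPTP-aware NAT ALG.
Not taken from mpd5 or libalias; it only reproduces the failure mode
described in the thread and the fix that Call ID translation provides."""
from dataclasses import dataclass

SERVER = "203.0.113.5"      # constructed mpd5 server address
PUBLIC = "198.51.100.7"     # constructed public address of the NAT box
CLIENT_A = "192.168.1.10"   # constructed private clients behind the NAT
CLIENT_B = "192.168.1.11"


@dataclass(frozen=True)
class GrePacket:
    src: str
    dst: str
    call_id: int  # GRE Key field: Call ID of the endpoint receiving the packet


class AddressOnlyNat:
    """NAT without PPTP support: GRE flows are keyed on the peer address only.
    Each new client talking to the same server overwrites the binding, which
    matches the symptom in the thread (the previous client goes dead)."""

    def __init__(self):
        self.binding = {}  # server ip -> private client ip (last writer wins)

    def control_outbound(self, client_ip, call_id):
        # Outgoing-Call-Request seen on TCP/1723; Call ID passes through untouched
        self.binding[SERVER] = client_ip
        return call_id

    def gre_inbound(self, pkt):
        client = self.binding.get(pkt.src)
        return GrePacket(pkt.src, client, pkt.call_id) if client else None


class PptpAwareNat:
    """NAT ALG in the spirit of alias_pptp (modelled, not the real code): the
    Call ID announced on the control channel is rewritten to a value that is
    unique on the public side, and inbound GRE packets are demultiplexed by
    (server, public Call ID) and translated back."""

    def __init__(self):
        self.next_public_id = 1
        self.sessions = {}  # (server ip, public call id) -> (client ip, client call id)

    def control_outbound(self, client_ip, call_id):
        public_id = self.next_public_id
        self.next_public_id += 1
        self.sessions[(SERVER, public_id)] = (client_ip, call_id)
        return public_id  # the server learns the rewritten Call ID

    def gre_inbound(self, pkt):
        entry = self.sessions.get((pkt.src, pkt.call_id))
        if entry is None:
            return None  # unknown session: drop rather than guess a client
        client_ip, client_call_id = entry
        return GrePacket(pkt.src, client_ip, client_call_id)


def simulate(nat):
    """Two clients behind one NAT both pick Call ID 1 for a session to SERVER.
    Returns the private destination of each server->client GRE packet, in
    the order [packet for A, packet for B]; None means the packet was dropped."""
    public_ids = [nat.control_outbound(c, 1) for c in (CLIENT_A, CLIENT_B)]
    delivered = []
    for public_id in public_ids:
        inbound = GrePacket(SERVER, PUBLIC, public_id)
        translated = nat.gre_inbound(inbound)
        delivered.append(translated.dst if translated else None)
    return delivered


if __name__ == "__main__":
    print("address-only NAT:", simulate(AddressOnlyNat()))  # A's packets land on B
    print("PPTP-aware NAT:  ", simulate(PptpAwareNat()))    # each client gets its own
```

With the address-only table, the second client's binding replaces the first one's, so every server-to-client GRE packet for that server is forwarded to the most recent client; the first client's tunnel interface stays up but receives nothing, which is the behaviour reported at the top of the thread. The ALG variant keeps a session entry per (server, public Call ID) and translates the Call ID on the way back, so both clients keep working. The same reasoning is why L2TP without IPSec, being plain UDP, needs no such help.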