PPTP Connection Tracking

From wiliGear wiki


For firewalling interests: PPTP uses GRE packets (IP protocol 47) for the tunnel and a TCP connection on port 1723 for control. Most firewall/NAT implementations don't understand the GRE call identifier and thus will only support one PPTP connection, to a single PPTP server, when your connection is over NAT.

Symptoms

When behind a NAT firewall, you can't make a PPTP connection out from two internal machines to a single external server, and if you stop the connection from the first machine, you can't make a connection from another until the 10-minute timeout has expired.

Problem

Netfilter doesn't know about the relationship between the PPTP control connection on TCP and the portless GRE protocol. When you create a PPTP connection, a NAT table entry with a default 10-minute timeout is added. When you disconnect the PPTP session, this entry is still present and has to time out before you can connect again.

Solution

Get a firmware version with kernel 2.6.14 or higher, which supports PPTP connection tracking. WILI software uses a 2.6.x kernel from v5.x onwards.

Make sure that ip_nat_pptp and ip_conntrack_pptp modules are being loaded.

Use:

lsmod | grep -i pptp

to check for the modules, and

modprobe ip_nat_pptp

and

modprobe ip_conntrack_pptp

to load the modules. If your testing works, then load the modules at boot by editing the configuration file and adding these lines:

modules.status=enabled
modules.1.status=enabled
modules.1.name=ip_conntrack_pptp
modules.2.status=enabled
modules.2.name=ip_nat_pptp
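The check and the boot configuration above, as an added shell example (not code from the wiliGear wiki): one function reports which of the two helper modules are missing from a given lsmod listing, and another emits the configuration lines for a module list. The sample lsmod output is constructed.

```shell
#!/bin/sh
# Added example, not part of the wiliGear wiki. The modules named are the
# ones the page requires; the config format is the one shown on the page.

REQUIRED_MODULES="ip_conntrack_pptp ip_nat_pptp"

# missing_modules LSMOD_OUTPUT
# Prints each required module that does not appear as a module name
# (first column) in the supplied lsmod output, one per line.
missing_modules() {
    lsmod_out="$1"
    for m in $REQUIRED_MODULES; do
        # anchor on the module name followed by whitespace so that
        # "ip_conntrack_pptp" does not match a longer, unrelated name
        if ! printf '%s\n' "$lsmod_out" | grep -q "^$m[[:space:]]"; then
            echo "$m"
        fi
    done
}

# config_lines MODULE...
# Prints the boot configuration entries for the given modules, numbered
# in the order given (ip_conntrack_pptp should precede ip_nat_pptp).
config_lines() {
    echo "modules.status=enabled"
    i=1
    for m in "$@"; do
        echo "modules.$i.status=enabled"
        echo "modules.$i.name=$m"
        i=$((i + 1))
    done
}

# check_live: run against the real kernel, loading whatever is missing.
# modprobe also pulls in the GRE protocol helpers these modules depend on.
check_live() {
    for m in $(missing_modules "$(lsmod)"); do
        echo "loading $m"
        modprobe "$m"
    done
}

# Constructed sample: only the conntrack helper is loaded, NAT helper is not.
SAMPLE_LSMOD='Module                  Size  Used by
ip_conntrack_pptp      12345  0
ip_conntrack_proto_gre  4321  1 ip_conntrack_pptp'
```

Run check_live as root on the device to load any missing module; feed config_lines the two module names to produce the boot configuration block.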