Connect to a remote PPTP server when you have the pfSense PPTP server enabled

From PFSenseDocs

This article is part of the HOWTO series.

Contents 1 Summary 2 Reroute traffic for remote PPTP servers out an additional IP 3 Reroute traffic for a specific PPTP server out an additional IP 3.1 Add Virtual IP for your additional public IP to use for outbound PPTP 3.2 Enable Advanced Outbound NAT (AON) rules 3.3 Setup AON rule for single remote PPTP server

Summary

Connecting to a remote PPTP server (outbound) while using the same IP for incoming PPTP connections currently does not work due to limitations in PF's NAT. The only currently working choice is to NAT the outbound PPTP connection to an additional public IP.

Reroute traffic for remote PPTP servers out an additional IP

It would be nice to map outbound GRE and tcp/1723 traffic to another VIP, but that will take a different approach that is not directly available on 1.2.x. There is, however, a package called "onatproto" under System > Packages that will add a protocol option to the outbound NAT rules. This will let you create an outbound NAT rule that will move outgoing GRE traffic to a VIP instead of the WAN IP.

Reroute traffic for a specific PPTP server out an additional IP

This works by the directing all traffic destined for the remote PPTP server's IP address out another VIP instead of the WAN IP.

Add Virtual IP for your additional public IP to use for outbound PPTP

1. Click Firewall > Virtual IP
2. Click "+" to add
   1. Choose Type: Proxy ARP
   2. Interface: WAN
   3. IP Address Type: Single Address
   4. IP Address: <your additional public IP>
   5. Description: Whatever you want, something like "VIP for outbound PPTP"
3. Click Save
4. Click Apply

Enable Advanced Outbound NAT (AON) rules

1. Click Firewall > NAT
2. Click the Outbound tab
3. Select Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
4. Click Save

Setup AON rule for single remote PPTP server

1. Click the "+" at the top of the list of NAT rules
   1. Interface: WAN
   2. Source Type: Network
   3. Source Address: <your LAN subnet>/<your LAN subnet mask> (e.g. 192.168.1.1 / 24 )
   4. Destination Type: Network
   5. Destination Address: <IP of the remote PPTP server>/32
   6. Translation Address: Pick your newly added VIP from the list
   7. Description: Whatever you want, something like "Outbound PPTP"
2. Click Save
3. Click Apply
4. Double check that the newly added rule is at the top of the list. If it is not, move it up.