Passing a PPTP/VPN connection through natd
added 9.24.2000 -- written by David van Geyn


Article Description: This article describes how to set up natd so that one computer behind your firewall can act as either a server or a client.
If you want to allow one computer behind your natd firewall to be a PPTP/VPN server or client, here is how to do it.

natd in at least FreeBSD 3.4 through FreeBSD 4.0 has an option called 'pptpalias'. It exists for exactly this purpose: every inbound GRE (IP protocol 47) packet that reaches the aliasing address is passed to the specified internal address, and GRE leaving that address is aliased back the other way. The PPTP control connection is an ordinary TCP session on port 1723 and natd handles it like any other; it is only the GRE data channel that needs special treatment, because GRE carries no port numbers for natd to track.

In my case, I access a Microsoft VPN server that is not under my control (otherwise I would use IPsec). The computer I want to be able to access this VPN server from has the internal IP address 192.168.2.51.

So, in my example, I added the following line to my natd.conf.

pptpalias        192.168.2.51

That is all you need to do on the natd side, as long as your ipfw rules let GRE (protocol 47) packets pass in both directions (TCP port 1723 for the control connection must be allowed too, but that is aliased like any other TCP session).

Another option is to add the following to your command line when starting natd.

/sbin/natd ...other options here... -pptpalias 192.168.2.51


Here is what the manpage says about redirect_proto.

-redirect_proto proto localIP [publicIP [remoteIP]]
Redirect incoming IP packets of protocol proto (see
protocols(5)) destined for publicIP address to a localIP
address and vice versa.

If publicIP is not specified, then the default aliasing
address is used. If remoteIP is specified, then only packets
coming from/to remoteIP will match the rule.

It looks to me like this option lets you set up protocol forwarding separately for different local addresses. Note that remoteIP is the fourth argument, so to use it you must also write out publicIP (your external aliasing address) instead of relying on the default. So, if my computer at 192.168.2.51 wanted to reach a VPN server at 1.1.1.1 and another computer on the local network, say 192.168.2.100, wanted to reach a VPN server at 2.2.2.2, you could add two redirect_proto lines to natd.conf, each naming its own remoteIP, and both computers could use their respective VPN servers. That is much better than the pptpalias option, which takes only one local address and no server address.

If you have any info on the redirect_proto option, or on passing IPsec, VPN and PPTP tunnels through natd, send me the info by sending feedback.



NOTE Added November 1, 2002

After FreeBSD 4.0-RELEASE the 'pptpalias' option was deprecated, and you must now use the 'redirect_proto' option to forward GRE (protocol 47) packets to the specified host explicitly. My server at home is now running FreeBSD 4.5, and this option works great. The only limitation is that there can only be a one-to-one mapping of server to client (i.e. you could not have two clients using the same PPTP/VPN server): GRE has no port numbers, so once the remote server address is the same natd has nothing left to tell the two tunnels apart.
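The article never shows the redirect_proto lines themselves, so here is a worked natd.conf fragment. It is an added example by the editor, not code from the original page or from the FreeBSD project, and it follows the natd(8) syntax quoted above with the leading dash dropped, as natd.conf requires. It covers the single-client case from the note above, the two-clients-to-two-servers case speculated about earlier, and the server case mentioned in the article description. The public address 203.0.113.10, the second client 192.168.2.100, the server addresses 1.1.1.1 and 2.2.2.2 and the file path are assumptions; pick the one section that matches your setup rather than using all three at once.

```conf
# /etc/natd.conf (assumed path; start natd with "-f /etc/natd.conf").
# natd.conf takes the same options as the command line, without the
# leading dash. Assumed public (aliasing) address: 203.0.113.10.
# Use ONLY ONE of the three sections below.

# --- Section 1: one client behind the firewall (replaces the old
#     "pptpalias 192.168.2.51" line).
# All inbound GRE (protocol 47) that reaches the aliasing address is
# handed to 192.168.2.51; GRE from that host is aliased back out.
redirect_proto 47 192.168.2.51

# --- Section 2: two clients, each using a different VPN server.
# GRE has no ports, so natd can only tell the tunnels apart by remote
# address. remoteIP is the fourth field, so publicIP must be spelled
# out to reach it. 1.1.1.1 and 2.2.2.2 are assumed server addresses.
# Two clients to the SAME server cannot be expressed this way.
#redirect_proto 47 192.168.2.51  203.0.113.10 1.1.1.1
#redirect_proto 47 192.168.2.100 203.0.113.10 2.2.2.2

# --- Section 3: a PPTP server on 192.168.2.51 behind the firewall.
# The control channel is plain TCP on port 1723, forwarded with
# redirect_port like any other service; the GRE data channel still
# needs the redirect_proto line.
#redirect_port  tcp 192.168.2.51:1723 1723
#redirect_proto 47  192.168.2.51
```

Whichever section you use, the ipfw rule set still has to let protocol 47 (ipfw accepts the name `gre` from protocols(5)) and TCP port 1723 through on both sides of the divert rule that feeds natd; the redirect lines only tell natd where to send what the firewall has already accepted.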
© Copyright 1998-2008 VANGEYN.Net, unless otherwise noted.