Multiple PPTP clients behind NAT

rob at rob at
Wed Sep 15 11:25:27 CEST 2004

>>(Why would you use a 9 months old POM when a new one
>>is available ?)
> The reason for using this patch is because
> patch-o-matic-ng-20040621 said my kernel
> is too old (I do not know why, my kernel was 2.4.20-8
> which is the default kernel from RedHat 9).
> The reason for using kernel 2.4.26 is because we
> searched on the web and someone said using
> this kernel with this patch works.

IMHO if you have to compile a new kernel it is best to use a new one with
the latest patches unless there is a very good reason not to.
But that's IMHO ;-).

> My configuration is exactly the following
> PPTP     |
> client1->|
>          |
> PPTP     |
> client2->|                                   |->PPTP
>          |                                   |  Server
>          |->eth1->NAT->eth0->...Internet...->|
> ... ...->|                                   |->...
>          |                                   |
> PPTP     |
> client n->|
> A. Private LAN:
> B. eth1 IP:
> C. eth0 IP:
> D. PPTP server:
> E. IPs in PPTP Server:,
> (These IPs cannot be accessed without VPN)
> F. All clients in private LAN are windows or Mac
> machines. After the VPN is setup, they will be
> assigned with IP addresses of and
> G. The PPTP Server is not firewalled
> The problem is described as follows:
> 1. I setup one connection from client 1 to the PPTP
> server, then I tried to test the connection by ping
> either or It is
> working.
> 2. I setup the other connection from client 2 to the
> same PPTP server. Then two cases will happen:
>    a) if client 1 keeps pinging (a MAC), the
> connection will fail;
>    b) if client 1 stops pinging, the connection can be
> established.
> 3. After the second connection is setup. Client 2 can
> ping, client 1 cannot ping any more, but the status
> shows that the connection is still there.

Sounds like conntrack is not working because then only 1 client would
be able to connect to the PPTP server.

Are you sure the following are loaded :

You could also create logging rules on the firewall to see what is going on.
And you could check on the PPTP server if your ping arrives.
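
Added example (not part of the original post and not netfilter code): a simplified model of why only one client keeps working when PPTP GRE traffic is NATed without Call-ID-aware connection tracking. The addresses, Call IDs, table layout and function names are constructed for illustration; the header layout follows PPTP's enhanced GRE (RFC 2637).

```python
import struct

PPTP_GRE_PROTO = 0x880B  # protocol type of PPTP's enhanced GRE (RFC 2637)

def build_gre(call_id, payload=b"", seq=0):
    """Build an enhanced GRE (version 1) header with the K and S bits set."""
    flags_ver = 0x2000 | 0x1000 | 0x0001  # K (key present), S (seq present), version 1
    return struct.pack("!HHHHI", flags_ver, PPTP_GRE_PROTO,
                       len(payload), call_id, seq) + payload

def parse_call_id(gre):
    """Return the Call ID of a PPTP GRE packet, or None if it is not one."""
    if len(gre) < 8:
        return None
    flags_ver, proto, _length, call_id = struct.unpack("!HHHH", gre[:8])
    if flags_ver & 0x0007 != 1 or not flags_ver & 0x2000 or proto != PPTP_GRE_PROTO:
        return None
    return call_id

def deliver_without_helper(nat_table, server_ip, gre):
    """Generic NAT: GRE has no ports, so the only key is the peer address."""
    return nat_table.get(server_ip)

def deliver_with_helper(call_table, server_ip, gre):
    """Call-ID-aware NAT: key on (peer address, Call ID from the GRE header)."""
    return call_table.get((server_ip, parse_call_id(gre)))

def simulate():
    server = "203.0.113.10"  # constructed addresses and Call IDs
    clients = {"192.168.0.11": 100, "192.168.0.12": 200}  # client -> its Call ID
    nat_table, call_table = {}, {}
    for client, call_id in clients.items():  # client 2 connects after client 1
        nat_table[server] = client  # assumption: later mapping replaces the earlier one
        call_table[(server, call_id)] = client
    # Server-to-client GRE packets carry the receiving client's Call ID.
    replies = {c: build_gre(cid, b"echo-reply") for c, cid in clients.items()}
    naive = {c: deliver_without_helper(nat_table, server, p) for c, p in replies.items()}
    aware = {c: deliver_with_helper(call_table, server, p) for c, p in replies.items()}
    return naive, aware  # intended client -> client that actually receives the packet
```

In the model without the helper both replies land on the second client, which matches step 3 of the report. A real helper also has to learn the Call IDs from the TCP port 1723 control channel.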

