FreeBSD Port: mpd5-5.8_10 - only one client behind NAT can work simultaneously
Robert Heron
robert at heron.pl
Sun May 19 11:42:01 UTC 2019
> On 18 May 2019, at 22:10, Eugene Grosbein <eugen at grosbein.net> wrote:
>
> 19.05.2019 0:31, Robert Heron wrote:
>
>> I use mpd5 from ports on FreeBSD 11.2-RELEASE-p10 amd64 and there is one serious problem I can’t solve: when connecting clients from behind NAT (with the same public IP) to an mpd5 box, every newly established connection causes the previous one (from the same source IP) to go dead. All IP traffic through the previous connection stops, but its ng interface still exists. This happens regardless of the cryptography used. I’ve tried both PPTP and L2TP over IPsec PSK (with racoon). When one client connects, it works OK. When any second one from the same public IP connects, the previous connection’s IP traffic dies. My firewall is open.
>> I’ve searched the net, but found no clue :(
>
> If you use PPtP and no IPSEC, then you use PPtPGRE - that is, modified version of GRE protocol.
> Your NAT box must support multiple PPtPGRE connections for this to work.
> If you use another FreeBSD as NAT box, it has support for multiple PPtP connections
> by means of ipfw nat if you load alias_pptp.ko kernel module.
> If your NAT box has no support for aliasing multiple PPtP clients, you are out of luck
> and need to change NAT box or switch to another protocol.
>
> As for L2TP without IPSEC, you can use PPP/MPPE inside L2TP to encapsulate VPN into UDP stream
> and then it will pass through any NAT box without extra protocol support.
>
> I do not know if it is possible to run multiple L2TP/IPSEC clients behind the same NAT box.
>
> Anyway, this is not a problem of mpd5 at all, but of the NAT box or IPSEC.
>
I use FreeBSD 12.0 ARM as the NAT box, and adding alias_pptp.ko fixed the problem for PPTP. Now PPTP works OK for multiple connections :)
Multiple L2TP over IPsec still doesn’t work, but I think it’s a problem in my NAT box. I will try some commercial NAT router(s) with a VPN pass-through feature.
Many thanks for the help!
—
Robert
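The failure described in this thread, modelled as an added toy simulation (not code from mpd5, libalias or anyone on the list): PPTP's data channel is enhanced GRE (RFC 2637), which carries no port numbers, only a 16-bit Call ID in the GRE Key field. A NAT that keys state on addresses and ports alone has nothing to tell two GRE tunnels from the same public IP apart, so the second client's mapping replaces the first and the first client's inbound traffic is delivered to the wrong host or dropped. A PPTP-aware NAT learns each client's Call ID from the TCP/1723 control channel, keys GRE state on (server IP, Call ID) and rewrites colliding IDs, which is the behaviour alias_pptp.ko adds to ipfw nat. The classes, the `register_call` step standing in for the control-channel parsing, and all addresses and Call IDs are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Gre:
    """Constructed model of a PPTP enhanced-GRE packet (RFC 2637).
    There are no ports; the Key field holds the Call ID of the endpoint
    that should receive the packet."""
    src: str
    dst: str
    call_id: int


class PlainNat:
    """NAT with no PPTP support: GRE state can only be keyed on addresses."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.sessions: Dict[str, str] = {}  # server IP -> inside client IP

    def register_call(self, client_ip: str, server_ip: str, call_id: int) -> int:
        # The Call ID is invisible to this NAT; a second client to the same
        # server simply overwrites the first client's entry.
        self.sessions[server_ip] = client_ip
        return call_id  # passed through unchanged

    def inbound_gre(self, pkt: Gre) -> Optional[Gre]:
        inside = self.sessions.get(pkt.src)
        return Gre(pkt.src, inside, pkt.call_id) if inside else None


class PptpAwareNat:
    """Model of PPTP-aware aliasing: GRE state keyed on (server IP, Call ID),
    with colliding Call IDs rewritten to a free public value. This imitates
    what alias_pptp provides for ipfw nat; it is not that module's code."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        # (server, public call id) -> (inside client, inside call id)
        self.by_public: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def register_call(self, client_ip: str, server_ip: str, call_id: int) -> int:
        # Learned from the Outgoing-Call-Request on the TCP/1723 control
        # channel in a real ALG; here the caller supplies it directly.
        public_id = call_id
        while (server_ip, public_id) in self.by_public:  # collision: pick a fresh ID
            public_id = (public_id + 1) & 0xFFFF
        self.by_public[(server_ip, public_id)] = (client_ip, call_id)
        return public_id  # the server sees this ID, so its GRE replies carry it

    def inbound_gre(self, pkt: Gre) -> Optional[Gre]:
        entry = self.by_public.get((pkt.src, pkt.call_id))
        if entry is None:
            return None  # no matching call: drop instead of guessing
        inside_ip, inside_call = entry
        return Gre(pkt.src, inside_ip, inside_call)  # un-rewrite the Call ID


def simulate(nat) -> Dict[str, Optional[str]]:
    """Two inside clients behind one public IP each open a PPTP call to the
    same server and both happen to pick Call ID 100. Returns, per client,
    the inside host that actually receives the server's GRE reply."""
    server = "203.0.113.5"  # constructed (RFC 5737 documentation range)
    clients = [("192.168.1.10", 100), ("192.168.1.11", 100)]
    public_ids = {c: nat.register_call(c, server, cid) for c, cid in clients}
    delivered: Dict[str, Optional[str]] = {}
    for client, pub in public_ids.items():
        reply = nat.inbound_gre(Gre(server, nat.public_ip, pub))
        delivered[client] = reply.dst if reply else None
    return delivered


if __name__ == "__main__":
    print("plain NAT     :", simulate(PlainNat("198.51.100.1")))
    print("PPTP-aware NAT:", simulate(PptpAwareNat("198.51.100.1")))
```

With the plain NAT both replies land on 192.168.1.11, which is exactly the symptom reported above: the first client's ng interface stays up while its traffic vanishes. With the PPTP-aware NAT each client gets its own reply, and the second client's colliding Call ID is rewritten to 101 on the public side and restored to 100 on the way back in. The same reasoning is why L2TP/IPsec is a separate problem: ESP likewise has no ports, so without NAT-T (UDP encapsulation) a NAT has nothing to multiplex on.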