PFSENSE 2.3 PPTP VPN passthru workaround

PFSense 2.3.x and up have removed the PPTP tab, and PPTP passthru options.  This is because PPTP has been depreciated and it not considered 100% safe anymore.

For those of you still in need of using PPTP passthru to allow Windows VPN remote users into your LAN, here is the easy workaround.

  1. Firewall, NAT, Port forward.
    1. add port forward from WAN (presumably your outside interface name)
      1. TCP
      2. WAN ADDRESS
      3. DEST PORT RANGE=PPTP 1723
      4. REDIRECT TARGET IP=the internal IP of your Windows RRAS server.
      5. REDIRECT TARGET PORT=1723
      6. Allow it to ADD ASSOCIATED FILTER RULE for this entry
      7. SAVE
    2. add another rule, exactly the same as above EXCEPT for GRE.  All the same settings, but use GRE
  2. Once that is complete, go look at your WAN firewall rules.  You should have two new auto-created rules.  One for PPTP and one for GRE.
  3.  Remote users should now be able to connect just fine through PFSENSE 2.3.x into your Windows RRAS server.

Remember, using PPTP in 2016 is considered a risk, so do it at your own risk.  Please consider moving towards a newer VPN standard with better security.

One comment

  • Marco Mangiante

    Hello,

    with the old firewall I had a pptp integrated with radius: do you think it is possible to emulate the old firewall working?

    Currently, I have the old firewall working and in windows 2003 IAS it is pointed as “RADIUS Clients”; I created a similar entry for the pfsense server.
    If I try to connect in vpn via the new firewall (I point a static ip address different from the old one) I can connect, but when I trace the connection with WireShark I see that the system contact the lan address of the old firewall.
    Is it possible so to say to the pfsense to act as the old one for radius?

    Thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *