PPTP tunnel pass-throughs

PPTP tunnels going through Internet Gate have to be specified explicitly in the VPN Pass-through field of the security profile page. PPTP

:!: The most important rule to remember is that two local clients are never allowed to contact the same remote server!

You are recommended to specify all three fields for each row. (Ensures stability and reliability.) Though you can enter as many rows as you want, try to keep the number of rows low.

If remote server IP is not specified (empty field), the specified local client can access any remote server – except servers accessed by other local clients. NOTE: only one such row is allowed to be entered – multiple rows with only local client IP specified are not allowed!

If local client IP is not specified (empty field), the specified remote server can be accessed by any of the local clients – but only by one client at a time.

If neither local client IP nor remote server IP is specified, any local client can access any remote server – but this mode often results in non-stable connections, and is therefore not recommended.

Even though it is possible to enter multiple incomplete rows (with missing IP addresses), such configurations might easily lead to side effects and non-working connections and is therefore not recommended.

It doesn't matter in what order you enter the rows.

The remote server is not allowed to be behind a NAT.

PPTP and IPSec or IPSec NAT-T entries don't affect each other (even though they are entered into the same pass-through-list), thus you can ignore all IPSec and IPSec NAT-T entries when considering what PPTP entry combinations you can enter.


If you only have one PPTP client on your local network, enter its IP address into the Local client IP field, and leave Remote server IP empty.

If you have multiple PPTP clients on your local network, enter multiple complete lines specifying for each client its IP address and the IP address of the server it connects to. Make sure no two lines have same remote server IP-s in them.


To connect to, and to enter:

PPTP , ,

PPTP , ,

To connect to both remote servers enter:




PPTP, , (empty)

The difference is that while the first version only allows the client to connect to the two specified servers (and no others), the second version allows the client to connect to any remote server.

Watch out with rules:


PPTP, , (empty)

Please note that can access any remote PPTP server except – as that one is reserved for client It does not matter if client is actually connected to the server right now or not – as it is a static pass-through through the firewall no other client can use it. To allow both clients to be able to reach server you should instead enter rule:

PPTP, (empty) ,

that allows any inside client to contact the remote server – but not two at the same time!

Please note that it is impossible to, at the same time, connect both and to remote server! The closest you can come is with rule:

PPTP, (empty) ,

that allows any inside client to contact the remote server – one at a time! If is connected, connecting makes immediately loose its PPTP connection.


If you have entered illegal combination of rules the first non-conformant rule is marked with XXX. Please note that the reason for the error could be another rule before or after that rule that makes usage of the marked rule impossible. Read the information on this page carefully to solve the problem.

Incomplete VPN pass-through rules (with one or both IP addresses missing) can, in certain combinations, result in other behaviour than you might have expected. Always try to fill in as many of the fields as possible.

In the examples above, if you enter:



you will get an error, as two pass-through tunnels are not allowed to go to the same remote server.

The other way around - PPTP server on the LAN

It is possible to have one single PPTP server on the LAN to be connected by one ore more remote PPTP clients. If so, first configure the PPTP pass-through as if the server on the LAN was a client:

(In this example, the PPTP server is assumed to sit on the local IP address
Leave the Remote server IP empty.

Then add “dport == pptp and proto == tcp modify static daddr” as an additional rule set on the WAN interface:

If your WAN interface is ADSL, choose “LINE” instead in the first column.

It is recommended to add the additional rule above instead of using the tcp port redirection fields. Adding a tcp port redirection would create two firewall rules instead of one.

web_gui/pptp_pass-through.txt · Last modified: 2012/03/26 10:22 by vopatek
CC Attribution-Noncommercial-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0