I think at this point I miss the functionality of the pptp_conntrack module ? When is it necessary to load it ?
The module basically performs three tasks.
1. NAT of the callid
This ensures that the PPTP callid is unique per client/server pair. This is only necessary when you have multiple clients that are NATed to the same source address. Without it, the server will get confused.
2. Tracking of gre connections
The gre connections are tracked as RELATED connections, which makes it easy to add a rule to let them through the firewall.
3. NAT of gre connections
This ensures incoming gre packets are forwarded to the correct internal server/client.
Since you typically only have one internal server, this is just a convenience which means you don't need to add a gre DNAT rule.
However this is necessary if you have multiple clients that are NATed to the same source address, so that the firewall knows which client to forward the gre packet to.
NAT of gre can also be helpful for a single client. Without it, packets from the server may be dropped if the client hasn't sent a packet recently. This is because you typically don't have a DNAT rule to forward gre to the client, so the client has to send the gre packet first to establish the conntrack, and this conntrack will timeout after 30-180 seconds of inactivity. You can workaround this problem by configuring PPP to send LCP echoes to keep the conntrack active.
-- Philip Craig - philipc@xxxxxxxxxxxx - http://www.SnapGear.com SnapGear - Custom Embedded Solutions and Security Appliances
