You might need to specifically allow Point-to-Point Tunneling Protocol (PPTP) traffic if you use PPTP tunneling.
For more details about the product and how to configure features, click Help or press F1.
Steps
- To allow PPTP passthrough, add matching Access rules with the following two services:
  - The TCP Service for PPTP. The default Service element for PPTP uses the standard destination port 1723. Check the actual port used and create a Service with a different port, if necessary.
  - The IP Service for GRE (IP protocol 47).
- Make sure that the GRE traffic is not matched against any dynamic NAT rule, including the dynamic NAT rule required to load-balance connections between NetLinks in a Multi-Link configuration.
Use static NAT instead if IP address translation is required or configure the communicating applications to encapsulate the traffic in TCP or UDP (NAT traversal mode).
Dynamic NAT cannot be applied because it uses ports to tell apart connections that share the same IP address. GRE works directly on top of IP and has no concept of ports, so connections cannot be tracked that way for GRE. GRE requires a static translation that forms a fixed one-to-one relationship between an original and a translated IP address. Use a static IP address to IP address mapping or a network to same-size network mapping in the NAT rules.
Even with static NAT, some PPTP implementations require extra setup (for example, encapsulation of the packets) to work correctly when IP addresses are translated.
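The checks in the steps above can be expressed as a small policy audit. This is an added example, not the product's rule format or API: the dict-based rule model, the rule names, the documentation-range addresses, and top-down first-match evaluation are all assumptions made for illustration.

```python
import ipaddress

TCP, GRE = 6, 47  # IANA IP protocol numbers

def _covers(rule, src, dst, proto, port=None):
    """True if a rule (hypothetical dict model) covers this flow."""
    net = ipaddress.ip_network
    if ipaddress.ip_address(src) not in net(rule["src"]):
        return False
    if ipaddress.ip_address(dst) not in net(rule["dst"]):
        return False
    if rule["proto"] not in (proto, "any"):
        return False
    return rule.get("port") in (None, port)  # no port in rule = any port

def first_match(rules, src, dst, proto, port=None):
    """Top-down, first-match evaluation (assumed rule semantics)."""
    return next((r for r in rules if _covers(r, src, dst, proto, port)), None)

def audit_pptp(access, nat, client, server, pptp_port=1723):
    """Return findings for a PPTP session from client to server."""
    findings = []
    ctrl = first_match(access, client, server, TCP, pptp_port)
    if not ctrl or ctrl["action"] != "allow":
        findings.append(f"TCP/{pptp_port} control channel not allowed")
    gre = first_match(access, client, server, GRE)
    if not gre or gre["action"] != "allow":
        findings.append("GRE (IP protocol 47) not allowed")
    hit = first_match(nat, client, server, GRE)
    if hit and hit["nat"] == "dynamic":
        findings.append(f"GRE matches dynamic NAT rule {hit['name']}")
    elif hit and hit["nat"] == "static":
        # Static NAT must map one address, or a network to a same-size network.
        if ipaddress.ip_network(hit["src"]).prefixlen != ipaddress.ip_network(hit["to"]).prefixlen:
            findings.append(f"static NAT rule {hit['name']} is not one-to-one")
    return findings

# Constructed sample policy (documentation address ranges).
SRV = "198.51.100.10/32"
ACCESS = [
    {"name": "pptp-ctrl", "src": "10.0.0.0/24", "dst": SRV, "proto": TCP, "port": 1723, "action": "allow"},
    {"name": "pptp-gre", "src": "10.0.0.0/24", "dst": SRV, "proto": GRE, "action": "allow"},
]
DYNAMIC = {"name": "multilink-out", "src": "10.0.0.0/24", "dst": "0.0.0.0/0", "proto": "any", "nat": "dynamic"}
STATIC = {"name": "gre-static", "src": "10.0.0.0/24", "dst": SRV, "proto": GRE, "nat": "static", "to": "203.0.113.0/24"}

if __name__ == "__main__":
    print(audit_pptp(ACCESS, [DYNAMIC], "10.0.0.5", "198.51.100.10"))
    print(audit_pptp(ACCESS, [STATIC, DYNAMIC], "10.0.0.5", "198.51.100.10"))
```

With only the catch-all dynamic rule present, the audit flags GRE; placing the static rule above it clears the finding.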