Re: GRE Mux



On Fri, Mar 21, 2008 at 4:47 PM, Brett Glass <brett@xxxxxxxxxx> wrote:
Everyone:

I have recently been building FreeBSD VPN servers which can accept
50 to 100 PPTP connections. PPTP is, essentially, PPP over GRE
(with a TCP control connection), so we have large numbers of
packets passing in and out using GRE. Unfortunately, GRE on FreeBSD
doesn't currently have a multiplexing function as does TCP. If
userland PPP and pptpd are used to handle the PPTP sessions, each
GRE packet is passed to the first pptpd process. If the call ID
doesn't match, it's passed to the next, and then the next, and so
on. What's more, each test requires a "bounce" into and out of the
kernel. mpd, which uses netgraph, does more of the work within the
kernel, but the testing still takes place in linear time -- and the
potential delay increases with the number of PPTP sessions that
have been established. The packet is bounced from one netgraph node
to another until one of them accepts it or the packet falls off the
end of the chain.

It seems to me that it might be worth it to implement a
multiplexing function that dispatches the packet directly to the
right process or netgraph node rather than passing it from hand to
hand. Thoughts?


ng_gif_demux does the same; it shouldn't be too hard to come up with
something similar for pptp.
If you find the time and do it, please share.

--Brett Glass

_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
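
Added example (not part of the thread and not FreeBSD or netgraph code): the direct dispatch proposed above, done as one hash lookup on the call ID carried in the enhanced GRE header that PPTP uses (RFC 2637), with malformed or truncated packets rejected before the lookup. The function names, the fixed-size table, the integer handler ids, and keying on the peer IPv4 address as well as the call ID are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define NSLOTS 256   /* power of two; assumed larger than the session count */
struct session { uint32_t peer; uint16_t call_id; int handler; int used; };
static struct session slots[NSLOTS];

static unsigned slot_of(uint32_t peer, uint16_t call_id)
{
    uint32_t h = (peer ^ ((uint32_t)call_id << 16) ^ call_id) * 2654435761u;
    return (h >> 16) & (NSLOTS - 1);
}

/* Validate an enhanced GRE (version 1) header and extract its call ID. */
int pptp_gre_call_id(const uint8_t *p, size_t len, uint16_t *call_id)
{
    if (len < 8) return -1;                       /* fixed part is 8 bytes */
    if ((p[0] & 0xEF) != 0x20) return -1;         /* K set, S optional, rest clear */
    if ((p[1] & 0x7F) != 0x01) return -1;         /* version 1, A optional */
    if (p[2] != 0x88 || p[3] != 0x0B) return -1;  /* protocol type 0x880B */
    size_t hdr = 8 + ((p[0] & 0x10) ? 4 : 0) + ((p[1] & 0x80) ? 4 : 0);
    if (len < hdr + (((size_t)p[4] << 8) | p[5])) return -1;  /* truncated */
    *call_id = (uint16_t)((p[6] << 8) | p[7]);
    return 0;
}

/* Register a session (removal is left out of this example). */
int session_add(uint32_t peer, uint16_t call_id, int handler)
{
    unsigned i = slot_of(peer, call_id);
    for (unsigned n = 0; n < NSLOTS; n++, i = (i + 1) & (NSLOTS - 1))
        if (!slots[i].used) {
            slots[i] = (struct session){ peer, call_id, handler, 1 };
            return 0;
        }
    return -1;                                    /* table full */
}

/* One hashed lookup instead of offering the packet to each session in turn. */
int gre_demux(uint32_t peer, const uint8_t *pkt, size_t len)
{
    uint16_t cid;
    if (pptp_gre_call_id(pkt, len, &cid) != 0) return -1;
    unsigned i = slot_of(peer, cid);
    for (unsigned n = 0; n < NSLOTS && slots[i].used; n++, i = (i + 1) & (NSLOTS - 1))
        if (slots[i].peer == peer && slots[i].call_id == cid)
            return slots[i].handler;
    return -1;                                    /* no session: drop */
}
```

Including the peer address in the key means a packet carrying a valid call ID from a different source address is dropped rather than delivered to that session.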
