Issues with PPTP on Balance 20

We just set up a Balance 20 and it is working great with the exception of the PPTP server. I’ve upgraded to the latest firmware (5.4.9) and I can connect to the PPTP server, however, I can go no further. According to, it says that a 3rd party DHCP server should work, and I do get an IP address, however there is no default gateway, and I cannot connect to any devices inside the remote network.

Am I missing something? Do I need to turn on the DHCP for the PPTP server? Can I limit it to just that?


The Balance does support using a 3rd party DHCP server for PPTP clients if the LAN port of your Balance is on the same subnet/network as your 3rd party DHCP server. If you are using the Balance as a firewall, be sure to add an inbound allow rule for the PPTP clients.

Source = internal network (PPTP clients will be on the LAN)
Destination = internal network (no internet access) or any (allowing internet access)


I’ve always done this as

source = internal network
destination = any

I haven’t had any problems with this, but will it cause any other unintended consequences?

The Windows VPN client by default sends all traffic through the virtual adapter. This means you can control this traffic from the Balance. As long as you have available bandwidth for the PPTP clients to browse the internet it should not be a concern.

If the VPN client is configured to not use the default gateway on remote network, the client will use its local internet connection for non-private internet traffic. This is referred to as “split tunneling” and the disadvantage is that the client would be putting the corporate network at risk because they are bypassing secure gateways that might normally be found on the company’s infrastructure, making it accessible through the non-secured public network.

If you want PPTP clients to be able to access the internet while they are connected to the corporate network, you are doing this in the more secure way.

Ron - to restate what you said, to be sure I understand it, if I make the rule as you originally suggested above:

source = internal network
destination = internal network

With that route, the user’s PC will use his own internet source for non-VPN data? In my case I actually prefer that because it saves bandwidth.

With the Balance configured this way, the PPTP client can only access your network, not the internet. If you want the clients to use their own internet connection while connected to your network, the change needs to be made on the client side. This method is not secure, so I would recommend having them disconnect from your network when browsing the internet instead.


Thanks for the replies, sorry it’s taken me a while to get back to this.

Do you have the exact firewall rule that needs to be set up? I saw in one thread that it’s an inbound rule with Any protocol an dthat makes me a bit nervous…

If the PPTP clients are configured to use the remote default gateway you can control access with firewall rules in the Balance. You have the ability to allow only specific protocols or destinations if you wish.