Subject: Re: pptp client behind NAT - transfer hangs up
To: Quentin Garnier <cube@cubidou.net>
From: Egervary Gergely <egervary@expertlan.hu>
List: netbsd-users
Date: 01/08/2005 17:21:05
>>scenario: NetBSD nat box, PPTP server at some ISP w/public IP,
>>PPTP clients on my private network behind the NetBSD nat.
> 
> You mean you have several PPTP clients running from behind the NAT box?

No, not simultaneously.

> And what does your ipf ruleset look like?

I've tried with ``pass-everything'' and it's the same. :(

> What does ipnat -l say right after a successfully transmitted packet from
> the client to the server?

When the PPTP connection is established, ipnat -l reports this:

MAP 10.0.1.1    2145  <- -> 193.224.190.1   29981 [195.70.36.136 1723]

where 10.0.1.1 is the PPTP client, 193.224.190.1 is the external address
of the natbox, 195.70.36.136 is the address of the PPTP server. This
looks okay.

I can't see anything unusual on the nat box. When the connection hangs
(i.e. there's no traffic from the client for 2-3 seconds), the PPTP server
cannot ping the client anymore, cannot get replies to the LCP echo
requests anymore, so - depending on the PPTP server's configuration -
it times out with LCP echo failures, and disconnects the client.

-- 
Egerváry Gergely
egervary@expertlan.hu