GRE not natted on FreeBSD 7.1-p2
Sebastiaan van Erk
sebster at sebster.com
Tue Feb 3 05:29:26 PST 2009
Hi,

I changed the GRE rule to:

pass out quick proto gre

and it was still giving me the same errors after flushing the firewall:

pfctl -f /etc/pf.conf

Log:

3. 003875 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81:
GREv1, call 55191, seq 7, proto PPP (0x880b), length 36: [|ppp]

But a few minutes later I started up the VPN (without having changed
anything in the firewall), and now it suddenly did work.

I don't know where the delay comes from; I've never seen that before...

Regards,
Sebastiaan

Sebastiaan van Erk wrote:
> Hi,
>
> I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD
> 7.1-p2.
>
> However, now my firewall will suddenly no longer NAT GRE, so none of
> the client connections to remote (PPTP) VPNs are working.
>
> When trying to connect from the client (10.1.0.6) to the internet,
> everything works fine (tcp/udp are natted), but when trying to set up a
> VPN my firewall log says:
>
> 3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81:
> GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]
>
> (vr0 is my external interface, which is connected to the ADSL modem)
>
> The rule that is blocking is:
> @6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any
>
> (192.168.1.2 is my "external" address). This rule is supposed to block
> any internal stuff going out that is not NATted properly. It is correct
> to block my client (10.1.0.6), since it should have had its address
> translated.
>
> My nat rule is simple (and DOES NAT tcp/udp):
>
> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>
> The entire config is attached. Am I doing something stupid? Does anybody
> know what I'm doing wrong?
>
> Thanks in advance,
> Sebastiaan
>
>
>
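
An added example, not part of the original post: a small Python filter over pflog output that counts packets blocked outbound on the external interface while still carrying an untranslated source address, grouped by protocol, which is the condition rule 6 above is meant to catch. The line layout follows the log entries quoted in the message (wrapped lines joined); the timestamps, the rule numbers other than 6, and the function names are constructed for illustration.

```python
import re
from collections import Counter

# One pflog entry as printed by tcpdump on pflog0, with wrapped lines joined.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) on "
    r"(?P<ifname>\w+): (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<descr>.*)"
)

def strip_port(endpoint):
    """tcpdump prints TCP/UDP endpoints as a.b.c.d.port; GRE has no port."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint

def classify(descr):
    """Map the start of tcpdump's packet description to a protocol label."""
    head = descr.split(",")[0].split()[0] if descr.strip() else ""
    if head.startswith("GRE"):
        return "gre"
    if head == "UDP":
        return "udp"
    if head.startswith("ICMP"):
        return "icmp"
    if head == "Flags":
        return "tcp"
    return "other"

def untranslated_egress(lines, ext_if, ext_addr):
    """Count block-out hits on ext_if whose source is not the NAT address."""
    hits = Counter()
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m or m["action"] != "block" or m["dir"] != "out":
            continue
        if m["ifname"] != ext_if:
            continue
        src = strip_port(m["src"])
        if src != ext_addr:
            hits[(src, classify(m["descr"]))] += 1
    return hits

# Constructed sample: addresses are from the post, everything else is made up.
SAMPLE = [
    "00:00:03.004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]",
    "00:00:04.003875 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 11, proto PPP (0x880b), length 36: [|ppp]",
    "00:00:05.100000 rule 9/0(match): pass out on vr0: 192.168.1.2.51515 > 193.46.80.81.1723: Flags [S], seq 1, win 65535, length 0",
    "00:00:06.200000 rule 2/0(match): block in on vr0: 203.0.113.9.4444 > 192.168.1.2.22: Flags [S], seq 1, win 1024, length 0",
]

if __name__ == "__main__":
    for (src, proto), n in untranslated_egress(SAMPLE, "vr0", "192.168.1.2").items():
        print(f"{src} {proto}: {n} packet(s) left {'vr0'} without NAT")
```

A result that lists only `gre` for a client whose TCP and UDP traffic is translated matches the symptom described in the message: the NAT rule is being applied to some protocols and not others.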