GRE not natted on FreeBSD 7.1-p2

Sebastiaan van Erk sebster at sebster.com
Tue Feb 3 05:29:26 PST 2009


Hi,

I changed the GRE rule to:

pass out quick proto gre

and it was still giving me the same errors after flushing the firewall:

pfctl -f /etc/pf.conf

Log:

3. 003875 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: 
GREv1, call 55191, seq 7, proto PPP (0x880b), length 36: [|ppp]

But a few minutes later I started up the VPN (without having changed 
anything in the firewall), and now it suddenly did work.

I don't know where the delay comes from, I've never seen that before...

Regards,
Sebastiaan

Sebastiaan van Erk wrote:
> Hi,
> 
> I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD 
> 7.1-p2.
> 
> However, now my firewall will suddenly no longer NAT GRE, so none of 
> the client connections to remote (PPTP) VPNs are working.
> 
> When trying to connect from the client (10.1.0.6) to the internet, 
> everything works fine (tcp/udp are natted), but when trying to set up a 
> VPN my firewall log says:
> 
> 3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: 
> GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]
> 
> (vr0 is my external interface, which is connected to the ADSL modem)
> 
> The rule that is blocking is:
> @6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any
> 
> (192.168.1.2 is my "external" address). This rule is supposed to block 
> any internal stuff going out that is not NATted properly. It is correct 
> to block my client (10.1.0.6), since it should have had its address 
> translated.
> 
> My nat rule is simple (and DOES NAT tcp/udp):
> 
> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
> 
> The entire config is attached. Am I doing something stupid? Does anybody 
> know what I'm doing wrong?
> 
> Thanks in advance,
> Sebastiaan
> 
> 
> 

More information about the freebsd-pf mailing list