GRE not natted on FreeBSD 7.1-p2
Andrew
awd at awdcomp.net
Sat Feb 7 03:50:07 PST 2009
Howdy,
If you (or others watching this list) ever need to go back to the pptp
route then consider using net/frickin which is a pptp proxy :)
I'm using it successfully with redirection.
rdr on $int_if proto tcp from $lnet to any port 1723 -> 127.0.0.1 port 1724
rdr on $int_if proto gre from $lnet to any -> 127.0.0.1
Cheers
cya
Andrew
Sebastiaan van Erk wrote:
> Greg Hennessy wrote:
>> Sebastiaan van Erk wrote:
>>>
>>>
>>> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>>>
>> This is the nub of the problem, 'hide' NAT breaks GRE.
>>
>> To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE
>> call id header to track each session in a manner analogous to
>> rewriting the source port of a 'hide' natted tcp/udp session.
>>
>> The last time I looked, Daniel, Henning et al have not added that
>> facility to PF as of yet.
>>
>> You can statically translate the flow instead which should sort the
>> problem.
>
>> Greg
>
> Thanks for the reply,
>
> I have a feeling that my "upstream" ADSL modem has a similar issue,
> because what I did was use multiple "external" addresses on my pf
> machine (192.168.1.2, 192.168.1.3, etc) and I was getting really strange
> behavior (that is, when starting a PPTP session on 192.168.1.2 I'd get
> GRE packets back on 192.168.1.3 from the ADSL modem, which presumably
> still had an old NAT rule from a recent session via the .3 address).
>
> In the end I took the plunge and kicked PPTP out of the equation (since
> all the remote servers are managed by me anyway), and converted
> everything to OpenVPN with bridging. All my problems have vaporized and
> I've learned quite a bit in the process.
>
> Regards,
> Sebastiaan
>
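An added pf.conf fragment (not from anyone in this thread) putting Greg's point side by side: the many:1 'hide' NAT rule that cannot distinguish concurrent PPTP sessions, and the static (binat) translation that avoids the problem for one LAN host. Interface names, addresses and the spare public alias are assumptions.

```pf
# Added example, not from the thread. Interface names and addresses are
# assumptions; 203.0.113.5 stands in for a spare public address aliased
# onto the external interface.
ext_if      = "em0"
int_if      = "em1"
int_net     = "192.168.0.0/24"
pptp_client = "192.168.0.10"   # the one LAN host that needs PPTP
pptp_ext    = "203.0.113.5"    # its own public address on $ext_if

# 1) Starting point: many:1 'hide' NAT. TCP/UDP flows get a rewritten
#    source port, but GRE has no ports and pf does not rewrite the PPTP
#    call ID, so two LAN hosts with concurrent PPTP sessions collide.
nat on $ext_if from $int_net to any -> ($ext_if)

# 2) Static translation for the PPTP host: binat maps it 1:1 to its own
#    public address in both directions, so no call-ID rewrite is needed.
#    For outbound packets pf consults binat before nat, so this host is
#    taken out of the hide rule above.
binat on $ext_if from $pptp_client to any -> $pptp_ext

# Filter rules see post-translation addresses. State created on the
# outbound GRE flow (keyed on addresses and protocol) matches the replies;
# the explicit inbound rule covers a server that sends the first GRE
# packet before the client has created any GRE state.
pass out on $ext_if proto tcp from $pptp_ext to any port 1723 keep state
pass out on $ext_if proto gre from $pptp_ext to any keep state
pass in  on $ext_if proto gre from any to $pptp_client keep state
```

Each additional PPTP client on the LAN needs its own public address and binat pair; if that is not available, the net/frickin proxy approach above is the alternative.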