GRE and PF problem

Giovanni P. Tirloni gpt at
Thu Jul 14 12:51:52 GMT 2005

Alex Povolotsky wrote:
> compunction wrote:
>> GRE needs to pass bidirectional.  You will need a binat to make it
>> work.  I have not found a firewall that will allow GRE to work with a
>> many to one nat.
> The most painful thing is that pf's nat works for GRE - SOMETIMES :-(
> The only thing firewall needs to implement for natting GRE is creation 
> of two rules (forward and back) for GRE packet, just like it does for ICMP.
> I'm not a firewall writer, but as far as I understand general procedural 
> programming, it cannot be THAT complicated.

  When a packet comes from to your external interface you can't 
determine if it's destined to or if both 
initiated a GRE tunnel to That's because GRE doesn't have ports 
like UDP or TCP to make (de)multiplexing possible, AFAIK.

Giovanni P. Tirloni / gpt at / PGP: 0xD0315C26
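As an added illustration of the binat approach compunction mentions (not from anyone in this thread), here is a pf.conf fragment that gives one internal GRE endpoint a dedicated public address; the interface name and the RFC 5737 addresses are assumed:

```conf
# Added example pf.conf fragment. Interface and addresses are assumptions
# (documentation ranges), not values from the thread.
ext_if   = "fxp0"
int_net  = "192.168.1.0/24"
gre_host = "192.168.1.10"     # the single internal GRE tunnel endpoint
gre_pub  = "203.0.113.5"      # spare public address dedicated to it

# GRE carries no port numbers, so many-to-one NAT cannot tell two internal
# GRE endpoints apart once the peer's packets return. Keep the GRE host
# out of the shared nat rule explicitly.
no nat on $ext_if from $gre_host to any
nat on $ext_if from $int_net to any -> ($ext_if)

# 1:1 bidirectional mapping: outgoing packets from the GRE host and
# incoming packets addressed to its public address are both rewritten,
# whichever side sends first.
binat on $ext_if from $gre_host to any -> $gre_pub

# Let GRE through in both directions; state is kept per address pair.
pass in  on $ext_if proto gre from any to $gre_pub keep state
pass out on $ext_if proto gre from $gre_pub to any keep state
```

Only one internal host can use the tunnel this way; a second GRE endpoint needs a second public address and a second binat rule.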
