GRE and PF problem

Giovanni P. Tirloni gpt at
Thu Jul 14 20:56:07 GMT 2005

Alex Povolotsky wrote:
>>  When a packet comes from to your external interface you can't 
>> determine if it's destined to or if both 
>> initiated a GRE tunnel to That's because GRE doesn't have 
>> ports like UDP or TCP to make (de)multiplexing possible, AFAIK.
> Cool. I did not know that ICMP doesn't work through nat. It always 
> worked for me. Moreover, as far as I remember, GRE worked with 
> IPFW/NATD, and SOMETIMES it works with pf.

  I don't know how PF keeps track of ICMP packets but there must be a 
way for it to distinguish between a packet destined to or 0.2.

  We all know ICMP works behind NAT. You don't need to play like that here.

  Looking at the GRE header I simply can't find a way to keep track of 
it and my experiences with some xDSL/cable routers permit me to say 
that I haven't found anyone that would let me establish more than one 
PPTP connection behind NAT.

  But then I'm no networking/pf/kernel guru to keep talking about this.

Giovanni P. Tirloni / gpt at / PGP: 0xD0315C26
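
Added example, not part of the original message: a simplified NAT state table in Python that illustrates the demultiplexing point discussed in this thread. It is a constructed model, not pf or natd code; the addresses, the `Nat` class and `demux_field` are assumptions made for illustration.

```python
# Simplified NAT state model (constructed; not pf or natd code).
# All addresses are sample values chosen for this example.

def demux_field(pkt):
    """Return the per-protocol field a NAT can rewrite to tell flows apart."""
    if pkt["proto"] in ("tcp", "udp"):
        return pkt["sport"]        # source port
    if pkt["proto"] == "icmp":
        return pkt["echo_id"]      # echo identifier plays the role of a port
    return None                    # plain GRE: only the addresses are left


class Nat:
    def __init__(self):
        self.states = {}           # (proto, remote, ext_id) -> inside hosts
        self.next_id = 50000       # next external port / echo id to hand out

    def outbound(self, pkt):
        """Record state for an inside packet; return the external id used."""
        ext_id = None
        if demux_field(pkt) is not None:
            ext_id = self.next_id  # unique per flow, so replies are unambiguous
            self.next_id += 1
        key = (pkt["proto"], pkt["dst"], ext_id)
        self.states.setdefault(key, []).append(pkt["src"])
        return ext_id

    def inbound(self, proto, remote, ext_id=None):
        """Return every inside host a reply from `remote` could belong to."""
        return self.states.get((proto, remote, ext_id), [])


def demo():
    """Two inside hosts talk to the same remote peer over TCP, ICMP and GRE."""
    nat = Nat()
    server = "198.51.100.7"
    hosts = ("10.0.0.1", "10.0.0.2")
    flows = (("tcp", {"sport": 1025}), ("icmp", {"echo_id": 7}), ("gre", {}))
    results = {}
    for proto, extra in flows:
        ids = [nat.outbound({"proto": proto, "src": h, "dst": server, **extra})
               for h in hosts]
        results[proto] = [nat.inbound(proto, server, i) for i in ids]
    return results


if __name__ == "__main__":
    for proto, candidates in demo().items():
        print(proto, candidates)
```

In this model each TCP and ICMP reply maps back to exactly one inside host, while a GRE reply from the shared remote peer matches both.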

More information about the freebsd-net mailing list