Using scrub + rdr gre does not work as expected

Scott Ullrich sullrich at gmail.com
Thu Jan 18 19:55:16 UTC 2007


On 1/17/07, Scott Ullrich <sullrich at gmail.com> wrote:
> Hi,
>
> We are trying to track down an issue when using the Frickin PPTP
> proxy.   When we use "scrub in all random-id fragment reassemble" the
> GRE traffic fails to get rdr'd properly.   If we remove the scrub
> directive the traffic flows as it should.  Here is a look at the state
> list both ways:
>
> With scrub:
>
> self gre 192.168.10.198 <- 192.168.10.1       MULTIPLE:MULTIPLE
> self gre 192.168.1.199 -> 192.168.10.1       SINGLE:NO_TRAFFIC
> self gre 192.168.10.1 -> 192.168.1.199       MULTIPLE:MULTIPLE
>
> Without scrub:
>
> self gre 127.0.0.1 <- 192.168.10.1 <- 192.168.1.199       NO_TRAFFIC:SINGLE
>
> Also, why is the IP address changing in these states?   We are only
> using .199 here as a test.
>
> Anyone have an idea?  This works okay on OpenBSD 3.6.  I am told by
> the Frickin PPTP author that it works ok on 6.0 but it appears broken
> on 6.2.
>
> FreeBSD pfsense.local 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12
> 15:32:48 EST 2007
> sullrich at default.domain.com:/usr/obj.pfSense/usr/src/sys/pfSense.6
> i386
>
> Thanks in advance!
>

Here is an update to this.   We tried to skip scrubbing on lo0 with
"set skip on lo0" but the problem persists.   For some reason PF is
using the wrong IP address in the states list:

# pfctl -ss | grep gre
self gre 192.168.10.198 <- 192.168.10.1       NO_TRAFFIC:SINGLE
self gre 192.168.1.199 -> 192.168.10.1       SINGLE:NO_TRAFFIC
self gre 192.168.10.1 -> 192.168.1.199       MULTIPLE:MULTIPLE

NOTE: 198 is not even an active host on this network.  The host does
not exist at all.  This seems like a bug.
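As an added example, not part of the original post or of pf itself: a small Python parser for the `pfctl -ss` lines quoted in this thread. It splits each state into interface, protocol, endpoints, direction and the per-side state pair, notes whether a translation (three addresses) is shown, and flags any endpoint that is not in a known-host set. The sample lines below are copied from the thread; the known-host set is an assumption made for the example (IPv4 only; a `:port` suffix on TCP/UDP endpoints is stripped).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the state listings quoted in the thread.
SAMPLE_WITH_SCRUB = """\
self gre 192.168.10.198 <- 192.168.10.1       NO_TRAFFIC:SINGLE
self gre 192.168.1.199 -> 192.168.10.1       SINGLE:NO_TRAFFIC
self gre 192.168.10.1 -> 192.168.1.199       MULTIPLE:MULTIPLE
"""
SAMPLE_WITHOUT_SCRUB = """\
self gre 127.0.0.1 <- 192.168.10.1 <- 192.168.1.199       NO_TRAFFIC:SINGLE
"""

# Assumption for the example: the hosts we expect to see in GRE states.
KNOWN_HOSTS = {"192.168.10.1", "192.168.1.199", "127.0.0.1"}

# <iface> <proto> <endpoints ...> <SRC_STATE>:<DST_STATE>
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<rest>.+?)\s+"
    r"(?P<src>[A-Z_]+):(?P<dst>[A-Z_]+)\s*$"
)


@dataclass
class PfState:
    iface: str
    proto: str
    addrs: list = field(default_factory=list)  # endpoints in printed order
    direction: str = ""      # '->' outbound, '<-' inbound
    translated: bool = False  # True when pfctl prints a third (rdr/nat) address
    src_state: str = ""
    dst_state: str = ""


def _host(endpoint):
    # Strip a ':port' suffix (TCP/UDP); GRE endpoints have none.
    return endpoint.split(":")[0]


def parse_state_line(line):
    """Parse one `pfctl -ss` line; return None for lines that don't match."""
    m = STATE_RE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    arrows = [t for t in tokens if t in ("->", "<-")]
    addrs = [t for t in tokens if t not in ("->", "<-")]
    return PfState(
        iface=m.group("iface"),
        proto=m.group("proto"),
        addrs=addrs,
        direction=arrows[0] if arrows else "",
        translated=len(addrs) == 3,
        src_state=m.group("src"),
        dst_state=m.group("dst"),
    )


def parse_states(text):
    """Parse a whole `pfctl -ss` listing, skipping blank or unparseable lines."""
    states = []
    for line in text.splitlines():
        st = parse_state_line(line)
        if st is not None:
            states.append(st)
    return states


def unexpected_hosts(states, known_hosts):
    """Endpoints appearing in states that are not in the known-host set."""
    seen = {_host(a) for st in states for a in st.addrs}
    return seen - set(known_hosts)


def has_translation(states, proto="gre"):
    """True if any state for `proto` shows a translated (rdr/nat) address."""
    return any(st.translated for st in states if st.proto == proto)


if __name__ == "__main__":
    for label, text in (("with scrub", SAMPLE_WITH_SCRUB),
                        ("without scrub", SAMPLE_WITHOUT_SCRUB)):
        states = parse_states(text)
        print(label, "- rdr visible:", has_translation(states),
              "- unexpected hosts:", sorted(unexpected_hosts(states, KNOWN_HOSTS)))
```

Run against the two listings, the scrubbed set shows no translated GRE state and reports `192.168.10.198` as an endpoint that belongs to no known host, while the unscrubbed set shows the rdr'd state and nothing unexpected. The same check can be run over `pfctl -ss` output on a live box to spot states whose endpoints do not correspond to any configured host.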
