GRE not natted on FreeBSD 7.1-p2

Sebastiaan van Erk sebster at sebster.com
Wed Feb 4 12:34:33 PST 2009


Greg Hennessy wrote:
> Sebastiaan van Erk wrote:
>>
>>
>> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>>
> This is the nub of the problem, 'hide' NAT breaks GRE.
> 
> To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE 
> call id header to track each session in a manner analogous to rewriting 
> the source port of a 'hide' natted tcp/udp session.
> 
> The last time I looked, Daniel, Henning et al have not added that 
> facility to PF as of yet.
> 
> You can statically translate the flow instead which should sort the 
> problem.

> Greg

Thanks for the reply,

I have a feeling that my "upstream" ADSL modem has a similar issue, 
because what I did was use multiple "external" addresses on my pf 
machine (192.168.1.2, 192.168.1.3, etc) and I was getting really strange 
behavior (that is, when starting a PPTP session on 192.168.1.2 I'd get 
GRE packets back on 192.168.1.3 from the ADSL modem, which presumably 
still had an old NAT rule from a recent session via the .3 address).

In the end I took the plunge and kicked PPTP out of the equation (since 
all the remote servers are managed by me anyway), and converted 
everything to OpenVPN with bridging. All my problems have vaporized and 
I've learned quite a bit in the process.

Regards,
Sebastiaan
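
To make Greg's suggestion of static translation concrete, the pf.conf fragment below is an added example; it is not from the original thread and not Sebastiaan's actual configuration. It keeps the many:1 hide NAT for ordinary tcp/udp/icmp traffic but gives the single PPTP client a fixed 1:1 mapping with binat, so its GRE flow never has to share an external address with another inner host. Every interface name and address in it (em0, em1, 192.168.10.0/24, 192.168.10.50, 203.0.113.1, 203.0.113.2) is assumed for illustration, and 203.0.113.2 is assumed to be configured as an alias on the external interface.

```pf
# Added example, not the original poster's pf.conf. All names and addresses
# are assumptions for illustration; the external addresses are documentation
# ranges, and 203.0.113.2 must already exist as an alias on $ext_if.
ext_if   = "em0"
int_if   = "em1"
int_net  = "192.168.10.0/24"
ext_addr = "203.0.113.1"   # primary address, used by the hide NAT

# The one LAN host that makes PPTP connections, and its private external alias.
pptp_client = "192.168.10.50"
pptp_ext    = "203.0.113.2"

# Static 1:1 translation for the PPTP client. GRE carries no port number, so
# the hide NAT rule below cannot tell several inner GRE flows apart behind one
# external address; binat avoids the problem by giving this host an external
# address nobody else shares. It is listed first so it is the first matching
# translation rule for packets from $pptp_client.
binat on $ext_if from $pptp_client to any -> $pptp_ext

# Many:1 hide NAT for everyone else. Limiting it to tcp/udp/icmp means a GRE
# flow from some other LAN host is left untranslated (and is then dropped by
# the filter) instead of being mangled into a half-working state.
nat on $ext_if proto { tcp udp icmp } from $int_net to any -> $ext_addr

# Filter rules are evaluated after translation on the outbound interface, so
# they match on the translated source address. Allow the PPTP control channel
# (tcp/1723) and the GRE data channel for the binat address only.
pass out quick on $ext_if proto tcp from $pptp_ext to any port 1723 keep state
pass out quick on $ext_if proto gre from $pptp_ext to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then start a PPTP session from the client and confirm with `pfctl -s state` that the gre state shows 203.0.113.2 rather than the hide NAT address. If more than one LAN host needs PPTP, each one needs its own binat rule and its own external alias, which is exactly the per-address layout Sebastiaan describes trying above; the upstream ADSL modem must then also be doing 1:1 rather than hide NAT for those addresses, or the same GRE confusion reappears one hop up.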
