From owner-freebsd-questions@FreeBSD.ORG Mon Feb 2 10:07:50 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE34416A4CF; Mon, 2 Feb 2004 10:07:50 -0800 (PST)
Received: from valiant.cnchost.com (valiant.concentric.net [207.155.252.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id 167F943D31; Mon, 2 Feb 2004 10:07:47 -0800 (PST) (envelope-from sahafeez@edgefocus.com)
Received: from edgefocus.com (ws130.advancel.com [207.88.142.131] (may be forged)) by valiant.cnchost.com id NAA13556; Mon, 2 Feb 2004 13:07:45 -0500 (EST) [ConcentricHost SMTP Relay 1.16]
Message-ID: <401E91C6.8040800@edgefocus.com>
Date: Mon, 02 Feb 2004 10:07:02 -0800
From: Sean Hafeez
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6b) Gecko/20031205 Thunderbird/0.4
MIME-Version: 1.0
To: freebsd-questions@freebsd.org, freebsd-ipfw@freebsd.org, Karan Gupta, "Eric (E-mail)"
Content-Type: text/plain; charset=us-ascii; format=flowed
Subject: Strange GRE packet flows...
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 02 Feb 2004 18:07:51 -0000

I have a 4.9 box (router1) running IPFW:

    /sbin/natd -interface rl0 -s
    ipfw add 999 divert natd all from any to any via rl0
    ipfw add pipe 1 ip from any to any in recv vr0
    ipfw add pipe 2 ip from any to any out xmit vr0
    ipfw pipe 1 config mask src-ip 0xffffffff bw 512kbits/s
    ipfw pipe 2 config mask dst-ip 0xffffffff bw 512kbits/s

And on this box I have some GRE tunnels:

    ifconfig gre8 create
    ifconfig gre8 tunnel x.x.x.x y.y.y.y
    ifconfig gre8 inet 172.20.1.13 172.20.1.14 netmask 255.255.255.252
    ifconfig gre8 up
    route add -net 10.0.100.0 -netmask 255.255.255.0 172.20.1.14

The tunnels terminate on a Cisco 1720 or a box running FreeBSD 4.8 or 4.9 (same config as above, reversed). The Cisco or the BSD box is running NAT on its side.

If I ping a box behind the remote side from my desktop, which is behind the router1 box, I drop 3 out of 5 packets.

Now for the strange part: if I get a ping going to that same node from the router1 box and then ping from my desktop, I drop no packets. If I kill the ping on the router1 box, the pings from the desktop start dropping packets. This also works if I ping the external interface on the remote router.

BTW, I have just changed the router1 box from Gentoo Linux using the iproute package for the tunnels to FreeBSD 4.9. It worked just fine with router1 running Linux. I would hate to have to change back, as I hate Linux and think IPTABLES was written as a replacement for pulling fingernails out with pliers.

Thoughts?

Thanks!
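A way to localize where the replies in the setup above disappear, as an added example that is not part of the original post: it pairs ICMP echo requests with replies in tcpdump-style output taken on the gre interface and on the outer interface (where tcpdump decodes the inner packet inside GRE), so a reply that is present in the outer capture but absent on gre8 was lost between decapsulation and delivery on router1, i.e. on the ipfw/natd path, while a reply missing from both never came back from the far side. The capture lines, addresses and ICMP ids are constructed for the example, not real traffic from the poster's network.

```python
import re

# Matches the ICMP echo summary tcpdump prints, whether the line is a plain
# packet on gre8 or an inner packet decoded after a "GREv0, length N:" prefix.
ECHO_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")

# Constructed sample (not a real capture): desktop 192.168.1.50 pinging
# 10.0.100.5 through gre8; only seq 1 and 4 came back, as in "3 out of 5".
SAMPLE_GRE8 = """\
10:07:01.000 IP 192.168.1.50 > 10.0.100.5: ICMP echo request, id 1, seq 1, length 64
10:07:01.020 IP 10.0.100.5 > 192.168.1.50: ICMP echo reply, id 1, seq 1, length 64
10:07:02.000 IP 192.168.1.50 > 10.0.100.5: ICMP echo request, id 1, seq 2, length 64
10:07:03.000 IP 192.168.1.50 > 10.0.100.5: ICMP echo request, id 1, seq 3, length 64
10:07:04.000 IP 192.168.1.50 > 10.0.100.5: ICMP echo request, id 1, seq 4, length 64
10:07:04.020 IP 10.0.100.5 > 192.168.1.50: ICMP echo reply, id 1, seq 4, length 64
10:07:05.000 IP 192.168.1.50 > 10.0.100.5: ICMP echo request, id 1, seq 5, length 64
"""
# Constructed outer-interface sample (tcpdump -ni rl0 proto gre): the tunnel
# endpoints are placeholders; reply seq 3 arrived here but never reached gre8.
SAMPLE_RL0 = """\
10:07:01.019 IP y.y.y.y > x.x.x.x: GREv0, length 92: IP 10.0.100.5 > 192.168.1.50: ICMP echo reply, id 1, seq 1, length 64
10:07:03.019 IP y.y.y.y > x.x.x.x: GREv0, length 92: IP 10.0.100.5 > 192.168.1.50: ICMP echo reply, id 1, seq 3, length 64
10:07:04.019 IP y.y.y.y > x.x.x.x: GREv0, length 92: IP 10.0.100.5 > 192.168.1.50: ICMP echo reply, id 1, seq 4, length 64
"""

def echo_pairs(capture):
    """Group echo seq numbers per flow (client, target, icmp id): requests and replies."""
    requests, replies = {}, {}
    for line in capture.splitlines():
        m = ECHO_RE.search(line)
        if not m:
            continue  # GRE keepalives, ARP and anything else are ignored
        src, dst, kind, icmp_id, seq = m.groups()
        if kind == "request":
            requests.setdefault((src, dst, int(icmp_id)), set()).add(int(seq))
        else:  # a reply flows target -> client, so swap to key it under the same flow
            replies.setdefault((dst, src, int(icmp_id)), set()).add(int(seq))
    return requests, replies

def missing_replies(capture):
    """Per flow, the echo seq numbers with no reply seen at this capture point."""
    requests, replies = echo_pairs(capture)
    return {flow: sorted(seqs - replies.get(flow, set())) for flow, seqs in requests.items()}

def replies_lost_between(outer_capture, inner_capture):
    """Seqs whose reply was decoded inside GRE on the outer interface but never
    showed up on the gre interface: dropped between decapsulation and delivery."""
    _, outer = echo_pairs(outer_capture)
    _, inner = echo_pairs(inner_capture)
    return {flow: sorted(seqs - inner.get(flow, set())) for flow, seqs in outer.items()}
```

Run it against real output of `tcpdump -n -i gre8 icmp` and `tcpdump -n -i rl0 proto gre` taken during the same ping run to split the loss into "never came back" versus "dropped on router1".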