From: "John Nielsen"
To: "Nick Rogness"
Delivered-To: freebsd-hackers@freebsd.org
Subject: Re: gif(4) tunnel through MSN DSL modem
Date: Tue, 11 Jun 2002 15:15:23 -0600
Message-ID: <019001c2118d$1a7ee560$0900a8c0@max>

----- Original Message -----
From: "Nick Rogness"
To: "John Nielsen"
Sent: Tuesday, June 11, 2002 2:06 PM
Subject: Re: gif(4) tunnel through MSN DSL modem

> On Tue, 11 Jun 2002, John Nielsen wrote:
>
> > I remotely administer a FreeBSD 4.5 machine that is connected to the
> > internet through an MSN DSL modem. This modem does NAT (for a single
> > client) rather than bridging the connection. So the FreeBSD machine
> > thinks its public address is 192.168.1.2 (when in reality the modem is
> > the only device with a public address). This machine is itself doing
> > NAT, acting as a firewall and gateway for a private network.
>
> Why run NAT on the internal machine? No need to do NAT twice. Just do
> basic routing between interfaces unless you need this functionality.

The DSL modem will only do NAT for one address--namely 192.168.1.2.
There are four machines that use this connection, hence NAT on the FreeBSD
box as well.

> > I would like to establish a gif(4) tunnel between this machine and my
> > firewall here in order to link the two private networks into one
> > virtual network. I have done this before with two machines that were
> > directly connected to the internet, but in this case the DSL modem on
> > the far end seems to be fouling things up. The modem seems to be
> > passing everything through, but I haven't gotten gif to work.
> >
> > Any ideas? Here's what I've tried--this is how I'd set it up if the
> > DSL modem weren't in the way.
>
> Are you receiving any packets on the remote BSD machine that are of
> type ipencap? Either log it via ipfw log or use a packet sniffer (like
> tcpdump or snort) to evaluate these packets.

No. That's certainly a problem. They don't appear to be getting in OR out
through the modem.

> > I've tried both the modem's (real) public address and 192.168.1.1 (the
> > public interface's address) for DSL.public.ip, but neither seems to
> > work. Can this be made to work? Can gif be hacked so it will work?
>
> You will need to use the DSL's public IP probably.
>
> > I can't justify switching to a more expensive provider just so this
> > tunnel will work, since it will mostly be a convenience for me and not
> > the client. As far as I know, there's no way to modify any settings on
> > the DSL modem itself. I do have full access to both FreeBSD machines.
> > Again, any suggestions or even a detailed description of why this
> > won't work would be appreciated.
>
> My best guess would be that the modem is doing some anti-spoofing
> between its interfaces to prevent packets coming from the inside
> having its outside IP. You will be able to tell if NO ipencap packets
> are received on the remote BSD machine.

Could you elaborate on this? Since that does seem to be the problem (or at
least a strong candidate), what would I have to do to work around this?
I don't suppose it's possible to create a gif tunnel inside an ssh tunnel,
is it?

> On the other hand, if you are receiving these ipencap packets on the
> remote side, something else is going on (like NAT interrupting).

No ipencap packets on either side so far...

JN
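Nick's diagnostic above is to look for packets of IP protocol 4 (ipencap, the IPv4-in-IPv4 encapsulation gif(4) emits) on the remote box; on the wire that is a capture such as `tcpdump -ni <interface> 'ip proto 4'`, which is not on the page but is the standard filter for it. The Python below is an added example, not code from the thread or from FreeBSD: it decodes raw IPv4 packets from a capture, keeps only the ipencap ones, validates the header checksum and decodes the inner header so you can see which private-LAN traffic the tunnel was carrying. The sample capture and all addresses other than 192.168.1.2 are constructed for the example.

```python
"""
Added example (not from the thread): find ipencap packets in a capture and
decode the inner IPv4 header they carry.  All packets here are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

IPPROTO_IPENCAP = 4   # IP-in-IP, listed as "ipencap" in /etc/protocols
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over an IPv4 header.
    Over a header whose checksum field is already correct the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class IPv4Header:
    src: str
    dst: str
    proto: int
    ihl: int           # header length in bytes
    total_length: int
    checksum_ok: bool


def parse_ipv4(pkt: bytes) -> Tuple[IPv4Header, bytes]:
    """Parse one IPv4 header and return it with the payload it carries."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    (total_length,) = struct.unpack("!H", pkt[2:4])
    if total_length < ihl or total_length > len(pkt):
        raise ValueError("bad total length")
    hdr = IPv4Header(
        src=".".join(str(b) for b in pkt[12:16]),
        dst=".".join(str(b) for b in pkt[16:20]),
        proto=pkt[9],
        ihl=ihl,
        total_length=total_length,
        checksum_ok=ip_checksum(pkt[:ihl]) == 0,
    )
    return hdr, pkt[ihl:total_length]


def find_ipencap(capture: List[bytes]) -> List[Tuple[IPv4Header, IPv4Header]]:
    """Return (outer, inner) header pairs for every ipencap packet seen.
    Protocol 4 carries no port numbers, so a NAT that keys its table on
    TCP/UDP ports has nothing to rewrite in these; that is why they are
    worth looking for explicitly rather than inferring from TCP sessions."""
    found = []
    for pkt in capture:
        outer, payload = parse_ipv4(pkt)
        if outer.proto != IPPROTO_IPENCAP:
            continue
        inner, _ = parse_ipv4(payload)
        found.append((outer, inner))
    return found


def _addr_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (no options) with a valid header checksum.
    Only used to construct the sample capture below."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, ttl, proto, 0, _addr_bytes(src), _addr_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


# Constructed sample capture as seen on the remote box's outside interface
# (192.168.1.2, behind the modem).  OUR_PUBLIC_IP and the inner 10.x
# addresses are placeholders, not values from the thread.
OUR_PUBLIC_IP = "198.51.100.20"   # RFC 5737 documentation address
SAMPLE_CAPTURE = [
    # ordinary TCP segment: the kind of traffic the modem's NAT does pass
    build_ipv4("192.168.1.2", OUR_PUBLIC_IP, IPPROTO_TCP, b"\x04\xd2\x00\x16" + b"\x00" * 16),
    # gif(4) tunnel packet: outer ipencap, inner UDP between the two private LANs
    build_ipv4("192.168.1.2", OUR_PUBLIC_IP, IPPROTO_IPENCAP,
               build_ipv4("10.1.0.9", "10.2.0.5", IPPROTO_UDP,
                          b"\x00\x35\x00\x35\x00\x0c\x00\x00ping")),
]

if __name__ == "__main__":
    for outer, inner in find_ipencap(SAMPLE_CAPTURE):
        print(f"ipencap {outer.src} -> {outer.dst} (checksum ok: {outer.checksum_ok}) "
              f"carrying {inner.src} -> {inner.dst} proto {inner.proto}")
```

Feed it the raw IPv4 frames from a real capture (with link-layer headers stripped) on both sides of the modem: ipencap packets on the inside interface but none arriving at the far end is the "no packets in OR out" case described above, while packets that arrive with a rewritten outer source but intact inner header point at the NAT rather than at anti-spoofing.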