From owner-freebsd-pf@FreeBSD.ORG Mon Jun 27 18:51:48 2011
From: Schmurfy
Date: Mon, 27 Jun 2011 20:51:28 +0200
To: Damien Fleuriot
Cc: freebsd-pf@freebsd.org
In-Reply-To: <4E0897F9.30204@my.gd>
Subject: Re: PF + route-to + gif weird behavior (bug ?)
On 27 June 2011 16:47, Damien Fleuriot wrote:
> On 6/27/11 12:50 PM, Schmurfy wrote:
> > Hi,
> > I just came across a problem with route-to and gif interfaces.
> > First, here is my rc.conf:
> >
> > # Router
> > ifconfig_em0="inet 10.11.12.212/24"
> > defaultrouter="10.11.12.253"
> > gateway_enable="YES"
> >
> > static_routes="gif_endpoint"
> > route_visp="10.11.20.1/32 10.11.12.213"
> >
>
> I'd like to point out you declare a gif_endpoint static route, but it
> doesn't exist.
> Similarly a route called route_visp exists but is not declared as a
> static route.
>

Sorry for that, in fact the real declaration was: static_routes="visp"
not sure how I ended up with the wrong line in my first version xD

> > pf_enable="YES"
> > pf_rules="/etc/pf.conf"
> > pflog_enable="YES"
> >
> > # IPIP tunnels
> > gif_interfaces="gif1001"
> >
> > ifconfig_em0_alias0="inet 10.11.20.2/32"
> > ifconfig_em0_alias1="inet 192.168.254.1/32"
> > gifconfig_gif1001="10.11.20.2 10.11.20.1"
> > ifconfig_gif1001="inet 1.2.3.1 1.2.3.2 netmask 255.255.255.252"
> >
> > What I wanted to do is to redirect incoming connections on the external
> > interface (em0) on a specific address to a gif tunnel, my problem is that
> > the packet is redirected so that part works but the packet exiting the em0
> > interfaces (the gif tunnel is also using em0) has a wrong ipip header: the
> > source address is the first address assigned to em0 instead of the alias
> > added for the gif tunnel.
>
> This looks like a case where you'd like to NAT then.
>
> Use PF to say you'll be NATing, so that you can force the correct IP ?
>
I am not sure I understand what you mean here, could you show me how you
would do this? You would NAT with the IPIP tunnel local address?

I did not say it in my first message but I tried the same ruleset on
OpenBSD 4.9 (with the syntax changes) and everything works as expected
there, the packets redirected into the gif tunnel (with route-to) exit on
the physical network with the correct IPIP header.
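The static_routes / route_visp mismatch Damien spotted is easy to miss by eye, so here is an added consistency check for that rc.conf convention (my own example, not code from the thread or from FreeBSD): every name in static_routes must have a route_<name> variable and vice versa. The sample rc.conf it writes is constructed from the values in the post, and the check_rc_routes and rc_value names are mine.

```shell
#!/bin/sh
# Check that FreeBSD rc.conf static route declarations are consistent:
# each name in static_routes="a b" needs a route_<name>=... variable, and
# each route_<name> variable should be listed in static_routes, otherwise
# /etc/rc.d/routing never installs the route (the mismatch in the post).

# Print the unquoted value of variable $2 in file $1 (last assignment wins).
rc_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"//; s/"$//'
}

# Print one line per problem found in rc.conf file $1; return 1 if any.
check_rc_routes() {
    file=$1
    status=0
    for name in $(rc_value "$file" static_routes); do
        name=${name%%:*}   # tolerate the "name:ifname" form, only the name matters
        if [ -z "$(rc_value "$file" "route_$name")" ]; then
            echo "static_routes lists '$name' but route_$name is not set"
            status=1
        fi
    done
    for var in $(sed -n 's/^[[:space:]]*\(route_[A-Za-z0-9_]*\)=.*/\1/p' "$file"); do
        name=${var#route_}
        case " $(rc_value "$file" static_routes) " in
            *" $name "*|*" $name:"*) ;;
            *) echo "$var is set but '$name' is not in static_routes"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample: the router section from the post, with static_routes
# set to $2 so the original (gif_endpoint) and corrected (visp) versions
# can both be checked.
write_sample_rc() {
    cat > "$1" <<EOF
# Router
ifconfig_em0="inet 10.11.12.212/24"
defaultrouter="10.11.12.253"
gateway_enable="YES"

static_routes="$2"
route_visp="10.11.20.1/32 10.11.12.213"
EOF
}
```

Run as `check_rc_routes /etc/rc.conf`; the original declaration reports two problems and the corrected static_routes="visp" reports none.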