From: Jerahmy Pocott
Date: Mon, 26 Nov 2007 02:37:00 +1100
To: Roger Olofsson
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Difficulties establishing VPN tunnel with IPNAT
In-Reply-To: <47498012.9000201@passagen.se>

On 26/11/2007, at 1:00 AM, Roger Olofsson wrote:

> Hello Jerahmy, (sorry for top-posting, btw).
>
> GRE is protocol 47. In your firewall rules you only allow/block
> protocols tcp/udp/icmp. If you want to use PPTP you will need to
> allow both the port and the protocol for it.
I put:

    pass out quick on fxp1 proto gre from any to any keep state

This allowed the PPTP connection to establish; however, trying to use apps over that connection resulted in:

    fxp1 (block all rule) b x.x.x.x -> 10.0.0.3 PR gre len 20 (53) (frag 57516:33@552) IN bad NAT

By placing the rule:

    pass in quick on fxp1 proto gre from any to any

and allowing frags, everything started working properly, but allowing all GRE traffic in doesn't seem like a good idea. Is there any way to make this work without putting static IP address rules or allowing all traffic?

> In your original question you mentioned having problems with CVS.
> From the looks of it, you redirect CVS to 10.0.0.2, meaning that
> all users on that machine can use CVS.

The redirect rule is supposed to redirect connections to CVS on the external interface to 10.0.0.2 on the internal LAN, where the CVS server is actually running.

Cheers,
J.
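As an added illustration, not part of the thread and not an answer the thread gives: the two GRE rules the message describes, followed by a tighter variant that only creates GRE state for the single PPTP client and only accepts inbound GRE addressed to that client. The interface and addresses (fxp1, 10.0.0.3) are taken from the message; the use of `keep frags` and the shape of the catch-all block rule are assumptions about the poster's setup. Narrowing the rules reduces what an arbitrary Internet host can push through the firewall, but whether it also clears the `bad NAT` fragment entry logged above is not something this thread establishes.

```conf
# ipf.rules fragment -- added example, not from the thread.
# fxp1 and 10.0.0.3 are the names used in the message; the rest is assumed.

# --- As described in the message: works, but lets any GRE packet in ---
pass out quick on fxp1 proto gre from any to any keep state
pass in  quick on fxp1 proto gre from any to any

# --- Tighter variant ---
# State is created only when the PPTP client (10.0.0.3) sends GRE out.
# Inbound GRE is accepted only if addressed to that client; ipf applies
# NAT before filtering on inbound packets, so the filter sees the
# post-NAT destination (the log line above shows '-> 10.0.0.3' for the
# same reason).
pass out quick on fxp1 proto gre from 10.0.0.3 to any keep state keep frags
pass in  quick on fxp1 proto gre from any to 10.0.0.3 keep frags
# 'keep frags' (assumed here) is ipf's facility for remembering a match on
# the first fragment so trailing fragments, which carry no GRE header,
# follow the same verdict instead of falling through to the block rule.

# Assumed catch-all; the message only says "(block all rule)".
block in log quick on fxp1 all
```

The point of the variant is the scoping: with `from any to any keep state` on the outbound rule, any internal host that emits GRE opens state, and with `pass in ... from any to any` any external host can deliver GRE to any internal address through the NAT box. Pinning both rules to 10.0.0.3 keeps the firewall's exposure to the one host that actually needs the tunnel, without hard-coding the remote PPTP server's address.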