From: Matthew Reimer <mreimer@vpop.net>
Organization: VPOP Technologies, Inc.
Date: Thu, 29 Oct 1998 19:35:37 -0800
To: freebsd-questions@FreeBSD.ORG
Subject: SKIP and NAT on tun0?
Message-ID: <36393409.CF5E0DAE@vpop.net>
X-Mailer: Mozilla 4.5 [en] (X11; I; FreeBSD 2.2.6-STABLE i386)

Has anyone been able to make SKIP and NAT work on the same interface?

My gateway machine has ed1 (192.168.1.2) and tun0. I want to run SKIP on tun0 on the gateway machine to protect traffic to certain hosts, and to run NAT on tun0 to give the hosts on ed1 connectivity.

When I start ppp, SKIP and natd on the gateway, but before I add the divert rule with ipfw, the gateway machine can get anywhere, but the other hosts on the local network can't get past the gateway (of course). When I add the divert rule, the other hosts on the local network can get anywhere, even to remote hosts that require SKIP, but the gateway itself can only get to hosts that don't require SKIP. It's forwarding just fine, even with SKIP, but perhaps somehow natd is improperly rewriting incoming SKIP packets destined for the gateway itself.
In other words, before adding the divert rule:

    gateway            local hosts
    -------            -----------
    +local             +local
    +remote-noskip     -remote-noskip (of course)
    +remote-skip       -remote-skip (of course)

After adding the divert rule:

    gateway            local hosts
    -------            -----------
    +local             +local
    +remote-noskip     +remote-noskip
    -remote-skip       +remote-skip

Tcpdump shows that the SKIP packets are going out, and being returned by the remote host, but being dropped by SKIP; skipstat's dropped packet count increases and skiplog complains about the remote host trying to connect with 'cleartext' instead of 'SKIP V2'.

I'm starting ppp and natd like this:

    ppp -auto provider
    natd -interface tun0 -dynamic -unregistered_only
    ipfw add divert natd ip from any to any via tun0
    ipfw add allow all from any to any

2.2.6-STABLE as of May or so.

Anybody have an answer (Archie?)? Thanks in advance.

Matt
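The following is an added diagnostic script, not part of Matt's post and not a confirmed fix. It tests the hypothesis stated above (that natd is rewriting SKIP packets addressed to the gateway itself) by placing an ipfw rule that passes IP protocol 57 (the protocol number IANA assigns to SKIP) on tun0 ahead of the divert rule, so those packets never reach natd. The rule numbers, the use of a shell function to emit the ruleset, and the choice to exempt protocol 57 in both directions are assumptions made here; the original post has only the two unnumbered rules.

```shell
#!/bin/sh
# Added example: emit an ipfw ruleset for the gateway described in the post.
# Nothing here is the poster's own configuration beyond the divert and
# allow rules he quoted; the protocol-57 exemption is the hypothesis under
# test, not a verified fix.
#
# Rule order is the whole point: ipfw evaluates rules by number, so the
# SKIP exemption (100) must come before the divert to natd (200).

# Hypothetical interface names, taken from the post.
EXT_IF="tun0"     # PPP link; natd and SKIP both live here

gateway_ruleset() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow 57 from any to any via ${EXT_IF}
ipfw add 200 divert natd ip from any to any via ${EXT_IF}
ipfw add 300 allow ip from any to any
EOF
}

# Return the rule number of the first rule whose text contains \$1.
rule_number_of() {
    gateway_ruleset | awk -v pat="$1" 'index($0, pat) { print $3; exit }'
}

# Sanity check that the exemption precedes the divert; returns 0 if so.
ordering_ok() {
    skip=$(rule_number_of "allow 57")
    nat=$(rule_number_of "divert natd")
    [ -n "$skip" ] && [ -n "$nat" ] && [ "$skip" -lt "$nat" ]
}

# On the gateway, apply with:  gateway_ruleset | sh
# Then retry a SKIP-protected host from the gateway and watch skipstat.
```

Caveat a practitioner would want: because rule 100 matches protocol 57 in both directions, it also exempts SKIP traffic from the 192.168.1.0 hosts, so if those hosts were relying on natd to get their SKIP packets out, this experiment may break the case that currently works. That is acceptable for a diagnostic (the question is only whether the gateway's own SKIP sessions recover), but it is not a production ruleset.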