From: "Giovanni P. Tirloni" <gpt@tirloni.org>
Date: Thu, 14 Jul 2005 17:56:04 -0300
To: Alex Povolotsky
Cc: freebsd-net@freebsd.org
Subject: Re: GRE and PF problem
Message-ID: <42D6D164.30000@tirloni.org>
In-Reply-To: <42D6ACAD.3030708@webmail.sub.ru>
List-Id: Networking and TCP/IP with FreeBSD

Alex Povolotsky wrote:
>> When a packet comes from 1.2.3.4 to your external interface you can't
>> determine if it's destined to 192.168.0.1 or 192.168.0.2 if both
>> initiated a GRE tunnel to 1.2.3.4. That's because GRE doesn't have
>> ports like UDP or TCP to make (de)multiplexing possible, AFAIK.
>>
>> http://www.networksorcery.com/enp/protocol/gre.htm
>>
> Cool. I did not know that ICMP doesn't work through nat. It always
> worked for me. Moreover, as far as I remember, GRE worked with
> IPFW/NATD, and SOMETIMES it works with pf.

I don't know how PF keeps track of ICMP packets but there must be a way
for it to distinguish between a packet destined to 192.168.0.1 or 0.2.
We all know ICMP works behind NAT. You don't need to play like that
here.

Looking at the GRE header I simply can't find a way to keep track of it
and my experiences with some xDSL/cable routers permit me to say that I
haven't found anyone that would let me establish more than one PPTP
connection behind NAT. But then I'm no networking/pf/kernel guru to
keep talking about this.

-- 
Giovanni P. Tirloni / gpt@tirloni.org / PGP: 0xD0315C26
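The demultiplexing point made in this message can be shown with a small model of a NAT's reply-direction table. The following Python is an added example, not code from the thread or from pf; it parses the transport header that follows the IP header and asks which field, if any, lets a NAT tell two inner hosts apart when both talk to the same peer. TCP/UDP have ports, ICMP echo has an identifier field, and a GRE header carrying the RFC 2890 key option has a 32-bit key, but the base GRE header (RFC 2784) has no per-flow field at all. The `NatTable` class, the `flow_id` helper and the sample packets are constructed for the example; the model assumes the NAT leaves inner port/identifier values unchanged, which is enough to show where a distinguishing field exists (a real NAT may additionally rewrite such a field when two inner hosts pick the same value, but it cannot rewrite a field that is not there). How pf actually tracks ICMP or GRE state is not described on the page and is not modelled here.

```python
"""Model of why a NAT can demultiplex TCP/UDP/ICMP echo replies but not plain GRE."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 1, 6, 17, 47
# GRE flag bits in the first 16-bit word (RFC 2784 checksum bit, RFC 2890 key/sequence bits)
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


@dataclass(frozen=True)
class Packet:
    src: str      # IP source address
    dst: str      # IP destination address
    proto: int    # IP protocol number
    l4: bytes     # bytes of the transport header that follows the IP header


def parse_gre(hdr: bytes) -> Dict[str, int]:
    """Parse a GRE header: fixed 4 bytes plus optional checksum, key and sequence fields."""
    flags, ptype = struct.unpack("!HH", hdr[:4])
    fields = {"flags": flags, "protocol_type": ptype}
    off = 4
    if flags & GRE_FLAG_C:
        fields["checksum"] = struct.unpack("!H", hdr[off:off + 2])[0]
        off += 4  # 16-bit checksum followed by 16 reserved bits
    if flags & GRE_FLAG_K:
        fields["key"] = struct.unpack("!I", hdr[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        fields["sequence"] = struct.unpack("!I", hdr[off:off + 4])[0]
        off += 4
    fields["header_len"] = off
    return fields


def flow_id(pkt: Packet) -> Optional[Tuple[str, int]]:
    """Return (field name, value) of the per-flow field a NAT could key on, or None if there is none."""
    if pkt.proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport = struct.unpack("!H", pkt.l4[:2])[0]
        return ("source_port", sport)
    if pkt.proto == IPPROTO_ICMP:
        icmp_type, _code, _csum, ident, _seq = struct.unpack("!BBHHH", pkt.l4[:8])
        if icmp_type in (0, 8):  # echo reply / echo request carry an identifier
            return ("icmp_id", ident)
        return None
    if pkt.proto == IPPROTO_GRE:
        gre = parse_gre(pkt.l4)
        if "key" in gre:
            return ("gre_key", gre["key"])
        return None  # base GRE header: two tunnels to the same peer look identical
    return None


class NatTable:
    """Hypothetical reply-direction table: (peer, proto, flow field) -> inner host."""

    def __init__(self) -> None:
        self.entries: Dict[tuple, str] = {}

    def add_outbound(self, pkt: Packet) -> bool:
        """Record an outbound packet; False means a reply could not be mapped to one inner host."""
        key = (pkt.dst, pkt.proto, flow_id(pkt))
        if key in self.entries and self.entries[key] != pkt.src:
            return False
        self.entries[key] = pkt.src
        return True


# Constructed sample headers (not captured traffic).
def tcp_hdr(sport: int, dport: int) -> bytes:
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


def icmp_echo(ident: int, seq: int) -> bytes:
    return struct.pack("!BBHHH", 8, 0, 0, ident, seq)


def gre_hdr(key: Optional[int] = None, ptype: int = 0x0800) -> bytes:
    if key is None:
        return struct.pack("!HH", 0, ptype)
    return struct.pack("!HHI", GRE_FLAG_K, ptype, key)


def demo() -> Dict[str, list]:
    """Two inner hosts each open one flow to the same peer; report whether replies stay separable."""
    peer, a, b = "1.2.3.4", "192.168.0.1", "192.168.0.2"
    results = {}
    for name, pa, pb in [
        ("tcp", tcp_hdr(40001, 80), tcp_hdr(40002, 80)),
        ("icmp", icmp_echo(0x1001, 1), icmp_echo(0x1002, 1)),
        ("gre", gre_hdr(), gre_hdr()),
        ("gre_keyed", gre_hdr(key=1), gre_hdr(key=2)),
    ]:
        proto = {"tcp": IPPROTO_TCP, "icmp": IPPROTO_ICMP}.get(name, IPPROTO_GRE)
        table = NatTable()
        results[name] = [table.add_outbound(Packet(a, peer, proto, pa)),
                         table.add_outbound(Packet(b, peer, proto, pb))]
    return results


if __name__ == "__main__":
    for proto_name, ok in demo().items():
        print(f"{proto_name:10s} second inner host separable: {ok[1]}")
```

Only the unkeyed GRE case reports `False`: the second tunnel to 1.2.3.4 produces exactly the same reply-direction key as the first, which is the ambiguity the message describes. The ICMP row shows why echo traffic does not have this problem: the identifier field gives the translator something to key on.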