Date: Tue, 3 Feb 2009 12:17:36 -0000
From: "torsten Kersandt" <torsten@cnc-london.net>
To: <freebsd-pf@FreeBSD.org>
Subject: RE: GRE not natted on FreeBSD 7.1-p2
Message-ID: <004101c985f9$66fcbc40$34f634c0$@net>
In-Reply-To: <49882A91.3050307@sebster.com>
References: <49882A91.3050307@sebster.com>
Hi Sebastiaan

I use the following

# VPN GRE PROTOCOL
pass in proto gre all keep state
pass out proto gre all keep state

That works fine for me.

I have read somewhere that the pass quick is not what you want, but I could be wrong.

Regards
Torsten

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Sebastiaan van Erk
Sent: 03 February 2009 11:29
To: freebsd-pf@FreeBSD.org
Subject: GRE not natted on FreeBSD 7.1-p2

Hi,

I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD 7.1-p2. However, now my firewall will suddenly no longer NAT GRE, so none of the client connections to remote (PPTP) VPNs are working.

When trying to connect from the client (10.1.0.6) to the internet, everything works fine (tcp/udp are natted), but when trying to set up a VPN my firewall log says:

3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]

(vr0 is my external interface, which is connected to the ADSL modem)

The rule that is blocking is:

@6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any

(192.168.1.2 is my "external" address).

This rule is supposed to block any internal stuff going out that is not NATted properly. It is correct to block my client (10.1.0.6), since it should have had its address translated.

My nat rule is simple (and DOES NAT tcp/udp):

nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if

The entire config is attached.

Am I doing something stupid? Does anybody know what I'm doing wrong?

Thanks in advance,
Sebastiaan
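Added example (not part of either e-mail, and not code from the pf project): a small Python helper that tallies, from pflog lines in the format quoted above, which source addresses and protocols reach the external interface untranslated and are dropped by the guard rule. It assumes `tcpdump -n -e -i pflog0` style output; the function names and every sample line except the first are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed input: `tcpdump -n -e -i pflog0` lines (numeric addresses and ports).
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) "
    r"on (?P<ifname>\S+): (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<rest>.*)")

# First entry is the log line quoted in the message; the others are constructed.
SAMPLE = [
    "3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]",
    "000012 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 11, length 40",
    "000031 rule 2/0(match): pass out on vr0: 192.168.1.2.51234 > 193.46.80.81.1723: Flags [S], seq 1, length 0",
    "000044 rule 6/0(match): block out on vr0: 10.2.0.9.5353 > 224.0.0.251.5353: UDP, length 45",
    "000050 rule 3/0(match): block in on vr0: 198.51.100.7.4444 > 192.168.1.2.22: Flags [S], seq 7, length 0",
]

def split_host(token):
    """Split tcpdump's a.b.c.d.port form into (address, port or None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(token), None

def classify(rest, sport):
    """Name the protocol from the start of tcpdump's packet summary."""
    word = re.match(r"[A-Za-z]+", rest)
    name = word.group(0).upper() if word else ""
    for proto in ("GRE", "ESP", "ICMP", "UDP"):
        if name.startswith(proto):
            return proto.lower()
    return "tcp" if sport is not None else "other"

def untranslated_blocks(lines, ext_if, ext_addr):
    """Count packets blocked outbound on ext_if whose source is not ext_addr."""
    ext_addr = ipaddress.ip_address(ext_addr)
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or (m["action"], m["dir"], m["ifname"]) != ("block", "out", ext_if):
            continue
        try:
            src, sport = split_host(m["src"])
        except ValueError:
            continue  # not an IPv4 address[.port] token
        if src != ext_addr:
            hits[(str(src), classify(m["rest"], sport), int(m["rule"]))] += 1
    return hits
```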