From: "torsten Kersandt" <torsten@cnc-london.net>
To: freebsd-pf@FreeBSD.org
Date: Tue, 3 Feb 2009 12:17:36 -0000
Subject: RE: GRE not natted on FreeBSD 7.1-p2
Message-ID: <004101c985f9$66fcbc40$34f634c0$@net>
In-Reply-To: <49882A91.3050307@sebster.com>

Hi Sebastiaan

I use the following

    # VPN GRE PROTOCOL
    pass in proto gre all keep state
    pass out proto gre all keep state

That works fine for me. I have read somewhere that the pass quick is not what you want, but I could be wrong.

Regards
Torsten

-----Original Message-----
From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Sebastiaan van Erk
Sent: 03 February 2009 11:29
To: freebsd-pf@FreeBSD.org
Subject: GRE not natted on FreeBSD 7.1-p2

Hi,

I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD 7.1-p2. However, now my firewall will suddenly no longer NAT GRE, so none of the client connections to remote (PPTP) VPNs are working.

When trying to connect from the client (10.1.0.6) to the internet, everything works fine (tcp/udp are natted), but when trying to set up a VPN my firewall log says:

    3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]

(vr0 is my external interface, which is connected to the ADSL modem)

The rule that is blocking is:

    @6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any

(192.168.1.2 is my "external" address). This rule is supposed to block any internal stuff going out that is not NATted properly. It is correct to block my client (10.1.0.6), since it should have had its address translated.

My nat rule is simple (and DOES NAT tcp/udp):

    nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if

The entire config is attached.

Am I doing something stupid? Does anybody know what I'm doing wrong?

Thanks in advance,
Sebastiaan
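The two messages above each show one piece of a PPTP-through-NAT ruleset: Torsten's stateful GRE pass rules and Sebastiaan's nat rule plus the logged "leak catcher" block on the external interface. The fragment below puts those pieces together in the evaluation order pf uses on FreeBSD 7.x (translation section before filter section), so it is clear which rule a GRE packet from 10.1.0.6 should hit at each stage. It is an added example, not Sebastiaan's attached pf.conf and not Torsten's full configuration, and it does not claim to explain why his upgraded box stopped translating GRE; the interface names, the network macros and the 192.168.1.2 external address are assumptions carried over from the thread for illustration.

```pf
# Added example ruleset (not from either poster's pf.conf). Interface names,
# networks and the external address are assumptions taken from the thread.
ext_if   = "vr0"
int_if   = "vr1"
int_net  = "10.1.0.0/24"
wifi_net = "10.2.0.0/24"
ext_addr = "192.168.1.2"

set skip on lo0
scrub in all

# Translation section. pf applies nat rules before the filter rules, so a
# GRE packet from 10.1.0.6 leaving $ext_if is rewritten to $ext_addr before
# any block/pass rule below sees it. GRE has no ports; only the source
# address changes.
nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_addr

# Filter section. Default deny, logged, so anything unexpected shows up on
# pflog0.
block log all

# NAT-miss catcher: a packet leaving $ext_if that still carries an internal
# source address was not translated. Logging it is what produced the
# "block out on vr0: 10.1.0.6 > ..." line quoted in the thread.
block drop out log quick on $ext_if inet from ! $ext_addr to any

# PPTP control channel (TCP/1723) from internal hosts to remote VPN servers.
pass in  on $int_if proto tcp from $int_net  to any port 1723 keep state
pass out on $ext_if proto tcp from $ext_addr to any port 1723 keep state

# GRE carries the PPP tunnel. "keep state" lets the reply direction match
# the same state entry, the shape Torsten reports working for him.
pass in  on $int_if proto gre from $int_net  to any keep state
pass out on $ext_if proto gre from $ext_addr to any keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and after loading use `pfctl -vsr` to list filter rules with their numbers so a pflog entry such as `rule 6/0(match)` can be mapped back to the rule that produced it; `tcpdump -n -e -ttt -i pflog0` shows the logged packets with the post-translation addresses, which is the quickest way to see whether the nat rule fired before the block rule.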