From owner-freebsd-questions@FreeBSD.ORG Sun Nov 25 17:46:01 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2CFFA16A420 for ; Sun, 25 Nov 2007 17:46:01 +0000 (UTC) (envelope-from raggen@passagen.se)
Received: from av9-1-sn2.hy.skanova.net (av9-1-sn2.hy.skanova.net [81.228.8.179]) by mx1.freebsd.org (Postfix) with ESMTP id B382413C469 for ; Sun, 25 Nov 2007 17:46:00 +0000 (UTC) (envelope-from raggen@passagen.se)
Received: by av9-1-sn2.hy.skanova.net (Postfix, from userid 502) id 269CB38AE5; Sun, 25 Nov 2007 18:45:59 +0100 (CET)
Received: from smtp4-2-sn2.hy.skanova.net (smtp4-2-sn2.hy.skanova.net [81.228.8.93]) by av9-1-sn2.hy.skanova.net (Postfix) with ESMTP id CAB3338A69; Sun, 25 Nov 2007 18:45:58 +0100 (CET)
Received: from [192.168.1.31] (90-230-142-213-no41.tbcn.telia.com [90.230.142.213]) by smtp4-2-sn2.hy.skanova.net (Postfix) with ESMTP id 82CEA37E45; Sun, 25 Nov 2007 18:45:58 +0100 (CET)
Message-ID: <4749B54C.8000703@passagen.se>
Date: Sun, 25 Nov 2007 18:47:56 +0100
From: Roger Olofsson
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: Jerahmy Pocott
References: <7BB1A732-4F07-499E-A183-22776FEEEE90@optusnet.com.au> <47482C2C.6010700@passagen.se> <894E3C92-2C45-4FC2-8C56-D4B303F0349F@optusnet.com.au> <4748A115.1010002@passagen.se> <57A2907C-0660-458C-B254-3C893B4532CB@optusnet.com.au> <47498012.9000201@passagen.se>
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Questions
Subject: Re: Difficulties establishing VPN tunnel with IPNAT
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 25 Nov 2007 17:46:01 -0000

Jerahmy Pocott wrote:
>
> On 26/11/2007, at 1:00 AM, Roger Olofsson wrote:
>
>> Hello Jerahmy, (sorry for top-posting, btw).
>>
>> GRE is protocol 47. In your firewall rules you only allow/block
>> protocols tcp/udp/icmp. If you want to use PPTP you will need to allow
>> both the port and the protocol for it.
>
> I put:
>
> pass out quick on fxp1 proto gre from any to any keep state
>
> This allowed the PPTP connection to establish, however trying to use apps
> over that connection resulted in:
>
> fxp1 (block all rule) b x.x.x.x -> 10.0.0.3 PR gre len 20 (53) (frag 57516:33@552) IN bad NAT
>
> By placing the rule:
>
> pass in quick on fxp1 proto gre from any to any
>
> and allowing frags everything started working properly, but allowing all
> gre traffic in doesn't seem like a good idea.. Is there any way to make
> this work without putting static ip address rules or allowing all traffic?
>
>
>> In your original question you mentioned having problems with CVS. From
>> the looks of it, you redirect CVS to 10.0.0.2, meaning that all users
>> on that machine can use CVS.
>
> The redirect rule is supposed to redirect connections to CVS on the
> external interface to 10.0.0.2 on the internal lan, where the CVS server
> is actually running.
>
> Cheers,
> J.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>
>

Hello Jerahmy,

Some progress it seems?

Why not set it to allow gre from the VPN server only? I.e. pass in quick on fxp1 proto gre from to any?

The way you ask your question, 'make it work without static ip or allowing all traffic', isn't that contradictory?

As for the frag part, I'd say that if gre needs frag, then you will have to enable it.

About the CVS, I seem to have misunderstood your question. I assumed 10.0.0.2 wanted to receive CVS inbound and not serve it outbound, or am I mistaken again?

/Roger
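The rule set below is an added, worked example of what Roger suggests (GRE allowed only to and from the VPN peer, fragments accepted for that peer, the CVS redirect kept); it is not Jerahmy's or Roger's configuration and nothing in the thread confirms it. Assumed: fxp1 is the external interface, the LAN is 10.0.0.0/24, the PPTP client is 10.0.0.3, the VPN server's public address (the placeholder in Roger's "from to any") is 203.0.113.10, and the CVS server on 10.0.0.2 is a pserver on TCP 2401. Only ipf(5)/ipnat(5) keywords from the IPFilter shipped with FreeBSD of that era are used.

```conf
# ---------- /etc/ipf.rules (added example; addresses are assumptions) ----------
# Before: the rules from the thread. The inbound one admits GRE from anyone.
#   pass out quick on fxp1 proto gre from any to any keep state
#   pass in  quick on fxp1 proto gre from any to any

# After: pin the tunnel to the single VPN peer.
# PPTP control channel is TCP/1723; only the outbound SYN needs a rule,
# the state entry lets the server's replies back in.
pass out quick on fxp1 proto tcp from any to 203.0.113.10 port = 1723 flags S keep state

# GRE (IP protocol 47) carries the PPP payload and has no ports, so the
# only thing left to match on is the peer address. 'keep frags' admits the
# non-first fragments that the "(frag 57516:33@552)" log line shows being
# dropped; without it a fragment has no header for the rule to match.
pass out quick on fxp1 proto gre from any to 203.0.113.10 keep state keep frags
pass in  quick on fxp1 proto gre from 203.0.113.10 to any keep frags

# CVS pserver reachable from outside. Inbound packets are NAT'd (rdr) before
# they are filtered, so the filter rule matches the *internal* address.
# Narrow 'from any' to the addresses that actually need CVS access if you can.
pass in quick on fxp1 proto tcp from any to 10.0.0.2 port = 2401 flags S keep state

# Catch-all for the external interface: log and drop everything else.
block in log quick on fxp1 all

# ---------- /etc/ipnat.rules (added example) ----------
# Two map lines: the first handles TCP/UDP with port rewriting, the second
# covers protocols without ports (GRE included) so they are not left untranslated.
map fxp1 10.0.0.0/24 -> 0/32 portmap tcp/udp auto
map fxp1 10.0.0.0/24 -> 0/32
# Hand connections arriving on the external interface for CVS to the LAN server.
rdr fxp1 0/0 port 2401 -> 10.0.0.2 port 2401 tcp
```

After loading (ipf -Fa -f /etc/ipf.rules; ipnat -CF -f /etc/ipnat.rules), ipfstat -io shows the installed rules and ipnat -l the active translations; a GRE packet from any address other than 203.0.113.10 should now appear in the ipmon log as hitting the final block rule rather than being passed. Note that with only one PPTP client behind a plain map rule this works, but GRE has no port to rewrite, so two LAN clients talking to the same VPN server cannot be distinguished by this NAT alone.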