Date: Tue, 03 Feb 2009 14:29:22 +0100
From: Sebastiaan van Erk <sebster@sebster.com>
To: freebsd-pf@FreeBSD.org
Subject: Re: GRE not natted on FreeBSD 7.1-p2
Message-ID: <498846B2.1080306@sebster.com>
In-Reply-To: <49882A91.3050307@sebster.com>
References: <49882A91.3050307@sebster.com>
Hi,
I changed the GRE rule to:
pass out quick proto gre
and it was still giving me the same errors after flushing the firewall:
pfctl -f /etc/pf.conf
Log:
3. 003875 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81:
GREv1, call 55191, seq 7, proto PPP (0x880b), length 36: [|ppp]
But a few minutes later I started up the VPN (without having changed
anything in the firewall), and now it suddenly did work.
I don't know where the delay comes from; I've never seen that before...
Regards,
Sebastiaan
Sebastiaan van Erk wrote:
> Hi,
>
> I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD
> 7.1-p2.
>
> However, now my firewall will suddenly no longer NAT GRE, so none of the
> client connections to remote (PPTP) VPNs are working.
>
> When trying to connect from the client (10.1.0.6) to internet,
> everything works fine (tcp/udp are natted), but when trying to set up a
> VPN my firewall log says:
>
> 3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81:
> GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]
>
> (vr0 is my external interface, which is connected to the ADSL modem)
>
> The rule that is blocking is:
> @6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any
>
> (192.168.1.2 is my "external" address). This rule is supposed to block
> any internal stuff going out that is not NATted properly. It is correct
> to block my client (10.1.0.6), since it should have had its address
> translated.
>
> My nat rule is simple (and DOES NAT tcp/udp):
>
> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>
> The entire config is attached. Am I doing something stupid? Does anybody
> know what I'm doing wrong?
>
> Thanks in advance,
> Sebastiaan
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?498846B2.1080306>
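For readers reconstructing the setup, the following is an added pf.conf sketch, not the configuration the poster attached (the archive does not carry it). It shows how the three rules discussed in the thread fit together on a FreeBSD 7.x pf box: the nat rule, the "leak guard" block rule that logged the untranslated GRE packet, and the pass rule for GRE. The interface name, external address and client address are taken from the message; the network macros and the wifi range are assumptions.

```pf
# Added example, not the poster's attached pf.conf.
# Assumed from the thread: vr0 is the external interface holding 192.168.1.2,
# the PPTP client 10.1.0.6 sits in $int_net. $wifi_net is a placeholder.
ext_if   = "vr0"
int_net  = "10.1.0.0/24"
wifi_net = "10.2.0.0/24"

# pf applies translation before filtering on the outbound path, so the
# filter rules below see the already-rewritten source address. In the
# pf.conf grammar nat rules must precede filter rules.
nat on $ext_if from { $int_net, $wifi_net } to any -> ($ext_if)

# Leak guard: anything leaving vr0 that still carries an internal source
# address was not translated and must not reach the modem. Logged so the
# failure shows up on pflog0, as it did in the thread.
block drop out log quick on $ext_if inet from ! ($ext_if) to any

# PPTP needs both the TCP control channel (port 1723) and the GRE data
# channel. GRE has no ports, so pf keys the state on addresses and
# protocol only; "keep state" lets the server's GRE replies back in.
pass out quick on $ext_if proto tcp from ($ext_if) to any port 1723 keep state
pass out quick on $ext_if proto gre from ($ext_if) to any keep state
```

To check that translation is actually happening, `pfctl -vsr` prints the loaded filter rules with the same `@N` numbers that appear in the pflog output, `pfctl -s nat` shows the active translation rules, and `pfctl -s state` should list a gre entry whose source is the external address with the internal client address shown in parentheses once a call is up. Two caveats worth knowing: `pfctl -f /etc/pf.conf` reloads the rules but does not flush existing states, so stale entries survive a reload until `pfctl -F states` is run; and because pf has no PPTP helper and GRE carries no port to rewrite, only one internal client can hold a PPTP session to a given remote server through a single external address at a time.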
