From owner-freebsd-pf@FreeBSD.ORG  Wed Feb  4 18:56:16 2009
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 222D11065675
	for <freebsd-pf@freebsd.org>; Wed,  4 Feb 2009 18:56:16 +0000 (UTC)
	(envelope-from Greg.Hennessy@nviz.net)
Received: from honeysuckle.london.02.net (honeysuckle.london.02.net
	[87.194.255.144])
	by mx1.freebsd.org (Postfix) with ESMTP id DBED28FC1B
	for <freebsd-pf@freebsd.org>; Wed,  4 Feb 2009 18:56:15 +0000 (UTC)
	(envelope-from Greg.Hennessy@nviz.net)
Received: from gw2.local (78.86.177.183) by honeysuckle.london.02.net
	(8.5.016.1) id 497A2AF00019CE28 for freebsd-pf@freebsd.org;
	Wed, 4 Feb 2009 18:44:50 +0000
Message-ID: <4989E220.2070606@nviz.net>
Date: Wed, 04 Feb 2009 18:44:48 +0000
From: Greg Hennessy <Greg.Hennessy@nviz.net>
User-Agent: Thunderbird 3.0a1 (Windows/2008050715)
MIME-Version: 1.0
To: Sebastiaan van Erk <sebster@sebster.com>
References: <49882A91.3050307@sebster.com>
In-Reply-To: <49882A91.3050307@sebster.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-pf@freebsd.org
Subject: Re: GRE not natted on FreeBSD 7.1-p2
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Feb 2009 18:56:16 -0000

Sebastiaan van Erk wrote:
>
>
> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>
This is the nub of the problem, 'hide' NAT breaks GRE.

To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE 
call id header to track each session in a manner analagous to rewriting 
the source port of a 'hide' natted tcp/udp session.

The last time I looked, Daniel, Henning et al have not added that 
facility to PF as of yet.

You can statically translate the flow instead which should sort the 
problem.



Greg