Date:      Mon, 02 Feb 2004 10:07:02 -0800
From:      Sean Hafeez <sahafeez@edgefocus.com>
To:        freebsd-questions@freebsd.org, freebsd-ipfw@freebsd.org, Karan Gupta <kgupta@edgefocus.com>, "Eric (E-mail)" <echan@edgefocus.com>
Subject:   Strange GRE packet flows...
Message-ID:  <401E91C6.8040800@edgefocus.com>

I have a 4.9 box (router1) running IPFW:

/sbin/natd -interface rl0 -s
ipfw add 999 divert natd all from any to any via rl0
ipfw add pipe 1 ip from any to any in recv vr0
ipfw add pipe 2 ip from any to any out xmit vr0
ipfw pipe 1 config mask src-ip 0xffffffff bw 512kbits/s
ipfw pipe 2 config mask dst-ip 0xffffffff bw 512kbits/s

And on this box I have some GRE tunnels:

ifconfig gre8 create
ifconfig gre8 tunnel x.x.x.x y.y.y.y
ifconfig gre8 inet 172.20.1.13 172.20.1.14 netmask 255.255.255.252
ifconfig gre8 up
route add -net 10.0.100.0 -netmask 255.255.255.0 172.20.1.14

The tunnels terminate on a Cisco 1720 or a box running FreeBSD 4.8 or 
4.9. (Same config as above reversed). The Cisco or the BSD box are 
running NAT on their side.

If I ping a box behind the remote side from my desktop which is behind 
the router1 box I drop 3 out of 5 packets. Now for the strange part - If 
I get a ping going to that same node from the router1 box and then ping 
from my desktop I drop no packets. If I kill the ping on the router1 box 
the pings from the desktop start dropping packets. This also works if I 
ping the external interface on the remote router.

BTW, I have just changed the router1 box from Gentoo Linux using the 
IPROUTE package for the tunnels to FreeBSD 4.9. It worked just fine with 
the router1 running Linux. I would hate to have to change back as I hate 
Linux and think IPTABLES was written as a replacement for pulling 
fingernails out with pliers.

Thoughts?

Thanks!
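As an added illustration, not part of the original message, here is a small Python simulation of the order in which the three ipfw rules quoted above see each pass of one forwarded, tunnelled ping. It assumes that the tunnel's outer source address x.x.x.x sits on rl0, that the two unnumbered pipe rules were given numbers after 999 (the numbers used below are placeholders), and that net.inet.ip.fw.one_pass is at its default of 1; the packet passes themselves are constructed. It does not diagnose the packet loss; it only makes visible which rules the GRE-encapsulated outer packets hit, including that the `divert natd ... via rl0` rule, written with `all`, matches the GRE (IP protocol 47) traffic as well as the TCP/UDP traffic natd is normally meant for.

```python
"""Walk constructed packet passes through the three ipfw rules from the post.

A forwarded packet goes through ipfw once per interface it crosses, and a
packet entering a gre(4) tunnel goes through again as the GRE-encapsulated
outer packet. The rule numbers of the two pipe rules are assumed (the post
adds them unnumbered); the interface names rl0, vr0 and gre8 are the post's.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    number: int
    action: str
    proto: str                 # "all" / "ip" match every IP protocol
    direction: Optional[str]   # "in", "out" or None (either)
    via: Optional[str]         # "via X": X is the receive or the transmit interface
    recv: Optional[str]        # "recv X": receive interface must be X
    xmit: Optional[str]        # "xmit X": transmit interface must be X


@dataclass
class Pass:
    """One trip through ipfw: protocol, direction and the interfaces involved."""
    label: str
    proto: str
    direction: str
    recv: Optional[str]
    xmit: Optional[str]


# The ruleset from the post, in the order ipfw evaluates it.
RULES = [
    Rule(999, "divert natd", "all", None, "rl0", None, None),
    Rule(1000, "pipe 1", "ip", "in", None, "vr0", None),   # number assumed
    Rule(1100, "pipe 2", "ip", "out", None, None, "vr0"),  # number assumed
]

# Constructed passes for one echo request from the desktop (behind vr0) to a
# host behind the gre8 tunnel, whose outer packet leaves through rl0
# (assumption: the tunnel source x.x.x.x is rl0's address), and for the reply.
# The outer packet is generated locally, so it has no receive interface.
DESKTOP_PING_PASSES = [
    Pass("1 inner ICMP, desktop -> router1",         "icmp", "in",  "vr0",  None),
    Pass("2 inner ICMP, router1 -> gre8",            "icmp", "out", "vr0",  "gre8"),
    Pass("3 outer GRE, router1 -> remote via rl0",   "gre",  "out", None,   "rl0"),
    Pass("4 outer GRE, remote -> router1 via rl0",   "gre",  "in",  "rl0",  None),
    Pass("5 inner ICMP, decapsulated on gre8",       "icmp", "in",  "gre8", None),
    Pass("6 inner ICMP, router1 -> desktop",         "icmp", "out", "gre8", "vr0"),
]


def matches(rule: Rule, p: Pass) -> bool:
    """Apply ipfw's protocol, direction and interface qualifiers."""
    if rule.proto not in ("all", "ip") and rule.proto != p.proto:
        return False
    if rule.direction is not None and rule.direction != p.direction:
        return False
    if rule.via is not None and rule.via not in (p.recv, p.xmit):
        return False
    if rule.recv is not None and rule.recv != p.recv:
        return False
    if rule.xmit is not None and rule.xmit != p.xmit:
        return False
    return True


def trace(p: Pass) -> List[str]:
    """Actions taken on one pass, in order.

    A divert hands the packet to natd, which reinjects it at the next rule, so
    the search continues; a pipe ends the search (net.inet.ip.fw.one_pass=1,
    the default). A pass that matches no terminal rule ends at rule 65535.
    """
    hits: List[str] = []
    for r in RULES:
        if not matches(r, p):
            continue
        hits.append(r.action)
        if not r.action.startswith("divert"):
            return hits
    hits.append("default rule 65535")
    return hits


def report(passes: List[Pass]) -> List[str]:
    """Human-readable trace, one line per pass."""
    return ["%s: %s" % (p.label, " -> ".join(trace(p))) for p in passes]


def gre_reaches_natd(passes: List[Pass]) -> bool:
    """True if any GRE (IP protocol 47) pass is diverted to natd."""
    return any(p.proto == "gre" and "divert natd" in trace(p) for p in passes)


if __name__ == "__main__":
    for line in report(DESKTOP_PING_PASSES):
        print(line)
    print("GRE outer packets diverted to natd:", gre_reaches_natd(DESKTOP_PING_PASSES))
```

On a real box the same question is answered by the per-rule counters of `ipfw show` while a ping is running: if the divert rule's packet count climbs in step with the GRE tunnel traffic, the outer packets are indeed passing through natd, which is the first thing to confirm before looking at the dummynet pipes.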
