Date: Tue, 29 Apr 2008 13:18:08 -0500
From: Nicolas de Bari Embriz Garcia Rojas <nbari@k9.cx>
To: freebsd-pf@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: routing gif0 ipsec
Message-ID: <E34C47E6-F500-43CF-A8A0-25AFE659170F@k9.cx>
In-Reply-To: <48161085.7030002@quis.cx>
References: <1D3CC81F-19C9-4DAB-A2C8-3CC84C4528BD@k9.cx> <48161085.7030002@quis.cx>
Hi all,

the solution to my problem was to recompile the kernel with this option:

#options IPSEC_FILTERGIF

now I can route/NAT traffic with pf without any problems, hope this can help someone.

regards

> Nicolas de Bari Embriz Garcia Rojas wrote:
>> Hi all, I am trying to all traffic from a gif0 interface used for a
>> vpn to a public IP on the same server that is like an alias
>>
>> I have the following schema (FreeBSD 6.3)
>>
>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>>         tunnel inet 67.228.79.224 --> 74.86.163.16
>>         inet 172.16.224.1 --> 172.16.16.1 netmask 0xffffffff
>> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>         options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
>>         inet 67.228.78.162 netmask 0xfffffff8 broadcast 67.228.78.167
>>         inet 67.228.79.224 netmask 0xffffffff broadcast 67.228.79.224
>>
>> The VPN from point 172.16.224.1 --> 172.16.16.1 works, I can ping/telnet
>> to 172.16.16.1 and get a response.
>>
>> The jail is running on IP 67.228.79.224 (same IP used for doing the
>> VPN/IPSEC) but if I log in to that jail (jexec 1 csh) I can not
>> ping 172.16.16.1
>>
>> currently I am trying this with pf
>> --
>> nat pass on gif0 from 67.228.79.224 to 172.16.16.1 -> 172.16.224.1
>> rdr pass on gif0 proto tcp from any to any port 80 -> 67.228.79.224
>> pass in log from any to any keep state
>> pass out log from any to any keep state
>> --
>> but it is not working, from the jail (67.228.79.224) I can not ping/telnet
>> the VPN 172.16.16.1
>>
>> there is a tool called jumpgate with which I can redirect incoming
>> tcp to gif0 and forward traffic to em1 without problems, but
>> instead I would like to use pf
>>
>> jumpgate -b 172.16.224.1 -l 80 -r 80 -a 67.228.79.224
>>
>> with this I can telnet from the other end point to port 80 and I can
>> forward the connection to the public IP of the jail through the vpn
>> tunnel.
>>
>> any ideas on how to solve this issue using pf or maybe some routing
>> rules.
>>
>> regards.
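The fix reported above is a kernel build option, and in a FreeBSD kernel configuration file a line that starts with `#` is a comment, so it is worth verifying that `options IPSEC_FILTERGIF` is actually active in the config the kernel was built from before attributing pf behaviour on gif0 to it. The following POSIX sh function is an added example written for this page, not code from the thread or from FreeBSD; the function name `filtergif_state` and the three sample config fragments it is demonstrated on are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a FreeBSD kernel
# configuration file really enables IPSEC_FILTERGIF, the option the reply
# above credits with letting pf filter/NAT traffic arriving on gif(4).
# A kernel config line beginning with '#' is a comment, so a line such as
# "#options IPSEC_FILTERGIF" does NOT enable the option.
#
# Prints one of: enabled | commented | absent
# Exit status is 0 only when the option is enabled.
filtergif_state() {
    conf="$1"
    # Active: optional leading whitespace, "options", the option name as a
    # whole word (so IPSEC_FILTERGIF_FOO would not match), then end or space.
    if grep -Eq '^[[:space:]]*options[[:space:]]+IPSEC_FILTERGIF([[:space:]]|$)' "$conf"; then
        echo enabled
        return 0
    fi
    # Same line, but commented out with a leading '#'.
    if grep -Eq '^[[:space:]]*#[[:space:]]*options[[:space:]]+IPSEC_FILTERGIF([[:space:]]|$)' "$conf"; then
        echo commented
        return 1
    fi
    echo absent
    return 1
}

# Demonstration on three constructed kernel config fragments (sample data,
# not files taken from the thread or from a real system).
demo() {
    tmp=$(mktemp -d)
    printf 'options IPSEC\noptions IPSEC_FILTERGIF\ndevice gif\n' > "$tmp/enabled.conf"
    printf 'options IPSEC\n#options IPSEC_FILTERGIF\ndevice gif\n' > "$tmp/commented.conf"
    printf 'options IPSEC\ndevice gif\n' > "$tmp/absent.conf"
    for f in enabled commented absent; do
        printf '%s: %s\n' "$f.conf" "$(filtergif_state "$tmp/$f.conf")"
    done
    rm -rf "$tmp"
}

demo
```

On a live FreeBSD host whose kernel was built with `INCLUDE_CONFIG_FILE`, the configuration of the running kernel can be dumped with `sysctl -n kern.conftxt` into a file and passed to `filtergif_state`; without that option the file under `/usr/src/sys/<arch>/conf/` that the kernel was built from is the thing to check. Independently of the kernel option, `pfctl -nf /etc/pf.conf` parses the rule set without loading it, which catches syntax errors in nat/rdr rules like the ones quoted above before they are put into service.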