From owner-freebsd-pf@FreeBSD.ORG Tue Apr 29 18:18:15 2008
From: Nicolas de Bari Embriz Garcia Rojas
To: freebsd-pf@freebsd.org, freebsd-jail@freebsd.org
Date: Tue, 29 Apr 2008 13:18:08 -0500
Subject: Re: routing gif0 ipsec
In-Reply-To: <48161085.7030002@quis.cx>
References: <1D3CC81F-19C9-4DAB-A2C8-3CC84C4528BD@k9.cx> <48161085.7030002@quis.cx>

Hi all,

the solution to my problem was to recompile the kernel with this option:

    #options IPSEC_FILTERGIF

now I can route/NAT traffic with pf without any problems, hope this can help someone.
regards

>
> Nicolas de Bari Embriz Garcia Rojas wrote:
>> Hi all, I am trying to all traffic from a gif0 interface used for a
>> VPN to a public IP on the same server that is like an alias.
>> I have the following schema (FreeBSD 6.3):
>>
>> gif0: flags=8051 mtu 1280
>>         tunnel inet 67.228.79.224 --> 74.86.163.16
>>         inet 172.16.224.1 --> 172.16.16.1 netmask 0xffffffff
>> em1: flags=8843 mtu 1500
>>         options=1b
>>         inet 67.228.78.162 netmask 0xfffffff8 broadcast 67.228.78.167
>>         inet 67.228.79.224 netmask 0xffffffff broadcast 67.228.79.224
>>
>> The VPN from point 172.16.224.1 --> 172.16.16.1 works, I can ping/
>> telnet to 172.16.16.1 and get a response.
>>
>> The jail is running on IP 67.228.79.224 (same IP used for doing the
>> VPN/IPSEC) but if I log in to that jail (jexec 1 csh) I can not
>> ping 172.16.16.1.
>>
>> Currently I am trying this with pf:
>> --
>> nat pass on gif0 from 67.228.79.224 to 172.16.16.1 -> 172.16.224.1
>> rdr pass on gif0 proto tcp from any to any port 80 -> 67.228.79.224
>> pass in log from any to any keep state
>> pass out log from any to any keep state
>> --
>> but it is not working, from the jail (67.228.79.224) I can not ping/
>> telnet the VPN 172.16.16.1.
>>
>> There is a tool called jumpgate with which I can redirect incoming
>> tcp to gif0 and forward traffic to em1 without problems, but
>> instead I would like to use pf:
>>
>> jumpgate -b 172.16.224.1 -l 80 -r 80 -a 67.228.79.224
>>
>> With this I can telnet from the other end point to port 80 and I can
>> forward the connection to the public IP of the jail through the vpn
>> tunnel.
>>
>> Any ideas on how to solve this issue using pf or maybe some routing
>> rules.
>>
>> regards.
>> _______________________________________________
>> freebsd-pf@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
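The fix above hinges on the option really being compiled in: in a FreeBSD kernel config a leading '#' turns "options IPSEC_FILTERGIF" into a comment, so the line as written in the mail would do nothing. The following added shell helper (not from the thread; the sample config it builds is constructed) reports whether a given option is active, commented out, or absent in a kernel config file, tolerating extra whitespace, "NAME=value" forms and trailing comments.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a FreeBSD kernel config
# file for a kernel option and distinguishes an active "options NAME" line
# from one disabled with a leading '#'.
# Assumptions: config file path as first argument, option name as second.

kernel_option_state() {
    # Prints "enabled", "commented" or "missing" for option $2 in file $1.
    file=$1
    opt=$2
    # Option must be followed by end of line, whitespace, '=' (value) or '#'
    # (trailing comment) so that IPSEC does not match IPSEC_FILTERGIF.
    tail="([[:space:]=#]|\$)"
    if grep -Eq "^[[:space:]]*options[[:space:]]+${opt}${tail}" "$file"; then
        echo enabled
    elif grep -Eq "^[[:space:]]*#[[:space:]]*options[[:space:]]+${opt}${tail}" "$file"; then
        echo commented
    else
        echo missing
    fi
}

make_sample_conf() {
    # Constructed kernel config fragment used to exercise the check.
    f=$(mktemp)
    cat >"$f" <<'EOF'
ident   MYKERNEL
options IPSEC
options IPSEC_FILTERGIF   # let pf see traffic crossing gif(4)
#options IPSEC_DEBUG
device  gif
EOF
    echo "$f"
}

# Command-line use: kernel_option_check.sh /path/to/KERNCONF IPSEC_FILTERGIF
if [ $# -ge 2 ]; then
    kernel_option_state "$1" "$2"
fi
```

Run it against the config the kernel was built from; "commented" is the state the mail's "#options" line would produce.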