From: Artyom Viklenko <artem@aws-net.org.ua>
Organization: Art&Co.
Date: Mon, 12 Sep 2011 08:29:36 +0300
To: Mario Lobo
Cc: freebsd-pf@freebsd.org
Subject: Re: VPN problem
Message-ID: <4E6D98C0.8040707@aws-net.org.ua>
In-Reply-To: <201109111117.38461.lobo@bsd.com.br>

> 2) What I am attempting that's not working (but used to work!)
> > Establish a VPN from My home workstation TO My work GW

This is what I have in my home router's pf about GRE:

    nat on $ext_if proto gre from $int_net to any -> ($ext_if)
    pass in quick on $int_if inet proto gre from $int_if:network to any keep state
    pass in quick on $ext_if inet proto gre from any to any no state
    pass out quick on $ext_if inet proto gre all keep state queue def

Any single PPTP connection always works fine but - as noted before - ONLY ONE.

Pay attention to the pass rule on the external interface - use 'no state'!
Without it the first GRE packet from the VPN server will create a wrong
state and these packets will not reach the VPN client in the home LAN.

Anyway, consider migration to L2TP.

Hope this helps.

-- 
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem@viklenko.net | JID: artem@jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org
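The two effects the post describes (the server's first GRE packet pinning a wrong state, and only one PPTP client ever working behind NAT) as an added toy model; this is not code from the post or from pf. It assumes a state keyed only on (proto, src, dst), since GRE has no ports, and all addresses are constructed:

```python
"""Simplified model of pf state tracking for GRE behind NAT (added example,
not taken from the post or from pf). Only one thing matters here: GRE has
no ports, so a state is keyed on (proto, src, dst) alone, and every LAN
client talking to the same server needs the very same wire-side key."""

EXT_IP = "198.51.100.10"   # home router's external address (constructed)
SERVER = "203.0.113.5"     # work VPN server (constructed)
GRE_KEY = ("gre", EXT_IP, SERVER)   # the only wire-side key GRE can have


class Router:
    def __init__(self, inbound_keeps_state):
        # True models 'pass in on $ext_if proto gre ... keep state',
        # False models the post's 'no state' variant of that rule.
        self.inbound_keeps_state = inbound_keeps_state
        self.states = {}   # wire key -> LAN host, or None if untranslated

    def lan_sends_gre(self, lan_host):
        """LAN client's first GRE packet hits 'nat on $ext_if proto gre'."""
        owner = self.states.get(GRE_KEY, lan_host)
        if owner != lan_host:
            return "no state slot"   # key already taken: this client loses
        self.states[GRE_KEY] = lan_host
        return "natted"

    def server_sends_gre(self):
        """GRE from the server arrives on $ext_if; where is it delivered?"""
        if GRE_KEY in self.states:
            return self.states[GRE_KEY] or "router"
        if self.inbound_keeps_state:
            self.states[GRE_KEY] = None   # untranslated state pins later packets
        return "router"   # no translation known, packet never reaches the LAN


def server_first(inbound_keeps_state):
    """Server's GRE arrives before the client's (common with PPTP)."""
    r = Router(inbound_keeps_state)
    r.server_sends_gre()
    r.lan_sends_gre("10.0.0.20")
    return r.server_sends_gre()   # who gets the server's next GRE packet?


def two_clients():
    """Second LAN host opening a tunnel to the same server, 'no state' rule."""
    r = Router(inbound_keeps_state=False)
    return r.lan_sends_gre("10.0.0.20"), r.lan_sends_gre("10.0.0.21")


if __name__ == "__main__":
    print("keep state :", server_first(True))    # router: client never sees GRE
    print("no state   :", server_first(False))   # 10.0.0.20
    print("two clients:", two_clients())         # ('natted', 'no state slot')
```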