From: Mario Lobo
To: Artyom Viklenko
Cc: freebsd-pf@freebsd.org
Date: Mon, 12 Sep 2011 20:51:51 -0300
Subject: Re: VPN problem
Message-Id: <201109122051.52012.lobo@bsd.com.br>
In-Reply-To: <4E6D98C0.8040707@aws-net.org.ua>

On Monday 12 September 2011 02:29:36 Artyom Viklenko wrote:
>
> This is what I have in my home router's pf about GRE:
>
[snip]
> pass in quick on $ext_if inet proto gre from any to any no state
> Pay attention to pass rule on external interface - use 'no state'!
> Without it the first gre packet from VPN server will create wrong
> state and these packets will not reach VPN client in the home LAN.

Thanks a million, Artyom! You nailed it! This fixed my problem at BOTH endpoints!

But look at how particular that is! And why in heaven's name wasn't this happening before?

The fact that I never needed that rule before, and after maybe a couple csups now I do, worries me a bit. I can't help wondering if this sort of thing may happen somewhere else on a next (now improbable) csup.

>
> Any single PPTP connections always work fine but - as noted before -
> ONLY ONE.
>

This was never an issue in my case.

>
> Anyway, consider migration to L2TP.
>

Not anymore thanks to you!!

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)