From: Andrew <awd@awdcomp.net>
Date: Sat, 07 Feb 2009 21:38:46 +1030
To: Sebastiaan van Erk
Message-ID: <498D6BBE.3050901@awdcomp.net>
In-Reply-To: <4989FBD6.1030801@sebster.com>
Cc: Greg Hennessy, freebsd-pf@freebsd.org
Subject: Re: GRE not natted on FreeBSD 7.1-p2

Howdy,

If you (or others watching this list) ever need to go back to the pptp route then consider using net/frickin which is a pptp proxy :) I'm using it successfully with redirection.

rdr on $int_if proto tcp from $lnet to any port 1723 -> 127.0.0.1 port 1724
rdr on $int_if proto gre from $lnet to any -> 127.0.0.1

Cheers
cya
Andrew

Sebastiaan van Erk wrote:
> Greg Hennessy wrote:
>> Sebastiaan van Erk wrote:
>>>
>>> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>>>
>> This is the nub of the problem, 'hide' NAT breaks GRE.
>>
>> To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE
>> call id header to track each session in a manner analogous to
>> rewriting the source port of a 'hide' natted tcp/udp session.
>>
>> The last time I looked, Daniel, Henning et al have not added that
>> facility to PF as of yet.
>>
>> You can statically translate the flow instead which should sort the
>> problem.
>
>> Greg
>
> Thanks for the reply,
>
> I have a feeling that my "upstream" ADSL modem has a similar issue,
> because what I did was use multiple "external" addresses on my pf
> machine (192.168.1.2, 192.168.1.3, etc) and I was getting really strange
> behavior (that is, when starting a PPTP session on 192.168.1.2 I'd get
> GRE packets back on 192.168.1.3 from the ADSL modem, which presumably
> still had an old NAT rule from a recent session via the .3 address).
>
> In the end I took the plunge and kicked PPTP out of the equation (since
> all the remote servers are managed by me anyway), and converted
> everything to OpenVPN with bridging. All my problems have vaporized and
> I've learned quite a bit in the process.
>
> Regards,
> Sebastiaan
>
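Greg's point above, that 'hide' NAT has no port to rewrite in GRE and so must track sessions by the PPTP Call ID, as an added illustration that is not part of the original thread and not pf's own code: a constructed Python model that parses the enhanced-GRE header PPTP uses (RFC 2637) and a toy many:1 translator that cannot demultiplex two inside hosts that chose the same Call ID unless it allocates unique external Call IDs. The `register` call stands in for learning Call IDs from the TCP/1723 control channel; all addresses and IDs are made up.

```python
import struct

# PPTP data packets use "enhanced GRE" (RFC 2637): a 16-bit flags/version
# word, protocol type 0x880B (PPP), payload length and the peer's Call ID.
GRE_PPP = 0x880B

def parse_enhanced_gre(pkt):
    """Return (flags_version, length, call_id, rest) from the 8-byte header."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags_ver, proto, length, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PPP or (flags_ver & 0x7) != 1:
        raise ValueError("not a PPTP enhanced-GRE (version 1) packet")
    return flags_ver, length, call_id, pkt[8:]

def build_enhanced_gre(call_id, payload, flags_ver=0x3001):
    """Minimal header: K and S bits set, version 1 (constructed sample)."""
    return struct.pack("!HHHH", flags_ver, GRE_PPP, len(payload), call_id) + payload

class GreNat:
    """Toy many:1 translator for server->client GRE (constructed model).

    Server->client packets carry the *client's* Call ID, so the only handle the
    NAT has to choose the inside host is (server_ip, call_id).  Without
    rewriting, two inside hosts that picked the same Call ID towards one server
    collide, which is the 'hide NAT breaks GRE' failure described in the mail."""
    def __init__(self, rewrite_call_id):
        self.rewrite = rewrite_call_id
        self.table = {}      # (server_ip, external call id) -> (client_ip, inside id)
        self.next_id = 1000  # external Call IDs handed out when rewriting

    def register(self, client_ip, server_ip, client_call_id):
        """Learn a session (in practice from the TCP/1723 control channel)."""
        if self.rewrite:
            ext_id, self.next_id = self.next_id, self.next_id + 1
        else:
            ext_id = client_call_id
            if (server_ip, ext_id) in self.table:
                return None      # hide NAT cannot tell the two sessions apart
        self.table[(server_ip, ext_id)] = (client_ip, client_call_id)
        return ext_id

    def inbound(self, server_ip, pkt):
        """Map a server->client packet to its inside host, restoring the Call ID."""
        flags_ver, length, ext_id, rest = parse_enhanced_gre(pkt)
        client_ip, inside_id = self.table[(server_ip, ext_id)]
        return client_ip, build_enhanced_gre(inside_id, rest, flags_ver)
```

A static 1:1 translation (pf binat) sidesteps the problem differently: each inside host gets its own external address, so the (server_ip, call_id) key never collides.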