Date:      Sat, 10 Sep 2011 18:08:10 +0200
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Mario Lobo <lobo@bsd.com.br>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: VPN problem
Message-ID:  <20110910160810.GB29437@insomnia.benzedrine.cx>
In-Reply-To: <201109101042.53575.lobo@bsd.com.br>
References:  <201109101042.53575.lobo@bsd.com.br>

On Sat, Sep 10, 2011 at 10:42:53AM -0300, Mario Lobo wrote:

> Sep 10 10:27:16 lobos kernel: pf_map_addr: selected address 177.17.68.103 
> Sep 10 10:27:49 lobos last message repeated 83 times
> Sep 10 10:28:59 lobos last message repeated 283 times

This looks as if you're not allowing the packet out after NAT, so
each subsequent packet also causes a pf_map_addr() call, instead
of creating a state entry.

Make sure you have a rule like

  pass out on $ext_if from ($ext_if) ...

Do you see any state entry related to your VPN connection?
Run pfctl -vvss after the connection attempt.

It helps debugging if you add

  block log

as the very first rule, then make sure all other block rules (if any)
also have 'log'. Then reproduce the problem while running

  tcpdump -s 1600 -nvvveeetttpi pflog0

Now you'll see any packet being dropped by pf. Do you see any?

Daniel
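The ruleset shape the reply above is asking for, written out as an added illustration (it is not part of the original thread and not Mario's actual pf.conf): the first fragment lacks a filter rule that matches the packet after NAT has rewritten its source address, so no state is created and every packet hits pf_map_addr() again; the second fragment adds the `pass out ... from ($ext_if)` rule and a logging `block` as the very first rule so drops show up on pflog0. Interface and network names are assumed placeholders.

```pf
# --- Fragment 1: pattern that produces the repeated pf_map_addr() lines ---
# Assumed placeholders, not taken from the original thread.
ext_if = "em0"
int_if = "em1"
int_net = "192.168.1.0/24"

nat on $ext_if from $int_net to any -> ($ext_if)

block all
pass in on $int_if from $int_net to any
# No "pass out on $ext_if" rule: after NAT the packet's source is
# ($ext_if), nothing passes it, so no state is created and the
# kernel logs "pf_map_addr: selected address ..." for every packet.

# --- Fragment 2: corrected ruleset with logging of every drop ---
ext_if = "em0"
int_if = "em1"
int_net = "192.168.1.0/24"

nat on $ext_if from $int_net to any -> ($ext_if)

# First rule: block and log everything not explicitly passed, so that
# tcpdump -s 1600 -nvvveeetttpi pflog0 shows exactly what pf drops.
block log all

pass in on $int_if from $int_net to any keep state

# The translated packet is filtered with its NATed source address, so
# the outbound rule must match from ($ext_if); this creates the state
# that pfctl -vvss should then show for the VPN connection.
pass out on $ext_if from ($ext_if) to any keep state
```

With fragment 2 loaded, a successful connection attempt shows a state on $ext_if in `pfctl -vvss`, and any remaining drop appears on pflog0 with the rule number of the logging block rule that matched it.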