Date: Thu, 14 Jul 2005 22:19:25 +0400
From: Alex Povolotsky <tarkhil@webmail.sub.ru>
To: "Giovanni P. Tirloni" <gpt@tirloni.org>
Cc: freebsd-net@freebsd.org
Subject: Re: GRE and PF problem
Message-ID: <42D6ACAD.3030708@webmail.sub.ru>
In-Reply-To: <42D65FE4.2030801@tirloni.org>
References: <42D536EC.5030500@webmail.sub.ru> <9f9a8c4005071322311907b4b@mail.gmail.com> <42D60832.9090206@webmail.sub.ru> <42D65FE4.2030801@tirloni.org>
Giovanni P. Tirloni wrote:
> Alex Povolotsky wrote:
>
>> compunction wrote:
>>
>>> GRE needs to pass bidirectional. You will need a binat to make it
>>> work. I have not found a firewall that will allow GRE to work with a
>>> many-to-one NAT.
>>
>> The most painful thing is that pf's nat works for GRE - SOMETIMES :-(
>>
>> The only thing a firewall needs to implement for natting GRE is
>> creation of two rules (forward and back) for a GRE packet, just like it
>> does for ICMP.
>>
>> I'm not a firewall writer, but as far as I understand general
>> procedural programming, it cannot be THAT complicated.
>
> When a packet comes from 1.2.3.4 to your external interface you can't
> determine if it's destined to 192.168.0.1 or 192.168.0.2 if both
> initiated a GRE tunnel to 1.2.3.4. That's because GRE doesn't have
> ports like UDP or TCP to make (de)multiplexing possible, AFAIK.
>
> http://www.networksorcery.com/enp/protocol/gre.htm

Cool. I did not know that ICMP doesn't work through nat. It always worked for me.

Moreover, as far as I remember, GRE worked with IPFW/NATD, and SOMETIMES it works with pf.

Alex.
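The demultiplexing point raised in the quoted reply can be made concrete with a small model. The following is an added example, not code from the thread, pf, or IPFW/NATD: it parses a GRE header (RFC 2784, with the RFC 2890 key/sequence options and the RFC 2637 PPTP Call ID layout) to show which fields exist, then runs a toy many-to-one NAT state table over two inside hosts talking to the same peer. ICMP echo carries an identifier the NAT can rewrite, so both hosts get state; plain GRE carries nothing comparable, so the second host's return traffic cannot be told apart from the first's. Addresses other than those in the thread (203.0.113.5) and the rewrite pool starting at 40000 are constructed values.

```python
import struct

# IP protocol numbers used in the toy table (constructed example, not from the thread)
PROTO_ICMP = 1
PROTO_GRE = 47

GRE_FLAG_CSUM = 0x8000   # C bit: checksum + reserved1 present (RFC 2784)
GRE_FLAG_KEY = 0x2000    # K bit: 32-bit key present (RFC 2890)
GRE_FLAG_SEQ = 0x1000    # S bit: sequence number present (RFC 2890)


def parse_gre(hdr: bytes) -> dict:
    """Parse a GRE header and report what demultiplexing information it carries.

    Plain GRE has only flags, version and the encapsulated protocol type, so
    there is no port-like field. The one optional field a NAT could key on is
    the 32-bit key; PPTP's version-1 GRE (RFC 2637) uses its low 16 bits as a
    Call ID (the high 16 bits are the payload length).
    """
    if len(hdr) < 4:
        raise ValueError("GRE header truncated")
    flags_ver, proto = struct.unpack("!HH", hdr[:4])
    version = flags_ver & 0x7
    off = 4
    if flags_ver & GRE_FLAG_CSUM:
        off += 4                      # checksum (16 bits) + reserved1 (16 bits)
    key = None
    if flags_ver & GRE_FLAG_KEY:
        if len(hdr) < off + 4:
            raise ValueError("GRE key field truncated")
        key = struct.unpack("!I", hdr[off:off + 4])[0]
        off += 4
    seq = None
    if flags_ver & GRE_FLAG_SEQ:
        if len(hdr) < off + 4:
            raise ValueError("GRE sequence field truncated")
        seq = struct.unpack("!I", hdr[off:off + 4])[0]
        off += 4
    demux = None
    if key is not None:
        demux = key & 0xFFFF if version == 1 else key
    return {"version": version, "protocol": proto, "key": key,
            "seq": seq, "demux": demux, "header_len": off}


class ManyToOneNat:
    """Toy many-to-one NAT state table (constructed model, not pf's implementation).

    State is keyed on (protocol, peer address, demux value as seen on the wire).
    For ICMP echo the demux value is the identifier, for TCP/UDP the source port,
    for keyed GRE the key or Call ID. Plain GRE has none, so the key degrades to
    (protocol, peer) and only one inside host per peer can be translated.
    """

    def __init__(self, ext_ip: str):
        self.ext_ip = ext_ip
        self.table = {}            # (proto, peer, wire_demux) -> inside host
        self.next_wire = 40000     # pool of rewritten demux values (constructed)

    def outbound(self, proto, inside, peer, demux):
        """Register inside -> peer traffic. Returns the state key used on the
        wire, or None when the packet cannot be translated unambiguously."""
        if demux is None:
            key = (proto, peer, None)
            if self.table.get(key, inside) != inside:
                return None        # second inside host to the same peer: replies ambiguous
            self.table[key] = inside
            return key
        wire = demux
        while self.table.get((proto, peer, wire), inside) != inside:
            wire = self.next_wire  # collision with another inside host: rewrite
            self.next_wire += 1
        key = (proto, peer, wire)
        self.table[key] = inside
        return key

    def inbound(self, proto, peer, demux):
        """Look up which inside host a peer -> ext_ip packet belongs to."""
        return self.table.get((proto, peer, demux))


def demo():
    """Two inside hosts reach the same peer, first with ICMP echo, then plain GRE."""
    nat = ManyToOneNat("203.0.113.5")                        # constructed external address
    peer = "1.2.3.4"                                         # peer address from the thread
    a = nat.outbound(PROTO_ICMP, "192.168.0.1", peer, 1)     # echo identifier 1
    b = nat.outbound(PROTO_ICMP, "192.168.0.2", peer, 1)     # same identifier: rewritten
    g1 = nat.outbound(PROTO_GRE, "192.168.0.1", peer, None)  # first GRE tunnel: fine
    g2 = nat.outbound(PROTO_GRE, "192.168.0.2", peer, None)  # second: no usable state
    return {"icmp": (a, b), "gre": (g1, g2), "nat": nat}


if __name__ == "__main__":
    print(demo())
    print(parse_gre(bytes.fromhex("2001880b00080004")))      # PPTP-style GRE v1, Call ID 4
```

The model is deliberately minimal: a real NAT also tracks timeouts and direction, and a device that understands PPTP can use the Call ID the way this toy uses the GRE key. What the model does show is that for plain GRE the only information on the return packet is (protocol, peer), which is exactly the ambiguity described in the quoted reply.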
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42D6ACAD.3030708>