Date: Thu, 14 Jul 2005 17:56:04 -0300
From: "Giovanni P. Tirloni" <gpt@tirloni.org>
To: Alex Povolotsky <tarkhil@webmail.sub.ru>
Cc: freebsd-net@freebsd.org
Subject: Re: GRE and PF problem
Message-ID: <42D6D164.30000@tirloni.org>
In-Reply-To: <42D6ACAD.3030708@webmail.sub.ru>
References: <42D536EC.5030500@webmail.sub.ru> <9f9a8c4005071322311907b4b@mail.gmail.com> <42D60832.9090206@webmail.sub.ru> <42D65FE4.2030801@tirloni.org> <42D6ACAD.3030708@webmail.sub.ru>

Alex Povolotsky wrote:
>> When a packet comes from 1.2.3.4 to your external interface you can't
>> determine if it's destined to 192.168.0.1 or 192.168.0.2 if both
>> initiated a GRE tunnel to 1.2.3.4. That's because GRE doesn't have
>> ports like UDP or TCP to make (de)multiplexing possible, AFAIK.
>>
>> http://www.networksorcery.com/enp/protocol/gre.htm
>>
> Cool. I did not know that ICMP doesn't work through nat. It always
> worked for me. Moreover, as far as I remember, GRE worked with
> IPFW/NATD, and SOMETIMES it works with pf.

I don't know how PF keeps track of ICMP packets but there must be a way
for it to distinguish between a packet destined to 192.168.0.1 or 0.2.

We all know ICMP works behind NAT. You don't need to play like that here.

Looking at the GRE header I simply can't find a way to keep track of it
and my experiences with some xDSL/cable routers permit me to say that I
haven't found anyone that would let me establish more than one PPTP
connection behind NAT.

But then I'm no networking/pf/kernel guru to keep talking about this.

--
Giovanni P. Tirloni / gpt@tirloni.org / PGP: 0xD0315C26
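
The demultiplexing problem discussed in this message, as an added sketch that is not part of the original e-mail and is not pf's code: a toy NAT state table in which a colliding UDP port or ICMP identifier can be rewritten, while GRE, modelled as the message describes it with no port-like field, leaves only protocol and peer address to match on. The `Nat` class, its key layout, and keying ICMP by echo identifier are assumptions of this model; the addresses are the sample ones used in the thread.

```python
"""Toy NAT state table (added example). Addresses are the sample ones from the message."""


class Nat:
    def __init__(self):
        # reply key -> internal host that owns the state
        self.states = {}

    def outbound(self, proto, src, dst, ident=None):
        """Record state for an outgoing packet and return the reply key.

        ident is the source port (tcp/udp) or echo identifier (icmp);
        None models GRE as the message describes it: no port-like field.
        The remote port is left out of the key to keep the model short.
        Returns None when the key is already owned by another host.
        """
        if ident is None:
            key = (proto, dst)
            owner = self.states.setdefault(key, src)
            return key if owner == src else None
        # A colliding port/identifier can simply be rewritten to a free one.
        while self.states.get((proto, dst, ident), src) != src:
            ident = ident % 65535 + 1
        key = (proto, dst, ident)
        self.states[key] = src
        return key

    def inbound(self, key):
        """Internal host a reply matching key is forwarded to (None if no state)."""
        return self.states.get(key)


def demo():
    """Two internal hosts talk to the same peer over UDP, ICMP and GRE."""
    nat = Nat()
    a, b, peer = "192.168.0.1", "192.168.0.2", "1.2.3.4"
    results = {}
    for proto, ident in (("udp", 5000), ("icmp", 77), ("gre", None)):
        key_a = nat.outbound(proto, a, peer, ident)
        key_b = nat.outbound(proto, b, peer, ident)
        results[proto] = (key_a, key_b)
    return nat, results


if __name__ == "__main__":
    for proto, keys in demo()[1].items():
        print(proto, keys)
```

In this model the second host's GRE state is refused because its reply key is identical to the first host's, whereas the UDP and ICMP flows each end up with a distinct key.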