Date:      Sat, 07 Feb 2009 21:38:46 +1030
From:      Andrew <awd@awdcomp.net>
To:        Sebastiaan van Erk <sebster@sebster.com>
Cc:        Greg Hennessy <Greg.Hennessy@nviz.net>, freebsd-pf@freebsd.org
Subject:   Re: GRE not natted on FreeBSD 7.1-p2
Message-ID:  <498D6BBE.3050901@awdcomp.net>
In-Reply-To: <4989FBD6.1030801@sebster.com>
References:  <49882A91.3050307@sebster.com> <4989E220.2070606@nviz.net> <4989FBD6.1030801@sebster.com>

Howdy,

If you (or others watching this list) ever need to go back to the pptp 
route then consider using net/frickin which is a pptp proxy :)

I'm using it successfully with redirection.

rdr on $int_if proto tcp from $lnet to any port 1723 -> 127.0.0.1 port 1724
rdr on $int_if proto gre from $lnet to any -> 127.0.0.1

Cheers
cya
Andrew

Sebastiaan van Erk wrote:
> Greg Hennessy wrote:
>> Sebastiaan van Erk wrote:
>>>
>>>
>>> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>>>
>> This is the nub of the problem, 'hide' NAT breaks GRE.
>>
>> To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE 
>> call id header to track each session in a manner analogous to 
>> rewriting the source port of a 'hide' natted tcp/udp session.
>>
>> The last time I looked, Daniel, Henning et al have not added that 
>> facility to PF as of yet.
>>
>> You can statically translate the flow instead which should sort the 
>> problem.
> 
>> Greg
> 
> Thanks for the reply,
> 
> I have a feeling that my "upstream" ADSL modem has a similar issue, 
> because what I did was use multiple "external" addresses on my pf 
> machine (192.168.1.2, 192.168.1.3, etc) and I was getting really strange 
> behavior (that is, when starting a PPTP session on 192.168.1.2 I'd get 
> GRE packets back on 192.168.1.3 from the ADSL modem, which presumably 
> still had an old NAT rule from a recent session via the .3 address).
> 
> In the end I took the plunge and kicked PPTP out of the equation (since 
> all the remote servers are managed by me anyway), and converted 
> everything to OpenVPN with bridging. All my problems have vaporized and 
> I've learned quite a bit in the process.
> 
> Regards,
> Sebastiaan
> 
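The two approaches discussed in this thread side by side, as an added pf.conf example that is not part of any message above and was not posted by Andrew, Greg or Sebastiaan: the 'hide' NAT rule that breaks GRE, the static (binat) translation Greg suggests for a single PPTP client, and Andrew's rdr rules feeding net/frickin. It uses the pre-4.7 pf syntax that FreeBSD 7.1 ships; interface names, addresses, the $pptp_client and $ext_alias macros and the pass rules are constructed assumptions, and frickin is assumed to be listening on 127.0.0.1 port 1724.

```pf
# Added example (not from the thread). FreeBSD 7.x pf.conf, pre-4.7 syntax.
# Interface names and addresses are constructed for illustration.
ext_if      = "em0"
int_if      = "em1"
lnet        = "192.168.10.0/24"
pptp_client = "192.168.10.50"   # assumed: the one LAN host that must do PPTP
ext_alias   = "192.168.1.3"     # assumed: spare address configured on $ext_if

# Option 1: static 1:1 translation for the PPTP client (Greg's suggestion).
# Every GRE packet from that host leaves with its own external address, so
# the upstream side never has to distinguish sessions by PPTP call ID.
no nat on $ext_if from $pptp_client to any    # keep it out of hide NAT below
binat on $ext_if from $pptp_client to any -> $ext_alias

# Hide (many:1) NAT for everyone else, as in Sebastiaan's original rule.
# TCP/UDP sessions are told apart by rewritten source ports; GRE has no port
# and pf does not rewrite the call ID, so two hosts doing PPTP through this
# rule at once collide. Only a single GRE flow per external address works.
nat on $ext_if from $lnet to any -> ($ext_if)

# Option 2: proxy PPTP instead of translating it (Andrew's rdr rules). The
# control channel and the GRE flow are both handed to frickin on localhost,
# which terminates them and opens its own sessions towards the real server.
rdr on $int_if proto tcp from $lnet to any port 1723 -> 127.0.0.1 port 1724
rdr on $int_if proto gre from $lnet to any -> 127.0.0.1

# Assumed filter rules. In this pf version filter rules see the already
# translated addresses, so the redirected traffic is matched on 127.0.0.1.
pass in  on $int_if proto tcp from $lnet to 127.0.0.1 port 1724
pass in  on $int_if proto gre from $lnet to 127.0.0.1
pass in  on $int_if proto tcp from $pptp_client to any port 1723
pass in  on $int_if proto gre from $pptp_client to any
pass out on $ext_if proto tcp to any port 1723 keep state
pass out on $ext_if proto gre
```

Pick one of the two options in practice: with the rdr rules present, the $pptp_client binat is never reached for PPTP because the redirect to 127.0.0.1 happens first on $int_if. The binat route scales one external address per client; the proxy route needs only the firewall's own address and is the one Andrew reports working.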