Date: Wed, 04 Feb 2009 21:34:30 +0100
From: Sebastiaan van Erk <sebster@sebster.com>
To: Greg Hennessy <Greg.Hennessy@nviz.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: GRE not natted on FreeBSD 7.1-p2
Message-ID: <4989FBD6.1030801@sebster.com>
In-Reply-To: <4989E220.2070606@nviz.net>
References: <49882A91.3050307@sebster.com> <4989E220.2070606@nviz.net>
Greg Hennessy wrote:
> Sebastiaan van Erk wrote:
>>
>>
>> nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
>>
> This is the nub of the problem, 'hide' NAT breaks GRE.
>
> To successfully do 'Many:1' NAT of GRE requires a rewrite of the GRE
> call id header to track each session in a manner analogous to rewriting
> the source port of a 'hide' natted tcp/udp session.
>
> The last time I looked, Daniel, Henning et al have not added that
> facility to PF as of yet.
>
> You can statically translate the flow instead which should sort the
> problem.
> Greg
Thanks for the reply,
I have a feeling that my "upstream" ADSL modem has a similar issue,
because what I did was use multiple "external" addresses on my pf
machine (192.168.1.2, 192.168.1.3, etc) and I was getting really strange
behavior (that is, when starting a PPTP session on 192.168.1.2 I'd get
GRE packets back on 192.168.1.3 from the ADSL modem, which presumably
still had an old NAT rule from a recent session via the .3 address).
In the end I took the plunge and kicked PPTP out of the equation (since
all the remote servers are managed by me anyway), and converted
everything to OpenVPN with bridging. All my problems have vaporized and
I've learned quite a bit in the process.
Regards,
Sebastiaan
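A pf.conf sketch of the static translation Greg suggests above, added here as an illustration; it is not taken from either poster's configuration. The interface names, the 10.0.0.0/24 internal network, the 10.0.0.20 client and the 192.0.2.11 external alias are assumptions, and the macro names follow the `$ext_if`/`$int_net` style of the quoted rule. It shows the 'hide' nat rule left in place for ordinary traffic next to a binat rule that gives the one PPTP client a fixed external address, so neither the TCP/1723 control connection nor the GRE tunnel needs anything rewritten.

```pf
# Added example, not from the thread. All names and addresses below are assumed.
ext_if    = "em0"            # assumed external interface
int_if    = "em1"            # assumed internal interface
int_net   = "10.0.0.0/24"    # assumed internal network
pptp_clt  = "10.0.0.20"      # assumed internal PPTP client
ext_alias = "192.0.2.11"     # assumed extra address configured as an alias on $ext_if

# Many:1 'hide' NAT for the rest of the LAN. Works for TCP/UDP because pf can
# rewrite the source port to keep flows apart; GRE has no ports and pf does not
# rewrite the GRE call ID, so a second PPTP client behind this rule would collide.
nat on $ext_if from $int_net to any -> ($ext_if)

# 1:1 static translation for the PPTP client. binat rules are evaluated before
# nat rules, so this client is never hide-NATed, and the mapping is
# bidirectional: GRE and TCP/1723 arriving for $ext_alias are sent to $pptp_clt.
# One external address per PPTP client is the cost of this approach.
binat on $ext_if from $pptp_clt to any -> $ext_alias

# Filter rules see the translated packet: outbound rules match the external
# alias as source, inbound rules match the internal client as destination.
pass out on $ext_if proto tcp from $ext_alias to any port 1723 keep state
pass out on $ext_if proto gre from $ext_alias to any keep state
pass in  on $ext_if proto gre from any to $pptp_clt keep state
```

After loading, `pfctl -s nat` should list the binat line ahead of the nat line, and `pfctl -s state | grep gre` during a PPTP session should show a single GRE state pair between `$pptp_clt`/`$ext_alias` and the remote server rather than a hide-NATed one.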
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4989FBD6.1030801>
