Date:      Mon, 26 Nov 2007 02:37:00 +1100
From:      Jerahmy Pocott <quakenet1@optusnet.com.au>
To:        Roger Olofsson <raggen@passagen.se>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Difficulties establishing VPN tunnel with IPNAT
Message-ID:  <AADC85EE-9C53-459E-9E6E-F1A701BDC7D9@optusnet.com.au>
In-Reply-To: <47498012.9000201@passagen.se>
References:  <7BB1A732-4F07-499E-A183-22776FEEEE90@optusnet.com.au> <47482C2C.6010700@passagen.se> <894E3C92-2C45-4FC2-8C56-D4B303F0349F@optusnet.com.au> <4748A115.1010002@passagen.se> <57A2907C-0660-458C-B254-3C893B4532CB@optusnet.com.au> <47498012.9000201@passagen.se>


On 26/11/2007, at 1:00 AM, Roger Olofsson wrote:

> Hello Jerahmy, (sorry for top-posting, btw).
>
> Gre is protocol 47. In your firewall rules you only allow/block  
> protocols tcp/udp/icmp. If you want to use PPTP you will need to  
> allow both the port and the protocol for it.

I put:

pass out quick on fxp1 proto gre from any to any keep state

This allowed the PPTP connection to establish; however, trying to use apps
over that connection resulted in:

fxp1 (block all rule) b x.x.x.x -> 10.0.0.3 PR gre len 20 (53) (frag 57516:33@552) IN bad NAT

By placing the rule:

pass in quick on fxp1 proto gre from any to any

and allowing frags everything started working properly, but allowing
all gre traffic in doesn't seem like a good idea.. Is there any way to
make this work without putting static ip address rules or allowing
all traffic?


> In your original question you mentioned having problems with CVS.  
> From the looks of it, you redirect CVS to 10.0.0.2, meaning that  
> all users on that machine can use CVS.

The redirect rule is supposed to redirect connections to CVS on the
external interface to 10.0.0.2 on the internal lan, where the CVS
server is actually running.

Cheers,
J.
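As an added example, not part of the thread, here is an ipf.conf fragment that keeps the outbound rules tried above but replaces the wide-open inbound GRE rule with state and fragment tracking, so only GRE belonging to a PPTP session the LAN initiated is let back in. The interface name fxp1 comes from the thread; the rest, including that this behaves correctly alongside the existing ipnat map rules, is an assumption.

```conf
# Added example (not the thread's own ruleset): ipfilter rules on fxp1 for
# outbound PPTP. Interface name taken from the thread; everything else assumed.

# Weak version (what the thread ended up with): every GRE packet from anywhere
# reaches the LAN, whether or not a PPTP session exists.
# pass in quick on fxp1 proto gre from any to any

# Tighter version: the outbound PPTP control connection (tcp/1723) and the
# first outbound GRE packet each create a state entry, so only replies to a
# session started from inside are passed back in.
# "keep frags" caches fragment information so non-first fragments (like the
# "frag 57516:33@552" in the logged drop) match the same state entry instead
# of falling through to the block rule with "bad NAT".
pass out quick on fxp1 proto tcp from any to any port = 1723 flags S keep state
pass out quick on fxp1 proto gre from any to any keep state keep frags

# Any other inbound GRE is dropped and logged, so a failing session shows up
# in ipmon output instead of disappearing silently.
block in log quick on fxp1 proto gre from any to any
```

This still does not give ipnat a way to tell two internal hosts' GRE streams apart, since GRE carries no port; with this alone, one PPTP client at a time behind the NAT is the assumption.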
