Re: GRE and PF problem

• Previous message: Giovanni P. Tirloni: "Re: GRE and PF problem"
• In reply to: Giovanni P. Tirloni: "Re: GRE and PF problem"
• Next in thread: Giovanni P. Tirloni: "Re: GRE and PF problem"
• Reply: Giovanni P. Tirloni: "Re: GRE and PF problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Thu, 14 Jul 2005 22:19:25 +0400
To: "Giovanni P. Tirloni" <gpt@tirloni.org>

Giovanni P. Tirloni wrote:

> Alex Povolotsky wrote:
>
>> compunction wrote:
>>
>>> GRE needs to pass bidirectional. You will need a binat to make it
>>> work. I have not found a firewall that will allow GRE to work with a
>>> many to one nat.
>>>
>>>
>>
>> The most painful thing is that pf's nat works for GRE - SOMETIMES :-(
>>
>> The only thing firewall needs to implement for natting GRE is
>> creation of two rules (forward and back) for GRE packet, just like it
>> does for ICMP.
>>
>> I'm not a firewall writer, but as far as I understand general
>> procedural programming, it cannot be THAT complicated.
>
>
> When a packet comes from 1.2.3.4 to your external interface you can't
> determine if it's destined to 192.168.0.1 or 192.168.0.2 if both
> initiated a GRE tunnel to 1.2.3.4. That's because GRE doesn't have
> ports like UDP or TCP to make (de)multiplexing possible, AFAIK.
>
> http://www.networksorcery.com/enp/protocol/gre.htm
>
Cool. I did not know that ICMP doesn't work through nat. It always
worked for me. Moreover, as far as I remember, GRE worked with
IPFW/NATD, and SOMETIMES it works with pf.

Alex.

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

• Previous message: Giovanni P. Tirloni: "Re: GRE and PF problem"
• In reply to: Giovanni P. Tirloni: "Re: GRE and PF problem"
• Next in thread: Giovanni P. Tirloni: "Re: GRE and PF problem"
• Reply: Giovanni P. Tirloni: "Re: GRE and PF problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: GRE and PF problem ... >> initiated a GRE tunnel to 1.2.3.4. ... I did not know that ICMP doesn't work through nat. ... way for it to distinguish between a packet destined to 192.168.0.1 or 0.2. ... (freebsd-net) Re: GRE and PF problem ... >> GRE needs to pass bidirectional. ... > The only thing firewall needs to implement for natting GRE is creation ... > of two rules for GRE packet, just like it does for ICMP. ... (freebsd-net)