GRE and PF problem
Giovanni P. Tirloni
gpt at tirloni.org
Thu Jul 14 20:56:07 GMT 2005
Alex Povolotsky wrote:
>> When a packet comes from 1.2.3.4 to your external interface you can't
>> determine if it's destined to 192.168.0.1 or 192.168.0.2 if both
>> initiated a GRE tunnel to 1.2.3.4. That's because GRE doesn't have
>> ports like UDP or TCP to make (de)multiplexing possible, AFAIK.
>>
>> http://www.networksorcery.com/enp/protocol/gre.htm
>>
> Cool. I did not know that ICMP doesn't work through nat. It always
> worked for me. Moreover, as far as I remember, GRE worked with
> IPFW/NATD, and SOMETIMES it works with pf.
I don't know how PF keeps track of ICMP packets but there must be a
way for it to distinguish between a packet destined to 192.168.0.1 or 0.2.
We all know ICMP works behind NAT. You don't need to play like that here.
Looking at the GRE header I simply can't find a way to keep track of
it and my experiences with some xDSL/cable routers permit me to say
that I haven't found anyone that would let me establish more than one
PPTP connection behind NAT.
But then I'm no networking/pf/kernel guru to keep talking about this.
--
Giovanni P. Tirloni / gpt at tirloni.org / PGP: 0xD0315C26
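
The demultiplexing problem discussed in this thread, as an added example that is not part of the original message: a toy NAT state table in Python showing which internal host a reply from 1.2.3.4 can be mapped back to. The class `ToyNat`, the external address and the identifier pool are constructed for illustration, and keying ICMP echo on its identifier field is an assumption about how a NAT tracks it, not a description of pf's code.

```python
from collections import defaultdict

EXT_IP = "203.0.113.1"   # constructed external address of the NAT box
REMOTE = "1.2.3.4"       # remote peer from the thread

class ToyNat:
    """Minimal NAT state table: reverse-lookup key -> internal hosts."""

    def __init__(self, ext_ip):
        self.ext_ip = ext_ip
        self.next_ident = 50000            # pool of external ports / echo ids
        self.reverse = defaultdict(set)

    def outbound(self, proto, src, dst, ident=None):
        """Record state for one outgoing packet; return the key a reply matches.

        ident is the source port (tcp/udp) or echo identifier (icmp).
        GRE as described in the thread has no such field, so ident is None.
        """
        if ident is None:
            key = (proto, dst, self.ext_ip)
        else:
            # Rewrite the identifier to one that is unique on the external side.
            key = (proto, dst, self.ext_ip, self.next_ident)
            self.next_ident += 1
        self.reverse[key].add(src)
        return key

    def inbound(self, key):
        """Internal hosts a reply carrying this key could belong to."""
        return sorted(self.reverse[key])

def demo():
    nat = ToyNat(EXT_IP)
    hosts = ["192.168.0.1", "192.168.0.2"]
    result = {}
    for proto, ident in (("udp", 40000), ("icmp", 7), ("gre", None)):
        # Both hosts pick the same port / echo id on purpose: the worst case.
        keys = [nat.outbound(proto, h, REMOTE, ident) for h in hosts]
        result[proto] = [nat.inbound(k) for k in keys]
    return result

if __name__ == "__main__":
    for proto, candidates in demo().items():
        print(proto, candidates)
```

For udp and icmp each reply key maps to exactly one internal host; for gre both tunnels collapse onto the same key and the lookup returns both hosts.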