PF + route-to + gif weird behavior (bug ?)

Schmurfy schmurfy at gmail.com
Mon Jun 27 18:51:49 UTC 2011


On 27 June 2011 16:47, Damien Fleuriot <ml at my.gd> wrote:

> On 6/27/11 12:50 PM, Schmurfy wrote:
> > Hi,
> > I just came across a problem with route-to and gif interfaces.
> > First, here is my rc.conf:
> >
> > # Router
> > ifconfig_em0="inet 10.11.12.212/24"
> > defaultrouter="10.11.12.253"
> > gateway_enable="YES"
> >
> > static_routes="gif_endpoint"
> > route_visp="10.11.20.1/32 10.11.12.213"
> >
>
> I'd like to point out you declare a gif_endpoint static route, but it
> doesn't exist.
> Similarly a route called route_visp exists but is not declared as a
> static route.
>


Sorry for that, in fact the real declaration was:
static_routes="visp"

Not sure how I ended up with the wrong line in my first version xD

>
> > pf_enable="YES"
> > pf_rules="/etc/pf.conf"
> > pflog_enable="YES"
> >
> > # IPIP tunnels
> > gif_interfaces="gif1001"
> >
> > ifconfig_em0_alias0="inet 10.11.20.2/32"
> > ifconfig_em0_alias1="inet 192.168.254.1/32"
> > gifconfig_gif1001="10.11.20.2 10.11.20.1"
> > ifconfig_gif1001="inet 1.2.3.1 1.2.3.2 netmask 255.255.255.252"
> >
> > What I wanted to do is to redirect incoming connections on the external
> > interface (em0) on a specific address to a gif tunnel. My problem is that
> > the packet is redirected, so that part works, but the packet exiting the em0
> > interface (the gif tunnel is also using em0) has a wrong IPIP header: the
> > source address is the first address assigned to em0 instead of the alias
> > added for the gif tunnel.
>
> This looks like a case where you'd like to NAT then.
>
> Use PF to say you'll be NATing, so that you can force the correct IP?
>
>
I am not sure I understand what you mean here, could you show me how you
would do this?
You would NAT with the IPIP tunnel local address?

I did not say it in my first message, but I tried the same ruleset on
OpenBSD 4.9 (with the syntax changes) and everything works as expected
there: the packets redirected into the gif tunnel (with route-to) exit on
the physical network with the correct IPIP header.


> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
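An added check, not written by either poster in this thread: a small Python script that scans `tcpdump -ni em0 proto 4` output on the router and flags IP-in-IP packets toward the gif peer whose outer source is not the tunnel's local address, which is the symptom described above. The tunnel addresses come from the rc.conf quoted in the thread; the client address 10.11.12.50 and the capture lines are constructed.

```python
import re

# Tunnel parameters taken from the rc.conf quoted in the thread.
TUNNEL_LOCAL = "10.11.20.2"    # gifconfig_gif1001 local: the outer src we expect
TUNNEL_REMOTE = "10.11.20.1"   # gifconfig_gif1001 remote: the outer dst
EM0_PRIMARY = "10.11.12.212"   # first address on em0: the outer src actually seen

# One tcpdump -n line for an IP-in-IP packet looks like
# "IP <outer src> > <outer dst>: IP <inner src>.<port> > <inner dst>.<port>: ..."
_IPIP = re.compile(
    r"IP (?P<osrc>\d+\.\d+\.\d+\.\d+) > (?P<odst>\d+\.\d+\.\d+\.\d+): "
    r"IP (?P<isrc>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<idst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?"
)


def check_outer_headers(lines, local=TUNNEL_LOCAL, remote=TUNNEL_REMOTE):
    """Return (outer_src, inner_src, inner_dst) for every encapsulated packet
    bound for `remote` whose outer source address is not `local`."""
    bad = []
    for line in lines:
        m = _IPIP.search(line)
        if not m or m.group("odst") != remote:
            continue  # not an encapsulated packet headed to our tunnel peer
        if m.group("osrc") != local:
            bad.append((m.group("osrc"), m.group("isrc"), m.group("idst")))
    return bad


# Constructed sample (assumption: a client 10.11.12.50 hitting the 192.168.254.1
# alias, redirected with route-to into gif1001): first line shows the bug,
# second is what a correct outer header looks like, third is return traffic.
SAMPLE = [
    "10:01:02.000001 IP 10.11.12.212 > 10.11.20.1: IP 10.11.12.50.40000 > 192.168.254.1.80: Flags [S], seq 1, length 0",
    "10:01:02.000002 IP 10.11.20.2 > 10.11.20.1: IP 10.11.12.50.40001 > 192.168.254.1.80: Flags [S], seq 2, length 0",
    "10:01:02.000003 IP 10.11.20.1 > 10.11.20.2: IP 192.168.254.1.80 > 10.11.12.50.40001: Flags [S.], seq 3, length 0",
]

if __name__ == "__main__":
    for osrc, isrc, idst in check_outer_headers(SAMPLE):
        print(f"outer src {osrc} != {TUNNEL_LOCAL} for inner {isrc} -> {idst}")
```

Feed it real capture lines with `tcpdump -ni em0 proto 4` piped into the script to see whether the outer source is still the primary em0 address after any change to the ruleset.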

