From: "Scott Ullrich"
To: FreeBSD
Date: Thu, 18 Jan 2007 14:55:12 -0500
Subject: Re: Using scrub + rdr gre does not work as expected
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On 1/17/07, Scott Ullrich wrote:
> Hi,
>
> We are trying to track down an issue when using the Frickin PPTP
> proxy.  When we use "scrub in all random-id fragment reassemble" the
> GRE traffic fails to get rdr'd properly.  If we remove the scrub
> directive the traffic flows as it should.  Here is a look at the state
> list both ways:
>
> With scrub:
>
> self gre 192.168.10.198 <- 192.168.10.1       MULTIPLE:MULTIPLE
> self gre 192.168.1.199 -> 192.168.10.1       SINGLE:NO_TRAFFIC
> self gre 192.168.10.1 -> 192.168.1.199       MULTIPLE:MULTIPLE
>
> Without scrub:
>
> self gre 127.0.0.1 <- 192.168.10.1 <- 192.168.1.199       NO_TRAFFIC:SINGLE
>
> Also, why is the IP address changing in these states?  We are only
> using .199 here as a test.
>
> Anyone have an idea?  This works okay on OpenBSD 3.6.  I am told by
> the Frickin PPTP author that it works ok on 6.0 but it appears broken
> on 6.2.
>
> FreeBSD pfsense.local 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12
> 15:32:48 EST 2007
> sullrich@default.domain.com:/usr/obj.pfSense/usr/src/sys/pfSense.6
> i386
>
> Thanks in advance!
>

Here is an update to this.  We tried to skip scrubbing on lo0 with "set
skip on lo0" but the problem persists.  For some reason PF is using
the wrong IP address in the states list:

# pfctl -ss | grep gre
self gre 192.168.10.198 <- 192.168.10.1       NO_TRAFFIC:SINGLE
self gre 192.168.1.199 -> 192.168.10.1       SINGLE:NO_TRAFFIC
self gre 192.168.10.1 -> 192.168.1.199       MULTIPLE:MULTIPLE

NOTE: 198 is not even an active host on this network.  The host does
not exist at all.  This seems like a bug.
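
The check done by eye in the message above, as an added example that is not part of the original message or of pf: it parses the gre lines of `pfctl -ss` output in the layout quoted there and reports any address outside an expected set. The `KNOWN_HOSTS` set and all function names are assumptions made for this illustration.

```python
import re
from typing import NamedTuple

# State lines copied from the message above (scrub and no-scrub listings).
SAMPLE = """\
self gre 192.168.10.198 <- 192.168.10.1       NO_TRAFFIC:SINGLE
self gre 192.168.1.199 -> 192.168.10.1       SINGLE:NO_TRAFFIC
self gre 192.168.10.1 -> 192.168.1.199       MULTIPLE:MULTIPLE
self gre 127.0.0.1 <- 192.168.10.1 <- 192.168.1.199       NO_TRAFFIC:SINGLE
"""

# Assumption: the addresses that legitimately take part in the test.
KNOWN_HOSTS = {"127.0.0.1", "192.168.10.1", "192.168.1.199"}

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

class GreState(NamedTuple):
    scope: str     # first column exactly as printed ("self" in the message)
    addrs: tuple   # addresses in the order pfctl printed them
    arrows: tuple  # "<-" / "->" tokens between the addresses
    state: str     # last column, e.g. "NO_TRAFFIC:SINGLE"

def parse_gre_states(text):
    """Parse gre state lines; handles the two- and three-address forms."""
    states = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[1] != "gre":
            continue
        body, state = f[2:-1], f[-1]
        addrs = tuple(t for t in body if IPV4.match(t))
        arrows = tuple(t for t in body if t in ("<-", "->"))
        if len(addrs) != len(arrows) + 1:
            continue  # not the address/arrow layout this parser knows
        states.append(GreState(f[0], addrs, arrows, state))
    return states

def unexpected_hosts(states, known=KNOWN_HOSTS):
    """Map each address outside `known` to the states that reference it."""
    hits = {}
    for s in states:
        for addr in s.addrs:
            if addr not in known:
                hits.setdefault(addr, []).append(s)
    return hits

if __name__ == "__main__":
    for addr, sts in unexpected_hosts(parse_gre_states(SAMPLE)).items():
        for s in sts:
            print(f"{addr}: unexpected in gre state {' '.join(s.addrs)} [{s.state}]")
```

On a live system the same functions can be fed the text of `pfctl -ss` instead of `SAMPLE`.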