Date:      Tue, 23 Jun 2009 05:14:53 GMT
From:      Alexander <mene@ya.ru>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/135948: pf not natting gre protocol
Message-ID:  <200906230514.n5N5ErmS023961@www.freebsd.org>
Resent-Message-ID: <200906230520.n5N5K1Nl069860@freefall.freebsd.org>


>Number:         135948
>Category:       kern
>Synopsis:       pf not natting gre protocol
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 23 05:20:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Alexander
>Release:        7.2-RELEASE FreeBSD
>Organization:
dancer
>Environment:
FreeBSD ns1.xxxx.xx 7.2-RELEASE FreeBSD 7.2-RELEASE #2: Tue Jun 23 11:02:21 NOVST 2009     root@xx.xxxx.xx:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
7.2-RELEASE, updated from source (from 7.1-PRERELEASE)

I'm trying to connect from the local network to an external PPTP server. The login and password checking phase is stopped by a timeout.
pf does not work with multiple GRE connections, I know. But on this server only one mpd PPTP client is running, to another server (server1). And from the local network I try to connect to an external server (server2). killall mpd5 has no result. The protocol going out from me is not NATed.
I also tried rebuilding the kernel without IPFIREWALL, with no result.

tcpdump and my configs:

changed kernel options:
kernel-config
#options        INET6
#options        SCTP 
device pf
device pfsync
device pflog
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options DUMMYNET
options NETGRAPH
options NETGRAPH_VJC
options NETGRAPH_PPP
options NETGRAPH_SOCKET
options NETGRAPH_CISCO
options NETGRAPH_ECHO
options NETGRAPH_FRAME_RELAY
options NETGRAPH_HOLE
options NETGRAPH_KSOCKET
options NETGRAPH_LMI
options NETGRAPH_RFC1490
options NETGRAPH_TTY
options NETGRAPH_ASYNC
options NETGRAPH_ETHER
options NETGRAPH_IFACE
options NETGRAPH_TEE
options NETGRAPH_UI
options NETGRAPH_PPTPGRE
options NETGRAPH_PPPOE
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_BPF

/etc/pf.conf
tomsk_if="rl0"                # external interface (the one tcpdump is run on below)
tomsk_gw="192.168.22.11"      # gateway on that link (not referenced by the rules below)
tomsk_ip="192.168.22.22"      # this host's own address on $tomsk_if
scrub in all
# NAT all traffic from the LAN client 172.22.3.3 to the external interface address
nat on $tomsk_if from 172.22.3.3 to any -> ($tomsk_if)
# NAT GRE (the PPTP data channel) from any source to the external interface address
nat on $tomsk_if proto gre from any to any -> ($tomsk_if)
# no filtering: let everything through in both directions
pass in quick
pass out quick

tcpdump -ni rl0
11:49:43.247209 IP 192.168.22.22.52676 > 213.183.96.29.1723: S 2598945743:2598945743(0) win 65535 <mss 1260,nop,nop,sackOK>
11:49:43.272521 IP 213.183.96.29.1723 > 192.168.22.22.52676: S 3289213647:3289213647(0) ack 2598945744 win 65535 <mss 1260,sackOK,eol>
11:49:43.272793 IP 192.168.22.22.52676 > 213.183.96.29.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp]
11:49:43.291500 IP 213.183.96.29.1723 > 192.168.22.22.52676: P 1:157(156) ack 157 win 65535: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(AS) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(257) [|pptp]
11:49:43.291654 IP 192.168.22.22.52676 > 213.183.96.29.1723: P 157:325(168) ack 157 win 65379: pptp CTRL_MSGTYPE=OCRQ CALL_ID(32768) CALL_SER_NUM(60053) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
11:49:43.310932 IP 213.183.96.29.1723 > 192.168.22.22.52676: P 157:189(32) ack 325 win 65535: pptp CTRL_MSGTYPE=OCRP CALL_ID(62486) PEER_CALL_ID(32768) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(64000) RECV_WIN(16) PROC_DELAY(1) PHY_CHAN_ID(131072)
11:49:43.311393 IP 213.183.96.29 > 192.168.22.22: GREv1, call 32768, seq 0, length 39: LCP, Conf-Request (0x01), id 1, length 25
11:49:43.315766 IP 192.168.22.22.52676 > 213.183.96.29.1723: P 325:349(24) ack 189 win 65347: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(62486) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
11:49:43.319020 IP 172.22.3.3 > 213.183.96.29: GREv1, call 62486, seq 0, length 37: LCP, Conf-Request (0x01), id 0, length 23
11:49:43.335801 IP 213.183.96.29 > 192.168.22.22: GREv1, call 32768, seq 1, ack 0, length 27: LCP, Conf-Reject (0x04), id 0, length 9
11:49:43.434641 IP 213.183.96.29.1723 > 192.168.22.22.52676: . ack 349 win 65535
11:49:45.304695 IP 172.22.3.3 > 213.183.96.29: GREv1, call 62486, seq 1, length 37: LCP, Conf-Request (0x01), id 1, length 23
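The capture above shows the symptom directly: the TCP/1723 control connection leaves rl0 with the router's own address 192.168.22.22 as source, while the GRE packets leave with the LAN client's address 172.22.3.3 untouched. The following script is an added example, not part of the report, that runs that check mechanically over tcpdump lines so the result of a NAT rule can be confirmed per protocol from a capture rather than by eye. It assumes, as the report states, that rl0 is the external interface holding 192.168.22.22 and that 172.22.0.0/16 is the LAN behind the NAT; the trace embedded in it is abridged from the capture above.

```python
import ipaddress
import re

# Trace lines abridged from the "tcpdump -ni rl0" output in the report.
TRACE = """\
11:49:43.247209 IP 192.168.22.22.52676 > 213.183.96.29.1723: S 2598945743:2598945743(0) win 65535
11:49:43.272521 IP 213.183.96.29.1723 > 192.168.22.22.52676: S 3289213647:3289213647(0) ack 2598945744 win 65535
11:49:43.272793 IP 192.168.22.22.52676 > 213.183.96.29.1723: P 1:157(156) ack 1 win 65535: pptp CTRL_MSGTYPE=SCCRQ
11:49:43.291500 IP 213.183.96.29.1723 > 192.168.22.22.52676: P 1:157(156) ack 157 win 65535: pptp CTRL_MSGTYPE=SCCRP
11:49:43.291654 IP 192.168.22.22.52676 > 213.183.96.29.1723: P 157:325(168) ack 157 win 65379: pptp CTRL_MSGTYPE=OCRQ CALL_ID(32768)
11:49:43.310932 IP 213.183.96.29.1723 > 192.168.22.22.52676: P 157:189(32) ack 325 win 65535: pptp CTRL_MSGTYPE=OCRP CALL_ID(62486)
11:49:43.311393 IP 213.183.96.29 > 192.168.22.22: GREv1, call 32768, seq 0, length 39: LCP, Conf-Request (0x01), id 1, length 25
11:49:43.315766 IP 192.168.22.22.52676 > 213.183.96.29.1723: P 325:349(24) ack 189 win 65347: pptp CTRL_MSGTYPE=SLI
11:49:43.319020 IP 172.22.3.3 > 213.183.96.29: GREv1, call 62486, seq 0, length 37: LCP, Conf-Request (0x01), id 0, length 23
11:49:43.335801 IP 213.183.96.29 > 192.168.22.22: GREv1, call 32768, seq 1, ack 0, length 27: LCP, Conf-Reject (0x04), id 0, length 9
11:49:43.434641 IP 213.183.96.29.1723 > 192.168.22.22.52676: . ack 349 win 65535
11:49:45.304695 IP 172.22.3.3 > 213.183.96.29: GREv1, call 62486, seq 1, length 37: LCP, Conf-Request (0x01), id 1, length 23
"""

# Assumptions taken from the report: rl0 carries 192.168.22.22 and is the
# NAT's outside interface; 172.22.0.0/16 is the LAN whose addresses must
# never appear as the source of a packet leaving rl0.
EXTERNAL_IP = ipaddress.ip_address("192.168.22.22")
INTERNAL_NET = ipaddress.ip_network("172.22.0.0/16")

# "<ts> IP <src[.port]> > <dst[.port]>: <rest>"  (tcpdump -n, IPv4 only)
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def split_endpoint(token):
    """'a.b.c.d.port' -> (ip, port); 'a.b.c.d' (GRE has no port) -> (ip, None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ipaddress.ip_address(".".join(parts[:4])), int(parts[4])
    return ipaddress.ip_address(token), None


def classify(sport, dport, rest):
    """Label the packet by the protocol the NAT rules care about."""
    if rest.startswith("GREv1"):
        return "gre"
    if 1723 in (sport, dport):
        return "tcp/1723"
    return "other"


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"ts": m["ts"], "src": src, "dst": dst,
            "proto": classify(sport, dport, m["rest"])}


def is_outbound(pkt):
    """Outbound = leaving towards an address that is neither ours nor on the LAN."""
    return pkt["dst"] != EXTERNAL_IP and pkt["dst"] not in INTERNAL_NET


def audit(trace):
    """Outbound packets whose source is still an internal address, i.e. not NATed."""
    leaks = []
    for line in trace.splitlines():
        pkt = parse_line(line)
        if pkt and is_outbound(pkt) and pkt["src"] in INTERNAL_NET:
            leaks.append(pkt)
    return leaks


def summarize(trace):
    """Per protocol: how many outbound packets were rewritten vs. leaked unrewritten."""
    counts = {}
    for line in trace.splitlines():
        pkt = parse_line(line)
        if not pkt or not is_outbound(pkt):
            continue
        bucket = counts.setdefault(pkt["proto"], {"natted": 0, "leaked": 0})
        bucket["leaked" if pkt["src"] in INTERNAL_NET else "natted"] += 1
    return counts


if __name__ == "__main__":
    for proto, c in summarize(TRACE).items():
        print(f"{proto:10s} natted={c['natted']} leaked={c['leaked']}")
    for pkt in audit(TRACE):
        print(f"LEAK {pkt['ts']} {pkt['proto']} {pkt['src']} -> {pkt['dst']}")
```

On this trace it reports tcp/1723 as fully NATed and both outbound GRE packets as leaked with source 172.22.3.3, which is the observation the report makes. Run against a fresh capture (`tcpdump -ni rl0 -l | python3 script.py` after swapping TRACE for `sys.stdin.read()`), it separates "the NAT rule never matched" from "the tunnel failed for another reason" without reading the packets by hand.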


Sorry for my English.
If this problem is not solved, where can I read the official documentation for IPFIREWALL NAT in kernel mode?

I'm also using a second FreeBSD 7.2 server and trying to connect through it, but again with no result.
P.S. Server two does not use mpd or any other VPN connections. But when I try to connect a PPTP client from the local network, 10% of connections succeed, without changing the config, and 90% of the time GRE is not NATed. What is this? I read reports about multiple connections and tried using the frickin PPTP proxy, but with no result either.
I think GRE is never going through the pf rules, or pf ignores it :(

>How-To-Repeat:
always
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
