Quoting stephen <[EMAIL PROTECTED]>:
On 4/13/05, Vlad GALU <[EMAIL PROTECTED]> wrote:
On 4/13/05, stephen <[EMAIL PROTECTED]> wrote:
> On 4/13/05, Vlad GALU <[EMAIL PROTECTED]> wrote:
> > On 4/13/05, stephen <[EMAIL PROTECTED]> wrote:
> > You're not allowing any ipencap traffic on your tun interface. One
> > more thing: you have "block in on $ext_if all" twice.
>
> Ah yeah... I do have it correct in my pf.conf, it was because I was
> replacing all the variables back to what they should be.. must've lost
> concentration as I was sending this mail just as my ride home arrived.
>
> Can you tell me more about allowing ipencap please?

gif interfaces use an encapsulation named "ipencap" (grep ipencap
/etc/protocols, you'll see it mentioned there). All you have to do is to
permit that type of protocol to flow in and out your tun interface.
This should do it.
ok, we're making progress! I added the rules:
    pass in on $ext_if inet proto ipencap from any to any keep state
    pass out on $ext_if inet proto ipencap from any to any keep state

I don't think I'd need the keep state as I'm passing all in and out, but threw it in there anyway..
    Thu Apr 14 09:37:23 [EMAIL PROTECTED]:/home/stephen# ping -c 3 10.0.89.254
    PING 10.0.89.254 (10.0.89.254): 56 data bytes

    --- 10.0.89.254 ping statistics ---
    3 packets transmitted, 0 packets received, 100% packet loss

    Thu Apr 14 09:37:47 [EMAIL PROTECTED]:/home/stephen# ping -c 3 www.iol.co.za
    PING www.iol.co.za (196.30.168.79): 56 data bytes
    64 bytes from 196.30.168.79: icmp_seq=0 ttl=58 time=48.192 ms
    64 bytes from 196.30.168.79: icmp_seq=1 ttl=58 time=46.719 ms
    64 bytes from 196.30.168.79: icmp_seq=2 ttl=58 time=49.637 ms

    --- www.iol.co.za ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 46.719/48.183/49.637/1.191 ms
I've now gone from 'operation not permitted' to no ping response when pinging 10.0.89.254 (end point of tunnel). Doesn't look like an ICMP issue, as I can ping www.iol.co.za via tun0 w/o a problem.
Just wondering if this could have something to do with what you are seeing:

    The gif device does not translate ICMP messages for the outer header into the inner header.

From the gif man page. I've never used gif, so this is a learning opportunity ;)
Good luck,
ed
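As an added illustration (not from anyone in this thread), here is what a complete pf.conf built along the lines discussed above could look like: the duplicate "block in" stated once, ipencap passed on the outer interface, and the decapsulated traffic, ICMP included, filtered again on the gif interface. Interface names, the peer address and the inner network are placeholders, and the gif0/inner-network layout is an assumption about the poster's setup.

```pf
# Added example, not the thread's own config. Names and addresses are placeholders.
ext_if      = "tun0"
gif_if      = "gif0"
tunnel_peer = "192.0.2.10"      # placeholder: outer address of the far tunnel end
inner_net   = "10.0.89.0/24"    # placeholder: network carried inside the tunnel

set skip on lo0
scrub in all

# Default deny on the external interface, written once (the thread noted a duplicate).
block in on $ext_if all

# Outer tunnel: gif carries IPv4-in-IPv4, protocol "ipencap" in /etc/protocols.
# Limiting it to the known peer is tighter than "from any to any" and still lets
# the tunnel come up in both directions.
pass in  on $ext_if inet proto ipencap from $tunnel_peer to ($ext_if) keep state
pass out on $ext_if inet proto ipencap from ($ext_if) to $tunnel_peer keep state

# Inner traffic: once decapsulated, packets appear on $gif_if and are filtered
# again there, so ICMP to and from the tunnel endpoint needs its own pass rules.
pass in  on $gif_if inet proto icmp from $inner_net to any keep state
pass out on $gif_if inet from any to $inner_net keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -sr` afterwards confirms the rules that are actually active.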
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"