tech-net archive
Re: ipip (gif) tunnels and npf
john%ziaspace.com@localhost (John Klos) writes:
>When I have the internal <-> other side endpoints in gif behind npf, I see
>the packets leaving the public interface looking like this:
>01:20:16.772680 IP 10.0.100.97 > 74.118.183.200: IP 192.80.49.79 > 192.80.49.78: ICMP echo request, id 3384, seq 0, length 64 (ipip-proto-4)
>01:20:17.777222 IP 10.0.100.97 > 74.118.183.200: IP 192.80.49.79 > 192.80.49.78: ICMP echo request, id 3384, seq 1, length 64 (ipip-proto-4)
>They're clearly not rewritten.
NAT should look at packets on the outgoing interface and these
should be rewritten; whether they are e.g. IP+TCP or IP+IP packets
shouldn't matter.
Something like this:
ext_if = pppoe0
ext_ip = inet4($ext_if)
private_net = { 10.0.100.0/24 }
map $ext_if dynamic $private_net -> $ext_ip
should work also for tunnel packets.
--
Michael van Elst
Internet: mlelstv%serpens.de@localhost
"A potential Snark may lurk in every tree."
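
Added example, not part of either post: a small check that reads tcpdump text captured on the public interface and reports packets whose outer source address is still inside the private network, for plain and ipip-encapsulated traffic alike. The first two sample lines are the ones quoted in the thread; the other two, including the address 198.51.100.10, are constructed.

```python
import ipaddress
import re

# IPv4 address, optionally followed by the ".port" suffix tcpdump appends.
ADDR = r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?"
# timestamp, outer src > outer dst, then an optional encapsulated header.
LINE_RE = re.compile(rf"^(\S+) IP {ADDR} > {ADDR}: (IP {ADDR} > {ADDR}: )?")

def unrewritten(lines, private_net):
    """Return (timestamp, outer_src, kind) for every packet whose outer
    source address is still inside private_net, i.e. was not NATed."""
    net = ipaddress.ip_network(private_net)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an IPv4 line in the expected format
        try:
            outer_src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # digits that do not form a valid address
        if outer_src in net:
            kind = "ipip" if m.group(4) else "plain"
            hits.append((m.group(1), str(outer_src), kind))
    return hits

SAMPLE = [
    # Quoted in the thread: outer source is still the private address.
    "01:20:16.772680 IP 10.0.100.97 > 74.118.183.200: IP 192.80.49.79 > "
    "192.80.49.78: ICMP echo request, id 3384, seq 0, length 64 (ipip-proto-4)",
    "01:20:17.777222 IP 10.0.100.97 > 74.118.183.200: IP 192.80.49.79 > "
    "192.80.49.78: ICMP echo request, id 3384, seq 1, length 64 (ipip-proto-4)",
    # Constructed: the same tunnel packet after the outer header was rewritten.
    "01:20:18.781000 IP 198.51.100.10 > 74.118.183.200: IP 192.80.49.79 > "
    "192.80.49.78: ICMP echo request, id 3384, seq 2, length 64 (ipip-proto-4)",
    # Constructed: an ordinary TCP packet that was rewritten.
    "01:20:19.100000 IP 198.51.100.10.51514 > 203.0.113.5.443: Flags [S], "
    "seq 1, win 32768, length 0",
]

if __name__ == "__main__":
    for ts, src, kind in unrewritten(SAMPLE, "10.0.100.0/24"):
        print(f"{ts} outer source {src} not rewritten ({kind})")
```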