Subject: Re: pptp client behind NAT - transfer hangs up
To: Egervary Gergely <egervary@expertlan.hu>
From: Quentin Garnier <cube@cubidou.net>
List: netbsd-users
Date: 01/08/2005 21:36:54

On Sat, Jan 08, 2005 at 08:12:07PM +0100, Egervary Gergely wrote:
> >>I've tried with ``pass-everything'' and it's the same. :(
> >
> >You mean 'pass in all / pass out all'?
> >
> >Specifically, PPTP needs the GRE protocol (IP proto 47).  It's not related to
> >either UDP or TCP, it is very specific.
>
> yes, I have `pass in proto gre` / `pass out proto gre`
> (without gre it's not possible to connect to the PPTP server at all)
>
> >There should be a line for the GRE protocol that would look like this:
> >
> >MAP 10.0.1.1  <- -> 193.224.190.1  [195.70.36.136]
> >
> >Also, add -v to have a bit more of information.
> >
> >Yes, that probably is the sign that GRE packets get blocked.  You can
> >check that incoming GRE packets arrive with 'tcpdump -i <outbound iface>
> >proto gre'.
>
> bah... I played with `ipnat -l` a bit, and yes... there's a line for the
> gre mapping like this...
>
> MAP 10.0.1.1  <- -> 193.224.190.1  [195.70.36.136]
>
> ... only for a moment after the connection was established, and while
> the client is sending data, not more.
>
> (I only did `ping'-tests, and it's hard to catch when there's no
> continuous data transfer)
>
> Any idea?

Try 'keep state' rules in ipf, e.g.

pass in proto gre keep state
pass out proto gre keep state

--
Quentin Garnier - cube@cubidou.net - cube@NetBSD.org
"Commala-come-five! / Even when the shadows rise!
To see the world and walk the world / Makes ya glad to be alive."
Susannah's Song, The Dark Tower VI, Stephen King, 2004.
