tech-net archive


Re: ipip (gif) tunnels and npf (John Klos) writes:

>When I have the internal <-> other side endpoints in gif behind npf, I see 
>the packets leaving the public interface looking like this:

>01:20:16.772680 IP > IP > ICMP echo request, id 3384, seq 0, length 64 (ipip-proto-4)
>01:20:17.777222 IP > IP > ICMP echo request, id 3384, seq 1, length 64 (ipip-proto-4)

>They're clearly not rewritten.

NAT should look at packets on the outgoing interface and these
should be rewritten, whether they are e.g. IP+TCP or IP+IP packets
shouldn't matter.

Something like this:

ext_if = pppoe0
ext_ip = inet4($ext_if)
private_net = { }

map $ext_if dynamic $private_net -> $ext_ip

should work also for tunnel packets.

                                Michael van Elst
                                "A potential Snark may lurk in every tree."
