Hi, I've been testing ospfd over gif and gre tunnels, and since changing my ipsec setup, I've noticed a weird problem possibly related to pf.

In a nutshell, with a pf.conf file containing only the word "pass", when pf is enabled, my router can't forward DNS replies from the gre/ipsec tunnel to the originating interface, yet it works fine after pfctl -d. With tcpdump, I can see that the dns reply is encapsulated in the enc0 interface, with or without pf enabled. However, if I sniff the originating interface, I don't see the reply when pf is enabled.

The setup is shown at http://www.cl-is.com/ospf-test-setup.gif. I am trying to nslookup www.google.com from 10.80.1.10.

Here's some tcpdump output from the router enc0 i/f at 10.80.1.2 showing the encapsulated reply in the ipsec/gre tunnel:

(authentic,confidential): SPI 0xf4002231: 192.168.100.3 > 62.xxx.xxx.123: gre 192.168.100.3 > 172.21.5.2: [] 10.80.1.10.41081 > 212.23.3.1.53: 28993+[|domain] (ttl 63, id 56742, len 60) (ttl 64, id 42337, len 84) (ttl 64, id 36445, len 104, bad cksum 0!)
(authentic,confidential): SPI 0xe0be3b36: 62.xxx.xxx.123 > 192.168.100.3: gre 172.21.5.2 > 192.168.100.3: [] 212.23.3.1.53 > 10.80.1.10.41081: 28993[|domain] (DF) (ttl 56, id 0, len 240) (DF) (ttl 64, id 39961, len 264) (DF) (ttl 53, id 62493, len 284)

Here's the request and reply at the 10.80.1.2 interface when pf is disabled:

10.80.1.10.44820 > 212.23.8.1.53: [udp sum ok] 57645+ A? www.google.com. (32) (ttl 64, id 42326, len 60)
212.23.8.1.53 > 10.80.1.10.44820: 57645 3/0/0 www.google.com. CNAME www.l.google.com., www.l.google.com.[|domain] (DF) (ttl 55, id 0, len 112)

With pf enabled, the enc0 traffic has the dns reply; it just doesn't show up in the 10.80.1.2 interface and so the client never receives it. Anyone got a clue what could be wrong? I am using -current.

PS. I have just found out that I can fix my problem by using "set skip on gre0" before the "pass" rule, but I'd have thought that "pass" alone would be enough. Is that expected behaviour?

Cheers,
Stephen Marley
-- 
[EMAIL PROTECTED]
