Problems with gif tunnels
I've just installed an ADSL line, and I'm trying to route a class C network. For some reason the ISP does this kind of routing via a GRE tunnel, and I'm having the devil's own job getting it to work. Here's the current situation:

1. The ADSL line is up and running. I have a /30 with the following addresses:

     150.101.14.9    gateway address
     150.101.14.10   local address

2. To this line, I want to install a tunnel for 192.109.197.0/24. The ISP tells me to set up a tunnel between the local address (150.101.14.10) and their tunnel address 203.16.215.227. According to recent (5.x) documentation, this should be done with:

     ifconfig gif0 tunnel 150.101.14.10 203.16.215.227 up

3. Obviously I also need to have IP forwarding enabled.

So I do all this and get:

  xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          options=9<RXCSUM,VLAN_MTU>
          inet 192.109.197.143 netmask 0xffffff00 broadcast 192.109.197.255
          inet6 fe80::204:75ff:fefa:a80%xl0 prefixlen 64 scopeid 0x1
          ether 00:04:75:fa:0a:80
          media: Ethernet autoselect (10baseT/UTP)
          status: active
  rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
          options=8<VLAN_MTU>
          inet6 fe80::202:44ff:fe59:7076%rl0 prefixlen 64 scopeid 0x2
          inet 150.101.14.10 netmask 0xfffffffc broadcast 150.101.14.11
          ether 00:02:44:59:70:76
          media: Ethernet autoselect (10baseT/UTP)
          status: active
  gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1452
          tunnel inet 150.101.14.10 --> 203.16.215.227
          inet6 fe80::204:75ff:fefa:a80%gif0 prefixlen 64 scopeid 0x5

  Destination        Gateway            Flags    Refs      Use  Netif Expire
  default            150.101.14.9       UGS         0        7    rl0
  150.101.14.8/30    link#2             UC          0        0    rl0
  150.101.14.9       00:90:1a:40:09:98  UHLW        2        2    rl0    903
  192.109.197        link#1             UC          0        0    xl0
  192.109.197.135    00:10:4b:66:1e:e9  UHLW        0     6757    xl0   1056
  192.109.197.137    00:50:da:cf:07:35  UHLW        0    99336    xl0   1188
  192.109.197.255    ff:ff:ff:ff:ff:ff  UHLWb       0    34521    xl0
  203.16.215.227     150.101.14.9       UGHS        1        4    rl0

  net.inet.ip.forwarding: 1

I then get somebody from the other end to ping me:

  17:49:10.228597 IP 203.16.215.227 > 150.101.14.10: IP 192.83.231.16 > 192.109.197.145: icmp 64: echo request seq 6908
  17:49:11.229188 IP 203.16.215.227 > 150.101.14.10: IP 192.83.231.16 > 192.109.197.145: icmp 64: echo request seq 6909

But that's all. Nothing goes out. I've tried this on different systems, and I know somebody else who is using what looks like an identical configuration with this ISP, and it works fine. I've tried different systems, one and two NICs, 4.x and 5.x, all with the same (non)result.

What am I missing?

Greg
--
The virus contained in this message was not detected.
When replying to this message, please copy the original recipients. If you don't, I may ignore the reply or reply to the original recipients. For more information, see http://www.lemis.com/questions.html
Finger [EMAIL PROTECTED] for PGP public key.
See complete headers for address and phone numbers.
Packet filtering with pf and gif tunnels.
Hi,

I am wondering what sequence a packet goes through when it is passing through a gif tunnel. I have the following interface and gif tunnel (with the equivalent being on the same subnet at the other side):

  fxp0: a.a.a.a/24
  gif0: a.a.a.a - a.a.a.b (192.168.0.1/32 - 192.168.0.2/32)

My question is really: what order does the packet pass through my firewall (pf) in? I.e., is it:

  in on fxp0 from a.a.a.b to a.a.a.a (unencapsulated)
  in on gif0 from 192.168.0.2 to 192.168.0.1

or does it just magically ``appear'' on gif0 straight away? Now I write it out I am assuming that it passes through pf twice (first on fxp0 and secondly on gif0); if this is in fact the case, what sensible rule might I add to allow this encapsulated traffic from a.a.a.b?

Currently I have pf configured as follows:

  pass all
  pass quick proto icmp
  block in on fxp0
  pass out on fxp0 keep state
  pass in on fxp0 proto tcp from any to fxp0 port 22 keep state

The reason I ask this question is that for my tunnel endpoints to ping each other, a.a.a.a must be doing so (a.a.a.b has no firewall).

Thank you,

-Lewis Thompson.

--
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
-| msn:[EMAIL PROTECTED] | jabber:[EMAIL PROTECTED] | url:www.lewiz.org |-
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Packet filtering with pf and gif tunnels.
On Sun, 9 Jan 2005 00:23:55, Lewis Thompson [EMAIL PROTECTED] wrote:
> Hi,
>
> I am wondering what sequence a packet goes through when it is passing
> through a gif tunnel. [...] My question is really: what order does the
> packet pass through my firewall (pf) in? I.e., is it:
>
>   in on fxp0 from a.a.a.b to a.a.a.a (unencapsulated)
>   in on gif0 from 192.168.0.2 to 192.168.0.1
>
> or does it just magically ``appear'' on gif0 straight away?
> [...]
> The reason I ask this question is that for my tunnel endpoints to ping
> each other, a.a.a.a must be doing so (a.a.a.b has no firewall).

For some debugging strategies in a similar case with IPSEC see http://www.bsdforums.org/forums/showthread.php?s=threadid=18601
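The two-pass order Lewis asks about, and the endpoint check that decides whether gif(4) decapsulates at all, modelled in Python as an added example for this thread (it is not code from any post, and it is a model of the kernel's path, not kernel code): pf sees the encapsulated packet arriving on the physical interface, gif accepts it only if both outer addresses equal the configured tunnel endpoints, and the inner packet is then filtered a second time as arriving on gif0 (and a third time outbound if it is forwarded, which needs net.inet.ip.forwarding=1, the step listed in the first message on this page). The outer addresses 192.0.2.1/192.0.2.2 are constructed stand-ins for a.a.a.a/a.a.a.b, the ruleset is Lewis's as posted, and the 64-byte ICMP echo is constructed to look like the capture in the first message.

```python
"""Path of an IP-in-IP (gif) packet through pf and gif(4): pf on the physical
interface, the gif endpoint check, then pf again on gif0.  Added example for
this thread; all addresses are constructed (192.0.2.1/.2 = a.a.a.a/a.a.a.b)."""
import ipaddress
import struct

IPPROTO_ICMP, IPPROTO_IPIP = 1, 4        # pf spells protocol 4 "ipencap"
LOCAL, PEER = "192.0.2.1", "192.0.2.2"   # constructed outer tunnel endpoints


def checksum(data):
    """RFC 1071 ones'-complement sum; a valid header checksums to 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 datagram (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                      0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(buf):
    """Return (src, dst, proto, payload); reject malformed headers."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl or checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total = struct.unpack("!H", buf[2:4])[0]
    return (str(ipaddress.IPv4Address(buf[12:16])),
            str(ipaddress.IPv4Address(buf[16:20])), buf[9], buf[ihl:total])


def pf(rules, direction, iface, src, dst, proto):
    """pf semantics: last match wins, 'quick' stops evaluation, default is pass;
    a key missing from a rule matches anything (no ports or state modelled)."""
    pkt = {"dir": direction, "on": iface, "from": src, "to": dst, "proto": proto}
    verdict = "pass"
    for rule in rules:
        if all(rule.get(k, v) == v for k, v in pkt.items()):
            verdict = rule["action"]
            if rule.get("quick"):
                break
    return verdict == "pass"


RULES_AS_POSTED = [                                            # Lewis's pf.conf
    {"action": "pass"},                                        # pass all
    {"action": "pass", "quick": True, "proto": IPPROTO_ICMP},  # pass quick proto icmp
    {"action": "block", "dir": "in", "on": "fxp0"},            # block in on fxp0
    {"action": "pass", "dir": "out", "on": "fxp0"},            # pass out on fxp0 keep state
]
# the same plus: pass in on fxp0 proto ipencap from a.a.a.b to a.a.a.a
RULES_FIXED = RULES_AS_POSTED + [{"action": "pass", "dir": "in", "on": "fxp0",
                                  "proto": IPPROTO_IPIP, "from": PEER, "to": LOCAL}]
# constructed host: fxp0 = LOCAL, gif0 = 192.168.0.1, tunnel LOCAL <-> PEER
HOST = {"outer_if": "fxp0", "local": LOCAL, "peer": PEER,
        "addrs": {LOCAL, "192.168.0.1"}, "forwarding": False,  # net.inet.ip.forwarding
        "routes": [("192.168.0.2/32", "gif0"), ("192.0.2.0/24", "fxp0"), ("0.0.0.0/0", "fxp0")]}


def route(host, dst):
    """Longest-prefix match over the host's routing table."""
    addr, best, out = ipaddress.ip_address(dst), -1, None
    for prefix, iface in host["routes"]:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best:
            best, out = net.prefixlen, iface
    return out


def receive(host, rules, wire):
    """Return (verdict, pf checkpoints hit) for a packet arriving on the outer interface."""
    osrc, odst, oproto, payload = parse_ipv4(wire)
    seen = [("in", host["outer_if"], osrc, odst, oproto)]   # 1st pf pass: outer packet
    if not pf(rules, *seen[-1]):
        return "blocked in on " + host["outer_if"], seen
    if oproto != IPPROTO_IPIP:
        return "not encapsulated, normal delivery", seen
    # gif(4) decapsulates only when BOTH outer addresses match the configured endpoints
    if (osrc, odst) != (host["peer"], host["local"]):
        return "dropped by gif: outer endpoints do not match tunnel", seen
    isrc, idst, iproto, _ = parse_ipv4(payload)
    seen.append(("in", "gif0", isrc, idst, iproto))        # 2nd pf pass: inner packet
    if not pf(rules, *seen[-1]):
        return "blocked in on gif0", seen
    if idst in host["addrs"]:
        return "delivered locally", seen
    if not host["forwarding"]:
        return "dropped: net.inet.ip.forwarding=0", seen
    out = route(host, idst)
    seen.append(("out", out, isrc, idst, iproto))           # 3rd pass only when forwarding
    if not pf(rules, *seen[-1]):
        return "blocked out on " + out, seen
    return "forwarded via " + out, seen


# constructed sample: the peer pings our gif0 address through the tunnel (64-byte ICMP echo)
ECHO = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + bytes(56)
ECHO = ECHO[:2] + struct.pack("!H", checksum(ECHO)) + ECHO[4:]
PING = ipv4(PEER, LOCAL, IPPROTO_IPIP, ipv4("192.168.0.2", "192.168.0.1", IPPROTO_ICMP, ECHO))

if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        print(name + ":", receive(HOST, rules, PING))
```

Run with the ruleset as posted, the outer packet is blocked by "block in on fxp0": "pass quick proto icmp" only ever matches the inner ICMP, never the outer protocol-4 packet, which is why the ping only works when a.a.a.a starts it (the "keep state" on "pass out on fxp0" lets the encapsulated replies back in). The rule to add is "pass in on fxp0 proto ipencap from a.a.a.b to a.a.a.a"; rules written "on gif0" then filter the decapsulated traffic. The endpoint match in gif is not authentication: IP-in-IP carries no integrity check, so anything able to spoof a.a.a.b's source address can put packets onto gif0, which is the reason to filter on gif0 as well and to use IPsec where that matters.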
Re: gif tunnels?
On Fri, 21 Feb 2003, Krassimir Slavchev wrote:

> Hello All,
>
> I have:
>
>   Private Net 1      Firewall 1           Firewall 2      Private Net 2
>   -------------      ----------           ----------      -------------
>  | 10.1.0.0/24 |----| FBSD 4.7 |---//---| FBSD 4.7 |----| 10.2.0.0/24 |
>   -------------      ----------           ----------      -------------
>                          |________tunnel________|
>
> I want to configure a tunnel between Private Net 1 and Private Net 2 and
> cannot get the tunnel to work when the public IPs of Firewall 1 and
> Firewall 2 are from the same subnet. If the public IPs of my firewalls
> are from different subnets all works fine.
>
> On Firewall 1 I do:
>
>   # ifconfig gif0 create
>   # gifconfig gif0 x.y.z.1 x.y.z.2
>   # ifconfig gif0 inet 10.255.255.1 10.255.255.2 netmask 255.255.255.252
>   # route add -net 10.2.0.0/24 10.255.255.2
>
> On Firewall 2 I do:
>
>   # ifconfig gif0 create
>   # gifconfig gif0 x.y.z.2 x.y.z.1
>   # ifconfig gif0 inet 10.255.255.2 10.255.255.1 netmask 255.255.255.252
>   # route add -net 10.1.0.0/24 10.255.255.1
>
> Is there any way to get this to work?

Your concept is right, I think your syntax is wrong. I use this syntax:

  # ifconfig gif0 create
  # gifconfig gif0 tunnel x.y.z.1 x.y.z.2
  # ifconfig gif0 10.255.255.1 10.255.255.2 netmask 255.255.255.252
  # route add -net 10.2.0.0/24 10.255.255.2

Pay close attention to the tunnel keyword on line 2 above. Also, make sure gateway_enable=YES is in /etc/rc.conf.

Nick Rogness [EMAIL PROTECTED]
- How many people here have telekinetic powers? Raise my hand.
  -Emo Philips

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
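The same setup made persistent across reboots, as an added example rather than anything from the thread: an /etc/rc.conf fragment for Firewall 1 that creates gif0, sets the outer endpoints, assigns the inner point-to-point addresses, adds the route to Private Net 2 and turns on forwarding (Nick's gateway_enable point). The knob names are an assumption about the 4.x/5.x rc.network of the period (later releases use cloned_interfaces instead of gif_interfaces), so check rc.conf(5) on the release in use; the outer addresses x.y.z.1/x.y.z.2 are the placeholders from the thread.

```sh
# /etc/rc.conf fragment for Firewall 1 (added example, not from any post).
# Knob names assume the 4.x/5.x rc.network of the time; see rc.conf(5).
gif_interfaces="gif0"                              # create gif0 at boot (5.x+: cloned_interfaces)
gifconfig_gif0="x.y.z.1 x.y.z.2"                   # outer endpoints: local remote
ifconfig_gif0="inet 10.255.255.1 10.255.255.2 netmask 255.255.255.252"
static_routes="net2"
route_net2="-net 10.2.0.0/24 10.255.255.2"         # Private Net 2 via the far tunnel address
gateway_enable="YES"                               # net.inet.ip.forwarding=1
# Firewall 2 is the mirror image: gifconfig_gif0="x.y.z.2 x.y.z.1",
# ifconfig_gif0="inet 10.255.255.2 10.255.255.1 ...", route -net 10.1.0.0/24 10.255.255.1
```

rc.network brings gif0 up itself once gifconfig_gif0 is set, which is the behaviour the HEADS UP message further down this page describes; with the commands typed by hand the interface still needs an explicit "up" on releases after that change.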
RE: gif tunnels?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Krassimir Slavchev
Sent: Friday, February 21, 2003 12:21 AM
To: [EMAIL PROTECTED]
Subject: gif tunnels?

> Hello All,
>
> I have:
> [...]
> I want to configure a tunnel between Private Net 1 and Private Net 2 and
> cannot get the tunnel to work when the public IPs of Firewall 1 and
> Firewall 2 are from the same subnet. If the public IPs of my firewalls
> are from different subnets all works fine.
> [...]
> Is there any way to get this to work?

You may want to check out http://www.nullplusone.com/vpn . It describes a slightly different situation. Here there is a link from the 192.168.0.0/24 to 10.1.1.0/24.

> Thanks in advance

Hope this site is some help
Re: gif tunnels?
I have a similar configuration, what are your internal router/firewall IPs? From your diagram, I would think something like 10.1.0.1 and 10.2.0.1?? So where you have:

  # ifconfig gif0 inet 10.255.255.1 10.255.255.2 netmask 255.255.255.252

My config would have:

  # ifconfig gif0 10.1.0.1 10.2.0.1 netmask 0x

Hope that helps, I run VPN tunnels to two separate boxes with similar configurations, forming kind of a triangle VPN if you will.

David

Aaron Burke wrote:
> [...]
> > On Firewall 1 I do:
> >
> >   # ifconfig gif0 create
> >   # gifconfig gif0 x.y.z.1 x.y.z.2
> >   # ifconfig gif0 inet 10.255.255.1 10.255.255.2 netmask 255.255.255.252
> >   # route add -net 10.2.0.0/24 10.255.255.2
> >
> > On Firewall 2 I do:
> >
> >   # ifconfig gif0 create
> >   # gifconfig gif0 x.y.z.2 x.y.z.1
> >   # ifconfig gif0 inet 10.255.255.2 10.255.255.1 netmask 255.255.255.252
> >   # route add -net 10.1.0.0/24 10.255.255.1
> >
> > Is there any way to get this to work?
>
> You may want to check out http://www.nullplusone.com/vpn . It describes a
> slightly different situation. Here there is a link from the 192.168.0.0/24
> to 10.1.1.0/24.
> [...]

--
David Cramblett
gif tunnels?
Hello All,

I have:

  Private Net 1      Firewall 1           Firewall 2      Private Net 2
  -------------      ----------           ----------      -------------
 | 10.1.0.0/24 |----| FBSD 4.7 |---//---| FBSD 4.7 |----| 10.2.0.0/24 |
  -------------      ----------           ----------      -------------
                         |________tunnel________|

I want to configure a tunnel between Private Net 1 and Private Net 2 and cannot get the tunnel to work when the public IPs of Firewall 1 and Firewall 2 are from the same subnet. If the public IPs of my firewalls are from different subnets all works fine.

On Firewall 1 I do:

  # ifconfig gif0 create
  # gifconfig gif0 x.y.z.1 x.y.z.2
  # ifconfig gif0 inet 10.255.255.1 10.255.255.2 netmask 255.255.255.252
  # route add -net 10.2.0.0/24 10.255.255.2

On Firewall 2 I do:

  # ifconfig gif0 create
  # gifconfig gif0 x.y.z.2 x.y.z.1
  # ifconfig gif0 inet 10.255.255.2 10.255.255.1 netmask 255.255.255.252
  # route add -net 10.1.0.0/24 10.255.255.1

Is there any way to get this to work?

Thanks in advance
HEADS UP: Re: Ifconfig config of gif tunnels
Hi,

On Sun, 13 Oct 2002 16:36:16 +0100 chris scott [EMAIL PROTECTED] said:

c.scott> I've just cvsup'd and made world to FreeBSD 4.7-STABLE, without a hitch.
c.scott> However, when I rebooted my machine the VPN tunnel which it was running
c.scott> wouldn't come back up. After a while of checking configs and poking around I
c.scott> found it was because the gif interfaces were configured and not up. A simple
c.scott> "ifconfig gif0 up" fixed this. I have never had to do this before, as when I
c.scott> have created gif interfaces the device was automatically up; this doesn't
c.scott> seem to be the case anymore. Is this a new feature or a bug?

Bringing the gif device up automatically was a bug, and it was corrected. /etc/rc.network was changed to bring the gif tunnel up during setup. Please don't forget to run mergemaster.

Sincerely,

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
[EMAIL PROTECTED] [EMAIL PROTECTED] ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/