----- Original Message -----
From: "Nick Rogness" <[EMAIL PROTECTED]>
To: "John Nielsen" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, June 11, 2002 2:06 PM
Subject: Re: gif(4) tunnel through MSN DSL modem


> On Tue, 11 Jun 2002, John Nielsen wrote:
> >
> > I remotely administer a FreeBSD 4.5 machine that is connected to the
> > internet through an MSN DSL modem.  This modem does NAT (for a single
> > client) rather than bridging the connection.  So the FreeBSD machine
> > thinks its public address is 192.168.1.2 (when in reality the modem is
> > the only device with a public address).  This machine is itself doing
> > NAT, acting as a firewall and gateway for a private network.
>
> Why run nat on the internal machine?  No need to do nat
> twice.  Just do basic routing between interfaces unless you need
> this functionality.

The DSL modem will only do nat for one address--namely 192.168.1.2.  There
are four machines that use this connection, hence nat on the FreeBSD box as
well.

> > I would like to establish a gif(4) tunnel between this machine and my
> > firewall here in order to link the two private networks into one
> > virtual network.  I have done this before with two machines that were
> > directly connected to the internet, but in this case the DSL modem on
> > the far end seems to be fouling things up.  The modem seems to be
> > passing everything through, but I haven't gotten gif to work.
> >
> > Any ideas?  Here's what I've tried--this is how I'd set it up if the
> > DSL modem weren't in the way.
> >
> Are you receiving any packets on the remote BSD machine that are
> of type ipencap?  Either log it via ipfw log or use a packet
> sniffer (like tcpdump or snort) to evaluate these packets.

No.  That's certainly a problem.  They don't appear to be getting in OR out
through the modem.

<snip>
> > I've tried both the modem's (real) public address and 192.168.1.1 (the
> > public interface's address) for DSL.public.ip, but neither seems to
> > work. Can this be made to work?  Can gif be hacked so it will work?
>
> You will need to use the DSL's public IP probably.
> >
> > I can't justify switching to a more expensive provider just so this
> > tunnel will work, since it will mostly be a convenience for me and not
> > the client. As far as I know, there's no way to modify any settings on
> > the DSL modem itself.  I do have full access to both FreeBSD machines.
> > Again, any suggestions or even a detailed description of why this
> > won't work would be appreciated.
> >
> My best guess would be that the modem is doing some anti-spoofing
> between its interfaces to prevent packets coming from the inside
> having its outside IP.  You will be able to tell if NO ipencap
> packets are received on the remote BSD machine.

Could you elaborate on this?  Since that does seem to be the problem (or at
least a strong candidate), what would I have to do to work around this?  I
don't suppose it's possible to create a gif tunnel inside an ssh tunnel, is
it?

> On the other hand, If you are receiving these ipencap packets on
> the remote side, something else is going on (like nat
> interrupting).

No ipencap packets on either side so far...

JN


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
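The diagnostic Nick suggests is to look for protocol-4 ("ipencap", IPv4-in-IPv4) packets on each side, which is what gif(4) emits for a v4-over-v4 tunnel; on the wire that is `tcpdump -ni <if> ip proto 4`. The following is an added example, not code from the thread and not a description of what the MSN modem actually does: it decodes such a packet the way a sniffer would, and shows what a NAT box sitting between the FreeBSD machine and the internet would have to do to the outer header (rewrite only the outer source and outer checksum, leave the inner packet untouched) for the far side to ever see a routable ipencap packet. All addresses are placeholders chosen for the example: 192.168.1.2 stands for the FreeBSD box's outer address as in the thread, 198.51.100.20 and 203.0.113.10 (documentation ranges) stand in for the modem's and the home firewall's public IPs, and 10.0.0.0/24 and 10.1.0.0/24 are assumed private LANs.

```python
import socket
import struct

# Protocol number gif(4) uses for IPv4-in-IPv4; tcpdump and ipfw print it as "ipencap".
IPPROTO_IPIP = 4


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 when a filled-in header verifies)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); raise ValueError on a malformed header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:total_len])


def decode_ipencap(pkt: bytes):
    """Peel a gif v4-in-v4 packet. Returns None when the outer protocol is not 4, otherwise
    {'outer': (src, dst), 'inner': (src, dst), 'inner_proto': n}."""
    o_src, o_dst, o_proto, inner = parse_ipv4(pkt)
    if o_proto != IPPROTO_IPIP:
        return None
    i_src, i_dst, i_proto, _ = parse_ipv4(inner)
    return {"outer": (o_src, o_dst), "inner": (i_src, i_dst), "inner_proto": i_proto}


def nat_outer_src(pkt: bytes, public_ip: str) -> bytes:
    """What a NAT box in the path would have to do to an outbound tunnel packet: rewrite only
    the OUTER source and refresh only the OUTER checksum; the inner header is payload and must
    survive byte-for-byte. Protocol 4 carries no ports, so a NAT that only tracks TCP/UDP/ICMP
    has nothing to map and may simply not forward it (hypothetical failure mode, assumed here)."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[12:16] = socket.inet_aton(public_ip)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def is_private(ip: str) -> bool:
    """RFC 1918 test for the outer source: a private outer source can never be answered."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def summarize(pkt: bytes) -> str:
    """tcpdump-style one-liner plus a verdict on whether the outer source is routable."""
    d = decode_ipencap(pkt)
    if d is None:
        return "not ipencap"
    verdict = "PRIVATE outer src (NAT did not rewrite it)" if is_private(d["outer"][0]) else "ok"
    return "%s > %s: ipencap %s > %s proto %d [%s]" % (d["outer"] + d["inner"] + (d["inner_proto"], verdict))


# Constructed sample (placeholder addresses, not real traffic): the FreeBSD box behind the
# modem, outer address 192.168.1.2, tunnels a packet from its LAN host 10.0.0.5 to 10.1.0.7
# behind the home firewall at HOME_PUBLIC. MODEM_PUBLIC is the modem's assumed public IP.
HOME_PUBLIC = "203.0.113.10"
MODEM_PUBLIC = "198.51.100.20"
INNER = build_ipv4("10.0.0.5", "10.1.0.7", 1, b"\x08\x00\x00\x00ping")  # inner ICMP-like payload
AS_SENT = build_ipv4("192.168.1.2", HOME_PUBLIC, IPPROTO_IPIP, INNER)   # what gif0 puts on the LAN
AS_NATTED = nat_outer_src(AS_SENT, MODEM_PUBLIC)                         # what the far side must see

if __name__ == "__main__":
    print("LAN side :", summarize(AS_SENT))
    print("WAN side :", summarize(AS_NATTED))
```

Comparing a capture on the FreeBSD box's outside interface with one on the far-side firewall against these two shapes tells the NAT and the filtering cases apart: a private outer source arriving at the far end means the modem passed protocol 4 without translating it, while nothing arriving at all (the situation in the thread) is consistent with the modem either dropping untracked protocols or, as Nick guesses, refusing packets whose source is not the one it expects on that interface.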
