pfSense can't reply to ICMP data packets on GRE interface



  • Hi all,
    I have built a GRE tunnel successfully, but I can't finish it now. Please help me!

    I set a rule on the WAN interface to allow the peer pfSense access by any protocol.

    tcpdump 'proto GRE'
    07:45:11.273303 IP 220.231.27.136 > 124.207.103.134: GREv0, length 88: IP 192.168.95.1 > beijing124-gw-backup.localdomain: ICMP echo request, id 54537, seq 668, length 64
    07:45:12.299614 IP 220.231.27.136 > 124.207.103.134: GREv0, length 88: IP 192.168.95.1 > beijing124-gw-backup.localdomain: ICMP echo request, id 54537, seq 669, length 64
    07:45:13.318679 IP 220.231.27.136 > 124.207.103.134: GREv0, length 88: IP 192.168.95.1 > beijing124-gw-backup.localdomain: ICMP echo request, id 54537, seq 670, length 64
    07:45:14.342119 IP 220.231.27.136 > 124.207.103.134: GREv0, length 88: IP 192.168.95.1 > beijing124-gw-backup.localdomain: ICMP echo request, id 54537, seq 671, length 64
    07:45:15.363934 IP 220.231.27.136 > 124.207.103.134: GREv0, length 88: IP 192.168.95.1 > beijing124-gw-backup.localdomain: ICMP echo request, id 54537, seq 672, length 64
    07:45:16.383495 IP 220.231.27.136 > 124.207.103.134: GREv0, length 88: IP 192.168.95.1 > beijing124-gw-backup.localdomain: ICMP echo request, id 54537, seq 673, length 64

    pfctl -ss
           all gre 124.207.103.134 <- 220.231.27.136       NO_TRAFFIC:SINGL

    And then I ran # pfctl -d to stop pf:
    07:47:48.703967 IP 220.231.27.136 > 124.207.103.134: GREv0, length 88: IP 192.168.95.1 > beijing124-gw-backup.localdomain: ICMP echo request, id 54537, seq 822, length 64
    07:47:48.704018 IP 124.207.103.134 > 220.231.27.136: GREv0, length 88: IP beijing124-gw-backup.localdomain > 192.168.95.1: ICMP echo reply, id 54537, seq 822, length 64
    07:47:49.724780 IP 220.231.27.136 > 124.207.103.134: GREv0, length 88: IP 192.168.95.1 > beijing124-gw-backup.localdomain: ICMP echo request, id 54537, seq 823, length 64
    07:47:49.724824 IP 124.207.103.134 > 220.231.27.136: GREv0, length 88: IP beijing124-gw-backup.localdomain > 192.168.95.1: ICMP echo reply, id 54537, seq 823, length 64
    07:47:50.746968 IP 220.231.27.136 > 124.207.103.134: GREv0, length 88: IP 192.168.95.1 > beijing124-gw-backup.localdomain: ICMP echo request, id 54537, seq 824, length 64
    07:47:50.747022 IP 124.207.103.134 > 220.231.27.136: GREv0, length 88: IP beijing124-gw-backup.localdomain > 192.168.95.1: ICMP echo reply, id 54537, seq 824, length 64
    I can resolve it through echo "set skip on {gre0}" | pfctl -mf -
    But I can't resolve it via the web interface. How do I change pfSense so that I can use the GRE tunnel normally?


  • Rebel Alliance Developer Netgate

    Did you add firewall rules on the GRE tab that shows up after you enable GRE?

    I was able to get responses last time I built a GRE tunnel and added rules, but GIF tunnels didn't reply (though that may have been related to the bridging I was doing, which worked great with the GIF tunnel but not GRE…)
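
Added example, not part of the original thread and not pfSense's generated ruleset: the `set skip on gre0` workaround from the first post beside a scoped alternative in raw pf.conf syntax, the kind of per-interface rule the GRE tab is for. The `wan_if` value `em0` and the macro names are assumptions; the addresses are the ones in the tcpdump output above.

```pf
# Assumed WAN interface name (not given in the thread).
wan_if      = "em0"
tun_if      = "gre0"
peer_outer  = "220.231.27.136"   # remote tunnel endpoint, from the tcpdump output
local_outer = "124.207.103.134"  # local tunnel endpoint, from the tcpdump output
peer_inner  = "192.168.95.1"     # remote address inside the tunnel

# Workaround from the first post: pf stops evaluating gre0 entirely, so
# everything that arrives through the tunnel is accepted unfiltered.
# set skip on gre0

# Scoped alternative: keep filtering on the tunnel interface.
# Default deny (and log) for anything not explicitly passed below.
block in log on $tun_if all

# Outer GRE (IP protocol 47) is accepted only from the known peer endpoint.
pass in quick on $wan_if inet proto gre from $peer_outer to $local_outer keep state

# Inner traffic: only ICMP echo requests from the peer's tunnel address to
# this host's tunnel address; keep state lets the echo replies back out.
pass in quick on $tun_if inet proto icmp from $peer_inner to ($tun_if) icmp-type echoreq keep state
```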



  • Thanks for your reply. I can't change my firewall rules because I can't find the GRE tab. My firmware is "built on Sun Oct 10 21:21:46 EDT 2010
    FreeBSD 8.1-RELEASE-p1". I can't upgrade my firmware. With the Dec 8 version, the CARP status always stays at "init".


  • Rebel Alliance Developer Netgate

    So upgrade to a current snapshot - CARP is fine, has been for several days now.



  • Thanks, I will test the current version. I hope I can import my current configuration into the new version.

