On 03.11.2003, at 21:06, Christopher M. Iarocci wrote:
> Here is my status.cgi at the moment I was trying to ping from
> (remote network) to 192.168.2.3 (local network). I can ping the
> way without a problem. I can ping from the remote networks to my LAN

OK. Seems like the pass rules for ipencap and decrypted packets are no
longer hit, and as such they don't create any entries in the state
table, so the packet cannot be sent out via the LAN interface.

There's only one possible explanation: FreeBSD 4.9. There has been a
change to sys/netinet/ip_input.c since FreeBSD 4.8:

So apparently, if the IPSEC_FILTERGIF kernel option is not set (it
isn't in m0n0wall at the moment), packets are treated differently than
before in 4.8 with FAST_IPSEC. ipfilter only sees the ESP packet as it
comes in via WAN, but not after it has been decrypted.

I put that option back in and made a new generic-pc image (I assume
that's what you're using):

Could you try it and tell us if it works?