17th April 2010
DNAeon

FreeBSD + MPD + PF

Hello,

I'm trying to set up a PPTP server on my FreeBSD 8.0 box using mpd, hope you can help me out.

Here's what I've got so far - mpd5.5 is already installed from ports.
The mpd daemon runs on the same box that is the external firewall, and clients connect to it.

/usr/local/etc/mpd5/mpd.conf
Code:
startup:
        # configure mpd users
        set user administrator admin
        set user administrator
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load pptp_server

pptp_server:
        set ippool add pool1 10.1.16.50 10.1.16.60

# Create clonable bundle template named B
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
        set ipcp ranges <external-ip-here>/24 ippool pool1
        set ipcp dns 10.1.16.1

# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

# Create clonable link template named L
        create link template L pptp
# Set bundle template to use
        set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap
# We reduce the link MTU to avoid GRE packet fragmentation.
        set link mtu 1460
# Configure PPTP
        set pptp self <external-ip-here>
# Allow to accept calls
        set link enable incoming
/usr/local/etc/mpd5/mpd.secret
Code:
testuser     testuser
In the above configuration:
  • <external-ip-here> -> my publicly accessible IP
  • 10.1.16.50 - 10.1.16.60 -> the IP range for clients
  • 10.1.16.1 -> the gateway's internal IP

In /etc/pf.conf I have these rules:
Code:
# --- MACROS section ---
ext_if = "re0"
int_if = "fxp0"

# --- IP given by the ISP ---
ip_addr = "<external-ip-here>"

# --- protocols on external interface ---
EXT_PROTOS = "{ icmp }"

# --- allow pptp connections on the external interface ---
PPTP_SERVICES = "{ 1723 47 }"

# --- hosts with internet access ---
table <allowed> { 10.1.16.0/20 }

# --- OPTIONS section ---
set skip on lo0

# --- SCRUB section ---
scrub in all

# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ip_addr

# --- FILTER RULES ---

# --- default policy ---
block log all

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---

pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# --- EXTERNAL interface ---

# --- pass incoming connections on external interface for these protocols ---
pass in quick on $ext_if inet proto $EXT_PROTOS from any to $ext_if keep state 

pass in quick on $ext_if inet proto { tcp udp } from any to $ext_if port $PPTP_SERVICES keep state 

pass out quick on $ext_if inet from any to any keep state
The clients are able to connect to the PPTP server successfully - they get an address from the IP pool - 10.1.16.50-60/20

But they cannot ping any system from the internal network - 10.1.16.0/20

If I disable PF -> the clients can only ping the gateway's internal IP - 10.1.16.1.

The other problem is that each time a client connects a new ng device is configured for them.

1st client -> ng0
2nd client -> ng1
etc...

I've tried adding these rules to PF as well just to test, but that doesn't help.

Code:
pass in quick on ng0 inet from any to any keep state
pass out quick on ng0 inet from any to any keep state
Now I'm stuck. How can I configure PF so that each time a new client is connected a new entry for its ng interface is added to PF and removed again upon disconnect?

The other strange issue from the mpd daemon I get is this:
Code:
B-1] system: command "/usr/sbin/arp" returned 256
The complete log from the daemon is attached to the thread.

If I use tcpdump I can see the icmp echo request from the client only on the ng device, so it's not blocked anywhere else.

Do you have an idea where/what I'm missing?

Thanks,
DNAeon


mpd-daemon.txt
__________________
"I never think of the future. It comes soon enough." - A.E

Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org
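An added example of how the pf.conf above could be restructured so that no per-ngN rule is needed; this is not the poster's configuration. It assumes that FreeBSD places every ng_iface(4) interface in the driver-name interface group "ng" (so pf can match "on ng"), that the client pool stays inside 10.1.16.0/20 as in the post, and it keeps the poster's interface names and placeholder IP.

```pf
# --- macros (interface names and pool taken from the post above) ---
ext_if  = "re0"
int_if  = "fxp0"
vpn_if  = "ng"             # ASSUMED: kernel interface group holding ng0, ng1, ...
int_net = "10.1.16.0/20"   # the pool 10.1.16.50-60 lies inside this network
ip_addr = "<external-ip-here>"
table <allowed> { 10.1.16.0/20 }

set skip on lo0
scrub in all

# Clients get pool addresses inside <allowed>, so they are NATed like LAN hosts
nat on $ext_if from <allowed> to any -> $ip_addr

block log all

# Spoof protection only on the external side. "antispoof for $int_if" expands
# to "block drop in on ! fxp0 inet from 10.1.16.0/20 to any", which also drops
# the packets VPN clients send on ngN with their 10.1.16.x pool address.
antispoof quick for $ext_if inet
block drop in quick on $ext_if inet from $int_net to any

# --- INTERNAL interface ---
pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# --- VPN tunnels: one pair of rules matches every ngN through the group ---
pass in quick on $vpn_if inet from $int_net to any keep state
pass out quick on $vpn_if inet from any to $int_net keep state

# --- EXTERNAL interface ---
pass in quick on $ext_if inet proto icmp from any to $ext_if keep state
# The PPTP control channel is TCP/1723; the tunnel itself is GRE, IP protocol
# 47, which is not a TCP/UDP port and has to be matched with "proto gre".
pass in quick on $ext_if inet proto tcp from any to $ext_if port 1723 keep state
pass in quick on $ext_if inet proto gre from any to $ext_if keep state
pass out quick on $ext_if inet from any to any keep state
```

With a client connected, `ifconfig -g ng` should list the ngN interfaces the group rules apply to, and `pfctl -sr` shows the expanded antispoof rules so the block described in the comment can be checked against the poster's original ruleset.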