Hello,
I'm trying to set up a PPTP server on my FreeBSD 8.0 box using mpd; I hope you can help me out.
Here's what I've got so far. mpd 5.5 is already installed from ports.
The mpd daemon runs on the same box that is the external firewall, and clients connect to it.
/usr/local/etc/mpd5/mpd.conf
Code:
startup:
# configure mpd users
set user administrator admin
set user administrator
# configure the console
set console self 127.0.0.1 5005
set console open
# configure the web server
set web self 0.0.0.0 5006
set web open
default:
load pptp_server
pptp_server:
set ippool add pool1 10.1.16.50 10.1.16.60
# Create clonable bundle template named B
create bundle template B
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
set ipcp ranges <external-ip-here>/24 ippool pool1
set ipcp dns 10.1.16.1
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
# Create clonable link template named L
create link template L pptp
# Set bundle template to use
set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap eap
set link enable chap
# We reduce the link MTU to avoid GRE packet fragmentation.
set link mtu 1460
# Configure PPTP
set pptp self <external-ip-here>
# Allow to accept calls
set link enable incoming
/usr/local/etc/mpd5/mpd.secret
In the above configuration:
- <external-ip-here> -> my publicly accessible IP
- 10.1.16.50 - 10.1.16.60 -> the IP range for clients
- 10.1.16.1 -> the gateway's internal IP
In /etc/pf.conf I have these rules:
Code:
# --- MACROS section ---
ext_if = "re0"
int_if = "fxp0"
# --- IP given by the ISP ---
ip_addr = "<external-ip-here>"
# --- protocols on external interface ---
EXT_PROTOS = "{ icmp }"
# --- allow pptp connections on the external interface ---
PPTP_SERVICES = "{ 1723 47 }"
# --- hosts with internet access ---
table <allowed> { 10.1.16.0/20 }
# --- OPTIONS section ---
set skip on lo0
# --- SCRUB section ---
scrub in all
# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ip_addr
# --- FILTER RULES ---
# --- default policy ---
block log all
# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet
# --- INTERNAL interface ---
pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state
# --- EXTERNAL interface ---
# --- pass incoming connections on external interface for these protocols ---
pass in quick on $ext_if inet proto $EXT_PROTOS from any to $ext_if keep state
pass in quick on $ext_if inet proto { tcp udp } from any to $ext_if port $PPTP_SERVICES keep state
pass out quick on $ext_if inet from any to any keep state
The clients are able to connect to the PPTP server successfully; they get an address from the IP pool (10.1.16.50-60/20).
But they cannot ping any system from the internal network - 10.1.16.0/20
If I disable PF -> the clients can only ping the gateway's internal IP - 10.1.16.1.
The other problem is that each time a client connects, a new ng device is configured for them:
1st client -> ng0
2nd client -> ng1
etc...
I've tried adding these rules to PF as well just to test, but that doesn't help.
Code:
pass in quick on ng0 inet from any to any keep state
pass out quick on ng0 inet from any to any keep state
Now I'm stuck... How can I configure PF so that each time a new client connects, a new entry for its ng device is added in PF and removed when it disconnects?
The other strange issue from the mpd daemon I get is this:
Code:
B-1] system: command "/usr/sbin/arp" returned 256
The complete log from the daemon is attached to the thread.
If I use tcpdump I can see the ICMP echo request from the client only on the ng device, so it's not blocked anywhere else.
Do you have an idea where/what I'm missing?
Thanks,
DNAeon
mpd-daemon.txt
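As an added example (this is not the poster's configuration and not a reply from the thread), here is the pf.conf reworked around the two things that matter for mpd's per-client ng interfaces: GRE is matched as an IP protocol rather than a port, and the ng interfaces are covered by one rule on the interface group instead of per-device rules. It keeps the names from the post (re0 external, fxp0 internal with 10.1.16.1/20, pool 10.1.16.50-60, the <external-ip-here> placeholder) and assumes the pf that ships with FreeBSD 8:

```pf
# Added example, not the poster's config. Interface names, the LAN prefix and
# the client pool are taken from the post; everything else is an assumption.
ext_if  = "re0"
int_if  = "fxp0"
ip_addr = "<external-ip-here>"
table <allowed> { 10.1.16.0/20 }

set skip on lo0
scrub in all

nat on $ext_if from <allowed> to any -> $ip_addr

block log all

# mpd creates ng0, ng1, ... on demand. FreeBSD puts every ngN interface into
# the interface group "ng" automatically, so a rule on the group applies to
# whichever ngN exists right now and nothing has to be added or removed per
# client. These rules must come before the antispoof lines: "antispoof for
# $int_if" expands to a rule like "block drop in quick on ! fxp0 inet from
# 10.1.16.0/20 to any", which would otherwise drop every client packet, since
# the clients carry LAN addresses but arrive on ngN rather than on fxp0.
pass in  quick on ng inet from <allowed> to any keep state
pass out quick on ng inet from any to <allowed> keep state

antispoof quick for $ext_if inet
antispoof quick for $int_if inet

pass in  quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# The PPTP control channel is TCP port 1723. The data channel is GRE, IP
# protocol 47; it has no port numbers, so "port 47" never matches it and it
# must be allowed as a protocol.
pass in  quick on $ext_if inet proto icmp from any to $ip_addr keep state
pass in  quick on $ext_if inet proto tcp  from any to $ip_addr port 1723 keep state
pass in  quick on $ext_if inet proto gre  from any to $ip_addr keep state
pass out quick on $ext_if inet from any to any keep state
```

A few checks that go with this. After `pfctl -f /etc/pf.conf`, `pfctl -sr` prints the ruleset with the antispoof lines already expanded into their block rules, so you can confirm the `on ng` pass rules precede them; `ifconfig ng0` should list `groups: ng` once a client is up (mpd5's `set iface group` command lets you put the interfaces in a group of your own choosing instead). The `command "/usr/sbin/arp" returned 256` line is mpd's proxy-arp step failing: 256 is the wait status for exit code 1, so the published ARP entry for the client address was never installed and LAN hosts cannot resolve 10.1.16.5x, which matches the symptom of only the gateway answering with pf disabled. Run the same `arp -S <client-ip> <fxp0-mac> pub` by hand and check `arp -an` to see why it fails; proxy-arp also only works when the pool lies inside fxp0's prefix, as it does here. Finally, since the posted mpd.conf enables `e40`, a client can negotiate 40-bit MPPE; keeping only `set mppc yes e128` and enabling `chap-msv2` alone is the least-bad setting PPTP offers, though MS-CHAPv2/MPPE itself is not a strong transport and IPsec or OpenVPN would be the better choice for anything sensitive.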