i connected my server to the internet using a novatel u727.
clients can ping google, but when surfing the status stops at "waiting for google.com".
it looks to me like i can send but not receive packets.
packet forwarding and filtering are enabled.
prior to this experiment:
internet-----dc0(ext_if)------>re0(int_if)-----switch------clients
i was expecting to simply change "dc0" to "tun0" in my pf.conf, then just:
Code:
# ppp -ddial sprint ; pfctl -d ; pfctl -e
and have everything more or less work the same.
i read in the tun manpage:
Quote:
Both layer 3 and layer 2 tunneling is supported. Layer 3 tunneling is the default mode; to enable layer 2 tunneling mode the link0 flag needs to be set with ifconfig(8), or by setting up a hostname.if(5) configuration file for netstart(8). In layer 2 mode the tun interface is simulating an Ethernet network interface.
and thought maybe this was my problem, that tun0 was defaulting to a layer 3 tunnel (or is this barking up the wrong tree?), so i attempted to set a link0 flag a la:
Code:
# ifconfig tun0 link0
but then ifconfig tun0 shows the connection's been dropped (NO CARRIER).
the next sentence in man tun is:
Quote:
...Note that setting or unsetting the link0 flag causes tun to
lose any configuration settings, and that it is not advisable to use the
flag with any other parameters.
but i thought i was following this advice. is the order of operation backwards? should it be:
Code:
# ifconfig tun0 link0 ; ppp -ddial sprint
my pf.conf is 99% from the faq soho example:
Code:
# macros
ext_if="tun0" # Novatel U727 via Sprint
#ext_if="dc0" # On-board card
#int_if="ral0" # Wireless access point
int_if="re0" # Realtek gigabit card
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# FTP proxy rules
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
rdr-to 127.0.0.1 port 8021
# match rules
match out on egress inet from !(egress) to any nat-to (egress:0)
# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
packet forwarding is on:
Code:
# grep \^net /etc/sysctl.conf
net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
ppp.conf:
Code:
default:
set log Phase Chat LCP IPCP CCP tun command
sprint:
set device /dev/cuaU0
set speed 230400
set dial "ABORT NO\\sCARRIER ABORT BUSY TIMEOUT 15 \
\"\" ATZ OK ATQ0V1E1S0=0&C1&D2+FCLASS=0 OK \
ATDT#777 CONNECT"
set login
set timeout 0
enable dns
add default HISADDR
set ifaddr 0 0 0
any advice?