About the proxy ARP bug, I didn't even consider this to be relevant to my problem. So yeah, I guess there is a problem in my pf configuration. Here is my mpd.conf:
Code:
startup:
set console self 127.0.0.1 5005
set console open
set web self 0.0.0.0 5006
set web open
default:
load pptp_server
pptp_server:
set ippool add pool1 10.0.0.50 10.0.0.100
create bundle template MYVPN
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
set ipcp yes vjcomp
set ipcp ranges 10.0.0.1/32 ippool pool1
set ipcp dns 10.0.0.1
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
create link template MYVPN pptp
set link action bundle MYVPN
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap
set link enable chap
set link keep-alive 10 60
set link mtu 1460
set pptp self MY_WAN_IP
set link enable incoming
And my mpd.links:
Code:
pptp1:
set link type pptp
set pptp enable incoming
set pptp disable originate
In the above configuration:
* MY_WAN_IP -> my public IP
* 10.0.0.50 - 10.0.0.100 -> the IP range for clients
* 10.0.0.1 -> the gateway's internal IP
My pf.conf:
Code:
external="em0"
internal="em1"
local="em3"
ipv6="stf0"
pptp="ng0"
intranal="10.0.0.0/24"
intranallocal="10.0.1.0/24"
services="{ 21, 25, 53, 50, 60, 70, 80, 110, 443, 995, 2525 }"
portsopen="{ 47, 2525, 1723, 10000, 10001 }"
ircportsopen="{ 10001 }"
irc="{ IPS }"
ipsopen="{ IPS }"
ip6sopen="{ IPS6 }"
blockaniipji="{ IPS }"
ports="{ 21 }"
icmp_types="echoreq"
set block-policy drop
set loginterface $external
set skip on lo0
scrub in all
scrub on $internal
scrub on $external random-id max-mss 1452 reassemble tcp fragment reassemble
nat on $external from $intranal to any -> ($external)
nat on $external from $intranallocal to any -> ($external)
rdr on $external proto tcp from any to $external port 60606 -> 10.0.0.2 port 60606
# START - XTREAMER - FTP
rdr on $external proto tcp from any to $external port 10002 -> 10.0.0.5 port 21
rdr on $external proto tcp from any to $external port 10003 -> 10.0.0.5 port 80
rdr on $external proto tcp from any to $external port 1024:1050 -> 10.0.0.5
# END - EXTREAMER - FTP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
#rdr on $internal proto tcp from any to any port 21 -> 127.0.0.1 port 21
block in log quick on $external inet proto tcp from any to any flags FUP/FUP
block in log quick on $external proto tcp from any to any flags SAFRPU/SAFRPU
block in log quick on $external proto tcp from any to any flags SAFRU/SAFRU
block in log quick on $external proto tcp from any to any flags SF/SF
block in log quick on $external proto tcp from any to any flags SR/SR
block in inet proto icmp all icmp-type $icmp_types
block in log quick on $external proto tcp from $blockaniipji to $external
#pass in inet proto icmp icmp-type $icmp_types from $internal to any keep state
#pass inet proto icmp icmp-type $icmp_types from any to $external keep state
#block return-rst in quick on sis0 proto tcp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto udp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto tcp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto icmp from any to any
block in log all
block out log all
anchor "ftp-proxy/*"
antispoof quick for { lo $internal }
antispoof quick for { lo $local }
pass in on $pptp inet from any to any
pass out on $pptp inet from any to any
pass in proto gre all keep state
pass out proto gre all keep state
# IP-TV ZA MREZO #
pass in on $external inet proto igmp to 224.0.0.0/4 allow-opts
pass in on $external inet proto udp to 224.0.0.0/4
pass out on $external inet proto igmp from $external to 224.0.0.0/4 allow-opts
pass in on $internal inet proto igmp from 10.0.0.0/24 to 224.0.0.0/4 allow-opts
pass in on $internal inet proto udp from 10.0.0.0/24
pass out on $internal inet proto igmp from 10.0.0.0/24 to 224.0.0.0/4 allow-opts
pass out on $internal inet proto udp to 224.0.0.0/4
# KONEC IP-TV ZA MREZO #
# START OF IPV6
pass in on $ipv6 inet6 from any to any keep state
#pass in on $external inet proto ipv6 from any to $external keep state
pass in on $internal inet proto ipv6 from any to any keep state
pass out on $ipv6 all
pass out on $external inet proto ipv6 from $external to any keep state
pass in on lo all
pass out on lo all
# END OF IPV6
# START - XTREAMER - FTP
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 21 flags S/SAFR synproxy state
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 80 flags S/SAFR synproxy state
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 1024 >< 1050 flags S/SAFR modulate state
pass out quick on $internal inet proto tcp from any to 10.0.0.5 port 1024 >< 1050 flags S/SAFR modulate state
# END - XTREAMER - FTP
# START OF PORT FORWARDING THROUGH NAT
pass out on $internal inet proto tcp from any to 10.0.0.2 port 60606 keep state
pass out on $internal inet proto tcp from any to 10.0.0.5 port 21 keep state
pass out on $internal inet proto tcp from any to 10.0.0.5 port 80 keep state
# END OF PORT FORWARDING THROUGH NAT
pass out on $external inet proto udp all keep state
pass out on $external inet proto icmp from any to any keep state
pass out on $external inet proto tcp from any to any
pass out on lo inet proto tcp from any to any port 953 keep state
pass in on lo inet proto tcp from any to any port 953 keep state
# WEBMAIL
pass in on lo inet proto tcp from any to any port 143 keep state
pass out on lo inet proto tcp from any to any port 143 keep state
pass out on lo inet proto tcp from any to any port 25 keep state
pass in on lo inet proto tcp from any to any port 25 keep state
# END OF WEBMAIL
pass in on $external proto tcp from any to any port > 49151 keep state
pass in on $external inet proto udp from any to any port domain keep state
pass in on $internal inet from $intranal to any modulate state
pass in on $local inet from $intranallocal to any modulate state
pass out on $internal inet from $intranal to any modulate state
pass out on $local inet from $intranallocal to any modulate state
pass in on $external inet proto tcp from $ipsopen to $external port $portsopen keep state
#pass in quick on $external inet6 proto tcp from $ip6sopen to $external port $portsopen keep state
pass in on $external inet proto tcp from any to $external port $services keep state
pass in on $external inet proto tcp from $irc to $external port 113 keep state
pass in on $external inet proto tcp from any to $external user proxy keep state
# IGMP IP-TV
pass in on $internal inet proto igmp from any to any allow-opts
pass in on $external proto tcp from any to 10.0.1.2 flags S/SA keep state
antispoof for $external
antispoof for $ipv6
antispoof for $local
antispoof for $internal
I know that this pf config is messy, and sure there are some misconfigurations in it; I didn't have time to retest everything and get the syntax 100%...
The things I added for mpd and PPTP are:
Code:
pass in on $pptp inet from any to any
pass out on $pptp inet from any to any
pass in proto gre all keep state
pass out proto gre all keep state
So the problem is that clients are able to connect to the PPTP server and they get an address from the pool (10.0.0.50-100), but they cannot ping any system on the internal network (10.0.0.0/24) unless I disable PF; then the clients can ping the gateway 10.0.0.1 and Samba starts working too...
Thanks for the quick response, DNAeon; I hope to find the pf config bug...
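As an added illustration (not part of the post above, and not a confirmed diagnosis of it), here is what pf's `antispoof` keyword turns into and why that matters when the PPTP pool is carved out of the LAN subnet, as it is above (10.0.0.50-100 inside 10.0.0.0/24). The macro names reuse the poster's pf.conf; the `ng` interface group name is an assumption about how mpd names its interfaces on FreeBSD, and `em1`/`10.0.0.1` are taken from the post.

```pf
# Added example, not from the original post. Macros reuse the poster's names;
# "ng" is assumed to be the interface group that holds ng0, ng1, ... (mpd
# creates one ngN interface per bundle, so a rule on "ng0" alone only covers
# the first client).
internal="em1"
pptp="ng"
intranal="10.0.0.0/24"

# Per pf.conf(5), "antispoof quick for $internal" expands to:
#   block drop in quick on ! em1 inet from 10.0.0.0/24 to any
#   block drop in quick inet from 10.0.0.1 to any
# A PPTP client holds an address from 10.0.0.50-100, so its packets arrive on
# an ngN interface with a 10.0.0.0/24 source: the first expanded rule drops
# them, and because it is "quick" no later "pass in on $pptp" is consulted.
# Without "quick" the antispoof rule at the very end of the file would still
# win, since pf's last matching rule decides unless an earlier match is quick.

# Admit tunnel traffic with "quick", and before any antispoof line, so the
# expanded block rules never see it.
pass in  quick on $pptp inet from any to any keep state
pass out quick on $pptp inet from any to any keep state

antispoof quick for { lo $internal }
```

`pfctl -vnf /etc/pf.conf` prints the fully expanded rule set without loading it, which makes the generated `block drop in quick on ! em1` line visible; `pfctl -sr` shows the same for the rules currently loaded. The other way to remove the conflict is to hand PPTP clients a pool that is not inside 10.0.0.0/24, which also removes the need for `proxy-arp` in mpd, provided LAN hosts route that pool via the gateway.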