DaemonForums  

#1
28th January 2013
bertj
Traffic between two VPN networks

Hello All,
I am looking for some help on an issue with having two VPN networks.
My current system layout:


I am unable to route traffic from the VPN user on 10.8.0.34 to the web server on the local LAN 10.7.1.2.

The VPN server 10.8.0.1 can ping the 10.7.1.2 address fine, but the user cannot.
I have tried everything and my brain is falling apart, lol.

The pf.conf for the first BSD OpenVPN box (10.8.0.1):

Code:
#Variables
########################
ext_if="sis0" #Internet
srv_if="sis1" #Server link
drc_if="sis2" #DRAC link
vps_if="tun0" #VPN interface that runs as server (for user connection)
vpc_if="tun1" #VPN interface that runs as client (for server connection)
ovpn=1194

#Initial set up
########################
#set skip on lo
#scrub in
#Redirects & NAT
########################
#Redirect traffic over FSP VPN from FSP to the server
#rdr pass on $vps_if from any to any  -> 192.168.1.2
#rdr pass on $vps_if from any to any  -> 10.8.0.30 
pass out on tun0 from 10.8.0.34/32 to any nat-to 10.9.0.5 

#Direct traffic over the FAD VPN from the server to the FADs network
nat pass on $vpc_if from $vps_if:network to 10.8.254/0 -> $vpc_if

#Direct telnet over FAD connection to DRAC
#rdr pass on $vpc_if proto tcp from any to any port 23 -> 192.168.2.2
#RULES
########################
#block all

#External Interface
#Allow VPN connection in
pass in on $ext_if proto udp from any to any port $ovpn
#Allow SSH in from Evidence Talks
#pass in on $ext_if proto tcp from $et to any port ssh
pass in on $ext_if proto tcp from any to any port ssh
#Allow all out
pass out on $ext_if all

#Server Interface
pass on $srv_if all

#DRAC Interface
pass on $drc_if all

#VPN Server interface
pass on $vps_if all

#VPN client interface
pass on $vpc_if all
And now the pf.conf for the last BSD OpenVPN box (10.9.0.1):
Code:
## Configuration
#####################
#Interfaces
ext_if="em0"     #Interface to internet
int_if="em1"     #Internal interface to network
#Ports
ovpn="1194"
rdp="3389"
#Port sets
allowed_web_server_ports="{" $rdp mysql "}"
#IPs
web_ip="10.7.1.2" #Web server IP
web_ports="{ http https }" #allowed ports on web server
#RULES
########################
set skip on lo
#block all

# HTTP/S allowed and forwarded to web server
#Redirect HTTP/S to web server
pass in on $ext_if proto tcp from any to any port $web_ports rdr-to $web_ip

#Allow RDP and MySQL and redirect to web server - only From ETL
pass in on $ext_if proto tcp from $etl_source_ips to any port $allowed_web_server_ports rdr-to $web_ip
#NAT traffic from web server to internet
pass out on $int_if from $web_ip to any nat-to $ext_if

# Allow OpenVPN connections
pass in quick on $ext_if proto udp from any to any port $ovpn #VPN

# Allow ssh connections from Evidence Talks
pass in on $ext_if proto tcp from $etl_source_ips to any port ssh

#Allow all out
pass out on $ext_if all

#Internal Interface - allow anything
pass on $int_if all
If anyone could shed some light on the issue, I would be a very happy man.

Last edited by J65nko; 28th January 2013 at 12:38 PM. Reason: [code] and [/code] tags ;)
#2
28th January 2013
jggimi

Hello, and welcome!

I'd like to help. Could you provide more info? This could be a routing issue, or this could be a packet forwarding issue, and I'd like to see if we can rule both out. If both of those possibilities are eliminated, it may be an OpenVPN configuration issue. I have not used OpenVPN in many, many years, so I won't be able to help with that. The VPNs I manage are either IPSec tunnels, or for some clients L2TP tunnels with IPSec transport (L2TP/IPSec).

You described that there is successful two-way interconnection between 10.8.0.1 and 10.7.1.2, but no success with 10.8.0.34 and 10.7.1.2.
  • I could see this as a routing problem, if 10.8.0.34 and 10.8.0.1 are on different subnets. You have not described your netmasks for your 10.8 addresses, so this is a possibility -- the 10.9 device would need to have a routing table entry added to route to the second 10.8 subnet.
  • I could see this as a packet forwarding problem, if you have not enabled the IPv4 packet forwarding sysctl on OpenBSD. This is easy to check; you would have edited /etc/sysctl.conf and uncommented the net.inet.ip.forwarding sysctl to set it to 1 on boot.

Last edited by jggimi; 28th January 2013 at 01:27 PM. Reason: clarity, typo
#3
28th January 2013
J65nko

Start simple
First try to get a simple ping working from the laptop to that webserver. I never really used OpenVPN so it will need some adjustments, but I hope you get the idea.

Code:
int_if = re0
ext_if = lo2 # just for testing on my single NIC machine

vpn_laptop = 10.8.0.34
www_server = 10.7.1.2

# --- default policy
# prevent pollution of our pflog0 with NTP packets
block quick inet proto udp from any to any port ntp
block log all

# --- EXTERNAL INTERFACE

# --- NAT rule 
match out inet from ! egress to any  nat-to egress

pass out quick on $ext_if tagged PING  

# --- INTERNAL INTERFACE
# allow incoming SSH
pass in quick on $int_if inet proto tcp from $vpn_laptop to $int_if  port ssh

# allow incoming ping and tag it!
pass in quick on $int_if inet  proto icmp from $vpn_laptop to $www_server icmp-type echoreq  tag PING
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#4
30th January 2013
bertj
Thanks for the Help

Hey guys, thanks for the help on this.
I'm going to check the routing at some point tonight.

And tcpdump has helped. I know it makes it down the tun0 adapter and is being passed to tun1 going out, but that's as far as I can trace it.

I will digest and report.
#5
31st January 2013
jggimi

Ah, I just noticed I'd given OpenBSD advice, above. Mea culpa. In FreeBSD, packet forwarding is managed by the gateway_enable flag in /etc/rc.conf.
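The two checks suggested in post #2 (a missing return route on the 10.9 box, and IPv4 forwarding switched off), with the FreeBSD correction from post #5, worked through as an added Python example. This is not code from any poster in the thread; it runs offline on constructed `netstat -rn`, `/etc/rc.conf` and `sysctl` output for the 10.9.0.1 box, and the names `NETSTAT_10_9_0_1`, `RC_CONF_10_9_0_1`, `SYSCTL_OUT`, `parse_routes`, `lookup`, `return_path_ok`, `forwarding_enabled` and `diagnose` are the example's own, not anything from the OP's hosts.

```python
import ipaddress
import re

# Constructed `netstat -rn -f inet` style output for the second OpenVPN box
# (10.9.0.1). It knows the tunnel subnet 10.9.0.0/24 and the web server LAN,
# but has no route back to the 10.8.0.0/24 user subnet: a reply to 10.8.0.34
# would follow the default route out em0 instead of going back into the tunnel.
NETSTAT_10_9_0_1 = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.7.1.0/24        link#2             U           em1
10.9.0.0/24        link#3             U          tun0
127.0.0.1          link#1             UH          lo0
"""

# Constructed /etc/rc.conf fragment for the same box: forwarding is commented out.
RC_CONF_10_9_0_1 = """\
hostname="vpn2"
ifconfig_em0="DHCP"
openvpn_enable="YES"
#gateway_enable="YES"
"""

# Constructed `sysctl net.inet.ip.forwarding` output, the live value.
SYSCTL_OUT = "net.inet.ip.forwarding: 0\n"


def parse_routes(netstat_text):
    """Turn netstat -rn lines into (network, gateway, flags, netif) tuples."""
    routes = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gateway, flags, netif = parts[:4]
        if dest == "default":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            # a bare host address such as 10.8.0.1 becomes a /32
            network = ipaddress.ip_network(dest, strict=False)
        routes.append((network, gateway, flags, netif))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, as the kernel does it; returns the route or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in routes:
        network = route[0]
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = route
    return best


def return_path_ok(netstat_text, client_addr, tunnel_if):
    """True when a reply to client_addr would leave via the tunnel interface."""
    route = lookup(parse_routes(netstat_text), client_addr)
    return route is not None and route[3] == tunnel_if


def forwarding_enabled(rc_conf_text="", sysctl_text=""):
    """True if either source shows IPv4 forwarding turned on.

    FreeBSD persists it as gateway_enable="YES" in /etc/rc.conf (post #5);
    the live value on either BSD is the net.inet.ip.forwarding sysctl (post #2).
    """
    for line in rc_conf_text.splitlines():
        if re.fullmatch(r'\s*gateway_enable\s*=\s*"?YES"?\s*', line, re.IGNORECASE):
            return True
    m = re.search(r"net\.inet\.ip\.forwarding[:=]\s*(\d)", sysctl_text)
    return bool(m and m.group(1) == "1")


def diagnose(netstat_text, rc_conf_text, sysctl_text, client_addr, tunnel_if):
    """Collect the findings to check first; an empty list means both checks pass."""
    findings = []
    route = lookup(parse_routes(netstat_text), client_addr)
    if route is None or route[3] != tunnel_if:
        via = "no route" if route is None else "%s via %s" % (route[0], route[3])
        findings.append("no return route to %s over %s (%s)" % (client_addr, tunnel_if, via))
    if not forwarding_enabled(rc_conf_text, sysctl_text):
        findings.append("IPv4 forwarding is off")
    return findings


if __name__ == "__main__":
    for finding in diagnose(NETSTAT_10_9_0_1, RC_CONF_10_9_0_1, SYSCTL_OUT, "10.8.0.34", "tun0"):
        print("FINDING:", finding)
```

On the constructed data both checks fail, which is exactly the situation the reply describes: the 10.9 box can reach its tunnel peer, but a packet from the user subnet has no route home and would not be forwarded between em1 and tun0 anyway. Feed the real `netstat -rn`, `rc.conf` and `sysctl` output from the 10.9.0.1 host to the same functions to see which of the two applies there.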