FreeBSD + MPD + PF
Hello,
I'm trying to set up a pptp server on my FreeBSD 8.0 box using mpd, hope you can help me out. Here's what I've got so far - mpd5.5 is already installed from ports. The mpd daemon runs on the same box that is the external firewall, and clients connect to it.

/usr/local/etc/mpd5/mpd.conf
Code:
startup:
    # configure mpd users
    set user administrator admin
    set user administrator
    # configure the console
    set console self 127.0.0.1 5005
    set console open
    # configure the web server
    set web self 0.0.0.0 5006
    set web open

default:
    load pptp_server

pptp_server:
    set ippool add pool1 10.1.16.50 10.1.16.60
    # Create clonable bundle template named B
    create bundle template B
    set iface enable proxy-arp
    set iface idle 1800
    set iface enable tcpmssfix
    set ipcp yes vjcomp
    # Specify IP address pool for dynamic assignment.
    set ipcp ranges <external-ip-here>/24 ippool pool1
    set ipcp dns 10.1.16.1
    # The five lines below enable Microsoft Point-to-Point encryption
    # (MPPE) using the ng_mppc(8) netgraph node type.
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set mppc yes stateless
    # Create clonable link template named L
    create link template L pptp
    # Set bundle template to use
    set link action bundle B
    # Multilink adds some overhead, but gives full 1500 MTU.
    set link enable multilink
    set link yes acfcomp protocomp
    set link no pap chap eap
    set link enable chap
    # We reduce the link mtu to avoid GRE packet fragmentation.
    set link mtu 1460
    # Configure PPTP
    set pptp self <external-ip-here>
    # Allow to accept calls
    set link enable incoming

Code:
testuser testuser
In /etc/pf.conf I've added these rules:
Code:
# --- MACROS section ---
ext_if = "re0"
int_if = "fxp0"

# --- IP given by the ISP ---
ip_addr = "<external-ip-here>"

# --- protocols on external interface ---
EXT_PROTOS = "{ icmp }"

# --- allow pptp connections on the external interface ---
PPTP_SERVICES = "{ 1723 47 }"

# --- hosts with internet access ---
table <allowed> { 10.1.16.0/20 }

# --- OPTIONS section ---
set skip on lo0

# --- SCRUB section ---
scrub in all

# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ip_addr

# --- FILTER RULES ---
# --- default policy ---
block log all

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---
pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# --- EXTERNAL interface ---
# --- pass incoming connections on external interface for these protocols ---
pass in quick on $ext_if inet proto $EXT_PROTOS from any to $ext_if keep state
pass in quick on $ext_if inet proto { tcp udp } from any to $ext_if port $PPTP_SERVICES keep state
pass out quick on $ext_if inet from any to any keep state

But they cannot ping any system from the internal network - 10.1.16.0/20. If I disable PF, the clients can only ping the gateway's internal IP - 10.1.16.1.

The other problem is that each time a client connects a new ng device is configured for them: 1st client -> ng0, 2nd client -> ng1, etc. I've tried adding these rules to PF as well just to test, but that doesn't help.
Code:
pass in quick on ng0 inet from any to any keep state
pass out quick on ng0 inet from any to any keep state

The other strange issue I get from the mpd daemon is this:
Code:
[B-1] system: command "/usr/sbin/arp" returned 256

If I use tcpdump I can see the ICMP echo request from the client only on the ng device, so it's not blocked anywhere else. Do you have an idea where/what I'm missing?

Thanks, DNAeon

Attachment: mpd-daemon.txt
__________________
"I never think of the future. It comes soon enough." - A.E Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org |
Hello again,
Seems that this issue has already been fixed in RELENG_8. To fix the issue: http://lists.freebsd.org/pipermail/f...il/025128.html Regards, DNAeon
re
First post on this forum, hi to everyone...
About that theme, DNAeon, I'm having the exact same problems with 8.0-STABLE. The goal is to get a VPN connection to access Samba. So the thing is that everything works if I disable the firewall, but if PF is on, although there is nothing blocking from PF when I tcpdump pflog0, I can't ping from the remote to the local LAN IP of the server; the other way around works. Sure, I can't access Samba's network when PF is on; when it's off there's no problem at all. I kinda can't figure this out because pflog0 is not showing me any blocking from its side. Some help.. thanks
The proxy arp issues were fixed in RELENG_8 and 8.1-RELEASE, so your issue should be more like a configuration problem. Can you show your mpd.conf and PF rules? Regards,
re
About the proxy arp bug, I didn't even consider this to be relevant to my problem. So yeah, I guess there is a problem in my pf configuration. Here is my mpd.conf:
Code:
startup:
    set console self 127.0.0.1 5005
    set console open
    set web self 0.0.0.0 5006
    set web open

default:
    load pptp_server

pptp_server:
    set ippool add pool1 10.0.0.50 10.0.0.100
    create bundle template MYVPN
    set iface enable proxy-arp
    set iface idle 1800
    set iface enable tcpmssfix
    set ipcp yes vjcomp
    set ipcp ranges 10.0.0.1/32 ippool pool1
    set ipcp dns 10.0.0.1
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set mppc yes stateless
    create link template MYVPN pptp
    set link action bundle MYVPN
    set link enable multilink
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    set link keep-alive 10 60
    set link mtu 1460
    set pptp self MY_WAN_IP
    set link enable incoming

Code:
pptp1:
    set link type pptp
    set pptp enable incoming
    set pptp disable originate

* MY_WAN_IP -> my public IP
* 10.0.0.50 - 10.0.0.100 -> the IP range for clients
* 10.0.0.1 -> the gateway's internal IP

My pf.conf:
Code:
external="em0"
internal="em1"
local="em3"
ipv6="stf0"
pptp="ng0"
intranal="10.0.0.0/24"
intranallocal="10.0.1.0/24"
services="{ 21, 25, 53, 50, 60, 70, 80, 110, 443, 995, 2525 }"
portsopen="{ 47, 2525, 1723, 10000, 10001 }"
ircportsopen="{ 10001 }"
irc="{ IPS }"
ipsopen="{ IPS }"
ip6sopen="{ IPS6 }"
blockaniipji="{ IPS }"
ports="{ 21 }"
icmp_types="echoreq"

set block-policy drop
set loginterface $external
set skip on lo0

scrub in all
scrub on $internal
scrub on $external random-id max-mss 1452 reassemble tcp fragment reassemble

nat on $external from $intranal to any -> ($external)
nat on $external from $intranallocal to any -> ($external)
rdr on $external proto tcp from any to $external port 60606 -> 10.0.0.2 port 60606
# START - XTREAMER - FTP
rdr on $external proto tcp from any to $external port 10002 -> 10.0.0.5 port 21
rdr on $external proto tcp from any to $external port 10003 -> 10.0.0.5 port 80
rdr on $external proto tcp from any to $external port 1024:1050 -> 10.0.0.5
# END - XTREAMER - FTP
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
#rdr on $internal proto tcp from any to any port 21 -> 127.0.0.1 port 21

block in log quick on $external inet proto tcp from any to any flags FUP/FUP
block in log quick on $external proto tcp from any to any flags SAFRPU/SAFRPU
block in log quick on $external proto tcp from any to any flags SAFRU/SAFRU
block in log quick on $external proto tcp from any to any flags SF/SF
block in log quick on $external proto tcp from any to any flags SR/SR
block in inet proto icmp all icmp-type $icmp_types
block in log quick on $external proto tcp from $blockaniipji to $external
#pass in inet proto icmp icmp-type $icmp_types from $internal to any keep state
#pass inet proto icmp icmp-type $icmp_types from any to $external keep state
#block return-rst in quick on sis0 proto tcp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto udp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto tcp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto icmp from any to any
block in log all
block out log all

anchor "ftp-proxy/*"
antispoof quick for { lo $internal }
antispoof quick for { lo $local }

pass in on $pptp inet from any to any
pass out on $pptp inet from any to any
pass in proto gre all keep state
pass out proto gre all keep state

# IP-TV FOR THE NETWORK #
pass in on $external inet proto igmp to 224.0.0.0/4 allow-opts
pass in on $external inet proto udp to 224.0.0.0/4
pass out on $external inet proto igmp from $external to 224.0.0.0/4 allow-opts
pass in on $internal inet proto igmp from 10.0.0.0/24 to 224.0.0.0/4 allow-opts
pass in on $internal inet proto udp from 10.0.0.0/24
pass out on $internal inet proto igmp from 10.0.0.0/24 to 224.0.0.0/4 allow-opts
pass out on $internal inet proto udp to 224.0.0.0/4
# END IP-TV FOR THE NETWORK #

# START OF IPV6
pass in on $ipv6 inet6 from any to any keep state
#pass in on $external inet proto ipv6 from any to $external keep state
pass in on $internal inet proto ipv6 from any to any keep state
pass out on $ipv6 all
pass out on $external inet proto ipv6 from $external to any keep state
pass in on lo all
pass out on lo all
# END OF IPV6

# START - XTREAMER - FTP
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 21 flags S/SAFR synproxy state
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 80 flags S/SAFR synproxy state
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 1024 >< 1050 flags S/SAFR modulate state
pass out quick on $internal inet proto tcp from any to 10.0.0.5 port 1024 >< 1050 flags S/SAFR modulate state
# END - XTREAMER - FTP

# START OF PORT FORWARDING THROUGH NAT
pass out on $internal inet proto tcp from any to 10.0.0.2 port 60606 keep state
pass out on $internal inet proto tcp from any to 10.0.0.5 port 21 keep state
pass out on $internal inet proto tcp from any to 10.0.0.5 port 80 keep state
# END OF PORT FORWARDING THROUGH NAT

pass out on $external inet proto udp all keep state
pass out on $external inet proto icmp from any to any keep state
pass out on $external inet proto tcp from any to any
pass out on lo inet proto tcp from any to any port 953 keep state
pass in on lo inet proto tcp from any to any port 953 keep state
# WEBMAIL
pass in on lo inet proto tcp from any to any port 143 keep state
pass out on lo inet proto tcp from any to any port 143 keep state
pass out on lo inet proto tcp from any to any port 25 keep state
pass in on lo inet proto tcp from any to any port 25 keep state
# END OF WEBMAIL
pass in on $external proto tcp from any to any port > 49151 keep state
pass in on $external inet proto udp from any to any port domain keep state
pass in on $internal inet from $intranal to any modulate state
pass in on $local inet from $intranallocal to any modulate state
pass out on $internal inet from $intranal to any modulate state
pass out on $local inet from $intranallocal to any modulate state
pass in on $external inet proto tcp from $ipsopen to $external port $portsopen keep state
#pass in quick on $external inet6 proto tcp from $ip6sopen to $external port $portsopen keep state
pass in on $external inet proto tcp from any to $external port $services keep state
pass in on $external inet proto tcp from $irc to $external port 113 keep state
pass in on $external inet proto tcp from any to $external user proxy keep state
# IGMP IP-TV
pass in on $internal inet proto igmp from any to any allow-opts
pass in on $external proto tcp from any to 10.0.1.2 flags S/SA keep state
antispoof for $external
antispoof for $ipv6
antispoof for $local
antispoof for $internal

The things I added for mpd and pptp are:
Code:
pass in on $pptp inet from any to any
pass out on $pptp inet from any to any
pass in proto gre all keep state
pass out proto gre all keep state

Thanks for the quick response, DNAeon, in hope to find the pf config bug..
Hi,
Here's what you can try as well.

1) My mpd.conf file is almost the same as yours, except that I don't have mpd.links.

2) pf.conf configuration

What I understood is that your mpd5 daemon is running on your external IP, right? Your internal network is 10.0.0.0/24, which also includes the IP pool for mpd - 10.0.0.50 - 10.0.0.100. Upon a new pptp connection mpd will automatically create a new ngX interface associated with that specific connection - in your PF configuration you are limited to only one pptp connection, so instead of allowing that specific ng0 interface, allow the IP pool from mpd.conf. Here are some parts from my pf.conf that you might find useful to fit into your configuration:
Code:
# --- MACROS section ---
ext_if = "re0"
int_if = "fxp0"

# --- pptp services ---
PPTP_SERVICES = "{ 1723 47 }"

# --- hosts with internet access ---
table <allowed> { 10.0.0.0/24 }

# --- OPTIONS section ---
set skip on lo0

# --- SCRUB section ---
scrub in all

# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> ($ext_if)

# --- FILTER RULES ---
# --- default policy ---
block log all

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---
pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# --- EXTERNAL interface ---
# --- pass incoming pptp connections to the pptp server ---
pass in quick on $ext_if inet proto { tcp udp } from any to $ext_if port $PPTP_SERVICES keep state
pass out quick on $ext_if inet from any to any keep state

My setup differs from yours in only one more thing, and that is that my pptp server runs on the internal network, so I just have an additional rdr rule to pass the traffic. Let me know if that works for you. Regards,
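As an added example that is not from any post in this thread, here is a pf.conf fragment written along the lines suggested above: it admits mpd's clients by the address pool rather than by a fixed ngX name. It assumes the second poster's layout (em0/em1, LAN 10.0.0.0/24, pool 10.0.0.50-10.0.0.100 inside that LAN) and shows the rule-ordering caveat that otherwise makes antispoof on the LAN interface drop the pool addresses arriving on the ngX interfaces.

```pf
# Added example (not from the thread). Assumes ext_if/int_if, LAN and pool
# as in the second poster's configuration above.
ext_if = "em0"
int_if = "em1"
lan    = "10.0.0.0/24"

# 10.0.0.50-10.0.0.100 is not CIDR-aligned; these blocks cover it exactly.
table <pptp_clients> const { 10.0.0.50/31, 10.0.0.52/30, 10.0.0.56/29, \
                             10.0.0.64/27, 10.0.0.96/30, 10.0.0.100/32 }

set skip on lo0
scrub in all

# One NAT rule serves LAN hosts and VPN clients, since the pool lies inside
# the LAN prefix.
nat on $ext_if from $lan to any -> ($ext_if)

block log all

# Client packets arrive on ngX, not on $int_if.  "antispoof quick for $int_if"
# expands to "block in quick on ! $int_if inet from 10.0.0.0/24", which drops
# the pool addresses on every ngX without logging (antispoof rules carry no
# "log").  So admit the pool on any interface but the WAN side first.
pass in  quick on ! $ext_if inet from <pptp_clients> to any keep state
# Locally generated and forwarded traffic to the clients leaves on ngX.
pass out quick inet from any to <pptp_clients> keep state

antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# PPTP control channel is TCP 1723.  GRE is IP protocol 47, not a port, so it
# needs its own "proto gre" rule; a "port { 1723 47 }" list cannot match it.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 1723 keep state
pass in quick on $ext_if inet proto gre from any to ($ext_if) keep state

# --- INTERNAL / EXTERNAL interfaces, as in the posts above ---
pass in  quick on $int_if inet from $lan to any keep state
pass out quick on $int_if inet from any to any keep state
pass out quick on $ext_if inet from any to any keep state
```

Check the ruleset with pfctl -nf /etc/pf.conf before loading it; a drop by the antispoof expansion can be confirmed with pfctl -sr, which lists the generated block rules.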
re
Yes, the mpd5 daemon is running on my external IP. So I fixed the issue now by assigning the pool 10.1.0.1/24 to mpd5 and referring NAT to the interface, so that internet works as well as Samba. I guess that my pf config redirects something on the 10.0.0.1/24 LAN so that something is not routing right. I'll take a look at that later and report.
Now I have an additional problem: my Slackware wants to use that VPN as the primary internet connection. It's the same with Windows 7; I tried to assign a higher metric to the VPN connection but still it's the primary for internet usage. As I want to use my local connection and not the VPN as the primary internet connection, any idea how to fix that on Linux & Windows? Regards,
As to Linux, you might need these options for your ppp configuration:
Code:
# Try to get the name server addresses from the ISP.
usepeerdns
# Use this connection as the default route.
defaultroute

What would happen when a client wants to connect to your Samba machine, and you are using a private domain name, for example - then the client's DNS server does not know anything about it, and thus you won't be able to connect to it. If your clients use the DNS server from the VPN connection, it will be a bit slower, but for sure that DNS server will know more. Regards,