FreeBSD Ports and Packages - Installation and upgrading of ports and packages on FreeBSD.
Hello,
I'm trying to set up a pptp server on my FreeBSD 8.0 box using mpd, hope you can help me out. Here's what I've got so far - mpd5.5 is already installed from ports. The mpd daemon runs on the same box that is the external firewall, and clients connect to it.

/usr/local/etc/mpd5/mpd.conf
Code:
startup:
# configure mpd users
set user administrator admin
set user administrator
# configure the console
set console self 127.0.0.1 5005
set console open
# configure the web server
set web self 0.0.0.0 5006
set web open
default:
load pptp_server
pptp_server:
set ippool add pool1 10.1.16.50 10.1.16.60
# Create clonable bundle template named B
create bundle template B
set iface enable proxy-arp
set iface idle 1800
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assignment.
set ipcp ranges <external-ip-here>/24 ippool pool1
set ipcp dns 10.1.16.1
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
set bundle enable compression
set ccp yes mppc
set mppc yes e40
set mppc yes e128
set mppc yes stateless
# Create clonable link template named L
create link template L pptp
# Set bundle template to use
set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
set link enable multilink
set link yes acfcomp protocomp
set link no pap chap eap
set link enable chap
# We reduce the link MTU to avoid GRE packet fragmentation.
set link mtu 1460
# Configure PPTP
set pptp self <external-ip-here>
# Allow to accept calls
set link enable incoming
Code:
testuser testuser
In /etc/pf.conf I have this:
Code:
# --- MACROS section ---
ext_if = "re0"
int_if = "fxp0"
# --- IP given by the ISP ---
ip_addr = "<external-ip-here>"
# --- protocols on external interface ---
EXT_PROTOS = "{ icmp }"
# --- allow pptp connections on the external interface ---
PPTP_SERVICES = "{ 1723 47 }"
# --- hosts with internet access ---
table <allowed> { 10.1.16.0/20 }
# --- OPTIONS section ---
set skip on lo0
# --- SCRUB section ---
scrub in all
# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ip_addr
# --- FILTER RULES ---
# --- default policy ---
block log all
# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet
# --- INTERNAL interface ---
pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state
# --- EXTERNAL interface ---
# --- pass incoming connections on external interface for these protocols ---
pass in quick on $ext_if inet proto $EXT_PROTOS from any to $ext_if keep state
pass in quick on $ext_if inet proto { tcp udp } from any to $ext_if port $PPTP_SERVICES keep state
pass out quick on $ext_if inet from any to any keep state
But they cannot ping any system from the internal network - 10.1.16.0/20. If I disable PF, the clients can only ping the gateway's internal IP - 10.1.16.1.

The other problem is that each time a client connects a new ng device is configured for them: 1st client -> ng0, 2nd client -> ng1, etc. I've tried adding these rules to PF as well just to test, but that doesn't help.

Code:
pass in quick on ng0 inet from any to any keep state
pass out quick on ng0 inet from any to any keep state

The other strange issue from the mpd daemon I get is this:

Code:
[B-1] system: command "/usr/sbin/arp" returned 256

If I use tcpdump I can see the icmp echo request from the client only on the ng device, so it's not blocked anywhere else. Do you have an idea where/what I'm missing?

Thanks,
DNAeon

Attachment: mpd-daemon.txt
__________________
"I never think of the future. It comes soon enough." - A.E
Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org
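Since each client lands on a fresh ngN interface and the posted pf rules only name ng0, here is an added pf.conf filter section (my example, not the poster's configuration) that lists one interface per pool address, matches the GRE data channel as an IP protocol rather than a port, and puts the session rules ahead of antispoof for $int_if, whose expansion drops packets with 10.1.16.0/20 sources arriving on any other interface. It assumes the macros and <allowed> table from the post; the size of the ng list is an assumption derived from the 11-address pool.

```pf
# Added example (not from the original post): a corrected filter section for the
# PPTP/mpd5 gateway above. Assumes the post's macros and table ($ext_if, $int_if,
# <allowed>) and the posted ippool 10.1.16.50-10.1.16.60, which lies inside
# <allowed> (10.1.16.0/20). The interface list is a constructed assumption:
# mpd creates ng0, ng1, ... per session, so a rule naming only ng0 covers the
# first client; list as many as the pool has addresses (11 here).
pptp_ifs = "{ ng0 ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 }"

# --- default policy ---
block log all

# --- PPTP sessions ---
# These must precede "antispoof quick for $int_if": that line expands to
# "block drop in on ! $int_if inet from 10.1.16.0/20 to any", which drops the
# clients' packets arriving on ngN with pool addresses from that very subnet.
# Quick rules match in order, so putting the session rules first avoids that.
pass in quick on $pptp_ifs inet from <allowed> to any keep state
pass out quick on $pptp_ifs inet from any to <allowed> keep state

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---
pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# --- EXTERNAL interface ---
# PPTP has two parts: the control channel on TCP port 1723 and the data channel
# carried by GRE, which is IP protocol 47, not a TCP/UDP port. The posted rule
#   pass in quick on $ext_if inet proto { tcp udp } ... port { 1723 47 }
# therefore never matches the GRE tunnel traffic; use "proto gre" for it.
pass in quick on $ext_if inet proto icmp from any to $ext_if keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 1723 flags S/SA keep state
pass in quick on $ext_if inet proto gre from any to $ext_if keep state
pass out quick on $ext_if inet from any to any keep state
```

Load it with pfctl -nf /etc/pf.conf first to check the syntax, then watch pflog with tcpdump while a client pings 10.1.16.1 to confirm nothing on ngN is still hitting the block rule.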