FreeBSD Ports and Packages: Installation and upgrading of ports and packages on FreeBSD.
FreeBSD + MPD + PF
Hello,
I'm trying to set up a PPTP server on my FreeBSD 8.0 box using mpd; I hope you can help me out. Here's what I've got so far. mpd 5.5 is already installed from ports. The mpd daemon runs on the same box that is the external firewall, and clients connect to it.

/usr/local/etc/mpd5/mpd.conf
Code:
startup:
        # configure mpd users
        set user administrator admin
        set user administrator
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load pptp_server

pptp_server:
        set ippool add pool1 10.1.16.50 10.1.16.60
        # Create clonable bundle template named B
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
        # Specify IP address pool for dynamic assignment.
        set ipcp ranges <external-ip-here>/24 ippool pool1
        set ipcp dns 10.1.16.1
        # The five lines below enable Microsoft Point-to-Point encryption
        # (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless
        # Create clonable link template named L
        create link template L pptp
        # Set bundle template to use
        set link action bundle B
        # Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap
        # We reduce the link MTU to avoid GRE packet fragmentation.
        set link mtu 1460
        # Configure PPTP
        set pptp self <external-ip-here>
        # Allow to accept calls
        set link enable incoming

Code:
testuser testuser
In /etc/pf.conf I have these rules:
Code:
# --- MACROS section ---
ext_if = "re0"
int_if = "fxp0"
# --- IP given by the ISP ---
ip_addr = "<external-ip-here>"
# --- protocols on external interface ---
EXT_PROTOS = "{ icmp }"
# --- allow pptp connections on the external interface ---
PPTP_SERVICES = "{ 1723 47 }"
# --- hosts with internet access ---
table <allowed> { 10.1.16.0/20 }

# --- OPTIONS section ---
set skip on lo0

# --- SCRUB section ---
scrub in all

# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ip_addr

# --- FILTER RULES ---
# --- default policy ---
block log all

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---
pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# --- EXTERNAL interface ---
# --- pass incoming connections on external interface for these protocols ---
pass in quick on $ext_if inet proto $EXT_PROTOS from any to $ext_if keep state
pass in quick on $ext_if inet proto { tcp udp } from any to $ext_if port $PPTP_SERVICES keep state
pass out quick on $ext_if inet from any to any keep state

But they cannot ping any system on the internal network, 10.1.16.0/20. If I disable PF, the clients can only ping the gateway's internal IP, 10.1.16.1.

The other problem is that each time a client connects, a new ng device is configured for them: 1st client -> ng0, 2nd client -> ng1, etc. I've tried adding these rules to PF as well, just to test, but that doesn't help.
Code:
pass in quick on ng0 inet from any to any keep state
pass out quick on ng0 inet from any to any keep state

The other strange issue I get from the mpd daemon is this:
Code:
[B-1] system: command "/usr/sbin/arp" returned 256

If I use tcpdump I can see the ICMP echo request from the client only on the ng device, so it's not blocked anywhere else.

Do you have an idea where/what I'm missing?

Thanks,
DNAeon

Attached: mpd-daemon.txt
__________________
"I never think of the future. It comes soon enough." - A.E. Useful links: FreeBSD Handbook | FreeBSD Developer's Handbook | The Porter's Handbook | PF User's Guide | unix-heaven.org
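An added pf.conf fragment for the kind of setup described in this post (example rules written for this edit, not the poster's file and not from the mpd or PF documentation). It keeps the post's names and assumes the same layout: re0 outside, fxp0 inside at 10.1.16.1/20, the client pool 10.1.16.50-10.1.16.60 taken out of the LAN range, and one ng* interface per connected client. It differs from the posted rules in two places. GRE (IP protocol 47) is the PPTP data channel and is not a TCP/UDP port, so a port list of "{ 1723 47 }" never passes it; it is passed here with "proto gre". And "antispoof for $int_if" expands to a rule that drops anything with a 10.1.16.0/20 source arriving on an interface other than fxp0, which is exactly what a VPN client's packet on ng0 looks like, so the antispoof is kept on the external interface only. Matching the interface group "ng" is an assumption: FreeBSD adds every interface to a group named after its driver, so ng0, ng1, ... should all match it, but confirm with "ifconfig ng0" after a client connects.

```pf
# Added example pf.conf for a PPTP server running on the firewall itself.
# Assumed names (from the post): re0 outside, fxp0 inside 10.1.16.1/20,
# mpd pool 10.1.16.50-10.1.16.60, one ng* interface per client.
ext_if  = "re0"
int_if  = "fxp0"
ip_addr = "<external-ip-here>"
table <allowed> { 10.1.16.0/20 }   # LAN hosts and, since the pool is
                                   # inside this range, the VPN clients

set skip on lo0
scrub in all

# Pool addresses are inside <allowed>, so VPN clients get NAT too.
nat on $ext_if from <allowed> to any -> $ip_addr

block log all

# Antispoof only on the outside. "antispoof for $int_if" would drop
# client packets: LAN-range source, but they arrive on ng*, not fxp0.
antispoof quick for $ext_if inet

# Inside interface.
pass in  quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# Outside interface: ICMP, the PPTP control channel (TCP/1723) and the
# GRE data channel. GRE is a protocol, not a port, hence "proto gre".
pass in  quick on $ext_if inet proto icmp from any to $ext_if keep state
pass in  quick on $ext_if inet proto tcp  from any to $ext_if port 1723 flags S/SA keep state
pass in  quick on $ext_if inet proto gre  from any to $ext_if keep state
pass out quick on $ext_if inet from any to any keep state

# Per-client tunnel interfaces (ng0, ng1, ...): match the "ng" interface
# group once instead of naming each device (assumed group name, see text).
pass in  quick on ng inet from <allowed> to any keep state
pass out quick on ng inet from any to any keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it; "pfctl -vsr" shows the rules antispoof expands to, which makes the ! fxp0 block visible when the internal antispoof is present, and "pfctl -ss" lists the GRE and TCP/1723 states once a client is connected.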