Date:      Tue, 11 Jun 2002 15:06:31 -0500 (CDT)
From:      Nick Rogness <nick@rogness.net>
To:        John Nielsen <hackers@jnielsen.net>
Cc:        hackers@FreeBSD.ORG
Subject:   Re: gif(4) tunnel through MSN DSL modem
Message-ID:  <Pine.BSF.4.21.0206111455300.41533-100000@cody.jharris.com>
In-Reply-To: <015301c2117d$0db539c0$0900a8c0@max>

On Tue, 11 Jun 2002, John Nielsen wrote:

> Hi folks,
> 
> I tried this on -questions without any luck, so I'm hoping for a better
> response here . :)
> 
> I remotely administer a FreeBSD 4.5 machine that is connected to the
> internet through an MSN DSL modem.  This modem does NAT (for a single
> client) rather than bridging the connection.  So the FreeBSD machine
> thinks its public address is 192.168.1.2 (when in reality the modem is
> the only device with a public address).  This machine is itself doing
> NAT, acting as a firewall and gateway for a private network.

	Why run nat on the internal machine?  No need to do nat
	twice.  Just do basic routing between interfaces unless you need
	this functionality.

> 
> I would like to establish a gif(4) tunnel between this machine and my
> firewall here in order to link the two private networks into one
> virtual network.  I have done this before with two machines that were
> directly connected to the internet, but in this case the DSL modem on
> the far end seems to be fouling things up.  The modem seems to be
> passing everything through, but I haven't gotten gif to work.
> 
> Any ideas?  Here's what I've tried--this is how I'd set it up if the
> DSL modem weren't in the way.
> 

	Are you receiving any packets on the remote BSD machine that are
	of type ipencap?  Either log it via ipfw log or use a packet
	sniffer (like tcpdump or snort) to evaluate these packets.


> [excerpts from rc.conf on far (DSL) end]
> # Private interface
> ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
> # "Public" interface -- 192.168.1.2 netmask 255.255.255.252"
> ifconfig_ed0="DHCP"
> gif_interfaces="gif0"
> gifconfig_gif0="DSL.public.ip myend.public.ip"
> ifconfig_gif0="192.168.6.1 192.168.0.1"
> static_routes="john"
> route_john="-net 192.168.0 -interface gif0"
> 
> [excerpts from rc.conf on this (my) end]
> # Private interface
> ifconfig_ep0="inet 192.168.0.1 netmask 255.255.255.0"
> # Public interface
> ifconfig_ed0="DHCP"
> gif_interfaces="gif0"
> gifconfig_gif0="myend.public.ip DSL.public.ip"
> ifconfig_gif0="192.168.0.1 192.168.6.1"
> static_routes="DSL"
> route_DSL="-net 192.168.6 -interface gif0"
> 
> I've tried both the modem's (real) public address and 192.168.1.1 (the
> public interface's address) for DSL.public.ip, but neither seems to
> work. Can this be made to work?  Can gif be hacked so it will work?

	You will need to use the DSL's public IP probably.

> 
> I can't justify switching to a more expensive provider just so this
> tunnel will work, since it will mostly be a convenience for me and not
> the client. As far as I know, there's no way to modify any settings on
> the DSL modem itself.  I do have full access to both FreeBSD machines.  
> Again, any suggestions or even a detailed description of why this
> won't work would be appreciated.
> 

	My best guess would be that the modem is doing some anti-spoofing
	between its interfaces to prevent packets coming from the inside
	having its outside IP.  You will be able to tell if NO ipencap
	packets are received on the remote BSD machine.

	On the other hand, if you are receiving these ipencap packets on
	the remote side, something else is going on (like nat
	interrupting).

Nick Rogness <nick@rogness.net>
 - Don't mind me...I'm just sniffing your packets
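The following is an added example, not code from the thread or from FreeBSD. It models what gif(4) puts on the wire for an IPv4-over-IPv4 tunnel (IP protocol 4, "ipencap" in /etc/protocols) and the rule gif uses on input: an ipencap packet is claimed for a tunnel only when its outer source and destination equal the tunnel's configured remote and local addresses. It then pushes both directions of the setup discussed above through a NAT box, so the two failure modes Nick describes (the box behind the modem sourcing packets from the modem's own public address, and NAT rewriting the outer header so gif no longer matches) can be seen on constructed packets. The addresses (198.51.100.10 for myend.public.ip, 203.0.113.5 for DSL.public.ip, 192.168.1.2 for the box behind the modem) and the packet contents are assumptions chosen for the example.

```python
"""Added example (not from the thread): models gif(4)'s ipencap output and
input matching, then runs the thread's two tunnel directions through a NAT.
All addresses and packet contents are constructed placeholders."""
import ipaddress
import struct

IPPROTO_IPIP = 4  # "ipencap" in /etc/protocols


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); raise ValueError on a bad header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[9], pkt[ihl:])


def gif_output(local: str, remote: str, inner: bytes) -> bytes:
    """gif0 on output: prepend an outer header from the tunnel's configured
    local address to its remote address, IP protocol 4."""
    return ipv4_header(local, remote, IPPROTO_IPIP, len(inner)) + inner


def gif_input(pkt: bytes, local: str, remote: str):
    """gif0 on input: claim the packet only if it is ipencap and the outer
    src/dst equal the tunnel's remote/local; return the inner packet or None."""
    src, dst, proto, inner = parse_ipv4(pkt)
    if proto != IPPROTO_IPIP or src != remote or dst != local:
        return None
    return inner


def nat_rewrite(pkt: bytes, new_src=None, new_dst=None) -> bytes:
    """A NAT box rewriting the outer header (source on the way out,
    destination on the way in) and recomputing the checksum."""
    src, dst, proto, payload = parse_ipv4(pkt)
    return ipv4_header(new_src or src, new_dst or dst, proto, len(payload)) + payload


def run_scenarios() -> dict:
    """Push the thread's two tunnel directions through the modem's NAT."""
    my_public = "198.51.100.10"   # assumed value for myend.public.ip
    dsl_public = "203.0.113.5"    # assumed value for DSL.public.ip (owned by the modem)
    dsl_inside = "192.168.1.2"    # the FreeBSD box behind the modem
    # Constructed inner packets: proto 1 (ICMP) with a 4-byte dummy payload.
    to_me = ipv4_header("192.168.6.1", "192.168.0.1", 1, 4) + b"ping"
    to_dsl = ipv4_header("192.168.0.1", "192.168.6.1", 1, 4) + b"ping"
    r = {}

    # (a) DSL box -> my end with gifconfig local = DSL.public.ip, as posted:
    #     the box emits packets carrying the modem's own outside address,
    #     exactly what anti-spoofing on the modem would drop.
    spoofed = gif_output(dsl_public, my_public, to_me)
    r["box_sources_modem_ip"] = parse_ipv4(spoofed)[0] == dsl_public

    # (b) Same direction with local = 192.168.1.2: the modem's NAT rewrites the
    #     outer source to DSL.public.ip, which is what my end expects as remote.
    honest = gif_output(dsl_inside, my_public, to_me)
    natted = nat_rewrite(honest, new_src=dsl_public)
    r["my_end_accepts_natted"] = gif_input(natted, my_public, dsl_public) == to_me
    r["my_end_rejects_unnatted"] = gif_input(honest, my_public, dsl_public) is None

    # (c) My end -> DSL box: outer dst is the modem's address. Whether gif0 on
    #     the box matches depends on what the modem does to that dst field.
    inbound = gif_output(my_public, dsl_public, to_dsl)
    dnatted = nat_rewrite(inbound, new_dst=dsl_inside)
    r["box_public_local_matches_untouched"] = gif_input(inbound, dsl_public, my_public) == to_dsl
    r["box_public_local_rejects_dnat"] = gif_input(dnatted, dsl_public, my_public) is None
    r["box_inside_local_accepts_dnat"] = gif_input(dnatted, dsl_inside, my_public) == to_dsl
    return r


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

Scenario (a) is the case Nick's anti-spoofing guess covers: with `gifconfig_gif0="DSL.public.ip myend.public.ip"` the box behind the modem sources outer packets from an address only the modem holds. Scenarios (b) and (c) show that matching depends on which outer address the modem leaves in place, so the local side of gifconfig on the DSL box has to be whatever address the modem actually delivers to, not the one it would be on a bridged line. The on-wire check Nick asks for is the same in either direction: on the receiving machine run `tcpdump -ni ed0 'ip proto 4'` (or count them with `ipfw add count log ipencap from any to any`) and see whether any ipencap packets arrive at all, and with which outer addresses.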


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0206111455300.41533-100000>