From: Mario Lobo <lobo@bsd.com.br>
To: Torsten Kersandt
Cc: freebsd-questions@freebsd.org, freebsd-pf@freebsd.org
Date: Fri, 9 Sep 2011 19:21:16 -0300
Subject: Re: VPN problem
Message-Id: <201109091921.16542.lobo@bsd.com.br>
In-Reply-To: <033101cc6f3c$4dfc8f20$e9f5ad60$@net>
User-Agent: KMail/1.13.7 (FreeBSD/8.2-STABLE; KDE/4.6.2; amd64; ; )
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Friday 09 September 2011 19:03:27 Torsten Kersandt wrote:

> Hi
> TUN and NG connections are not present at the time you start your server
> and rules for such interfaces are not applicable to PF

You're right,
but on the client end that is trying to connect to that server behind a pf
firewall, NAT rules DO apply, and in my tests I can see for sure that when I
take NAT out of the picture, the VPN tunnel is established.

> This is where the if-up and if-down functions of MPD come into place unless
> you use IP address/network specific rules.
> On one server I have in the if-up script:
>
> /etc/rc.d/pf resync
> /sbin/pfctl -t if_pptp -T add ${4}

I do all that! In fact I even go beyond and use the linkup/down scripts to
create a log on the server of which user(s) is (are) connected to the VPN, from
which public IP, with which ng interface, at what time/date they logged in and
logged out.

> And it works perfectly fine including on the secondary MPD instance (bound
> to IP address) allowing usage as default gateway functions.

Like I said before: "The FBSD+pf work VPN Server is working fine. My colleagues
can connect to it from their homes (NATted cable modems or 3G modems) without
problems."

> Other than that I think you will have to go down the bridging line.
> I may be corrected by others :-)
>
> Regards
> Torsten

Thanks again, Torsten. I think this issue seems to lie deeper than just pf
rules and link scripts.

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On
> Behalf Of Mario Lobo
> Sent: 09 September 2011 22:53
> To: freebsd-pf@freebsd.org
> Cc: freebsd-questions@freebsd.org
> Subject: Re: VPN problem
>
> On Friday 09 September 2011 18:11:47 Torsten Kersandt wrote:
> > HI Mario
> > I don't know what the experts are suggesting but I use a table for the
> > VPN addresses
> > To allow nat but block them from using the server as gateway ("use as
> > default gateway" disabled in windows)
> > I add the rules dynamically using mpd if-up and if-down scripts
> >
> > All I have in my rules is GRE pass anywhere and nat to and from
> > where ever
> >
> > Regards
> > Torsten
>
> Thanks for replying, Torsten, but the problem is way before all these things
> that you mentioned. I'm wildly guessing here, but the problem seems to be
> inside the NAT mechanism of PF. At least the working/not working situations
> point in that direction.
>
> If I don't find a solution to that soon I am gonna have no choice but to
> switch to IPFW, which I would not like to do because the queuing mechanisms
> of pf are extremely useful and handy to my networks.
>
> By the way, I also do each item that you mentioned in your post.
>
> The funny thing is that there was a time (maybe a couple csups ago) that
> this problem didn't occur, and I am totally unable to say which csup brought
> this issue in. Remember there are 3 FBSDs involved here.
>
> > -----Original Message-----
> > From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org]
> > On Behalf Of Mario Lobo
> > Sent: 09 September 2011 20:46
> > To: freebsd-pf@freebsd.org
> > Cc: freebsd-questions@freebsd.org
> > Subject: VPN problem
> >
> > Hi;
> >
> > I've been having this problem establishing a VPN behind a FreeBSD
> > 8-STABLE with pf.
> >
> > I have this scenario:
> >
> > home LAN ---- FBSD+pf home ---- INTERNET --- FBSD+pf work --- work LAN
> >                                               MPD VPN server
> >
> > nat rules on FBSD+pf home:
> > nat on $ext_if from $int_if:network to any -> ($ext_if) port 1024:65535
> > # nat on $ext_if from any to any -> ($ext_if) port 1024:65535
> >
> > obs- it makes no difference which nat rule I use. The problem persists.
> >
> > These are the first 5 pf rules on FBSD+pf home:
> > # pass quick all
> > pass quick on lo0 all
> >
> > # my whole home lan is free
> > pass in quick on $int_if from $int_if:network to any
> >
> > #--- Allow networks to see themselves and dns
> > pass quick from $int_if:network to $int_if:network
> >
> > #--- Allow vpns from anywhere to anywhere
> > pass in quick log on $int_if proto gre from any to any keep state
> > pass in quick log on $int_if proto tcp from any to any port pptp flags S/SA keep state
> >
> > On any attempt to connect to the FBSD+pf work VPN Server from home LAN,
> > I get this (even if I uncomment pass quick all):
> >
> > #>mpd5
> > Multi-link PPP daemon for FreeBSD
> >
> > process 98799 started, version 5.5 (root@Papi 16:55 3-Sep-2011)
> > CONSOLE: listening on 127.0.0.1 5005
> > web: listening on 127.0.0.1 5006
> > [B1] Bundle: Interface ng0 created
> > [L1] [L1] Link: OPEN event
> > [L1] LCP: Open event
> > [L1] LCP: state change Initial --> Starting
> > [L1] LCP: LayerStart
> > [L1] PPTP call successful
> > [L1] Link: UP event
> > [L1] LCP: Up event
> > [L1] LCP: state change Starting --> Req-Sent
> > [L1] LCP: SendConfigReq #1
> > [L1]   ACFCOMP
> > [L1]   PROTOCOMP
> > [L1]   ACCMAP 0x000a0000
> > [L1]   MRU 1486
> > [L1]   MAGICNUM 2d08ae01
> >
> > [snip..]
> >
> > [L1] LCP: SendConfigReq #10
> > [L1]   ACFCOMP
> > [L1]   PROTOCOMP
> > [L1]   ACCMAP 0x000a0000
> > [L1]   MRU 1486
> > [L1]   MAGICNUM 2d08ae01
> > [L1] LCP: parameter negotiation failed
> > [L1] LCP: state change Req-Sent --> Stopped
> > [L1] LCP: LayerFinish
> > [L1] PPTP call terminated
> > [L1] Link: DOWN event
> > [L1] LCP: Close event
> > [L1] LCP: state change Stopped --> Closed
> > [L1] LCP: Down event
> > [L1] LCP: state change Closed --> Initial
> >
> > BUT, on the 9th or 10th attempt, without touching any setting anywhere,
> > the VPN MAY BE established, out of nothing! Machines (Windows, Unix,
> > whatever) behind both FBSD+pfs ALSO have the same problem when trying to
> > close VPN tunnels to outside sites.
> >
> > Sometimes, opening an ssh session from my workstation to FBSD+pf work may
> > "help" in establishing the VPN.
> >
> > The FBSD+pf work VPN Server is working fine. My colleagues can connect to
> > it from their homes (NATted cable modems or 3G modems) without problems. I
> > am the only one behind a FBSD+pf router.
> >
> > I installed MPD5 on FBSD+pf home, and copied mpd.conf from my home
> > workstation to it.
> >
> > Without touching a single setting on mpd.conf, the VPN is established
> > from FBSD+pf home (as a client) to FBSD+pf work WITHOUT any hiccups on
> > EVERY SINGLE attempt! Even if I bring it up/down 200 times!
> >
> > And yet, if the FBSD+pf combo is out of the way (i.e. no NAT!, as is the
> > case of FBSD+pf home as a client) or if I let my cable modem do the
> > NAT/routing, the problem is GONE!
> >
> > FreeBSD work
> > FreeBSD 8.2-STABLE #0: Mon Aug 22 14:50:42 BRT 2011 amd64
> >
> > FreeBSD Home
> > FreeBSD 8.2-STABLE #0: Wed May 18 16:53:26 BRT 2011 i386
> >
> > Any suggestions?
> >
> > Thanks,
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
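Editor's note on the quoted pf rules. The thread passes `proto gre` and `port pptp` and translates the client behind `nat on $ext_if`; what makes the PPTP data channel awkward for any address translator is that it rides on GRE, which has no port numbers. The only per-call field on the wire is the Call ID that RFC 2637's enhanced GRE header carries in the key field. The following is an added example for this page, not code from the thread, from pf or from mpd5: it parses and builds that header from constructed bytes and shows that, after translation, two clients behind one NAT are distinguishable only by Call ID, a value each peer picks on its own. The addresses are documentation ranges chosen for illustration.

```python
"""Parse the enhanced GRE header that PPTP uses for its data channel (RFC 2637,
section 4.1) and show what a NAT has to key on for it.

Added example; not code from the thread, from pf or from mpd5. Packets and
addresses below are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

PPTP_GRE_PROTOCOL = 0x880B  # protocol type "PPP" fixed by RFC 2637

# First 16 bits of the enhanced GRE header: |C|R|K|S|s|Recur|A| Flags | Ver |
FLAG_C = 0x8000      # checksum present; must be 0 for PPTP
FLAG_R = 0x4000      # routing present; must be 0
FLAG_K = 0x2000      # key present; must be 1 (the key carries the Call ID)
FLAG_S = 0x1000      # sequence number present (set when a payload is carried)
FLAG_s = 0x0800      # strict source route; must be 0
RECUR_MASK = 0x0700  # recursion control; must be 0
FLAG_A = 0x0080      # acknowledgment number present
FLAGS_MASK = 0x0078  # reserved; must be 0
VER_MASK = 0x0007    # version; must be 1 (enhanced GRE)


@dataclass
class PptpGre:
    call_id: int
    payload_length: int
    seq: Optional[int]
    ack: Optional[int]
    payload: bytes


def _u32(data: bytes, off: int) -> int:
    if len(data) < off + 4:
        raise ValueError("GRE header truncated")
    return struct.unpack("!I", data[off:off + 4])[0]


def parse_pptp_gre(data: bytes) -> PptpGre:
    """Parse one PPTP data packet (GRE header plus PPP payload, IP header removed)."""
    if len(data) < 8:
        raise ValueError("GRE header truncated")
    flags, proto, payload_length, call_id = struct.unpack("!HHHH", data[:8])
    if proto != PPTP_GRE_PROTOCOL:
        raise ValueError("not PPP over GRE: protocol type 0x%04x" % proto)
    if flags & (FLAG_C | FLAG_R | FLAG_s | RECUR_MASK | FLAGS_MASK):
        raise ValueError("bits that must be zero for PPTP are set")
    if (flags & VER_MASK) != 1 or not (flags & FLAG_K):
        raise ValueError("not enhanced GRE with a key field")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq, off = _u32(data, off), off + 4
    if flags & FLAG_A:
        ack, off = _u32(data, off), off + 4
    payload = data[off:off + payload_length]
    if len(payload) != payload_length:
        raise ValueError("payload shorter than the Payload Length field")
    return PptpGre(call_id, payload_length, seq, ack, payload)


def build_pptp_gre(call_id: int, payload: bytes = b"",
                   seq: Optional[int] = None, ack: Optional[int] = None) -> bytes:
    """Build a PPTP data packet; an ack-only packet has no payload and no S bit."""
    flags, opt = FLAG_K | 1, b""
    if seq is not None:
        flags |= FLAG_S
        opt += struct.pack("!I", seq)
    if ack is not None:
        flags |= FLAG_A
        opt += struct.pack("!I", ack)
    return struct.pack("!HHHH", flags, PPTP_GRE_PROTOCOL, len(payload), call_id) + opt + payload


def nat_state_key(src_ip: str, dst_ip: str, gre: PptpGre) -> Tuple[str, str, int]:
    """TCP/UDP state is keyed on (src, dst, sport, dport). GRE has no ports, so
    the Call ID in the key field is the only per-call discriminator left."""
    return (src_ip, dst_ip, gre.call_id)


def call_ids_collide_behind_nat(ext_ip: str, server_ip: str,
                                packets: Iterable[Tuple[str, bytes]]) -> bool:
    """Given (internal_ip, packet) pairs from clients behind one translator, report
    whether two different clients end up with the same post-translation key."""
    seen = {}
    for internal_ip, pkt in packets:
        key = nat_state_key(ext_ip, server_ip, parse_pptp_gre(pkt))
        if key in seen and seen[key] != internal_ip:
            return True
        seen[key] = internal_ip
    return False


if __name__ == "__main__":
    lcp = b"\xff\x03\xc0\x21\x01\x01\x00\x04"  # constructed PPP LCP Configure-Request
    print(parse_pptp_gre(build_pptp_gre(0x1234, lcp, seq=1)))
```

The practical consequence for a pf setup like the one quoted above is that `pass ... proto gre` with `keep state` can only track GRE by address pair; whether a given pf version disambiguates PPTP calls by Call ID is something to verify against that version's documentation rather than assume.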
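Editor's note on the quoted mpd5 log. The excerpt shows "PPTP call successful" (the TCP/1723 control connection completed) followed by LCP Configure-Requests #1 through #10 with no reply of any kind, then "parameter negotiation failed"; LCP frames travel inside the GRE data channel, so that pattern says the control channel is fine and the GRE path is not carrying replies. The following is an added example for this page, not code from mpd5 or from the thread: it summarizes such a log and classifies the outcome. The sample is the posted excerpt with the lines hidden behind "[snip..]" omitted; the `rec'd Configure ...` pattern used to count peer replies is assumed from mpd's FSM logging rather than taken from the page, and the diagnosis labels are this example's own.

```python
"""Summarize one LCP negotiation from mpd5 client log output.

Added example; not code from mpd5 or the thread. SAMPLE_LOG is the excerpt posted
in the thread with the snipped requests #2..#9 omitted. The "rec'd Configure ..."
pattern is an assumption about mpd's FSM log format, not something on the page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_LOG = """\
[B1] Bundle: Interface ng0 created
[L1] [L1] Link: OPEN event
[L1] LCP: Open event
[L1] LCP: state change Initial --> Starting
[L1] LCP: LayerStart
[L1] PPTP call successful
[L1] Link: UP event
[L1] LCP: Up event
[L1] LCP: state change Starting --> Req-Sent
[L1] LCP: SendConfigReq #1
[L1]   ACFCOMP
[L1]   PROTOCOMP
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1486
[L1]   MAGICNUM 2d08ae01
[L1] LCP: SendConfigReq #10
[L1]   ACFCOMP
[L1]   PROTOCOMP
[L1]   ACCMAP 0x000a0000
[L1]   MRU 1486
[L1]   MAGICNUM 2d08ae01
[L1] LCP: parameter negotiation failed
[L1] LCP: state change Req-Sent --> Stopped
[L1] LCP: LayerFinish
[L1] PPTP call terminated
[L1] Link: DOWN event
[L1] LCP: Close event
[L1] LCP: state change Stopped --> Closed
[L1] LCP: Down event
[L1] LCP: state change Closed --> Initial
"""

RE_SEND_REQ = re.compile(r"LCP: SendConfigReq #(\d+)")
RE_RECV = re.compile(r"LCP: rec'd Configure (Request|Ack|Nak|Reject)")  # assumed format
RE_STATE = re.compile(r"LCP: state change (\S+) --> (\S+)")
RE_MRU = re.compile(r"^\[L\d+\]\s+MRU (\d+)")


@dataclass
class LcpSummary:
    pptp_call_ok: bool = False       # control connection (TCP/1723) set the call up
    max_config_req: int = 0          # highest Configure-Request number we sent
    peer_lcp_frames: int = 0         # LCP frames received from the peer over GRE
    mru: Optional[int] = None        # MRU we offered
    negotiation_failed: bool = False
    states: List[str] = field(default_factory=list)


def summarize_lcp(log: str) -> LcpSummary:
    s = LcpSummary()
    for line in log.splitlines():
        if "PPTP call successful" in line:
            s.pptp_call_ok = True
            continue
        if "parameter negotiation failed" in line:
            s.negotiation_failed = True
            continue
        m = RE_SEND_REQ.search(line)
        if m:
            s.max_config_req = max(s.max_config_req, int(m.group(1)))
            continue
        if RE_RECV.search(line):
            s.peer_lcp_frames += 1
            continue
        m = RE_STATE.search(line)
        if m:
            if not s.states:
                s.states.append(m.group(1))
            s.states.append(m.group(2))
            continue
        m = RE_MRU.match(line)
        if m and s.mru is None:
            s.mru = int(m.group(1))
    return s


def diagnose(s: LcpSummary) -> str:
    """Classify the outcome; the labels are this example's own, not mpd5's."""
    if not s.pptp_call_ok:
        return "pptp-control-failed"    # TCP/1723 call setup never completed
    if s.negotiation_failed and s.peer_lcp_frames == 0:
        return "no-lcp-reply-over-gre"  # control OK, nothing came back over GRE
    if s.negotiation_failed:
        return "lcp-options-rejected"   # peer answered but options never converged
    return "lcp-ok" if "Opened" in s.states else "lcp-incomplete"


if __name__ == "__main__":
    summary = summarize_lcp(SAMPLE_LOG)
    print(summary)
    print(diagnose(summary))
```

For the posted log the classifier lands on "no-lcp-reply-over-gre", which is the case where the next thing to check is whether GRE (IP protocol 47) is passed and translated in both directions between client and server, for example with `tcpdump -ni $ext_if proto gre` on the translating host.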