From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 10 00:00:55 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3DBD516A4CE for ; Mon, 10 Nov 2003 00:00:55 -0800 (PST)
Received: from mail.latnet.lv (mail.latnet.lv [159.148.108.13]) by mx1.FreeBSD.org (Postfix) with SMTP id 5A99543F3F for ; Mon, 10 Nov 2003 00:00:53 -0800 (PST) (envelope-from ac-lists@latnet.lv)
Received: (qmail 19374 invoked by uid 64014); 10 Nov 2003 08:00:51 -0000
Received: from ac-lists@latnet.lv by mail by uid 64011 with qmail-scanner-1.16 (clamscan: 0.54. Clear:. Processed in 0.750409 secs); 10 Nov 2003 08:00:51 -0000
Received: from unknown (HELO artis) (159.148.107.1) by mail.latnet.lv with SMTP; 10 Nov 2003 08:00:50 -0000
From: "Artis Caune"
To: "'Luigi Rizzo'"
Date: Mon, 10 Nov 2003 09:59:29 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Thread-Index: AcOkWsQR5BVxSiSNRvmpLbAFblGCpQArLJ0w
In-Reply-To: <20031106033919.A65661@xorpc.icir.org>
X-Qmail-Scanner-Message-ID: <106845125152619344@mail>
Message-Id: <20031110080053.5A99543F3F@mx1.FreeBSD.org>
cc: freebsd-ipfw@freebsd.org
Subject: RE: loading lot of rules takes very long time
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 10 Nov 2003 08:00:55 -0000

"-Nq" speeds it up a little bit, thanks.

We need individual pipes for each client, because they are different
organizations and pay different prices for different speed pipes
(international traffic). We have a /16 prefix ;)

We use "or" blocks for organizations with more than one IP.

So I believe our rules design is not OK, but we can do nothing about it!

We use "skipto" to divide our /16 prefix into pieces:

add 2 skipto 100 all from any to 159.148.0.0/24
add 2 skipto 200 all from any to 159.148.1.0/24
...
add 2 skipto N all from any to 159.148.255.0/24

This is just an example; we need more planning.

pf can load 50000 rules in about 5-7 sec.
ipfw needs about 25-35 min to load 30000 rules.

-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Luigi Rizzo
Sent: Thursday, 6 November 2003 13:39
To: Artis Caune
Cc: freebsd-ipfw@freebsd.org
Subject: Re: loading lot of rules takes very long time

most likely, because you are not using "-n", the printing code will use
the nameserver to try and resolve addresses, and if halfway through you
are limiting/blocking access to the nameserver you incur timeouts.

To tell the truth i suspect you have a quite poorly designed ruleset if
you are adding individual rules and pipes for each client. Almost surely
you should make use of masks in pipes, and address sets in rules, to
reduce the size of your ruleset to something manageable and efficient.

cheers
luigi

On Thu, Nov 06, 2003 at 01:04:31PM +0200, Artis Caune wrote:
> Hello,
>
> We have about 10000-20000 pipes for different subnets, and it takes a
> very long time to load them - about 10-15 min.
>
> 92.8% interrupt, 0.0% idle
>
> strange that things slow down when the count reaches 2000-2500 rules.
>
> is there something we can do to speed things up?
>
> rules are added like:
> ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> ipfw pipe 1 config bw 30Kbytes/s queue 10
> ...
> so 'ipfw' is invoked '2 x client_count' !!!
>
> maybe ipfw needs a feature like:
> ipfw -f /etc/rc.firewall
>
> # FreeBSD-4.9, IPFW2,
> # HZ=2000, DEVICE_POLLING,
> # 1G RAM, 2.4xeon on Intel server board
>
> .....
> Artis

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 10 00:18:02 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5E70216A4CE for ; Mon, 10 Nov 2003 00:18:02 -0800 (PST)
Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F9B043FB1 for ; Mon, 10 Nov 2003 00:18:01 -0800 (PST) (envelope-from rizzo@xorpc.icir.org)
Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.9p1/8.12.3) with ESMTP id hAA8I1Fw068785; Mon, 10 Nov 2003 00:18:01 -0800 (PST) (envelope-from rizzo@xorpc.icir.org)
Received: (from rizzo@localhost) by xorpc.icir.org (8.12.9p1/8.12.3/Submit) id hAA8I1fc068784; Mon, 10 Nov 2003 00:18:01 -0800 (PST) (envelope-from rizzo)
Date: Mon, 10 Nov 2003 00:18:01 -0800
From: "'Luigi Rizzo'"
To: Artis Caune
Message-ID: <20031110001801.A67328@xorpc.icir.org>
References: <20031106033919.A65661@xorpc.icir.org> <20031110080053.5A99543F3F@mx1.FreeBSD.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20031110080053.5A99543F3F@mx1.FreeBSD.org>; from ac-lists@latnet.lv on Mon, Nov 10, 2003 at 09:59:29AM +0200
cc: freebsd-ipfw@freebsd.org
Subject: Re: loading lot of rules takes very long time
X-List-Received-Date: Mon, 10 Nov 2003 08:18:02 -0000

On Mon, Nov 10, 2003 at 09:59:29AM +0200, Artis Caune wrote:
> "-Nq" speeds it up a little bit, thanks
>
> We need individual pipes for each client, because they are different
> organizations and pay different prices for different speed pipes
> (international traffic). We have a /16 prefix ;)

i understand that, what i meant is that i believe you only have a
handful (say S) of different speeds and a handful (say L) of prefix
lengths, so you could just create 2*S*L pipes with masks and pass
traffic for the various clients to these pipes. This would make your
ruleset a lot more efficient.

> we use "skipto" to divide our /16 prefix into pieces:
> add 2 skipto 100 all from any to 159.148.0.0/24
> add 2 skipto 200 all from any to 159.148.1.0/24
> ...
> add 2 skipto N all from any to 159.148.255.0/24
>
> This is just an example; we need more planning.
>
> pf can load 50000 rules in about 5-7 sec.
> ipfw needs about 25-35 min to load 30000 rules.

hmm... i believe you should really follow the suggestion that someone
else posted and use the

    ipfw [-cnNqS] [-p preproc [preproc-flags]] pathname

command format to load all rules at once.

cheers
luigi

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Luigi Rizzo
> Sent: Thursday, 6 November 2003 13:39
> To: Artis Caune
> Cc: freebsd-ipfw@freebsd.org
> Subject: Re: loading lot of rules takes very long time
>
> most likely, because you are not using "-n", the printing
> code will use the nameserver to try and resolve addresses, and
> if halfway through you are limiting/blocking access to the
> nameserver you incur timeouts.
>
> To tell the truth i suspect you have a quite poorly designed
> ruleset if you are adding individual rules and pipes for each
> client. Almost surely you should make use of masks in pipes,
> and address sets in rules, to reduce the size of your ruleset
> to something manageable and efficient.
>
> cheers
> luigi
>
> On Thu, Nov 06, 2003 at 01:04:31PM +0200, Artis Caune wrote:
> > Hello,
> >
> > We have about 10000-20000 pipes for different subnets, and it takes a
> > very long time to load them - about 10-15 min.
> >
> > 92.8% interrupt, 0.0% idle
> >
> > strange that things slow down when the count reaches 2000-2500 rules.
> >
> > is there something we can do to speed things up?
> >
> > rules are added like:
> > ipfw -q add 1 pipe 1 src-ip 1.1.1.1 out via em0
> > ipfw pipe 1 config bw 30Kbytes/s queue 10
> > ...
> > so 'ipfw' is invoked '2 x client_count' !!!
> >
> > maybe ipfw needs a feature like:
> > ipfw -f /etc/rc.firewall
> >
> > # FreeBSD-4.9, IPFW2,
> > # HZ=2000, DEVICE_POLLING,
> > # 1G RAM, 2.4xeon on Intel server board
> >
> > .....
> > Artis

From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 10 07:58:58 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DBD2416A4CF for ; Mon, 10 Nov 2003 07:58:58 -0800 (PST)
Received: from tenebras.com (dnscache.tenebras.com [66.92.188.165]) by mx1.FreeBSD.org (Postfix) with SMTP id 919F943FB1 for ; Mon, 10 Nov 2003 07:58:57 -0800 (PST) (envelope-from kudzu@tenebras.com)
Received: (qmail 65584 invoked from network); 10 Nov 2003 15:58:57 -0000
Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 10 Nov 2003 15:58:57 -0000
Message-ID: <3FAFB5C0.6070509@tenebras.com>
Date: Mon, 10 Nov 2003 07:58:56 -0800
From: Michael Sierchio
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org
References: <20031110080053.5A99543F3F@mx1.FreeBSD.org>
In-Reply-To: <20031110080053.5A99543F3F@mx1.FreeBSD.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: loading lot of rules takes very long time
X-List-Received-Date: Mon, 10 Nov 2003 15:58:59 -0000

Artis Caune wrote:
> So I believe our rules design is not OK, but we can
> do nothing about it!

Because you need the eggs?

> ipfw needs about 25-35 min to load 30000 rules.

30000? I'm suspicious of any ruleset with more than 300.
I suppose if this is just an academic exercise, have fun.
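The two suggestions Luigi makes in the thread above, dummynet pipes with masks (one pipe per direction, speed and prefix length, 2*S*L in total, instead of one per client) and loading the whole ruleset with a single `ipfw -q pathname` invocation instead of one ipfw(8) process per rule, as a worked example. This is illustration added for this page, not code from the thread or from FreeBSD. The client table, the outside interface `em0`, the pipe and rule numbering and the 50-slot queue are assumptions; the script only generates the file, the `ipfw -q /path/to/file` load itself is done on the router.

```sh
#!/bin/sh
# Added example for this page (not code from the thread or from FreeBSD):
# build ONE ipfw(8) ruleset file that uses dummynet pipes with masks, one
# pipe per (direction, speed, prefix length), and that is loaded with a
# single "ipfw -q /path/to/file" instead of one ipfw(8) process per client.
# Assumptions (hypothetical): outside interface em0, the client table
# below, the pipe/rule numbering and a 50-slot queue.

OUT_IF=em0   # assumed interface towards the international link

# Constructed client table, one "prefix speed" pair per line, speed in Kbit/s.
# Three speeds and three prefix lengths, so at most 2*S*L = 18 pipes; only the
# combinations that actually occur are created (8 here).
CLIENTS='159.148.0.0/24 512
159.148.1.0/29 128
159.148.1.8/29 128
159.148.2.0/25 512
159.148.2.128/25 256'

# Hex netmask for a prefix length, the form dummynet "mask" takes: 29 -> 0xfffffff8.
prefix_mask() {
    printf '0x%08x\n' $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# Print the ruleset for "ipfw -q file": first the "pipe N config" lines, then
# one "add" rule per client and direction pointing at the shared pipe.
# A pipe with "mask src-ip M" gives every distinct masked source its own
# dynamic pipe of the configured bandwidth, so one pipe definition serves
# every client that buys that speed with that prefix length.
gen_ruleset() {
    table=$1; ifc=$2
    alloc=""            # allocated pipes as "dir/speed/len=number" words
    n_up=0; n_down=0    # up: client -> world (src-ip mask); down: world -> client (dst-ip mask)
    pipes=""; rules=""; rno=1000
    while read -r prefix speed; do
        [ -n "$prefix" ] || continue
        len=${prefix#*/}
        for dir in up down; do
            key="$dir/$speed/$len"
            no=""
            for entry in $alloc; do
                case $entry in "$key="*) no=${entry#*=} ;; esac
            done
            if [ -z "$no" ]; then            # first client with this tuple: define the pipe
                if [ "$dir" = up ]; then
                    n_up=$((n_up + 1)); no=$((1000 + n_up)); field=src-ip
                else
                    n_down=$((n_down + 1)); no=$((2000 + n_down)); field=dst-ip
                fi
                alloc="$alloc $key=$no"
                pipes="$pipes
pipe $no config bw ${speed}Kbit/s queue 50 mask $field $(prefix_mask "$len")"
            fi
            if [ "$dir" = up ]; then
                rules="$rules
add $rno pipe $no ip from $prefix to any out via $ifc"
            else
                rules="$rules
add $rno pipe $no ip from any to $prefix in via $ifc"
            fi
            rno=$((rno + 1))
        done
    done <<EOF
$table
EOF
    # With net.inet.ip.fw.one_pass=1 (the default) a packet leaves the ruleset
    # after the pipe; with one_pass=0 it continues at the next rule, so the
    # accept/deny policy that follows these rules is left to the administrator.
    printf '%s\n' "$pipes" "$rules" | sed '/^$/d'
}

# Stand-alone: print the file that would be handed to "ipfw -q".
gen_ruleset "$CLIENTS" "$OUT_IF"
```

With the table above the generator emits 8 pipe definitions and 10 rules; the two /29 clients at 128 Kbit/s share pipe 1002 upstream and pipe 2002 downstream, and the mask makes each /29 its own 128 Kbit/s flow. The rule count still grows with the client count; ipfw2's address lists in a rule (see the addr-list syntax in ipfw(8)) can collapse the clients of one pipe into fewer rules, which this example does not do.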
From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 10 11:02:03 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A7D1F16A4CE for ; Mon, 10 Nov 2003 11:02:03 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2763F43FAF for ; Mon, 10 Nov 2003 11:02:03 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id hAAJ23FY050886 for ; Mon, 10 Nov 2003 11:02:03 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id hAAJ22sj050880 for ipfw@freebsd.org; Mon, 10 Nov 2003 11:02:02 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 10 Nov 2003 11:02:02 -0800 (PST)
Message-Id: <200311101902.hAAJ22sj050880@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: ipfw@FreeBSD.org
Subject: Current problem reports assigned to you
X-List-Received-Date: Mon, 10 Nov 2003 19:02:03 -0000

Current FreeBSD problem reports

Critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2003/03/23] kern/50216  ipfw   kernel panic on 5.0-current when use ipfw

1 problem total.

Serious problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
o [2002/12/27] kern/46557  ipfw   ipfw pipe show fails with lots of queues
o [2003/04/22] kern/51274  ipfw   ipfw2 create dynamic rules with parent nu
f [2003/04/24] kern/51341  ipfw   ipfw rule 'deny icmp from any to any icmp

3 problems total.

Non-critical problems

S Submitted    Tracker     Resp.  Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534  ipfw   Add an option to ipfw to log gid/uid of w
o [2002/12/07] kern/46080  ipfw   [PATCH] logamount in ipfw2 does not defau
o [2002/12/10] kern/46159  ipfw   ipfw dynamic rules lifetime feature
o [2002/12/27] kern/46564  ipfw   IPFilter and IPFW processing order is not
o [2003/02/11] kern/48172  ipfw   ipfw does not log size and flags
o [2003/03/10] kern/49086  ipfw   [patch] Make ipfw2 log to different syslo
o [2003/03/12] bin/49959   ipfw   ipfw tee port rule skips parsing next rul
o [2003/04/09] bin/50749   ipfw   ipfw2 incorrectly parses ports and port r
o [2003/08/25] kern/55984  ipfw   [patch] time based firewalling support fo

9 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 11 01:36:13 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8F5D916A4CE for ; Tue, 11 Nov 2003 01:36:13 -0800 (PST)
Received: from Alpha.Sonnit.DK (alpha.sonnit.dk [217.157.39.2]) by mx1.FreeBSD.org (Postfix) with SMTP id D6D1C43FB1 for ; Tue, 11 Nov 2003 01:36:11 -0800 (PST) (envelope-from gjs@sonnit.dk)
Received: (qmail 66972 invoked by uid 1000); 11 Nov 2003 09:36:09 -0000
From: "Gorm J. Siiger"
Date: Tue, 11 Nov 2003 10:36:09 +0100
To: freebsd-ipfw@freebsd.org
Message-ID: <20031111093609.GI94551@SonnIT.DK>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.4i
Subject: ipfw FWD, NAT and routing
X-List-Received-Date: Tue, 11 Nov 2003 09:36:13 -0000

Hi

I'm experimenting with a dual ISP setup using NAT, as each ISP has provided
me with a subnet of official IP addresses.

Network setup:

    --------          --------
    | ISP1 |          | ISP2 |
    --------          --------
        |                |
        |    --------    |
        -----|  FW  |-----
             --------
                |
                |
             --------
             |Server|
             --------

ISP1 LAN   : 20.0.0.0/29
ISP2 LAN   : 21.0.0.0/29
Server LAN : 10.0.0.0/24
Server IP on ISP1: 20.0.0.2
Server IP on LAN:  10.0.0.2
Server IP on ISP2: 21.0.0.2
Server IP on LAN:  10.0.0.3

The default gateway for the FW box is ISP1.

I can connect to the whole world via ISP1 from the server with source IP
10.0.0.2, but when I try to connect to a host via ISP2 from source 10.0.0.3
the TCP connection is very slow, and there are a lot of retransmissions.

If I change the FW's default gateway to ISP2 it works like a charm.

Any suggestions on how to fix this problem?

/usr/local/etc/natd.conf
use_sockets
unregistered_only yes
alias_address 20.0.0.6
redirect_address 10.0.0.2 20.0.0.2
redirect_address 10.0.0.3 21.0.0.2

/etc/rc.firewall
${fwcmd} add 400 divert natd all from any to any via ${isp0if}
${fwcmd} add 405 divert natd all from any to any via ${isp1if}
${fwcmd} add 505 fwd 21.0.0.0 ip from 21.0.0.0/29 to any

--
Gorm J. Siiger - SonnIT

From owner-freebsd-ipfw@FreeBSD.ORG Tue Nov 11 16:30:48 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA7D216A4CE for ; Tue, 11 Nov 2003 16:30:48 -0800 (PST)
Received: from mx01.bos.ma.towardex.com (a65-124-16-8.svc.towardex.com [65.124.16.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C45F43FDF for ; Tue, 11 Nov 2003 16:30:48 -0800 (PST) (envelope-from haesu@mx01.bos.ma.towardex.com)
Received: by mx01.bos.ma.towardex.com (TowardEX ESMTP 3.0p11_DAKN, from userid 1001) id 72F8F2F966; Tue, 11 Nov 2003 19:31:11 -0500 (EST)
Date: Tue, 11 Nov 2003 19:31:11 -0500
From: Haesu
To: freebsd-ipfw@freebsd.org
Message-ID: <20031112003111.GA74121@scylla.towardex.com>
References: <20031110080053.5A99543F3F@mx1.FreeBSD.org> <3FAFB5C0.6070509@tenebras.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3FAFB5C0.6070509@tenebras.com>
User-Agent: Mutt/1.4.1i
Subject: Re: loading lot of rules takes very long time
X-List-Received-Date: Wed, 12 Nov 2003 00:30:48 -0000

30,000 rules? I hope you are only using one_pass in the sysctl var or
making good use of skipto after the packet passes through the queue, or
other measures... I want to see how much pps you can put up with vanilla
30k rules :(

Besides, good luck if someone DoSes an IP that goes through long searches..

-hc

--
Haesu C.
TowardEX Technologies, Inc.
Consulting, colocation, web hosting, network design and implementation
http://www.towardex.com | haesu@towardex.com
Cell: (978)394-2867 | Office: (978)263-3399 Ext.
170
Fax: (978)263-0033 | POC: HAESU-ARIN

On Mon, Nov 10, 2003 at 07:58:56AM -0800, Michael Sierchio wrote:
> Artis Caune wrote:
>
> >So I believe our rules design is not OK, but we can
> >do nothing about it!
>
> Because you need the eggs?
>
> >ipfw needs about 25-35 min to load 30000 rules.
>
> 30000? I'm suspicious of any ruleset with more than 300.
> I suppose if this is just an academic exercise, have fun.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 12 14:43:42 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B43C816A4CE for ; Wed, 12 Nov 2003 14:43:42 -0800 (PST)
Received: from smtp07.wxs.nl (smtp07.wxs.nl [195.121.6.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id C0EDF43FDD for ; Wed, 12 Nov 2003 14:43:41 -0800 (PST) (envelope-from akruijff@www.kruijff.org)
Received: from kruij557.speed.planet.nl (ipd50a97ba.speed.planet.nl [213.10.151.186]) by smtp07.wxs.nl (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003)) with ESMTP id <0HO900FXXGGS37@smtp07.wxs.nl> for freebsd-ipfw@freebsd.org; Wed, 12 Nov 2003 23:43:41 +0100 (MET)
Received: from Alex.lan (localhost [127.0.0.1]) by kruij557.speed.planet.nl (8.12.9p2/8.12.9) with ESMTP id hACMhhHG002872; Wed, 12 Nov 2003 23:43:43 +0100 (CET envelope-from akruijff@Alex.lan)
Received: (from akruijff@localhost) by Alex.lan (8.12.9p2/8.12.9/Submit) id hACMhgqQ002871; Wed, 12 Nov 2003 23:43:42 +0100 (CET envelope-from akruijff)
Date: Wed, 12 Nov 2003 23:43:41 +0100
From: Alex de Kruijff
In-reply-to: <20031111093609.GI94551@SonnIT.DK>
To: "Gorm J. Siiger"
Message-id: <20031112224341.GF963@dds.nl>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
Content-disposition: inline
User-Agent: Mutt/1.4.1i
References: <20031111093609.GI94551@SonnIT.DK>
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw FWD, NAT and routing
X-List-Received-Date: Wed, 12 Nov 2003 22:43:42 -0000

On Tue, Nov 11, 2003 at 10:36:09AM +0100, Gorm J. Siiger wrote:
> Hi
>
> I'm experimenting with a dual ISP setup using NAT, as each ISP has provided
> me with a subnet of official IP addresses.
>
> Network setup:
>
>     --------          --------
>     | ISP1 |          | ISP2 |
>     --------          --------
>         |                |
>         |    --------    |
>         -----|  FW  |-----
>              --------
>                 |
>                 |
>              --------
>              |Server|
>              --------
>
> ISP1 LAN   : 20.0.0.0/29
> ISP2 LAN   : 21.0.0.0/29
> Server LAN : 10.0.0.0/24
> Server IP on ISP1: 20.0.0.2
> Server IP on LAN:  10.0.0.2
> Server IP on ISP2: 21.0.0.2
> Server IP on LAN:  10.0.0.3
>
> The default gateway for the FW box is ISP1.
>
> I can connect to the whole world via ISP1 from the server with source IP
> 10.0.0.2, but when I try to connect to a host via ISP2 from source 10.0.0.3
> the TCP connection is very slow, and there are a lot of retransmissions.
>
> If I change the FW's default gateway to ISP2 it works like a charm.
>
> Any suggestions on how to fix this problem?

I don't understand what you want to achieve right now. Do you want ISP2
to be used only when the clients open the IP in the 21/29 range?

Adding to /etc/rc.conf to set the routes up:

defaultroute="ISP1_GATEWAY"
static_routes="isp2"
route_isp2="-net 21.0.0.0 ISP2_GATEWAY"

If you only have one server that uses two IPs then forget about using
natd. Natd is for sharing an IP address with multiple computers.

> /usr/local/etc/natd.conf
> use_sockets
> unregistered_only yes
> alias_address 20.0.0.6
> redirect_address 10.0.0.2 20.0.0.2
> redirect_address 10.0.0.3 21.0.0.2

Read the section about alias_address in the natd manual. This tells you
why you're having problems.

If you do need natd, because you have servers behind your gateway, then
you need to have one running on if_isp1 and one on if_isp2 with unique
configuration files. You need to write your own scripts that do this
and place them in /etc/local/etc/rc.d/, since this can not be done from
rc.conf.

> /etc/rc.firewall
> ${fwcmd} add 400 divert natd all from any to any via ${isp0if}
> ${fwcmd} add 405 divert natd all from any to any via ${isp1if}
> ${fwcmd} add 505 fwd 21.0.0.0 ip from 21.0.0.0/29 to any

Please read the section about forward in the ipfw manual. You seem to
have a wrong idea about what to put after the fwd action. 21.0.0.0
isn't a valid address.

If you need a specialised firewall then I would advise against
modifying rc.firewall and use another config file instead. The reason
behind it is that this file could be overridden if you update your OS.
You can do this by adding this to rc.conf:

firewall_enable="YES"
firewall_type="/etc/firewall.conf"

This file should contain something like:

add 100 skipto 10000 ip from any to any via if_isp1
add 200 skipto 20000 ip from any to any via if_isp2
add 300 skipto 30000 ip from any to any via if_local
add 400 allow ip from any to any via lo0
add 500 deny ip from any to any
# Now the firewall is still simple. But if your needs grow the rules
# grow in number. Splitting this up early cuts the number of rules
# packets have to go through without the need to do so.
add 10100 divert natd1 ip from any to any
add 19999 allow ip from any to any
add 20100 divert natd2 ip from any to any
add 29999 allow ip from any to any
add 30100 fwd ISP2_address ip from 10.0.0.3 to any
add 39999 allow ip from any to any

--
Alex

Articles based on solutions that I use:
http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 13 02:47:19 2003
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B37F716A4CE for ; Thu, 13 Nov 2003 02:47:19 -0800 (PST)
Received: from mail.evip.pl (mail.evip.com.pl [212.244.157.179]) by mx1.FreeBSD.org (Postfix) with ESMTP id 323F443FBD for ; Thu, 13 Nov 2003 02:47:18 -0800 (PST) (envelope-from w@evip.pl)
Received: from drwebc by mail.evip.pl with drweb-scanned (Exim 4.22) id 1AKF0P-000JK0-Dj for freebsd-ipfw@freebsd.org; Thu, 13 Nov 2003 11:47:17 +0100
Received: from w by mail.evip.pl with local (Exim 4.22) id 1AKF0P-000JJu-Aq for freebsd-ipfw@freebsd.org; Thu, 13 Nov 2003 11:47:17 +0100
Date: Thu, 13 Nov 2003 11:47:17 +0100
From: Wiktor Niesiobedzki
To: freebsd-ipfw@freebsd.org
Message-ID: <20031113104717.GK231@mail.evip.pl>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
Sender: Wiktor Niesiobedzki
Subject: Uid keyword matches only on loopback interface
X-List-Received-Date: Thu, 13 Nov 2003 10:47:19 -0000

Hi,

After setting up my firewall I saw that only a few packets match the uid
keyword. From my trivial test it came out that only loopback traffic can
be matched. Is there some bug lying in here?
The simple rule: 00395 0 0 count log tcp from any to any uid root Will match only: Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:80 127.0.0.1:50780 out via lo0 Nov 13 11:41:23 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 in via lo0 Nov 13 11:41:25 portal kernel: ipfw: 395 Count TCP 127.0.0.1:50780 127.0.0.1:80 out via lo0 That kind of traffic. Any traffic going by other interface is not counted. uname -a FreeBSD portal 5.1-CURRENT FreeBSD 5.1-CURRENT #1: Tue Nov 11 10:15:12 CET 2003 root@portal:/home/usr/obj/home/usr/src/sys/PORTAL i386 /sys/netinet/ip_fw2.c: $FreeBSD: src/sys/netinet/ip_fw2.c,v 1.43 2003/11/07 23:26:57 sam Exp $ Cheers, Wiktor Niesiobedzki From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 13 09:46:28 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E831316A4CE; Thu, 13 Nov 2003 09:46:28 -0800 (PST) Received: from mtl.alis.com (mtl.alis.com [199.84.165.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id AE7ED43FE3; Thu, 13 Nov 2003 09:46:26 -0800 (PST) (envelope-from vgoupil@alis.com) Received: from alis-2k.alis.domain (alis-2k.alis.com [199.84.165.130]) by mtl.alis.com (8.12.8p2/8.12.8) with ESMTP id hADHkP5G018531; Thu, 13 Nov 2003 12:46:25 -0500 (EST) (envelope-from vgoupil@alis.com) Received: by alis-2k.alis.domain with Internet Mail Service (5.5.2653.19) id ; Thu, 13 Nov 2003 12:46:25 -0500 Message-ID: From: Vincent Goupil To: "'freebsd-ipfw@freebsd.org'" , "'freebsd-net@freebsd.org'" , "'freebsd-isp@freebsd.org'" Date: Thu, 13 Nov 2003 12:46:24 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp) Subject: IPSec VPN & NATD (problem with alias_address vs redirect_address) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 
2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Nov 2003 17:46:29 -0000 I setup a firewall with ipfw2 and natd on freebsd 4.9 release. I have mapped my subnet with alias_address I have mapped 4 private ip address with 4 public ip address Everything is working fine (web, email, ftp, etc..) for outgoing and incoming connexion for anyone on my network. With this configuration, 5 person at a time (on my network) could dial = to the same VPN server. 4 with different IP and the one with the alias_address. I supposed = that only one person at a time can use the alias_address with the IPSec VPN = (I think, tell me if I'm wrong) I have authorized AH and ESP to pass through my firewall. Also incoming UDP 500 I'm able to use the VPN for the people mapped with alias_address. I can't use the VPN with the people using the redirect_address. Is there any problem with the redirect_address directive with natd for = the protocol 51 and 51. Is there any other way to have these 5 people at the same time to communicate to the same vpn server ? I though that I could use the redirect_address to do that. So the = incoming connexion to the VPN server appear from a different IP source address. 
Vincent Goupil Administrateur r=E9seau / Network administrator From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 13 12:23:48 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2826916A4CE; Thu, 13 Nov 2003 12:23:48 -0800 (PST) Received: from mta4.adelphia.net (mta4.adelphia.net [68.168.78.184]) by mx1.FreeBSD.org (Postfix) with ESMTP id B34EE43FA3; Thu, 13 Nov 2003 12:23:46 -0800 (PST) (envelope-from tscrum@1wisp.com) Received: from wolf ([68.235.82.98]) by mta4.adelphia.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP id <20031113202350.YLNS19804.mta4.adelphia.net@wolf>; Thu, 13 Nov 2003 15:23:50 -0500 From: "Thomas S. Crum" To: "'Vincent Goupil'" , , , Date: Thu, 13 Nov 2003 15:23:47 -0500 Organization: 1WISP, Inc. Message-ID: <000701c3aa24$0e11fbb0$6252eb44@wolf> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.4024 In-reply-to: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300 Importance: Normal Subject: RE: IPSec VPN & NATD (problem with alias_address vs redirect_address) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Nov 2003 20:23:48 -0000 It's my understanding that certain IPSEC does not encrypt the entire packet, leaving the header to be mangled by nat or whatever and refused by the IPSEC machine that you are connecting to. I believe therein your problem lies. 
Best, Tom -----Original Message----- From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Vincent Goupil Sent: Thursday, November 13, 2003 12:46 PM To: 'freebsd-ipfw@freebsd.org'; 'freebsd-net@freebsd.org'; 'freebsd-isp@freebsd.org' Subject: IPSec VPN & NATD (problem with alias_address vs redirect_address) I setup a firewall with ipfw2 and natd on freebsd 4.9 release. I have mapped my subnet with alias_address I have mapped 4 private ip address with 4 public ip address Everything is working fine (web, email, ftp, etc..) for outgoing and incoming connexion for anyone on my network. With this configuration, 5 person at a time (on my network) could dial to the same VPN server. 4 with different IP and the one with the alias_address. I supposed that only one person at a time can use the alias_address with the IPSec VPN (I think, tell me if I'm wrong) I have authorized AH and ESP to pass through my firewall. Also incoming UDP 500 I'm able to use the VPN for the people mapped with alias_address. I can't use the VPN with the people using the redirect_address. Is there any problem with the redirect_address directive with natd for the protocol 51 and 51. Is there any other way to have these 5 people at the same time to communicate to the same vpn server ? I though that I could use the redirect_address to do that. So the incoming connexion to the VPN server appear from a different IP source address. 
Vincent Goupil Administrateur r=E9seau / Network administrator _______________________________________________ freebsd-ipfw@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 13 13:16:05 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C439F16A4CF; Thu, 13 Nov 2003 13:16:05 -0800 (PST) Received: from rwcrmhc13.comcast.net (rwcrmhc13.comcast.net [204.127.198.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id 74DD143F3F; Thu, 13 Nov 2003 13:16:03 -0800 (PST) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (12-234-156-182.client.attbi.com[12.234.156.182]) by comcast.net (rwcrmhc13) with ESMTP id <2003111321160201500q5553e>; Thu, 13 Nov 2003 21:16:02 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.9p2/8.12.8) with ESMTP id hADLGLsb026811; Thu, 13 Nov 2003 13:16:21 -0800 (PST) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.9p2/8.12.9/Submit) id hADLGKhn026810; Thu, 13 Nov 2003 13:16:20 -0800 (PST) (envelope-from cristjc@comcast.net) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Thu, 13 Nov 2003 13:16:20 -0800 From: "Crist J. 
Clark" To: Vincent Goupil Message-ID: <20031113211620.GB25920@blossom.cjclark.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i X-URL: http://people.freebsd.org/~cjc/ cc: "'freebsd-isp@freebsd.org'" cc: "'freebsd-ipfw@freebsd.org'" cc: "'freebsd-net@freebsd.org'" Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Crist J. Clark" List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Nov 2003 21:16:06 -0000

On Thu, Nov 13, 2003 at 12:46:24PM -0500, Vincent Goupil wrote:
> I setup a firewall with ipfw2 and natd on freebsd 4.9 release.
>
> I have mapped my subnet with alias_address
> I have mapped 4 private ip address with 4 public ip address
>
> Everything is working fine (web, email, ftp, etc..) for outgoing and
> incoming connection for anyone on my network.
>
> With this configuration, 5 person at a time (on my network) could dial to
> the same VPN server.
> 4 with different IP and the one with the alias_address. I supposed that
> only one person at a time can use the alias_address with the IPSec VPN (I
> think, tell me if I'm wrong)
[snip]

Nope, that's right. You can have only one machine behind natd(8) using ESP at a time (you could actually have one AH and one ESP at the same time, but since NAT breaks AH, what's the point?). The reason within natd(8) is that except for a few protocols (TCP, UDP, ICMP, etc.), all that it enters into its translation table is,

  IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr

The obvious problem is that you can only have one mapping like this. If you had more than one, when you receive a packet of IPproto from IPdst_addr, to which internal machine do you send it?

Now, that's why natd(8) has problems.
Why not add a feature to natd(8) to get around it? Because there is no way to get around the problem. ESP packets have this nice SPI field that one could potentially use to map the traffic between multiple machines behind NAT to a single VPN end point on the other side, but there is no practical way for the NAT box to learn the SPI of incoming packets.

--
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG Thu Nov 13 13:55:05 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B1C1716A4CE; Thu, 13 Nov 2003 13:55:05 -0800 (PST) Received: from mtl.alis.com (mtl.alis.com [199.84.165.71]) by mx1.FreeBSD.org (Postfix) with ESMTP id C146043FE1; Thu, 13 Nov 2003 13:55:03 -0800 (PST) (envelope-from vgoupil@alis.com) Received: from alis-2k.alis.domain (alis-2k.alis.com [199.84.165.130]) by mtl.alis.com (8.12.8p2/8.12.8) with ESMTP id hADLt25G022315; Thu, 13 Nov 2003 16:55:02 -0500 (EST) (envelope-from vgoupil@alis.com) Received: by alis-2k.alis.domain with Internet Mail Service (5.5.2653.19) id ; Thu, 13 Nov 2003 16:55:02 -0500 Message-ID: From: Vincent Goupil To: "'Crist J.
Clark'" , "'freebsd-ipfw@freebsd.org'" , "'freebsd-net@freebsd.org'" , "'freebsd-isp@freebsd.org'" Date: Thu, 13 Nov 2003 16:55:01 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="ISO-8859-1" X-Spam-Checker-Version: SpamAssassin 2.53 (1.174.2.15-2003-03-30-exp) Subject: RE: IPSec VPN & NATD (problem with alias_address vs redirect_address) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Nov 2003 21:55:06 -0000

But if I use this config file for natd:

  unregistered_only
  use_sockets
  log
  log_denied
  redirect_address 192.168.1.50 208.x.y.120
  redirect_address 192.168.1.51 208.x.y.121
  redirect_address 192.168.1.52 208.x.y.122
  redirect_address 192.168.1.53 208.x.y.123
  alias_address 208.x.y.124

With this setup, I should be able to do 5 VPN IPSec connections at the same time. Since the ESP packet coming on 208.x.y.120 is mapped directly to 192.168.1.50, and so on for the others using the redirect_address directive. I also understand that I can use only one computer at a time for the others using the alias_address (the rest of the network).

I'm currently using this setup. I can do only IPSec with the 192.168.1.10-25 which is mapped by the alias_address. The computers using the IPs from 208.x.y.120-123 can't use the VPN and I don't know why.

Vincent

-----Original Message----- From: Crist J. Clark [mailto:cristjc@comcast.net] Sent: 13 novembre, 2003 16:16 To: Vincent Goupil Cc: 'freebsd-ipfw@freebsd.org'; 'freebsd-net@freebsd.org'; 'freebsd-isp@freebsd.org' Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address)

On Thu, Nov 13, 2003 at 12:46:24PM -0500, Vincent Goupil wrote:
> I setup a firewall with ipfw2 and natd on freebsd 4.9 release.
>
> I have mapped my subnet with alias_address
> I have mapped 4 private ip address with 4 public ip address
>
> Everything is working fine (web, email, ftp, etc..) for outgoing and
> incoming connection for anyone on my network.
>
> With this configuration, 5 person at a time (on my network) could dial to
> the same VPN server.
> 4 with different IP and the one with the alias_address. I supposed that
> only one person at a time can use the alias_address with the IPSec VPN (I
> think, tell me if I'm wrong)
[snip]

Nope, that's right. You can have only one machine behind natd(8) using ESP at a time (you could actually have one AH and one ESP at the same time, but since NAT breaks AH, what's the point?). The reason within natd(8) is that except for a few protocols (TCP, UDP, ICMP, etc.), all that it enters into its translation table is,

  IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr

The obvious problem is that you can only have one mapping like this. If you had more than one, when you receive a packet of IPproto from IPdst_addr, to which internal machine do you send it?

Now, that's why natd(8) has problems. Why not add a feature to natd(8) to get around it? Because there is no way to get around the problem. ESP packets have this nice SPI field that one could potentially use to map the traffic between multiple machines behind NAT to a single VPN end point on the other side, but there is no practical way for the NAT box to learn the SPI of incoming packets.

--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 14 01:22:50 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A05B16A4CE; Fri, 14 Nov 2003 01:22:50 -0800 (PST) Received: from mizar.origin-it.net (mizar.origin-it.net [194.8.96.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id F1F0B43FE5; Fri, 14 Nov 2003 01:22:47 -0800 (PST) (envelope-from helge.oldach@atosorigin.com) Received: from matar.hbg.de.int.atosorigin.com (dehsfw3e.origin-it.net [194.8.96.68])hAE9M8UQ065683 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 14 Nov 2003 10:22:08 +0100 (CET) (envelope-from helge.oldach@atosorigin.com) Received: from galaxy.hbg.de.ao-srv.com (galaxy.hbg.de.ao-srv.com [161.89.20.4])ESMTP id hAE9M835051462; Fri, 14 Nov 2003 10:22:08 +0100 (CET) (envelope-from helge.oldach@atosorigin.com) Received: (from hmo@localhost) by galaxy.hbg.de.ao-srv.com (8.9.3p2/8.9.3/hmo30mar03) id KAA17257; Fri, 14 Nov 2003 10:22:06 +0100 (MET) Message-Id: <200311140922.KAA17257@galaxy.hbg.de.ao-srv.com> In-Reply-To: <20031113211620.GB25920@blossom.cjclark.org> from "Crist J. 
Clark" at "Nov 13, 2003 10:16:20 pm" To: cjc@freebsd.org Date: Fri, 14 Nov 2003 10:22:06 +0100 (MET) From: Helge Oldach X-Address: Atos Origin GmbH, Friesenstraße 13, D-20097 Hamburg, Germany X-Phone: +49 40 7886 7464, Fax: +49 40 7886 9464, Mobile: +49 160 4782517 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2003 09:22:50 -0000

Crist J. Clark:
>On Thu, Nov 13, 2003 at 12:46:24PM -0500, Vincent Goupil wrote:
>> I setup a firewall with ipfw2 and natd on freebsd 4.9 release.
>>
>> I have mapped my subnet with alias_address
>> I have mapped 4 private ip address with 4 public ip address
>>
>> Everything is working fine (web, email, ftp, etc..) for outgoing and
>> incoming connection for anyone on my network.
>>
>> With this configuration, 5 person at a time (on my network) could dial to
>> the same VPN server.
>> 4 with different IP and the one with the alias_address. I supposed that
>> only one person at a time can use the alias_address with the IPSec VPN (I
>> think, tell me if I'm wrong)
>[snip]
>
>Nope, that's right. You can have only one machine behind natd(8) using
>ESP at a time (you could actually have one AH and one ESP at the same
>time, but since NAT breaks AH, what's the point?). The reason within
>natd(8) is that except for a few protocols (TCP, UDP, ICMP, etc.), all
>that it enters into its translation table is,
>
> IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr
>
>The obvious problem is that you can only have one mapping like
>this.
>If you had more than one, when you receive a packet of IPproto
>from IPdst_addr, to which internal machine do you send it?
>
>Now, that's why natd(8) has problems. Why not add a feature to natd(8)
>to get around it? Because there is no way to get around the
>problem. ESP packets have this nice SPI field that one could
>potentially use to map the traffic between multiple machines behind
>NAT to a single VPN end point on the other side, but there is no
>practical way for the NAT box to learn the SPI of incoming packets.

Certainly there is. This is actually implemented in most modern VPN devices. They do NAT translation according to SPI. The alternative is to encapsulate IPSec traffic in UDP (using port 4500) packets which can be neatly NATted.

In Cisco IOS speak:

  cisco(config)#crypto ipsec nat-transparency ?
    spi-matching       Match inbound SPI to outbound SPI for IPsec aware NAT
    udp-encapsulation  UDP encapsulation of IPsec protocols
  cisco(config)#

The core issue is that FreeBSD does neither support SPI-based NAT, nor does it support UDP-encapsulated IPSec.

Helge

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 14 08:36:38 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7BD5716A4CE; Fri, 14 Nov 2003 08:36:38 -0800 (PST) Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.198.35]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3919D43FE0; Fri, 14 Nov 2003 08:36:37 -0800 (PST) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (12-234-156-182.client.attbi.com[12.234.156.182]) by comcast.net (rwcrmhc11) with ESMTP id <2003111416363601300hutqre>; Fri, 14 Nov 2003 16:36:36 +0000 Received: from blossom.cjclark.org (localhost.
[127.0.0.1]) by blossom.cjclark.org (8.12.9p2/8.12.8) with ESMTP id hAEGatsb062096; Fri, 14 Nov 2003 08:36:55 -0800 (PST) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.9p2/8.12.9/Submit) id hAEGasev062095; Fri, 14 Nov 2003 08:36:54 -0800 (PST) (envelope-from cristjc@comcast.net) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Fri, 14 Nov 2003 08:36:54 -0800 From: "Crist J. Clark" To: Helge Oldach Message-ID: <20031114163654.GB61960@blossom.cjclark.org> References: <20031113211620.GB25920@blossom.cjclark.org> <200311140922.KAA17257@galaxy.hbg.de.ao-srv.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200311140922.KAA17257@galaxy.hbg.de.ao-srv.com> User-Agent: Mutt/1.4.1i X-URL: http://people.freebsd.org/~cjc/ cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: cjclark@alum.mit.edu List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2003 16:36:38 -0000

On Fri, Nov 14, 2003 at 10:22:06AM +0100, Helge Oldach wrote:
> Crist J. Clark:
> >On Thu, Nov 13, 2003 at 12:46:24PM -0500, Vincent Goupil wrote:
> >> I setup a firewall with ipfw2 and natd on freebsd 4.9 release.
> >>
> >> I have mapped my subnet with alias_address
> >> I have mapped 4 private ip address with 4 public ip address
> >>
> >> Everything is working fine (web, email, ftp, etc..) for outgoing and
> >> incoming connection for anyone on my network.
> >>
> >> With this configuration, 5 person at a time (on my network) could dial to
> >> the same VPN server.
> >> 4 with different IP and the one with the alias_address.
> >> I supposed that
> >> only one person at a time can use the alias_address with the IPSec VPN (I
> >> think, tell me if I'm wrong)
> >[snip]
> >
> >Nope, that's right. You can have only one machine behind natd(8) using
> >ESP at a time (you could actually have one AH and one ESP at the same
> >time, but since NAT breaks AH, what's the point?). The reason within
> >natd(8) is that except for a few protocols (TCP, UDP, ICMP, etc.), all
> >that it enters into its translation table is,
> >
> > IPproto: IPsrc_addr-IPdst_addr -> IPalias_addr-IPdst_addr
> >
> >The obvious problem is that you can only have one mapping like
> >this. If you had more than one, when you receive a packet of IPproto
> >from IPdst_addr, to which internal machine do you send it?
> >
> >Now, that's why natd(8) has problems. Why not add a feature to natd(8)
> >to get around it? Because there is no way to get around the
> >problem. ESP packets have this nice SPI field that one could
> >potentially use to map the traffic between multiple machines behind
> >NAT to a single VPN end point on the other side, but there is no
> >practical way for the NAT box to learn the SPI of incoming packets.
>
> Certainly there is.

Nope, there isn't a general way to do it.

> This is actually implemented in most modern VPN
> devices. They do NAT translation according to SPI. The alternative is to
> encapsulate IPSec traffic in UDP (using port 4500) packets which can be
> neatly NATted.

It's not actually very neat. Most vendor kludges to do this are not interoperable. The IETF draft for it isn't widely implemented AFAIK.

> In Cisco IOS speak:
>
> cisco(config)#crypto ipsec nat-transparency ?
> spi-matching Match inbound SPI to outbound SPI for IPsec aware NAT

Not sure what that is going to accomplish. The inbound SPI and outbound SPI are, in general, completely independent values.
The whole problem is that there is no way to know what the incoming (from the external VPN end point to the one behind the NAT device) SPI is going to be. There are heuristics a NAT device could use to guess (when a new SPI shows up at the doorstep, it's to the host that most recently had some IKE activity), but it's just that, a guess. (And if two systems start up or rekey at the same time, you're hosed when guessing by key traffic. Worse yet, there is no requirement to use IKE to set up IPsec SAs, so then what's a NAT box to do?)

> udp-encapsulation UDP encapsulation of IPsec protocols
> cisco(config)#
>
> The core issue is that FreeBSD does neither support SPI-based NAT,

'Cause unless you have a hacked up IPsec implementation that uses the same SPI both directions, it is useless.

> nor
> does it support UDP-encapsulated IPSec.

I'll post some instructions on how to do this (not compliant with the draft below). But that still is not a panacea,

  http://ietf.org/internet-drafts/draft-ietf-ipsec-nat-reqts-06.txt
  http://ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-06.txt

NAT is evil.

--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 14 09:23:48 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DCA5216A4CE; Fri, 14 Nov 2003 09:23:47 -0800 (PST) Received: from mizar.origin-it.net (mizar.origin-it.net [194.8.96.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0298743FE5; Fri, 14 Nov 2003 09:23:46 -0800 (PST) (envelope-from helge.oldach@atosorigin.com) Received: from matar.hbg.de.int.atosorigin.com (dehsfw3e.origin-it.net [194.8.96.68])hAEHN3UQ089189 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 14 Nov 2003 18:23:03 +0100 (CET) (envelope-from helge.oldach@atosorigin.com) Received: from galaxy.hbg.de.ao-srv.com (galaxy.hbg.de.ao-srv.com [161.89.20.4])ESMTP id hAEHN335075842; Fri, 14 Nov 2003 18:23:03 +0100 (CET) (envelope-from helge.oldach@atosorigin.com) Received: (from hmo@localhost) by galaxy.hbg.de.ao-srv.com (8.9.3p2/8.9.3/hmo30mar03) id SAA19138; Fri, 14 Nov 2003 18:22:55 +0100 (MET) Message-Id: <200311141722.SAA19138@galaxy.hbg.de.ao-srv.com> In-Reply-To: <20031114163654.GB61960@blossom.cjclark.org> from "Crist J. 
Clark" at "Nov 14, 2003 5:36:54 pm" To: cjclark@alum.mit.edu Date: Fri, 14 Nov 2003 18:22:55 +0100 (MET) From: Helge Oldach X-Address: Atos Origin GmbH, Friesenstraße 13, D-20097 Hamburg, Germany X-Phone: +49 40 7886 7464, Fax: +49 40 7886 9464, Mobile: +49 160 4782517 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2003 17:23:48 -0000

Crist J. Clark:
>> >ESP packets have this nice SPI field that one could
>> >potentially use to map the traffic between multiple machines behind
>> >NAT to a single VPN end point on the other side, but there is no
>> >practical way for the NAT box to learn the SPI of incoming packets.
>> Certainly there is.
>
>Nope, there isn't a general way to do it.

Agreed, there is no *general* trick. But the hacks I have described work very well in many business environments.

>> This is actually implemented in most modern VPN
>> devices. They do NAT translation according to SPI. The alternative is to
>> encapsulate IPSec traffic in UDP (using port 4500) packets which can be
>> neatly NATted.
>
>It's not actually very neat. Most vendor kludges to do this are not
>interoperable. The IETF draft for it isn't widely implemented AFAIK.

As I said, most modern VPN devices have it. As a minimum, virtually any el-cheapo DSL router supports ESP-NAT for a single device (assuming that all SPIs belong to a single internal address). But many also support SPI-aware NAT.

>> In Cisco IOS speak:
>>
>> cisco(config)#crypto ipsec nat-transparency ?
>> spi-matching Match inbound SPI to outbound SPI for IPsec aware NAT
>
>Not sure what that is going to accomplish. The inbound SPI and
>outbound SPI are, in general, completely independent values. The whole
>problem is that there is no way to know what the incoming (from the
>external VPN end point to the one behind the NAT device) SPI is going
>to be.

Correct. Cisco requires that you use IKE in order to make it work. Basically this is NAT for ESP, and the SPI-NAT table is being built up using IKE cookie matching. There are no heuristics involved.

>> udp-encapsulation UDP encapsulation of IPsec protocols
>> cisco(config)#
>>
>> The core issue is that FreeBSD does neither support SPI-based NAT,
>
>'Cause unless you have a hacked up IPsec implementation that uses the
>same SPI both directions, it is useless.

Nothing that works well and has noticeable exposure is useless. This definitely has both. Not with FreeBSD, though. It does work with Windows 2000 SP4, to put a name up... So it's definitely out there.

>> nor
>> does it support UDP-encapsulated IPSec.
>
>I'll post some instructions on how to do this (not compliant with the
>draft below). But that still is not a panacea,

Thank you, this is very interesting.

>NAT is evil.

Of course. But it's also a fact of life...
Helge From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 14 12:12:34 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2E79516A4CE; Fri, 14 Nov 2003 12:12:34 -0800 (PST) Received: from sccrmhc12.comcast.net (sccrmhc12.comcast.net [204.127.202.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id A43A544017; Fri, 14 Nov 2003 12:12:31 -0800 (PST) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (12-234-156-182.client.attbi.com[12.234.156.182]) by comcast.net (sccrmhc12) with ESMTP id <2003111420123001200s535ue>; Fri, 14 Nov 2003 20:12:30 +0000 Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.9p2/8.12.8) with ESMTP id hAEKCmsb062924; Fri, 14 Nov 2003 12:12:48 -0800 (PST) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.9p2/8.12.9/Submit) id hAEKCkrn062923; Fri, 14 Nov 2003 12:12:46 -0800 (PST) (envelope-from cristjc@comcast.net) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Fri, 14 Nov 2003 12:12:46 -0800 From: "Crist J. 
Clark" To: Helge Oldach Message-ID: <20031114201246.GA62521@blossom.cjclark.org> References: <20031114163654.GB61960@blossom.cjclark.org> <200311141722.SAA19138@galaxy.hbg.de.ao-srv.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200311141722.SAA19138@galaxy.hbg.de.ao-srv.com> User-Agent: Mutt/1.4.1i X-URL: http://people.freebsd.org/~cjc/ cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_address) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: cjclark@alum.mit.edu List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Nov 2003 20:12:34 -0000

On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote:
> Crist J. Clark:
[snip]
> >> This is actually implemented in most modern VPN
> >> devices. They do NAT translation according to SPI. The alternative is to
> >> encapsulate IPSec traffic in UDP (using port 4500) packets which can be
> >> neatly NATted.
> >
> >It's not actually very neat. Most vendor kludges to do this are not
> >interoperable. The IETF draft for it isn't widely implemented AFAIK.
>
> As I said, most modern VPN devices have it. As a minimum, virtually any
> el-cheapo DSL router supports ESP-NAT for a single device (assuming that
> all SPIs belong to a single internal address). But many also support
> SPI-aware NAT.

FreeBSD natd(8) will work fine for a single VPN end point behind a many-to-one mapping. In fact, it will work fine for arbitrarily many VPN end points behind NAT as long as each one has a unique address at the other end.

> >> In Cisco IOS speak:
> >>
> >> cisco(config)#crypto ipsec nat-transparency ?
> >> spi-matching Match inbound SPI to outbound SPI for IPsec aware NAT
> >
> >Not sure what that is going to accomplish.
> >The inbound SPI and
> >outbound SPI are, in general, completely independent values. The whole
> >problem is that there is no way to know what the incoming (from the
> >external VPN end point to the one behind the NAT device) SPI is going
> >to be.
>
> Correct. Cisco requires that you use IKE in order to make it work.
> Basically this is NAT for ESP, and the SPI-NAT table is being built up
> using IKE cookie matching. There is no heuristics involved.

The IKE cookies, the IKE-SPI, do not have anything to do with IPsec protocol SPIs. The cookies can be used to perform NAT tricks with IKE traffic, but not IPsec (unless there are proprietary vendor kludges to make the IPsec SPIs derivatives of the IKE-SPI).

> >> udp-encapsulation UDP encapsulation of IPsec protocols
> >> cisco(config)#
> >>
> >> The core issue is that FreeBSD does neither support SPI-based NAT,
> >
> >'Cause unless you have a hacked up IPsec implementation that uses the
> >same SPI both directions, it is useless.
>
> Nothing that works well and has noticeable exposure is useless. This
> definitely has both. Not with FreeBSD, though. It does work with Windows
> 2000 SP4, to put a name up... So it's definitely out there.

Two different ESP end points behind many-to-one NAT connected to a single ESP end point on the other side of the NAT? I'd be very curious to get the documentation on how they are cheating to get that to work.

--
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 14 17:16:02 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B76F16A4CE for ; Fri, 14 Nov 2003 17:16:02 -0800 (PST) Received: from hotmail.com (bay2-f156.bay2.hotmail.com [65.54.247.156]) by mx1.FreeBSD.org (Postfix) with ESMTP id E8DA143F93 for ; Fri, 14 Nov 2003 17:16:01 -0800 (PST) (envelope-from rosbiff@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 14 Nov 2003 17:16:01 -0800 Received: from 80.11.70.2 by by2fd.bay2.hotmail.msn.com with HTTP; Sat, 15 Nov 2003 01:16:01 GMT X-Originating-IP: [80.11.70.2] X-Originating-Email: [rosbiff@hotmail.com] From: "Proviste Alain" To: freebsd-ipfw@freebsd.org Date: Sat, 15 Nov 2003 01:16:01 +0000 Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1; format=flowed Message-ID: X-OriginalArrivalTime: 15 Nov 2003 01:16:01.0779 (UTC) FILETIME=[088FFC30:01C3AB16] Subject: Qos X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Nov 2003 01:16:02 -0000

Hi,

I went through most of the documentation and I couldn't find anything on that question... I wanted to know how to give a higher priority to packets arriving from the net to a specific port. I explain myself... I want to be able to play a game and to download at the same time without network slowdowns...

Thanks

_________________________________________________________________ MSN Messenger: chat live with your friends!
http://www.msn.fr/msger/default.asp From owner-freebsd-ipfw@FreeBSD.ORG Fri Nov 14 22:55:33 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7B5F916A4CE; Fri, 14 Nov 2003 22:55:33 -0800 (PST) Received: from mizar.origin-it.net (mizar.origin-it.net [194.8.96.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id D397F43F85; Fri, 14 Nov 2003 22:55:31 -0800 (PST) (envelope-from Helge.Oldach@atosorigin.com) Received: from matar.hbg.de.int.atosorigin.com (dehsfw3e.origin-it.net [194.8.96.68])hAF6soUQ023422 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 15 Nov 2003 07:54:51 +0100 (CET) (envelope-from Helge.Oldach@atosorigin.com) Received: from dehhx004.hbg.de.int.atosorigin.com (dehhx004.hbg.de.int.atosorigin.com [161.90.164.40]) ESMTP id hAF6so35007855; Sat, 15 Nov 2003 07:54:50 +0100 (CET) (envelope-from Helge.Oldach@atosorigin.com) Received: by dehhx004.hbg.de.int.atosorigin.com with Internet Mail Service (5.5.2657.72) id ; Sat, 15 Nov 2003 07:54:50 +0100 Message-ID: From: "Oldach, Helge" To: "'cjclark@alum.mit.edu'" Date: Sat, 15 Nov 2003 07:54:40 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2657.72) Content-Type: text/plain; charset="iso-8859-1" cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: RE: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Nov 2003 06:55:33 -0000 From: Crist J. Clark [mailto:cristjc@comcast.net] > On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote: > > Nothing that works well and has noticeable exposure is useless. This > > definitely has both. Not with FreeBSD, though. 
> > It does work with Windows
> > 2000 SP4, to put a name up... So it's definitely out there.
>
> Two different ESP end points behind many-to-one NAT connected to a
> single ESP end point on the other side of the NAT? I'd be very curious
> to get the documentation on how they are cheating to get that to work.

You have posted a reference already. W2k SP4 supports UDP encapsulation of IPSec. And yes, it works fine, and reliably. Further, all of Cisco's and Checkpoint's VPN gear support IPSec-over-UDP as well. This alone is >70% market share. Note that an MS employee has co-authored one of the IETF drafts you had mentioned. This is apparently not just coincidence...

I do well understand that there is no general solution. However, FreeBSD is definitely behind what is available on the commercial market today. Call it "cheating" - but it's out there and it works. I would rather see a feature that doesn't solve a 100% case than see nothing because we feel that a "general specification" is missing.

Helge

From owner-freebsd-ipfw@FreeBSD.ORG Sat Nov 15 10:23:56 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 67C0216A4CE; Sat, 15 Nov 2003 10:23:56 -0800 (PST) Received: from sccrmhc13.comcast.net (sccrmhc13.comcast.net [204.127.202.64]) by mx1.FreeBSD.org (Postfix) with ESMTP id C0B3343FD7; Sat, 15 Nov 2003 10:23:54 -0800 (PST) (envelope-from cristjc@comcast.net) Received: from blossom.cjclark.org (12-234-156-182.client.attbi.com[12.234.156.182]) by comcast.net (sccrmhc13) with ESMTP id <2003111518235301600kc4vue>; Sat, 15 Nov 2003 18:23:53 +0000 Received: from blossom.cjclark.org (localhost.
[127.0.0.1]) by blossom.cjclark.org (8.12.9p2/8.12.8) with ESMTP id hAFIOCsb002059; Sat, 15 Nov 2003 10:24:12 -0800 (PST) (envelope-from cristjc@comcast.net) Received: (from cjc@localhost) by blossom.cjclark.org (8.12.9p2/8.12.9/Submit) id hAFIO9lk002057; Sat, 15 Nov 2003 10:24:10 -0800 (PST) (envelope-from cristjc@comcast.net) X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f Date: Sat, 15 Nov 2003 10:24:09 -0800 From: "Crist J. Clark" To: "Oldach, Helge" Message-ID: <20031115182409.GA2001@blossom.cjclark.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i X-URL: http://people.freebsd.org/~cjc/ cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: cjclark@alum.mit.edu List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Nov 2003 18:23:56 -0000 On Sat, Nov 15, 2003 at 07:54:40AM +0100, Oldach, Helge wrote: > From: Crist J. Clark [mailto:cristjc@comcast.net] > > On Fri, Nov 14, 2003 at 06:22:55PM +0100, Helge Oldach wrote: > > > Nothing that works well and has noticeable exposure is useless. This > > > definitely has both. Not with FreeBSD, though. It does work with Windows > > > 2000 SP4, to put a name up... So it's definitely out there. > > > > Two different ESP end points behind many-to-one NAT connected to a > > single ESP end point on the other side of the NAT? I'd be very curious > > to get the documentation on how they are cheating to get that to work. > > You have posted a reference already. W2k SP4 supports UDP encapsulation of > IPSec. And yes, it works fine, and reliably. 
Further, all of Cisco's and > Checkpoints VPN gear support IPSec-over-UDP as well. This alone is >70% > market share. Oh, yeah, I know of UDP or TCP encapsulation tricks that work. I have dealt with several of these implementations too. I thought that you were implying that there were working NAT implementations that could deal with ESP in these circumstances. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org From owner-freebsd-ipfw@FreeBSD.ORG Sat Nov 15 19:01:18 2003 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 172A416A4CE; Sat, 15 Nov 2003 19:01:18 -0800 (PST) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id A468E43FD7; Sat, 15 Nov 2003 19:01:15 -0800 (PST) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id EFAD3651F7; Sat, 15 Nov 2003 07:20:15 +0000 (GMT) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 06312-04-7; Sat, 15 Nov 2003 07:20:15 +0000 (GMT) Received: from saboteur.dek.spc.org (unknown [82.147.19.91]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by arginine.spc.org (Postfix) with ESMTP id 01205651F1; Sat, 15 Nov 2003 07:20:14 +0000 (GMT) Received: by saboteur.dek.spc.org (Postfix, from userid 1001) id 575815; Sat, 15 Nov 2003 07:20:10 +0000 (GMT) Date: Sat, 15 Nov 2003 07:20:10 +0000 From: Bruce M Simpson To: "Oldach, Helge" Message-ID: <20031115072010.GA72782@saboteur.dek.spc.org> Mail-Followup-To: "Oldach, Helge" , "'cjclark@alum.mit.edu'" , freebsd-isp@freebsd.org, freebsd-ipfw@freebsd.org, vgoupil@alis.com, freebsd-net@freebsd.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii 
Content-Disposition: inline In-Reply-To: cc: freebsd-isp@freebsd.org cc: freebsd-ipfw@freebsd.org cc: "'cjclark@alum.mit.edu'" cc: vgoupil@alis.com cc: freebsd-net@freebsd.org Subject: Re: IPSec VPN & NATD (problem with alias_address vs redirect_addr ess) X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 16 Nov 2003 03:01:18 -0000 On Sat, Nov 15, 2003 at 07:54:40AM +0100, Oldach, Helge wrote: > I do well understand that there is no general solution. However, FreeBSD > is definitely behind what is available on the commercial market today. Call > it "cheating" - but it's out there and it works. I would rather prefer to > see > a feature that doesn't solve a 100% case than to see nothing because we feel > that a "general specification" is missing. I'm in agreement here. The fact alone that hundreds of DSL providers are blocking tunneling and VPN protocols should be enough. So far, though, our provider passes ESP, so I'm not in a hurry to implement this myself. BMS
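The distinction Crist and Helge are arguing over (a NAT cannot demultiplex raw ESP from two inside hosts to one peer, but UDP-encapsulated ESP translates like any other UDP flow) as an added example; this is a toy model written for this archive, not code from the thread, from FreeBSD natd or from any of the products named. It assumes a single-public-address port-translating NAT, constructed addresses from the RFC 5737 documentation ranges, and UDP port 4500, the port the IETF NAT-T work uses for UDP-encapsulated ESP. Real gear that passes raw ESP does so with SPI-guessing heuristics (the "cheating" in the thread); those are deliberately not modelled here.

```python
"""Toy many-to-one NAT showing why raw ESP (IP protocol 50) cannot be
demultiplexed for two inside hosts talking to the same peer, while
ESP carried inside UDP can.  Added example, not code from the thread."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ESP = 50           # IP protocol number for ESP: no port fields at all
UDP = 17
NAT_T_PORT = 4500  # UDP port used by UDP-encapsulated ESP (IETF NAT-T)


@dataclass(frozen=True)
class Packet:
    """Just enough header fields for the NAT's decision."""
    proto: int
    src: str
    dst: str
    sport: int = 0   # UDP only
    dport: int = 0   # UDP only
    spi: int = 0     # ESP security parameter index


class Napt:
    """Port-translating NAT with a single public address (assumed model)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._next_port = 40000
        # inbound UDP key (peer_ip, peer_port, public_port) -> (inside_ip, inside_port)
        self._udp_in: Dict[Tuple[str, int, int], Tuple[str, int]] = {}
        # outbound UDP key (inside_ip, inside_port, peer_ip, peer_port) -> public_port
        self._udp_out: Dict[Tuple[str, int, str, int], int] = {}
        # ESP: peer_ip -> inside hosts that have sent ESP to that peer
        self._esp_hosts: Dict[str, Set[str]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet and record the binding."""
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            pub_port = self._udp_out.get(key)
            if pub_port is None:
                pub_port = self._next_port      # fresh public port per flow
                self._next_port += 1
                self._udp_out[key] = pub_port
                self._udp_in[(pkt.dst, pkt.dport, pub_port)] = (pkt.src, pkt.sport)
            return Packet(UDP, self.public_ip, pkt.dst, pub_port, pkt.dport, pkt.spi)
        if pkt.proto == ESP:
            # Only the source address can be rewritten; there is no port to allocate.
            self._esp_hosts.setdefault(pkt.dst, set()).add(pkt.src)
            return Packet(ESP, self.public_ip, pkt.dst, spi=pkt.spi)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; None means 'cannot decide'."""
        if pkt.proto == UDP:
            inside = self._udp_in.get((pkt.src, pkt.sport, pkt.dport))
            if inside is None:
                return None
            return Packet(UDP, pkt.src, inside[0], pkt.sport, inside[1], pkt.spi)
        if pkt.proto == ESP:
            # The reply SPI was chosen by the inside host and never crossed the
            # NAT outbound, so the peer address is the only usable key.
            hosts = self._esp_hosts.get(pkt.src, set())
            if len(hosts) != 1:
                return None
            return Packet(ESP, pkt.src, next(iter(hosts)), spi=pkt.spi)
        raise ValueError(f"unsupported protocol {pkt.proto}")


# Constructed addresses from the RFC 5737 documentation ranges.
PUBLIC, PEER, HOST_A, HOST_B = "203.0.113.1", "198.51.100.7", "10.0.0.2", "10.0.0.3"


def esp_single_host() -> Optional[str]:
    """One host behind the NAT: a raw ESP reply can still be delivered."""
    nat = Napt(PUBLIC)
    nat.outbound(Packet(ESP, HOST_A, PEER, spi=0x1001))
    reply = nat.inbound(Packet(ESP, PEER, PUBLIC, spi=0xA001))
    return reply.dst if reply else None


def esp_two_hosts() -> Optional[str]:
    """Two hosts to the same peer: the raw ESP reply is ambiguous."""
    nat = Napt(PUBLIC)
    nat.outbound(Packet(ESP, HOST_A, PEER, spi=0x1001))
    nat.outbound(Packet(ESP, HOST_B, PEER, spi=0x2002))
    reply = nat.inbound(Packet(ESP, PEER, PUBLIC, spi=0xA001))
    return reply.dst if reply else None


def udp_encap_two_hosts() -> Tuple[Optional[str], Optional[str]]:
    """Same two hosts with ESP inside UDP/4500: the ports disambiguate."""
    nat = Napt(PUBLIC)
    a_out = nat.outbound(Packet(UDP, HOST_A, PEER, NAT_T_PORT, NAT_T_PORT, 0x1001))
    b_out = nat.outbound(Packet(UDP, HOST_B, PEER, NAT_T_PORT, NAT_T_PORT, 0x2002))
    # The peer answers to whichever public port it saw each tunnel come from.
    to_a = nat.inbound(Packet(UDP, PEER, PUBLIC, NAT_T_PORT, a_out.sport, 0xA001))
    to_b = nat.inbound(Packet(UDP, PEER, PUBLIC, NAT_T_PORT, b_out.sport, 0xB002))
    return (to_a.dst if to_a else None, to_b.dst if to_b else None)


if __name__ == "__main__":
    print("raw ESP, one host :", esp_single_host())      # 10.0.0.2
    print("raw ESP, two hosts:", esp_two_hosts())        # None
    print("UDP-encapsulated  :", udp_encap_two_hosts())  # ('10.0.0.2', '10.0.0.3')
```

The single-host case is the one a simple NAT can get right by elimination; the two-host case returns None because the NAT has nothing but the peer address to key on, which is exactly the situation Crist describes. With UDP encapsulation the NAT allocates a distinct public port per inside host and the peer's replies carry that port back, so no ESP-specific logic is needed in the translator at all.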
