Date:      Sat, 10 Sep 2011 10:42:53 -0300
From:      Mario Lobo <lobo@bsd.com.br>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: VPN  problem
Message-ID:  <201109101042.53575.lobo@bsd.com.br>

On Saturday 10 September 2011 02:45:38 Daniel Hartmeier wrote:
> On Fri, Sep 09, 2011 at 04:46:15PM -0300, Mario Lobo wrote:

> More details in an old thread
> http://lists.freebsd.org/pipermail/freebsd-pf/2006-November/002834.html
> 
> If this is not the problem, you'll have to provide more details, like
> tcpdump on the pf NAT box (on both external and internal interfaces)
> while trying to establish a connection, run pfctl -vvss, pfctl -si
> before and after, use 'set debug misc' and watch /var/log/messages, etc.
> 

Daniel;

I put set debug misc on pf.conf.

As soon as I made my first attempt to connect, I got this:

Sep 10 10:27:16 lobos kernel: pf_map_addr: selected address 177.17.68.103 
Sep 10 10:27:49 lobos last message repeated 83 times
Sep 10 10:28:59 lobos last message repeated 283 times

Sep 10 10:28:59 lobos kernel: pf: NAT proxy port allocation (1024-65535) 
failed
Sep 10 10:29:00 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:29:15 lobos last message repeated 22 times
Sep 10 10:29:15 lobos kernel: pf: loose state match: TCP 174.122.209.54:110 
174.122.209.54:110 10.10.10.2:20941 [lo=2747216958 high=2747223832 win=4105 
modulator=0 wscale=4] [lo=2628859950 high=2628925592 win=54 mod
Sep 10 10:29:15 lobos kernel: pf: loose state match: TCP 10.10.10.2:20941 
177.17.68.103:27334 174.122.209.54:110 [lo=2747216958 high=2747223832 win=4105 
modulator=0 wscale=4] [lo=2628859950 high=2628925592 win=54 mo
Sep 10 10:29:15 lobos kernel: pf: loose state match: TCP 10.10.10.2:20941 
177.17.68.103:27334 174.122.209.54:110 [lo=2747216958 high=2747223832 win=4105 
modulator=0 wscale=4] [lo=2628859950 high=2628925592 win=54 mo
Sep 10 10:29:16 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:29:47 lobos last message repeated 71 times
Sep 10 10:30:02 lobos last message repeated 114 times


I had 

nat on $ext_if from any to any -> ($ext_if) port 1024:65535

replaced with

nat on $ext_if from any to any -> ($ext_if)

tried to connect again and got:

Sep 10 10:30:02 lobos kernel: pf: NAT proxy port allocation (50001-65535) 
failed
Sep 10 10:30:02 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:30:33 lobos last message repeated 373 times
Sep 10 10:31:36 lobos last message repeated 559 times
Sep 10 10:31:36 lobos kernel: pf: loose state match: TCP 10.10.10.2:13369 
177.17.68.103:51153 189.17.94.162:1723 [lo=3293828711 high=3293894229 
win=65535 modulator=0] [lo=4058414752 high=4058480270 win=65535 modulat
Sep 10 10:31:36 lobos kernel: pf: loose state match: TCP 189.17.94.162:1723 
189.17.94.162:1723 10.10.10.2:13369 [lo=3293828711 high=3293894229 win=65535 
modulator=0] [lo=4058414752 high=4058480270 win=65535 modulato
Sep 10 10:31:36 lobos kernel: pf: loose state match: TCP 189.17.94.162:1723 
189.17.94.162:1723 10.10.10.2:13369 [lo=3293828711 high=3293894229 win=65535 
modulator=0] [lo=4058414752 high=4058480270 win=65535 modulato
Sep 10 10:31:37 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:32:08 lobos last message repeated 227 times


Both attempts failed.


Can you make something out of this?

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winblows FREE)
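
An added example, not part of the original message: a Python tally over 'set debug misc' output of the kind pasted above. It folds syslog's "last message repeated N times" lines back into the pf_map_addr count and reports how many address selections preceded each "NAT proxy port allocation failed" line, along with the port range pf reported. The function name and regexes are hypothetical, and the sample is a subset of the message's log lines.

```python
import re
from collections import Counter

# Constructed sample: a subset of the log lines in the message above,
# with the e-mail line wraps rejoined.
SAMPLE = """\
Sep 10 10:27:16 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:27:49 lobos last message repeated 83 times
Sep 10 10:28:59 lobos last message repeated 283 times
Sep 10 10:28:59 lobos kernel: pf: NAT proxy port allocation (1024-65535) failed
Sep 10 10:29:00 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:29:15 lobos last message repeated 22 times
Sep 10 10:30:02 lobos kernel: pf: NAT proxy port allocation (50001-65535) failed
Sep 10 10:30:02 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:30:33 lobos last message repeated 373 times
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
NAT_FAIL = re.compile(r"pf: NAT proxy port allocation \((\d+)-(\d+)\) failed")
MAP_ADDR = re.compile(r"pf_map_addr: selected address (\S+)")

def summarize(text):
    """Return (selections per NAT address, [(time, low, high, selections before failure)])."""
    selected, failures = Counter(), []
    since_fail, prev_addr = 0, None  # prev_addr is set only right after a pf_map_addr line
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, _host, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:
            # Assumption: the repeat refers to the line directly above it in this log.
            if prev_addr is not None:
                n = int(rep.group(1))
                selected[prev_addr] += n
                since_fail += n
            continue
        sel, fail = MAP_ADDR.search(msg), NAT_FAIL.search(msg)
        prev_addr = sel.group(1) if sel else None
        if sel:
            selected[prev_addr] += 1
            since_fail += 1
        elif fail:
            failures.append((ts, int(fail.group(1)), int(fail.group(2)), since_fail))
            since_fail = 0
    return selected, failures
```

Calling summarize(SAMPLE) returns the per-address selection count and one tuple per allocation failure; lines that match neither pattern, such as the "loose state match" entries, are skipped.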


