FreeBSD + MPD + PF

[DNAeon]

Hello,

I'm trying to setup a pptp server on my FreeBSD 8.0 box using mpd, hope you can help me out.

Here's what I've got so far - mpd5.5 is already installed from ports.
The mpd daemon runs on the same box that is the external firewall, and clients connect to it.

/usr/local/etc/mpd5/mpd.conf

Code:

startup:
        # configure mpd users
        set user administrator admin
        set user administrator
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load pptp_server

pptp_server:
        set ippool add pool1 10.1.16.50 10.1.16.60

# Create clonable bundle template named B
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
        set ipcp ranges <external-ip-here>/24 ippool pool1
        set ipcp dns 10.1.16.1

# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

# Create clonable link template named L
        create link template L pptp
# Set bundle template to use
        set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap eap
        set link enable chap
# We reducing link mtu to avoid GRE packet fragmentation.
        set link mtu 1460
# Configure PPTP
        set pptp self <external-ip-here>
# Allow to accept calls
        set link enable incoming

/usr/local/etc/mpd5/mpd.secret

Code:

testuser     testuser

In the above configuration:

• <external-ip-here> -> my publicly accessible IP
• 10.1.16.50 - 10.1.16.60 -> the IP range for clients
• 10.1.16.1 -> the gateway internal's IP

In /etc/pf.conf I've added these rules:

In pf.conf I have this:

Code:

# --- MACROS section ---
ext_if = "re0"
int_if = "fxp0"

# --- IP given by the ISP ---
ip_addr = "<external-ip-here>"

# --- protocols on external interface ---
EXT_PROTOS = "{ icmp }"

# --- allow pptp connections on the external interface ---
PPTP_SERVICES = "{ 1723 47 }"

# --- hosts with internet access ---
table <allowed> { 10.1.16.0/20 }

# --- OPTIONS section ---
set skip on lo0

# --- SCRUB section ---
scrub in all

# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ip_addr

# --- FILTER RULES ---

# --- default policy ---
block log all

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---

pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# --- EXTERNAL interface ---

# --- pass incoming connections on external interface for these protocols ---
pass in quick on $ext_if inet proto $EXT_PROTOS from any to $ext_if keep state 

pass in quick on $ext_if inet proto { tcp udp } from any to $ext_if port $PPTP_SERVICES keep state 

pass out quick on $ext_if inet from any to any keep state

The clients are able to connect to the pptp server successfully - they get address from the ip pool - 10.1.16.50-60/20

But they cannot ping any system from the internal network - 10.1.16.0/20

If I disable PF -> the clients can only ping the gateway's internal IP - 10.1.16.1.

The other problem is that each time a client connects a new ng device is configured for them.

1st client -> ng0
2nd client -> ng1
etc...

I've tried adding these rules to PF as well just to test, but that doesn't help.

Code:

pass in quick on ng0 inet from any to any keep state
pass out quick on ng0 inet from any to any keep state

Now I'm stuck.. How can I configure PF, so that each time a new client is connected a new entry for ng is added and removed upon disconnect in PF?

The other strange issue from the mpd daemon I get is this:

Code:

B-1] system: command "/usr/sbin/arp" returned 256

The complete log from the daemon is attached to thread.

If I use tcpdump I can see the icmp echo request from the client only on the ng device, so it's not blocked anywhere else.

Do you an idea where/what I'm missing?

Thanks,
DNAeon


mpd-daemon.txt

[DNAeon]

Hello again,

Seems that this issue has already been fixed in RELENG_8.

To fix the issue:

http://lists.freebsd.org/pipermail/f...il/025128.html

Regards,
DNAeon

[roko]

first post on this forum, hi to everyone...

about that theme DNAeon im having the exact same problems with 8.0-STABLE. the goal is to get a vpn connection to access samba, so the thing is that everything works if i disable the firewall, but if pf is on, although there is nothing blocking from pf when i tcpdump pflog0 i cant ping from the remote to the local lan ip of the server, the other way around works. sure i cant access sambas network when pf is on, when its off theres no problem at all. i kinda cant figure this out because pflog0 is not showing me any blocking from his side.

some help .. thanks

[DNAeon]

Quote:

Originally Posted by roko

first post on this forum, hi to everyone...

about that theme DNAeon im having the exact same problems with 8.0-STABLE. the goal is to get a vpn connection to access samba, so the thing is that everything works if i disable the firewall, but if pf is on, although there is nothing blocking from pf when i tcpdump pflog0 i cant ping from the remote to the local lan ip of the server, the other way around works. sure i cant access sambas network when pf is on, when its off theres no problem at all. i kinda cant figure this out because pflog0 is not showing me any blocking from his side.

some help .. thanks

Hi roko,

The proxy arp issues were fixed in RELENG_8 and 8.1-RELEASE, so your issue should be more like a configuration problem.

Can you show your mpd.conf and PF rules?

Regards,

[roko]

about the proxy arp bug, i didnt even consider this to be relevant to my problem. So yeah i guess there is a problem in my pf configuration. Here is my mpd.conf:

Code:

startup:
        set console self 127.0.0.1 5005
        set console open
        set web self 0.0.0.0 5006
        set web open

default:
        load pptp_server

pptp_server:
        set ippool add pool1 10.0.0.50 10.0.0.100
        create bundle template MYVPN
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
        set ipcp ranges 10.0.0.1/32 ippool pool1
        set ipcp dns 10.0.0.1
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless
        create link template MYVPN pptp
        set link action bundle MYVPN
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
        set link mtu 1460
        set pptp self MY_WAN_IP
        set link enable incoming

and my mpd.links:

Code:

pptp1:
set link type pptp
set pptp enable incoming
set pptp disable originate

In the above configuration:

* MY_WAN_IP -> my public IP
* 10.0.0.50 - 10.0.0.100 -> the IP range for clients
* 10.0.0.1 -> the gateway internal's IP

my pf.conf:

Code:

external="em0"
internal="em1"
local="em3"
ipv6="stf0"
pptp="ng0"
intranal="10.0.0.0/24"
intranallocal="10.0.1.0/24"
services="{ 21, 25, 53, 50, 60, 70, 80, 110, 443, 995, 2525 }"
portsopen="{ 47, 2525, 1723, 10000, 10001 }"
ircportsopen="{ 10001 }"
irc="{ IPS }"
ipsopen="{ IPS }"
ip6sopen="{ IPS6 }"
blockaniipji="{ IPS }"
ports="{ 21 }"
icmp_types="echoreq"

set block-policy drop
set loginterface $external

set skip on lo0

scrub in all

scrub on $internal
scrub on $external random-id max-mss 1452 reassemble tcp fragment reassemble

nat on $external from $intranal to any -> ($external)
nat on $external from $intranallocal to any -> ($external)

rdr on $external proto tcp from any to $external port 60606 -> 10.0.0.2 port 60606

# START - XTREAMER - FTP
rdr on $external proto tcp from any to $external port 10002 -> 10.0.0.5 port 21
rdr on $external proto tcp from any to $external port 10003 -> 10.0.0.5 port 80
rdr on $external proto tcp from any to $external port 1024:1050 -> 10.0.0.5
# END - EXTREAMER - FTP

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#rdr on $internal proto tcp from any to any port 21 -> 127.0.0.1 port 21

block in log quick on $external inet proto tcp from any to any flags FUP/FUP
block in log quick on $external proto tcp from any to any flags SAFRPU/SAFRPU
block in log quick on $external proto tcp from any to any flags SAFRU/SAFRU
block in log quick on $external proto tcp from any to any flags SF/SF
block in log quick on $external proto tcp from any to any flags SR/SR

block in inet proto icmp all icmp-type $icmp_types
block in log quick on $external proto tcp from $blockaniipji to $external
#pass in inet proto icmp icmp-type $icmp_types from $internal to any keep state
#pass inet proto icmp icmp-type $icmp_types from any to $external keep state

#block return-rst in quick on sis0 proto tcp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto udp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto tcp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto icmp from any to any

block in log all
block out log all

anchor "ftp-proxy/*"

antispoof quick for { lo $internal }
antispoof quick for { lo $local }

pass in on $pptp inet from any to any
pass out on $pptp inet from any to any

pass in proto gre all keep state
pass out proto gre all keep state

# IP-TV ZA MREZO #

pass in on $external inet proto igmp to 224.0.0.0/4 allow-opts
pass in on $external inet proto udp  to 224.0.0.0/4

pass out on $external inet proto igmp from $external to 224.0.0.0/4 allow-opts

pass in on $internal inet proto igmp from 10.0.0.0/24 to 224.0.0.0/4 allow-opts
pass in on $internal inet proto udp  from 10.0.0.0/24

pass out on $internal inet proto igmp from 10.0.0.0/24 to 224.0.0.0/4 allow-opts
pass out on $internal inet proto udp to 224.0.0.0/4

# KONEC IP-TV ZA MREZO #

# START OF IPV6

pass in on $ipv6 inet6 from any to any keep state

#pass in on $external inet proto ipv6 from any to $external keep state

pass in on $internal inet proto ipv6 from any to any keep state

pass out on $ipv6 all

pass out on $external inet proto ipv6 from $external to any keep state

pass in on lo all

pass out on lo all

# END OF IPV6

# START - XTREAMER - FTP

pass in quick on $external inet proto tcp from any to 10.0.0.5 port 21 flags S/SAFR synproxy state
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 80 flags S/SAFR synproxy state
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 1024 >< 1050 flags S/SAFR modulate state
pass out quick on $internal inet proto tcp from any to 10.0.0.5 port 1024 >< 1050 flags S/SAFR modulate state

# END - XTREAMER - FTP

# START OF PORT FORWARDING THROUGH NAT

pass out on $internal inet proto tcp from any to 10.0.0.2 port 60606 keep state
pass out on $internal inet proto tcp from any to 10.0.0.5 port 21 keep state
pass out on $internal inet proto tcp from any to 10.0.0.5 port 80 keep state

# END OF PORT FORWARDING THROUGH NAT

pass out on $external inet proto udp all keep state

pass out on $external inet proto icmp from any to any keep state

pass out on $external inet proto tcp from any to any

pass out on lo inet proto tcp from any to any port 953 keep state

pass in on lo inet proto tcp from any to any port 953 keep state

# WEBMAIL

pass in on lo inet proto tcp from any to any port 143 keep state

pass out on lo inet proto tcp from any to any port 143 keep state

pass out on lo inet proto tcp from any to any port 25 keep state

pass in on lo inet proto tcp from any to any port 25 keep state

# END OF WEBMAIL

pass in on $external proto tcp from any to any port > 49151 keep state

pass in on $external inet proto udp from any to any port domain keep state

pass in on $internal inet from $intranal to any modulate state
pass in on $local inet from $intranallocal to any modulate state
pass out on $internal inet from $intranal to any modulate state
pass out on $local inet from $intranallocal to any modulate state

pass in on $external inet proto tcp from $ipsopen to $external port $portsopen keep state

#pass in quick on $external inet6 proto tcp from $ip6sopen to $external port $portsopen keep state

pass in on $external inet proto tcp from any to $external port $services keep state
pass in on $external inet proto tcp from $irc to $external port 113 keep state

pass in on $external inet proto tcp from any to $external user proxy keep state

# IGMP IP-TV
pass in on $internal inet proto igmp from any to any allow-opts
pass in on $external proto tcp from any to 10.0.1.2 flags S/SA keep state

antispoof for $external
antispoof for $ipv6
antispoof for $local
antispoof for $internal

i know that this pf config is messy, and sure there are some misconfigures in it, i didnt had time to retest everything and get the syntax 100%...

the things i added for mpd and pptp are:

Code:

pass in on $pptp inet from any to any
pass out on $pptp inet from any to any

pass in proto gre all keep state
pass out proto gre all keep state

So the problem is that clients are able to connect to the pptp server, they get address from the pool - 10.0.0.50-100, but they cannot ping any system from the internal network - 10.0.0.0/24 unless i disable the PF, then the clients can ping the gateway 10.0.0.1 and samba starts working too...

thanks for the quick response DNAeon in hope to find the pf config bug..

[DNAeon]

Hi,

Here's what you can try as well.

1) Mine mpd.conf file is almost the same as yours, except that I don't have mpd.links

2) pf.conf configuration

What I understood is that your mpd5 daemon is running on your external IP, right?

Your internal network is 10.0.0.0/24 which also includes the ip pool for mpd - 10.0.0.50 - 10.0.0.100.

Upon a new pptp connection mpd will automatically create a new ngX interface associated to that specific connection - in your PF configuration you are limited to only one pptp connection, so instead of allowing that specific ng0 interface, allow the ip pool from mpd.conf.

Here are some parts from my pf.conf that you might find useful to fit into your configuration:

Code:

# --- MACROS section ---
ext_if = "re0"
int_if = "fxp0"

# --- pptp services ---
PPTP_SERVICES = "{ 1723 47 }"

# --- hosts with internet access ---
table <allowed> { 10.0.0.0/24 }

# --- OPTIONS section ---
set skip on lo0

# --- SCRUB section ---
scrub in all

# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> ($ext_if)

# --- FILTER RULES ---

# --- default policy ---
block log all

# --- antispoof protection ---
antispoof quick for $ext_if inet
antispoof quick for $int_if inet

# --- INTERNAL interface ---

pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state

# --- EXTERNAL interface ---

# --- pass incoming pptp connections to the pptp server ---
pass in quick on $ext_if inet proto { tcp udp } from any to $ext_if port $PPTP_SERVICES keep state

pass out quick on $ext_if inet from any to any keep state

In the above configuration the hosts from the table allowed get access to the internet and since in that network is your ip pool from mpd, all clients connecting to your pptp client will have internet access too.

My setup differs with yours with only one more thing, and that is that my pptp server runs on the internal network, so I just have an additional rdr rule to pass the traffic.

Let me know if that works for you.

Regards,

[roko]

Yes, the mpd5 deamon is running on my external ip. So i fixed now the issue by assigning the pool 10.1.0.1/24 to mpd5 and referring nat to the interface so that internet works as well as samba. I guess that my pf config redirects something on the 10.0.0.1/24 lan so that something is not routing right. Ill take a look on that later and report.

Now i have an additional problem, now my slackware wants to use that vpn as the primary internet connection. Its the same with windows 7, i tried to assing a higher metric to the vpn connection but still its the primary on the internet usage. As i want to use my local connection and not the vpn as the primary internet connection, any idea how to fix that on linux & windows.

Regards,

[DNAeon]

Quote:

Originally Posted by roko

Now i have an additional problem, now my slackware wants to use that vpn as the primary internet connection. Its the same with windows 7, i tried to assing a higher metric to the vpn connection but still its the primary on the internet usage. As i want to use my local connection and not the vpn as the primary internet connection, any idea how to fix that on linux & windows.

There's a "Use default gateway on remote server" or something similar on network connection property under Windows.

As to Linux, you might need these options for your ppp configuration:

Code:

# Try to get the name server addresses from the ISP.
usepeerdns
# Use this connection as the default route.
defaultroute

Just a side note - if you configure your clients to to use their local DNS servers and not the DNS server from the VPN connection, you may not be able to connect to your Samba machine if you are connecting to it using ti's DNS name.

What would happen when a client wants to connect to your Samba machine, and you are using a private domain name for example - then the clients DNS server does not know anything about it, and thus you won't be able to connect to it.

If your clients use the DNS server that from the VPN connection, it will be a bit slower, but for sure that DNS server will know more

Regards,

[roko]

Quote:

Originally Posted by DNAeon

There's a "Use default gateway on remote server" or something similar on network connection property under Windows.

As to Linux, you might need these options for your ppp configuration:

Code:

# Try to get the name server addresses from the ISP.
usepeerdns
# Use this connection as the default route.
defaultroute

Just a side note - if you configure your clients to to use their local DNS servers and not the DNS server from the VPN connection, you may not be able to connect to your Samba machine if you are connecting to it using ti's DNS name.

What would happen when a client wants to connect to your Samba machine, and you are using a private domain name for example - then the clients DNS server does not know anything about it, and thus you won't be able to connect to it.

If your clients use the DNS server that from the VPN connection, it will be a bit slower, but for sure that DNS server will know more

Regards,

thanks for the reply, i know about the "Use default gateway on remote server" option under windows and about blocking a gateway under linux but then i cant access the samba network anymore whats the whole point of the vpn... , any other solution in sight?