Solved FreeBSD 10.2 + VPN Service + Internet Gateway

Hello everyone,
I'm installing and configuring a FreeBSD server which will act as VPN server.
I've got this network configuration:
- DSL internet access. DSL router has the ISP public IP address and the only special configuration is the VPN external port mapping to FreeBSD server port.
- FreeBSD server as VPN server up and running

Now I would like to give Internet access to one of the LAN computers. How can I do this?
I have enabled IP forwarding with gateway_enable="YES" in rc.conf and configured the FreeBSD box as the default gateway on the computer I want to browse from. Browsing fails.


FreeBSD box has three NIC cards:
re0: 192.168.1.50/24 connected to the DSL router
xl0: 10.1.1.50/24 connected to one of the LAN networks (10.1.1.0/24). One of these computers, 10.1.1.60, must temporarily have Internet access.
xl1: 172.20.3.11/24 connected to the other LAN network (172.30.3.x/24)

This is the rc.conf file contents:
Code:
ifconfig_re0="inet 192.168.1.50 netmask 255.255.255.0 broadcast 192.168.1.255"
ifconfig_xl1="inet 172.20.3.11 netmask 255.255.255.0 broadcast 172.20.3.255"
ifconfig_xl0="inet 10.1.1.50 netmask 255.255.255.0 broadcast 10.1.1.255"
defaultrouter="192.168.1.1"
gateway_enable="YES"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/bsdserver.conf"
...

This is the routing table:
Code:
# netstat -rfinet
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            192.168.1.1        UGS         re0
10.1.1.0           link#2             U           xl0
10.1.1.50          link#2             UHS         lo0
localhost          link#4             UH          lo0
172.20.3.0         link#3             U           xl1
172.20.3.11        link#3             UHS         lo0
192.168.1.0        link#1             U           re0
192.168.1.50       link#1             UHS         lo0
192.168.5.0        192.168.5.1        UGS        tun0
192.168.5.1        localhost          UH          lo0
192.168.5.2        link#5             UH         tun0


From the computer I tried to ping some places. At the same time I had tcpdump listening on the re0 NIC. I only see the outgoing packets, but I cannot see the answers. I think this means packets coming from the LAN correctly jump to the other side, but the answers are sent elsewhere:

From 10.1.1.60, web browsing to mail.yahoo.com.
And tcpdump listening on the FreeBSD box gets:

Code:
# tcpdump 'tcp port 80 or 443'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:01:15.059772 IP 10.1.1.60.26722 > ats1.member.vip.ir2.yahoo.com.http: Flags [S], seq 1651573949, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
12:01:15.187625 IP 10.1.1.60.26723 > ats1.member.vip.ir2.yahoo.com.http: Flags [S], seq 4242693577, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
12:01:18.076175 IP 10.1.1.60.26722 > ats1.member.vip.ir2.yahoo.com.http: Flags [S], seq 1651573949, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
12:01:18.201116 IP 10.1.1.60.26723 > ats1.member.vip.ir2.yahoo.com.http: Flags [S], seq 4242693577, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
12:01:24.075712 IP 10.1.1.60.26722 > ats1.member.vip.ir2.yahoo.com.http: Flags [S], seq 1651573949, win 8192, options [mss 1460,nop,nop,sackOK], length 0
12:01:24.216182 IP 10.1.1.60.26723 > ats1.member.vip.ir2.yahoo.com.http: Flags [S], seq 4242693577, win 8192, options [mss 1460,nop,nop,sackOK], length 0

6 packets captured
310 packets received by filter
0 packets dropped by kernel

As a desperate attempt I have opened the default FreeBSD configuration, allowing traffic from any to any. The ipfw firewall has no configuration, just allow all.
Code:
ipfw list
65535 allow ip from any to any
Any idea of what can be happening?
The DSL router doesn't need to do anything, does it? I mean a route to the 10.1.1.0 network.
I suppose the DSL router does NAT. Do I need to configure NAT on FreeBSD as well?
I cannot move the public IP to the FreeBSD box because there are other connections through the router, and I must keep them as they are.

Thank you in advance
 
You need to NAT your LAN-to-internet outgoing traffic. Most likely your internet DSL router is configured to only NAT traffic from 192.168.1.0/24 to the internet. You'll need to add traffic from 172.20.3.0/24 to that. The DSL router will probably also need a static route so it knows the way back to the 172.20.3.0/24 network.
 
Hi SirDice,
I think you're right. Last night I was analyzing the network traffic, and the lines coming from the LAN
Code:
12:01:15.059772 IP 10.1.1.60.26722 > ats1.member.vip.ir2.yahoo.com.http: Flags [S], seq 1651573949, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
should never appear with the LAN addresses. These packets should already have been translated to 192.168.1.x. Otherwise, the DSL router will never know where to send the answers. It has no routes for the 10.1.1.x network and doesn't need to.

By the way, natd must always be set up together with a firewall, mustn't it? For example with ipfw?
I am going to try the configuration. I will update this thread with the results.

Thank you
 
Using two NATs in a row will work but I don't recommend it. You don't need to NAT on the FreeBSD host as long as you make sure the DSL router has the correct static routes and will also NAT traffic from the other networks.
 
OK, it works! (like Apache ;)
The DSL router does not allow me to configure static routes on the LAN side, just on the WAN side. Don't ask me why; the configuration tool does not show anything beyond the WAN interfaces.

I have set up ipfw + kernel NAT, doing NAT on the FreeBSD re0 NIC (192.168.1.50). These are my rules:
Code:
# ipfw list

00005 allow ip from any to any via xl0
00006 allow ip from any to any via xl1
00007 allow ip from any to any via lo0
00008 allow ip from any to any via tun0
00010 check-state
00070 allow ip from 10.1.1.0/24 to any via xl0
00080 allow ip from any to 10.1.1.0/24 via xl0
00090 allow ip from 10.1.1.0/24 to any via xl1
00100 allow ip from any to 10.1.1.0/24 via xl1
00130 allow tcp from any to 192.168.1.50 dst-port 1196 via re0
00135 allow tcp from any to 172.20.3.11 dst-port 1196 via xl1
00136 allow tcp from any to 172.20.3.11 dst-port 22 via xl1
00136 allow tcp from any to 192.168.1.50 dst-port 22 via re0
00137 allow tcp from 192.168.1.50 1196 to any via re0
00138 allow tcp from 172.20.3.11 1196 to any via xl1
00139 allow tcp from 172.20.3.11 22 to any via xl1
00139 allow tcp from 192.168.1.50 22 to any via re0
00150 allow icmp from any to any
00151 allow ip from any to any dst-port 53 out via re0 setup keep-state
00152 allow ip from any to any dst-port 53 out via re0 keep-state
00160 nat 1 ip from 10.1.1.60 to any out
00160 nat 1 ip from 10.1.1.51 to any out
00161 nat 1 ip from any to 192.168.1.50 in
00450 deny ip from any to any
00502 deny log logamount 10 ip from any to any
65535 allow ip from any to any

This other line does not appear in the list output, but it is important: it configures the NAT instance on the NIC, at the beginning of ipfw.rules:
Code:
ipfw nat 1 config ip 192.168.1.50 same_ports unreg_only log

Now 10.1.1.60 and 10.1.1.51 can browse, and the VPN still works fine!

Thank you
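As an added example (not the poster's file and not from the FreeBSD project), here is a complete ipfw.rules script in the FreeBSD Handbook's in-kernel NAT style for the layout described in this thread: kernel NAT on re0 for the two LAN hosts only, stateful filtering, OpenVPN on TCP 1196 and SSH reachable on re0, and everything else logged and denied. It assumes the NIC names and addresses as posted and that OpenVPN listens on TCP, as the posted rules imply. Two design points differ from the posted list. First, inbound packets on re0 are un-NATed before check-state, and one_pass is disabled, so reply packets are matched against the dynamic state of the LAN host's original flow instead of being accepted unfiltered by the nat rule (with the default one_pass=1, a packet is accepted as soon as a nat rule handles it). Second, outbound LAN traffic uses skipto to the NAT rule, the Handbook pattern, so state is created before translation. Note that in the posted list rules 5 and 6 already pass all traffic via xl0 and xl1, so rules 70 to 100 there never match; this script keeps that unfiltered inter-LAN behaviour explicitly.

```shell
#!/bin/sh
# Added example (not from the thread): a FreeBSD Handbook-style /etc/ipfw.rules
# for the layout described here. Kernel NAT on re0 for the two LAN hosts,
# stateful filtering, OpenVPN (TCP 1196) and SSH reachable on re0, all else
# denied. Assumed: NIC names and addresses as posted; OpenVPN listens on TCP.
# Apply for real with:  sh ipfw.rules apply   (FWCMD=echo gives a dry run)

ext_if="re0";  ext_ip="192.168.1.50"   # towards the DSL router
lan_if="xl0"                           # LAN whose hosts need Internet access
lan2_if="xl1"                          # the other LAN
vpn_if="tun0"                          # OpenVPN tunnel
nat_hosts="10.1.1.60 10.1.1.51"        # only these hosts are translated

# build_rules prints one ipfw command per line and executes nothing, so the
# ruleset can be reviewed on a machine without ipfw.
build_rules() {
    # NAT instance bound to re0: keep source ports where possible, translate
    # only private (unregistered) sources, flush the table if re0's IP changes.
    echo "nat 1 config if ${ext_if} same_ports unreg_only reset"

    # Traffic that never crosses re0 is not filtered; loopback spoofing is dropped.
    echo "add 00005 allow ip from any to any via ${lan_if}"
    echo "add 00006 allow ip from any to any via ${lan2_if}"
    echo "add 00007 allow ip from any to any via ${vpn_if}"
    echo "add 00010 allow ip from any to any via lo0"
    echo "add 00011 deny ip from any to 127.0.0.0/8"
    echo "add 00012 deny ip from 127.0.0.0/8 to any"

    # Inbound on re0: undo the translation first, then consult dynamic state,
    # so replies are matched against the LAN host's original flow. This needs
    # one_pass disabled (done in apply_rules), otherwise nat accepts the packet.
    echo "add 00100 nat 1 ip from any to any in via ${ext_if}"
    echo "add 00101 check-state"

    # Outbound from the permitted LAN hosts: record state, then jump to rule
    # 1000, which translates and accepts the packet.
    for h in ${nat_hosts}; do
        echo "add 00120 skipto 1000 tcp from ${h} to any out via ${ext_if} setup keep-state"
        echo "add 00121 skipto 1000 udp from ${h} to any out via ${ext_if} keep-state"
        echo "add 00122 skipto 1000 icmp from ${h} to any out via ${ext_if} keep-state"
    done

    # The gateway's own outbound traffic (DNS, pkg, ntp); replies match state.
    echo "add 00130 allow tcp from ${ext_ip} to any out via ${ext_if} setup keep-state"
    echo "add 00131 allow udp from ${ext_ip} to any out via ${ext_if} keep-state"
    echo "add 00132 allow icmp from ${ext_ip} to any out via ${ext_if} keep-state"

    # Services offered on the DSL-facing NIC: OpenVPN on TCP 1196, SSH, ping.
    echo "add 00200 allow tcp from any to ${ext_ip} 1196 in via ${ext_if} setup keep-state"
    echo "add 00201 allow tcp from any to ${ext_ip} 22 in via ${ext_if} setup keep-state"
    echo "add 00210 allow icmp from any to ${ext_ip} in via ${ext_if} icmptypes 8"

    # Everything not matched above is logged and dropped.
    echo "add 00450 deny log logamount 10 ip from any to any"

    # skipto target: translate outbound packets that already created state.
    echo "add 01000 nat 1 ip from any to any out via ${ext_if}"
    echo "add 01001 allow ip from any to any"
}

# apply_rules flushes the old set and loads the new one through ipfw.
apply_rules() {
    fwcmd="${FWCMD:-/sbin/ipfw}"
    "${fwcmd}" -q -f flush || return 1
    "${fwcmd}" -q disable one_pass || return 1
    build_rules | while IFS= read -r line; do
        # word splitting of ${line} is intentional: each word is an ipfw token
        "${fwcmd}" -q ${line} || exit 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

To load it at boot, point firewall_script at this file in rc.conf (firewall_enable="YES", firewall_script="/etc/ipfw.rules") alongside the gateway_enable and openvpn lines already posted; FWCMD=echo sh ipfw.rules apply prints the commands that would be issued without touching the running firewall.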
 