Good day everyone! Can't beat the following problem.
Internet ->
router (x.x.x.x/192.168.1.1) ->
ASC server {FreeBSD12+ipfw/nat/fwd (192.168.1.12|If_Inet) + OpenVPN server (192.168.101.1|If_VPN)} ->
ADM server {OpenVPN client (192.168.101.6|If_VPN) + FreeBSD12 www-server (Ip_WWW)} ->
Internet2
Task: to force the WWW-server to process requests from both lines. It feels like it's sending requests back incorrectly.
I've been fighting for a week now - I've smoked everything I can. no result. I try for an example on 40083 port.
ASC - rc.conf
ASC - sysctl.conf
ASC - ipfw.rules (start)
ASC - ipfw.rules (short for testing)
Internet ->
router (x.x.x.x/192.168.1.1) ->
ASC server {FreeBSD12+ipfw/nat/fwd (192.168.1.12|If_Inet) + OpenVPN server (192.168.101.1|If_VPN)} ->
ADM server {OpenVPN client (192.168.101.6|If_VPN) + FreeBSD12 www-server (Ip_WWW)} ->
Internet2
Task: to force the WWW-server to process requests from both lines. It feels like it's sending requests back incorrectly.
I've been fighting for a week now - I've smoked everything I can. no result. I try for an example on 40083 port.
ASC - rc.conf
Code:
ifconfig_re0="inet 192.168.1.12 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
#IPFW
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_allowservices="any"
firewall_logdeny="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
firewall_nat_interface="tun0"
gateway_enable="YES"
firewall_nat_enable="YES"
dummynet_enable="YES"
#OpenVPN
openvpn_enable="YES"
openvpn_flags="--tls-server"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
ASC - sysctl.conf
Code:
#NAT
net.inet.ip.fw.one_pass=1
net.inet.ip.forwarding=1
ASC - ipfw.rules (start)
Code:
#!/bin/sh
FwCMD="/sbin/ipfw -q" # Path to ipfw
If_Inet="re0" # Interface Internet
If_Local="re0" # Interface LocalNet
If_VPN="tun0" # Interface VPN
Ip_Inet="192.168.1.12" # IP Internet
Ip_Local="192.168.1.12" # IP LocalNet
Mask_Inet="24" # Mask Internet
Mask_Local="24" # Mask LocalNet
Net_Local="192.168.1.0" # Net LocalNet
Net_VPN="192.168.101.0/24" # Net LocalNet
P_VPN="1194"
${FwCMD} -f flush # Clear all rules -f=no prompting, -q
${FwCMD} add check-state # Check for dynamic rules
#LOOP
${FwCMD} add allow ip from any to any via lo0 #all traffic to loop
${FwCMD} add deny ip from any to 127.0.0.0/8 #deny traffic to loop
${FwCMD} add deny ip from 127.0.0.0/8 to any #deny traffic from loop
#OpenVPN
${FwCMD} add allow all from any to any via ${If_VPN}
${FwCMD} add allow udp from any to me ${P_VPN}
${FwCMD} add allow udp from me ${P_VPN} to any
#NAT
${FwCMD} nat 1 config ip ${Ip_Inet}
${FwCMD} add nat 1 ip from ${Net_VPN} to any
${FwCMD} add nat 1 ip from any to ${Ip_Inet}
# deny localpacket to Interface Internet
${FwCMD} add deny ip from any to 10.0.0.0/8 in via ${If_Inet}
${FwCMD} add deny ip from 10.0.0.0/8 to any out via ${If_Inet}
${FwCMD} add deny ip from any to 172.16.0.0/12 in via ${If_Inet}
${FwCMD} add deny ip from 172.16.0.0/12 to any out via ${If_Inet}
${FwCMD} add deny ip from any to 0.0.0.0/8 in via ${If_Inet}
${FwCMD} add deny ip from 0.0.0.0/8 to any out via ${If_Inet}
${FwCMD} add deny ip from any to 169.254.0.0/16 in via ${If_Inet}
${FwCMD} add deny ip from 169.254.0.0/16 to any out via ${If_Inet}
#Multicast
${FwCMD} add deny ip from any to 224.0.0.0/4 in via ${If_Inet}
${FwCMD} add deny ip from 224.0.0.0/4 to any out via ${If_Inet}
${FwCMD} add deny ip from any to 240.0.0.0/4 in via ${If_Inet}
${FwCMD} add deny ip from 240.0.0.0/4 to any out via ${If_Inet}
#ICMP
${FwCMD} add deny icmp from any to any frag
${FwCMD} add deny icmp from any to 255.255.255.255 in via ${If_Inet}
${FwCMD} add deny icmp from any to 255.255.255.255 out via ${If_Inet}
${FwCMD} add allow icmp from any to any icmptypes 0,8,11 #ICMP echo in|out lifeend
#
${FwCMD} add allow tcp from any to any established #Established connections
${FwCMD} add allow ip from ${Ip_Inet} to any out xmit ${If_Inet}
#UDP Inet
${FwCMD} add allow udp from any 53 to any via ${If_Inet} #DNS
${FwCMD} add allow udp from any to any 53 via ${If_Inet} #DNS-Server
${FwCMD} add allow udp from any to any 123 via ${If_Inet} #Time Syncro
#TCP Inet
${FwCMD} add deny tcp from any to ${Ip_Inet} 21 via ${If_Inet} #FTP
${FwCMD} add allow tcp from any to ${Ip_Inet} 22 via ${If_Inet} #SSH
${FwCMD} add allow tcp from any to ${Ip_Inet} 25 via ${If_Inet} #SMTP-Server
${FwCMD} add allow tcp from any to ${Ip_Inet} 80 via ${If_Inet} #WWW-Server
${FwCMD} add allow tcp from any to ${Ip_Inet} 110 via ${If_Inet} #POP
${FwCMD} add allow tcp from any to ${Ip_Inet} 143 via ${If_Inet} #IMAP
${FwCMD} add allow tcp from any to ${Ip_Inet} 443 via ${If_Inet} #SSL
${FwCMD} add allow tcp from any to ${Ip_Inet} 40082 via ${If_Inet} #WEBMIN
${FwCMD} add allow tcp from any to ${Ip_Inet} 40083 via ${If_Inet} #APACHE
#Local traffic
${FwCMD} add allow ip from any to any via ${If_Local} #Local All
${FwCMD} add allow gre from any to any via ${If_Local} #Local GRE
${FwCMD} add allow tcp from any to any via ${If_Local} #Local TCP
${FwCMD} add allow udp from any to any via ${If_Local} #Local UDP
${FwCMD} add allow icmp from any to any via ${If_Local} #Local ICMP
#ALL
${FwCMD} add 65534 allow all from any to any #ALLOW ALL
ASC - ipfw.rules (short for testing)
Code:
#!/bin/sh
FwCMD="/sbin/ipfw -q" # Path to ipfw
If_Inet="re0" # Interface Internet
If_Local="re0" # Interface LocalNet
If_VPN="tun0" # Interface VPN
Ip_Inet="192.168.1.12" # IP Internet
Ip_Local="192.168.1.12" # IP LocalNet
Mask_Inet="24" # Mask Internet
Mask_Local="24" # Mask LocalNet
Net_Local="192.168.1.0" # Net LocalNet
Net_VPN="192.168.101.0/24" # Net LocalNet
Ip_WWW="y.y.y.y" # IP WWW Server
P_VPN="1194"
${FwCMD} -f flush # Clear all rules -f=no prompting, -q
${FwCMD} add check-state # Check for dynamic rules
#LOOP
${FwCMD} add allow ip from any to any via lo0 #all traffic to loop
${FwCMD} add deny ip from any to 127.0.0.0/8 #deny traffic to loop
${FwCMD} add deny ip from 127.0.0.0/8 to any #deny traffic from loop
${FwCMD} add fwd 192.168.101.6,40083 tcp from me to any 40083 keep-state
${FwCMD} add nat 123 ip from any to any via ${If_Inet}
#OpenVPN
${FwCMD} add allow all from any to any via ${If_VPN}
${FwCMD} add allow udp from any to me ${P_VPN}
${FwCMD} add allow udp from me ${P_VPN} to any
${FwCMD} add allow tcp from any to any established #Established connections
#NAT
#${FwCMD} nat 1 config ip ${Ip_Inet} \
${FwCMD} nat 123 config if ${If_Inet} reset same_ports \
redirect_port tcp ${Ip_WWW}:40083 40083
#redirect_port tcp 192.168.101.6:40083 40083
#${FwCMD} nat 123 config if ${If_Inet} reset same_ports deny_in \
#redirect_port tcp 192.168.101.6:80 80
#redirect_port tcp 192.168.101.6:443 443
#${FwCMD} add nat 123 ip from any to any
#${FwCMD} add nat 123 ip from any to any via ${If_VPN}
#ALL
${FwCMD} add 65534 allow all from any to any #ALLOW ALL