Getting in from outside my network

Quite new to this whole thing but :

I have two FreeBSD machines running. The current production machine is reachable from anywhere, the new one isn't reachable from anywhere, but within and can reach out to the internet (but needs to be reachable from outside the network).

I'm sure I'm not providing enough information but by all means please let me know what else I need to provide.

The production (ip xx.yy.zz.220) is running:
named
sendmail

The new (IP xx.yy.zz.221) is running:
named
sendmail
routed
ppp

Thanks,

Dave

ifconfig on old:
Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500  options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
  ether 00:22:64:16:39:aa
  inet xx.yy.zz.220 netmask 0xfffffff8 broadcast xx.yy.zz.223
  inet6 fe80::222:64ff:fe16:39aa%em0 prefixlen 64 scopeid 0x1
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

ifconfig on new:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
hn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=31b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,TSO6>
  ether 00:15:5d:c7:d1:00
  inet xx.yy.zz.221 netmask 0xfffffff8 broadcast xx.yy.zz.223
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1448
  options=80000<LINKSTATE>
  inet 192.168.1.129 --> 192.168.1.1 netmask 0xffffff00
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  Opened by PID 673
 
Both machines appear to be connected directly to the internet (that's assuming xx.yy.zz.220 and xx.yy.zz.221 are the same subnet and your external internet addresses). So if you can access one but not the other I'd take a closer look at any firewalls that might be between these hosts and the internet.
 
Thanks for responding so quick. I am not aware of any firewalls on either machine.

I am seeing incoming traffic attempts on port 25 on the new machine just no answers. Please also note that this one is configured to be connected to a VPN where the other is not.

Code:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
hn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=31b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,TSO6>
  ether 00:15:5d:c7:d1:00
  inet xx.yy.zz.221 netmask 0xfffffff8 broadcast xx.yy.zz.223
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1448
  options=80000<LINKSTATE>
  inet 192.168.1.129 --> 192.168.1.1 netmask 0xffffff00
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  Opened by PID 673


# tcpdump -q -i tun0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 65535 bytes
10:07:14.719868 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:15.726369 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:17.727191 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:20.730528 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:21.734250 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:24.743285 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:27.754465 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:29.758132 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:32.794821 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:35.803220 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:38.808698 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
 
Those look like outgoing connections, not incoming. But perhaps the connections are incoming on hn0 and due to your routing table the response is sent out via tun0.

In any case, are the Internet connections supposed to come in on the tunnel or on the physical interface?
 
I thought it looked like outbound traffic after I posted it. My guess is that the problem is it is coming in on the physical interface but is going back out on the tunnel. Looks like that suspicion is true; is it something in my ppp settings (most are just copied from googled sources).

Code:
# tcpdump -q -i hn0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hn0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:56:54.006842 IP www4.checktls.com.44879 > newmachine.mydomain.com.smtp: tcp 0
11:56:55.007763 IP www4.checktls.com.44879 > newmachine.mydomain.com.smtp: tcp 0
11:56:57.011945 IP www4.checktls.com.44879 > newmachine.mydomain.com.smtp: tcp 0
11:57:01.019700 IP www4.checktls.com.44879 > newmachine.mydomain.com.smtp: tcp 0

Here are my relevant ppp.conf settings

Code:
ROUTER:
set authname DaveQ
set authkey *******
set timeout 0
set ifaddr 192.168.1.1/0 192.168.1.2/0 255.255.255.0
add 0 0 HISADDR
alias enable yes
disable ipv6cp
 
It really depends on what the VPN is supposed to do. At the moment it's routing all outgoing traffic through it. Maybe it's only for specific traffic?
 
Do you have control over the server the VPN connects to? If you have the easiest is to configure that to not send a default gateway but a specific route for that particular network. At the moment your VPN client receives a route that tells the client to route all traffic through the VPN.
 
Back
Top