Solved mpd5 VPN server - clients cannot access server's LAN - "/usr/sbin/arp" returned 256

Hi

I've updated from 13.3 to 14.1 and hit an issue with the mpd5 VPN server: VPN clients can connect and access the server itself, but cannot access the LAN beyond that server.

In mpd5.log I see the following difference from the old system when a client connects:
[b_pptp-1] system: command "/usr/sbin/arp" returned 256
Searching for this message leads me to an old issue with FreeBSD 8:
- https://forums.freebsd.org/threads/freebsd8-mpd5-3-proxy-arp-problem.8427/
- https://lists.freebsd.org/pipermail/freebsd-net/2010-March/024731.html

Is there a solution for the FreeBSD 14.1?

mpd5-5.9_18
FreeBSD 14.1-RELEASE-p3 GENERIC amd64
 
Would arp work if you run it manually after the connection is made?
If it does, you can run it from the linkup script, or at least log its output.
 
PPTP is layer 3, ARP is at layer 2. There is no layer 2 connectivity with PPTP. You have a routing issue, probably with the return packets being routed the wrong way.
 
PPTP is layer 3, ARP is at layer 2. There is no layer 2 connectivity with PPTP. You have a routing issue, probably with the return packets being routed the wrong way.
Most VPN servers have a proxy-arp option, so if your clients get a local LAN network IP they are ARP-proxied.
Usually it's just a bool proxy-arp yes/no, and it only makes sense if the client pool is on the same net as your local LAN.
The effect is to publish the client IP with the server's LAN MAC as a proxy and remove it when the client disconnects.
 
would arp work if you run it manually after the connection is made ?
Thanks for the suggestion.

I tried to run the arp command manually after the client is connected, with the same parameters as in mpd5.log (with the "log +all" option in mpd5.conf):
Code:
# /usr/sbin/arp -S 192.168.1.100 6a:3e:ea:a1:2f:da pub
arp: delete 192.168.1.100: No such file or directory
arp: set: 192.168.1.100: Invalid argument (NDA_LLADDR address length (6) is different from expected (0))
 
OK, so that's what I found:
arp will fail if a route exists to the published host address that's not via the host ether.
So the hack will be like this:
turn off arp proxy in the mpd.conf file
create an iface-up script:
route delete $client_ip
arp -S $client_ip auto pub
route add $client_ip -interface $my_iface (ngXX)
The interface and client_ip will be passed as args to the script (see docs for order, etc).
 
Code:
[root@hp14 ~]# route -n get 10.1.1.17
   route to: 10.1.1.17
destination: 10.1.1.0
       mask: 255.255.255.0
        fib: 0
  interface: re0
      flags: <UP,DONE,PINNED>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0
[root@hp14 ~]# ifconfig tun0 create
[root@hp14 ~]# ifconfig tun0 1.2.3.4 10.1.1.17 up
[root@hp14 ~]# arp -S 10.1.1.17 auto pub
arp: delete 10.1.1.17: No such file or directory
using interface re0 for proxy with address 7c:d3:0a:2c:20:1b
arp: set: 10.1.1.17: Invalid argument (NDA_LLADDR address length (6) is different from expected (0))
[root@hp14 ~]# ifconfig tun0 down
[root@hp14 ~]# arp -S 10.1.1.17 auto pub
10.1.1.17 (10.1.1.17) deleted
using interface re0 for proxy with address 7c:d3:0a:2c:20:1b
[root@hp14 ~]# ifconfig tun0 up
#pinging 10.1.1.17 from another box
[root@hp14 ~]# cat /dev/tun0
ET�?k�
I
j��M�f��e
 
OK, try ifconfig ng0 down,
then arp.
Thank you very much!

- disabled arp-proxy
- added up-script:

set iface up-script /usr/local/etc/mpd5/iface_up.sh
Code:
#!/bin/sh
# mpd5 passes: $1 = interface (ngN), $4 = client (remote) IP
ifconfig "$1" down           # arp -S ... pub fails while the host route via ngN is up
arp -S "$4" auto pub         # publish the client IP via the LAN interface's MAC
ifconfig "$1" up
mpd5 log:
system: /iface_up.sh ng0 inet 192.168.1.1/32 192.168.1.100 'login' '' '' 'e.x.i.p' '-'
script log:
# ifconfig ng0 down
# arp -S 192.168.1.100 auto pub
192.168.1.100 (192.168.1.100) deleted
using interface eth0 for proxy with address c2:b6:2b:2f:69:02
# ifconfig ng0 up


- added down-script:
set iface down-script /usr/local/etc/mpd5/iface_down.sh
Code:
#!/bin/sh
# mpd5 passes: $1 = interface (ngN), $4 = client (remote) IP
ifconfig "$1" down
arp -d "$4"                  # remove the published proxy entry for the client
mpd5 log:
system: /iface_down.sh ng0 inet 192.168.1.1/32 192.168.1.100 'login' 'e.x.i.p' '-'
script log:
# ifconfig ng0 down
# arp -d 192.168.1.100 auto pub
192.168.1.100 (192.168.1.100) deleted
using interface eth0 for proxy with address c2:b6:2b:2f:69:02


Looks like everything now works as it should :)
Thank you for your help!


P.S.
BTW, it looks like the set of script parameters is a bit different from the one described in the mpd5 doc.
Or I used the wrong mpd5 doc...
set iface up-script script
script interface proto local-ip remote-ip authname [ dns1 server-ip ] [ dns2 server-ip ] peer-address
set iface down-script script
script interface proto local-ip remote-ip authname peer-address
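The up/down scripts above can be folded into one hardened handler. This is an added example, not a script from the thread or from mpd5: it assumes the argument order seen in the mpd5 log lines here ($1 = ngN interface, $4 = client IP), the hypothetical file name mpd_proxyarp.sh with iface_up.sh and iface_down.sh symlinked to it, and a DRY_RUN knob so the logic can be exercised off the VPN box. It validates the client address before it reaches arp(8), restores the ngN link even when publishing fails, and reports failure to mpd5 through the exit status.

```shell
#!/bin/sh
# Hypothetical combined mpd5 up/down script (added example, not from the thread).
# Install as one file and symlink iface_up.sh and iface_down.sh to it; mpd5 calls
#   iface_up.sh   <iface> <proto> <local-ip/prefix> <remote-ip> <authname> ...
#   iface_down.sh <iface> <proto> <local-ip/prefix> <remote-ip> <authname> ...
# (argument order as seen in the thread's mpd5 log lines; $1 = ngN, $4 = client IP).
# DRY_RUN=1 prints each command instead of executing it, so the logic can be tested
# off the VPN box; DRY_RUN_FAIL=<cmd> simulates that command failing.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
        [ "$1" != "${DRY_RUN_FAIL:-}" ]
    else
        "$@"
    fi
}
log() { logger -t mpd-proxyarp -- "$*" 2>/dev/null || echo "$*" >&2; }
# Accept only a dotted-quad client address before handing it to arp(8)/ifconfig(8).
is_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}
# arp(8) refuses a "pub" entry while a host route to the address exists through the
# ngN link, so the link is taken down around the arp call and brought back up after.
proxy_arp_up() {
    iface=$1; client_ip=$2
    run ifconfig "$iface" down
    if run arp -S "$client_ip" auto pub; then
        run ifconfig "$iface" up
        return 0
    fi
    run ifconfig "$iface" up          # restore the link even when publishing failed
    log "proxy ARP for $client_ip on $iface failed"
    return 1
}
proxy_arp_down() { run arp -d "$2"; }
case "$(basename -- "$0")" in
    iface_up.sh)   is_ipv4 "$4" || { log "bad client address: $4"; exit 2; }
                   proxy_arp_up "$1" "$4" ;;
    iface_down.sh) is_ipv4 "$4" || exit 2
                   proxy_arp_down "$1" "$4" ;;
esac
```

A non-zero exit from the up-script shows up in mpd5.log the same way the failed /usr/sbin/arp call did, which makes a broken proxy entry visible instead of silently leaving the client without LAN access.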
 