PF+pptp

Vadim · Jul 1, 2009

Hi all!
I have some misunderstanding with pf-firewall. The point is:
1)
(LAN1)->Gateway1(FreeBSD 7.2+pf)-----pptp------Gateway2(FreeBSD 6.3+ipfw+mpd4)<-(LAN2)

2)Client PC from LAN1 makes vpn-connection(pptp) to the external vpn-server (Gateway2). With current pf.conf this connection establishes successfully. But when I try to ping some host in vpn-net - no answers come back. Thus I have no access to the shares of LAN2.

3)My current pf.conf

Code:

ext_if          = "rl2"
int_if          = "rl0"
lo              = "lo0"
internal_net    = "192.168.0.0/8"
esc_vpn        = "10.18.0.0/8"
ext_ip        = "Y.Y.Y.Y"

tcp_svc         = "smtp www pop3"
udp_svc         = "domain"

esc_ports    = "ftp, ftp-data, ssh, 3389, 1723"


set block-policy drop
set skip on lo0

scrub in on ! $lo all fragment reassemble


nat on $ext_if from $internal_net to any -> ($ext_if)

rdr on $ext_if proto tcp from any to any port 1723 -> 192.168.0.5 port 1723
rdr on $ext_if proto icmp from any to any -> 192.168.0.5
rdr on $ext_if proto gre from any to any -> 192.168.0.5


pass quick log on { lo $int_if }
antispoof log quick for $ext_if

block log on $ext_if
block in log quick from any os NMAP

pass inet proto tcp from any to any
pass out on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
pass out on $ext_if proto udp keep state
pass proto 47 all keep state
pass in quick on $ext_if proto tcp from any to any port {1723 3389} keep state
pass in quick on $ext_if proto udp from any to any port 53 keep state
pass out quick all keep state
pass out log on $ext_if proto {tcp gre udp} from $esc_vpn to $esc_vpn keep state
pass in log on $ext_if proto {tcp gre udp} from $esc_vpn to $esc_vpn keep state
pass out log on $ext_if proto tcp flags S/SA keep state
pass in on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
pass in log on $ext_if proto tcp from X.X.X.X to port {$esc_ports} keep state
pass in log on $ext_if proto gre from X.X.X.X keep state
pass in on $ext_if proto tcp to port > 49151 flags S/SA user proxy keep state

4)"route print" on client PC (winXP)

Code:

Network address           Mask      Gateway       iface  metric
          0.0.0.0          0.0.0.0        10.18.0.5       10.18.0.5       1
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.5       21
        10.18.0.5  255.255.255.255        127.0.0.1       127.0.0.1       50
   10.255.255.255  255.255.255.255        10.18.0.5       10.18.0.5       50
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.5     192.168.0.5       20
      192.168.0.5  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.0.255  255.255.255.255      192.168.0.5     192.168.0.5       20
  X.X.X.X  255.255.255.255      192.168.0.1     192.168.0.5       20
        224.0.0.0        240.0.0.0      192.168.0.5     192.168.0.5       20
        224.0.0.0        240.0.0.0        10.18.0.5       10.18.0.5       1
  255.255.255.255  255.255.255.255        10.18.0.5       10.18.0.5       1
  255.255.255.255  255.255.255.255      192.168.0.5     192.168.0.5       1
default gateway:           10.18.0.5
===========================================================================

X.X.X.X- external ip of vpn-server(gateway2)
Y.Y.Y.Y-external ip gateway1.
192.168.0.0/24 - network mask of LAN1 and LAN2.
10.18.0.0/8 - mask of vpn-network.
192.168.0.5 - client PC
Please - explain me where i'm wrong in this pf.conf.

Antti · Jul 3, 2009

I think your answer is pf pptp proxy: frickin

Vadim · Jul 3, 2009

As I know, frickin is used on a gateway, when you try to connect more than 1 client behind nat. I need only 1 client to be able to connect to 1 vpn-server. If there will be no decisions I'll try frickin one.

Vadim · Jul 3, 2009

The solution is to alter 192.168.0.0/24 subnet in LAN1 on another (in my case 192.168.10.0/24). The last pf.conf

Code:

ext_if          = "rl2"
int_if          = "rl0"
int_if2          = "xl0"
lo              = "lo0"
internal_net	= "192.168.10.0/8"
esc_vpn		= "10.18.0.0/8"
ext_ip		= "Y.Y.Y.Y"
squid           = "3128"
tcp_svc         = "smtp www pop3"
udp_svc         = "domain"

esc_ports	= "ftp, ftp-data, ssh, 3389, 1723"

set debug urgent
set block-policy drop
set skip on lo0
scrub in on ! $lo all fragment reassemble

nat on $ext_if from !($ext_if) -> ($ext_if:0)

rdr on $ext_if proto tcp from any to any port 1723 -> 192.168.10.5 port 1723
rdr on $ext_if proto gre from any to any -> 192.168.10.5

pass quick log on { lo $int_if $int_if2 }
antispoof log quick for $ext_if
block log on $ext_if

pass out quick on $ext_if inet proto tcp from $int_if2 to any keep state
pass out on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
pass out on $ext_if proto udp keep state
pass proto 47 all keep state
pass in quick on $ext_if proto tcp from any to any port {1723 3389} keep state
pass in quick on $ext_if proto udp from any to any port 53 keep state
pass out log on $ext_if proto tcp flags S/SA keep state
pass in on $ext_if inet proto icmp icmp-type echoreq code 0 keep state
pass in log on $ext_if proto tcp from X.X.X.X to port {$esc_ports} keep state
pass in log on $ext_if proto gre from X.X.X.X keep state
pass in on $ext_if proto tcp to port > 49151 flags S/SA user proxy keep state

problem solved - tnx all.

PF+pptp

Vadim

Antti

Vadim

Vadim