From owner-freebsd-questions Sun Aug  6 12:19:05 2000
From: Kent Stewart <kstewart@urx.com>
Reply-To: kstewart@urx.com
Organization: Dynacom
Date: Sun, 06 Aug 2000 12:18:59 -0700
To: David Goddard
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ppp and natd problems
Message-ID: <398DBA23.39F41E5E@urx.com>
References: <3.0.3.32.20000806173201.0085c330@dmg.parse.net>

David Goddard wrote:
>
> Hi,
>
> I'm having some problems getting ipfw, natd and ppp all to work together
> happily on a recent 4.1-STABLE box. Basically, while the individual
> components seem to be working fine, if I try and get them working together,
> packets from my internal network no longer get out properly (or the
> translation isn't working properly or something). I've been using the
> documentation at http://www.freebsd.org/tutorials/dialup-firewall as a
> guide for the various settings, and have taken its advice to use natd
> instead of ppp for aliasing with ipfw.

I never found the FreeBSD examples to work on my system for ipfw. The setup
on http://www.mostgraveconcern.com/freebsd/ worked out of the box. Ruslan's
has some changes that look like they would address the problem I had on my
system. I also changed from one of the 169.254.x.x style non-routable
networks to one of the 10.0.x.x style RFC1918 internal networks.

I use Dan's dual-homed example ipfw setup on my system plus a couple of
changes. The only difference for you would be your definition of the outside
network. As always, YMMV.

Kent

>
> I've tried various combinations of settings (no natd, but using ppp -nat
> instead etc.), but nothing seems to work, although with different logging
> information being generated.
>
> Any connections from the box itself to the outside world work as expected,
> it's just stuff on my 10.0.* internal subnet that has problems.
>
> I've produced some logging information, while pinging an outside host from
> a computer on the internal network. The alias.log file contains entries
> such as these:
>
> icmp=0, udp=6, tcp=2, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=8 (sock=0)
> icmp=0, udp=6, tcp=3, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=9 (sock=0)
> icmp=0, udp=5, tcp=3, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=8 (sock=0)
>
> Meanwhile, tcpdump returns the following. Note that the IP of the box
> doing the ping doesn't appear, so it looks like some translation is being
> done:
>
> dmg% tcpdump -i tun0
> tcpdump: listening on tun0
> 10:54:13.274107 myhost > icwww.cc.ic.ac.uk: icmp: echo request
> 10:54:13.450202 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:13.450695 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:13.617630 myhost.1024 > dns1.myisp.domain: 48018+ PTR? 83.5.198.155.in-addr.arpa. (43)
> 10:54:13.820202 dns1.myisp.domain > myhost.1024: 48018 1/6/5 PTR icwww.cc (303)
> 10:54:14.630420 myhost > icwww.cc.ic.ac.uk: icmp: echo request
> 10:54:14.790206 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:14.790696 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:14.823533 myhost.1024 > dns1.myisp.domain: 48738+ PTR? 76.0.200.195.in-addr.arpa. (43)
> 10:54:15.000247 dns1.myisp.domain > myhost.1024: 48738* 1/5/5 PTR dns1.fte (263)
> 10:54:15.631630 myhost > icwww.cc.ic.ac.uk: icmp: echo request
> 10:54:15.780263 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:15.790178 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:16.633086 myhost > icwww.cc.ic.ac.uk: icmp: echo request
> 10:54:16.760313 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:16.770215 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
>
> My kernel is configured with the following options:
>
> options IPFIREWALL                    #firewall
> options IPFIREWALL_VERBOSE            #print information about
>                                       # dropped packets
> options IPFIREWALL_FORWARD            #enable transparent proxy support
> options IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
> options IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
> options IPDIVERT
> options IPFILTER
> options IPSTEALTH
>
> The section from ppp.conf that I'm using is:
>
> myisp:
>  set phone
>  set login "ABORT NO\\sCARRIER TIMEOUT 15 ogin:--ogin: myuid word: mypasswd ocol: ppp"
>  set timeout 120
>  set accmap 000a0000
>  set ifaddr 195.200.9.208 10.0.0.10/0
>  add default HISADDR
>  enable dns
>
> Finally, my rc.conf file looks like this:
>
> hostname="myhost"
> ifconfig_ed0="inet 10.0.0.1 netmask 255.255.255.0"
> #ifconfig_tun0=
> gateway_enable="YES"
> named_enable="YES"
> named_flags="-u bind -g bind"
> linux_enable="YES"
> keymap="uk.cp850"
> nfs_server_enable="YES"
> ppp_enable="YES"
> ppp_mode="auto"
> ppp_nat="NO"
> ppp_profile="myisp"
> natd_enable="YES"
> natd_interface="tun0"
> natd_flags="-log -dynamic"
> firewall_enable="YES"
> firewall_type="simple"
> sendmail_flags="-bd"
>
> (As far as I can tell, I no longer need the ifconfig_tun0= entry that I had
> with previous versions)
>
> Disabling the firewall doesn't help, so it looks like a ppp/natd problem.
> Any suggestions?
>
> Thanks,
>
> Dave
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Kent Stewart
Richland, WA
mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html

FreeBSD News http://daily.daemonnews.org/

Bomber dropping fire retardant in front of Hanford Wild fire.
http://kstewart.urx.com/kstewart/bomber.jpg
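A check worth running against an rc.conf like David's, added here as an example and not code from either poster: natd(8) only ever receives packets that an ipfw divert rule hands it, so natd_enable="YES" with firewall_enable="NO" (the "disable the firewall" test described above) guarantees that nothing from the 10.0.0.0/24 side gets aliased, whatever ppp does. The script parses an rc.conf and flags the knob combinations that cannot work; the sample rc.conf it writes is constructed from the settings quoted in the thread.

```sh
#!/bin/sh
# Added example: sanity-check the rc.conf knobs that must agree for natd to
# translate anything. natd(8) gets its packets only through an ipfw "divert"
# rule, so natd_enable=YES without firewall_enable=YES leaves the daemon idle
# and lets 10.0.0.x source addresses leave tun0 untranslated.

# rc_get FILE VAR -> value of VAR="..." in FILE (last definition wins, quotes stripped)
rc_get() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { gsub(/^"|"$/, "", v); print v }' "$1"
}

# check_nat_rcconf FILE -> prints one finding per line; returns 1 if anything is wrong
check_nat_rcconf() {
    f="$1"; bad=0
    natd=$(rc_get "$f" natd_enable)
    fw=$(rc_get "$f" firewall_enable)
    pppnat=$(rc_get "$f" ppp_nat)
    gw=$(rc_get "$f" gateway_enable)
    if [ "$natd" = "YES" ] && [ "$fw" != "YES" ]; then
        echo "natd_enable=YES but firewall_enable=${fw:-unset}: no divert rule, natd never sees a packet"
        bad=1
    fi
    if [ "$natd" = "YES" ] && [ "$pppnat" = "YES" ]; then
        echo "natd_enable and ppp_nat both YES: two aliasing engines on one link, keep one"
        bad=1
    fi
    if [ "$gw" != "YES" ]; then
        echo "gateway_enable=${gw:-unset}: the kernel will not forward packets from the inside network"
        bad=1
    fi
    return $bad
}

# Constructed sample: the thread's settings with the firewall switched off,
# which is the experiment the original poster tried.
sample=$(mktemp)
printf 'gateway_enable="YES"\nppp_nat="NO"\nnatd_enable="YES"\nnatd_interface="tun0"\nfirewall_enable="NO"\n' > "$sample"
check_nat_rcconf "$sample" || echo "-> natd cannot work with this rc.conf"
rm -f "$sample"
```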