From: Mario Lobo
To: "Lyndon Nerenberg (VE6BBM/VE7TFX)"
Cc: freebsd-pf@freebsd.org
Date: Tue, 2 Aug 2011 19:34:37 -0300
Subject: Re: pf rules for pptpd
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Tuesday 02 August 2011 19:17:34 you wrote:
> > I finally gave up and switched to mpd5. I solved my problem and it has
> > been rock solid ever since.
>
> I'm not wedded to pptpd. But I found mpd5 to be even more convoluted to
> configure.
> Can you share your configuration files?

Sure thing, man! Here it is.

Server side. With this config, ANY unix or Win (XP, 7, Vista, whatever) closes a vpn with the FreeBSD FW. And it authenticates the user in AD (2008 R2) via AD's radius server.

### mpd.conf

startup:
    # Setup console user, password and level
    set user admin password yyyyyy
    set console self 127.0.0.1 5005
    set console open
    # set web self 0.0.0.0 5006
    # set web open

default:
    load pptp_server

pptp_server:
    set ippool add pool1 172.16.3.201 172.16.3.239
    create bundle template B
    set iface up-script /usr/local/etc/mpd5/linkup
    set iface down-script /usr/local/etc/mpd5/linkdown
    set iface enable proxy-arp
    set iface idle 1800
    set iface enable tcpmssfix
    set ipcp yes vjcomp
    set ipcp ranges 172.16.3.200/32 ippool pool1
    set ipcp dns 172.16.3.133
    set ipcp nbns 172.16.3.133
    set bundle enable compression
    # set bundle enable encryption
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set mppc yes stateless

    ## Setup The Link Layer ##
    create link template L pptp
    set link action bundle B
    set link enable multilink
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    set link keep-alive 10 60
    # set link mtu 1300
    set link mtu 1460
    set pptp self a.b.c.d
    # set pptp disable windowing
    set link enable incoming
    load radius

radius:
    set radius server 172.16.3.133 password 1812 1813
    set radius retries 3
    set radius timeout 10
    set auth acct-update 120
    set auth enable radius-auth
    set auth enable radius-acct
    set radius enable message-authentic
    set radius me 172.16.3.1
    set radius identifier xxxxxxx

With those scripts below, I get individual user log files, saying when they logged in/out, which LAN IP and ng interface they used and what public IP they connected from. If I do an "ls /var/log/vpns/*.IN", I can see which users are connected to the vpn.

### linkup

#!/usr/local/bin/bash
# mpd5 up-script arguments: $1 interface (ngX), $2 proto, $3 local IP,
# $4 remote (client LAN) IP, $5 authname; $8 is used below as the peer's
# public address.

/usr/bin/touch /var/log/vpns/rules
# Add a pass rule for this ng interface once; -w so that "ng1" does not
# match an existing "ng10" rule.
if ! /usr/bin/grep -qw "$1" /var/log/vpns/rules ; then
    echo "pass quick on $1 all" >> /var/log/vpns/rules
fi
/sbin/pfctl -a vpns -f /var/log/vpns/rules

# Strip the 11-character "ALLENRECIFE\" domain prefix from the AD user name.
USU="${5:0:11}"
case ${USU} in
    [Aa][Ll][Ll][Ee][Nn][Rr][Ee][Cc][Ii][Ff][Ee]) USU="${5:12:20}" ;;
    *) USU=$5 ;;
esac
USUIN=${USU}"-"${4}
DIA=`/bin/date "+%Y-%m-%d %H:%M:%S"`
IP=$8

if [ -f /var/log/vpns/"${USU}".log ] ; then
    /bin/echo "${DIA} -> ${USU} Logged IN with [ ${1}:${4} ] from [ ${IP} ]." >> /var/log/vpns/"${USU}".log
else
    /bin/echo "${DIA} -> ${USU} Logged IN with [ ${1}:${4} ] from [ ${IP} ]." > /var/log/vpns/"${USU}".log
fi
# Per-session marker file; "ls /var/log/vpns/*.IN" lists connected users.
/usr/bin/touch /var/log/vpns/"${USUIN}".IN
# Publish the client's LAN address on the LAN side (proxy ARP).
/usr/sbin/arp -s "${4}" auto pub only

### linkdown

#!/usr/local/bin/bash
# mpd5 down-script arguments mirror the up-script: $4 remote IP, $5 authname.
USU="${5:0:11}"
case ${USU} in
    [Aa][Ll][Ll][Ee][Nn][Rr][Ee][Cc][Ii][Ff][Ee]) USU="${5:12:20}" ;;
    *) USU=$5 ;;
esac
DIA=`/bin/date "+%Y-%m-%d %H:%M:%S"`
USUIN=${USU}"-"${4}
# Count this user's open sessions; the "-" keeps "bob" from counting
# "bobby"'s marker files.
count=`ls -1 /var/log/vpns/"${USU}"-*.IN 2>/dev/null | wc -l`
# Only log OUT when the user's last session goes down.
if [ $count -eq 1 ]; then
    if [ -f /var/log/vpns/"${USU}".log ] ; then
        /bin/echo "${DIA} -> ${USU} logged OUT." >> /var/log/vpns/"${USU}".log
    else
        /bin/echo "${DIA} -> ${USU} logged OUT." > /var/log/vpns/"${USU}".log
    fi
fi
/bin/rm /var/log/vpns/"${USUIN}".IN

## END

I hope this helps!

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)
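An added example, not part of the mail above nor of mpd5: a parser for the per-user log lines the linkup/linkdown scripts write, which tracks open sessions and flags a user who is connected from two different public addresses at the same time (something the .IN marker files alone do not show). The log lines in SAMPLE are constructed to match the scripts' echo format.

```python
import re
from datetime import datetime

# linkup writes "Logged IN"; linkdown writes "logged OUT" only when the user's
# last session closes (see the scripts above).
IN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) -> (?P<user>\S+) Logged IN "
    r"with \[ (?P<iface>\S+):(?P<lan_ip>\S+) \] from \[ (?P<peer>\S+) \]\.$")
OUT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) -> (?P<user>\S+) logged OUT\.$")

def parse_events(lines):
    """Return (timestamp, user, kind, info) tuples; unknown lines are skipped."""
    events = []
    for line in lines:
        m = IN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], "IN", (m["iface"], m["lan_ip"], m["peer"])))
            continue
        m = OUT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], "OUT", None))
    return events

def overlapping_sessions(lines):
    """Users that open a session while another is up from a different peer."""
    open_peers = {}   # user -> {peer address -> ng interface}
    hits = []
    for ts, user, kind, info in parse_events(lines):
        if kind == "OUT":          # last link of this user went down
            open_peers.pop(user, None)
            continue
        iface, _lan_ip, peer = info
        peers = open_peers.setdefault(user, {})
        others = sorted(p for p in peers if p != peer)
        if others:
            hits.append((user, ts.isoformat(sep=" "), peer, others))
        peers[peer] = iface
    return hits
# Constructed sample lines in the scripts' format (not real data).
SAMPLE = [
    "2011-08-02 19:34:37 -> bob Logged IN with [ ng0:172.16.3.201 ] from [ 203.0.113.5 ].",
    "2011-08-02 19:40:02 -> bob Logged IN with [ ng1:172.16.3.202 ] from [ 198.51.100.7 ].",
    "2011-08-02 20:10:00 -> bob logged OUT.",
    "2011-08-02 21:00:00 -> bob Logged IN with [ ng0:172.16.3.201 ] from [ 203.0.113.5 ].",
    "garbage line that is ignored",
]
```

Run it over the concatenation of /var/log/vpns/*.log to get one report per user; a hit means the same account was up from two peers at once, which is worth correlating with the radius accounting records.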