Date:      Tue, 11 Apr 2006 20:59:26 +0200
From:      "mailme" <mailme@roelsieg.nl>
To:        <freebsd-pf@freebsd.org>
Subject:   ADSL/router(VOIP) pf in private ip range
Message-ID:  <000601c65d9a$11570460$0601a8c0@beneden>

Old Situation:
      to internet
  ^
  |
  |
 ADSL Router/Modem(Bridged)
     |
  V
    ip ext from isp
 BSD router with pf+NAT
    ip 192.168.0.1
  ^
  |
  |
  V
    ip 192.168.0.4
      client PC

New Situation:
      to internet
  ^
  |
  |
    ip ext from isp
 Davolink DV-201AMR (NAT)----->to VOIP telephone
    ip 192.168.1.1
  ^
  |
  | (DMZ 192.168.1.7)
  V
    ip 192.168.1.7
 BSD router with pf
    ip 192.168.0.1
  ^
  |
  |
  V
    ip 192.168.0.4
      client PC

The preferred settings for NAT on the router would be as mentioned, with a demilitarized zone, to just let BSD take care of the security issues.

It is not possible to set the router to a bridged setting because:
-first, the web interface does not allow this and I found no way to telnet into the router for different settings
-second, I don't think this will work in combination with the VOIP (the Davolink should have the external IP from the ISP)

Furthermore, I have a packet filter installed on the BSD machine; the following rule set used to work in the old situation:

 # /etc/pf.conf

 # Macros
 EXT_IF="rl0"
 INT_IF="rl1"
 LOCAL_IF="lo0"
 LAN="192.168.0.0/24"
 NO_ROUTE=" { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } "

 # Options
 set optimization normal
 set block-policy drop
 set require-order yes

 # Traffic Normalization
 scrub in all

 # Translation

 # General rdr to a port
 #rdr on $EXT_IF inet proto tcp from any to $EXT_IF port $RDR_PORT -> $DEST_IP port $DEST_PORT

 # Network Address Translation
 nat on $EXT_IF inet from $LAN to any -> $EXT_IF

 # Packet Filtering
 block in log all
 block out log all

 antispoof log quick for $LOCAL_IF inet
 pass in on $LOCAL_IF inet all keep state
 pass out on $LOCAL_IF inet all keep state

 antispoof log quick for $INT_IF inet
 pass in on $INT_IF inet all keep state
 pass out on $INT_IF inet all keep state

 antispoof log quick for $EXT_IF inet
 block in log quick on $EXT_IF inet from $NO_ROUTE to $EXT_IF
 block return-rst in log quick on $EXT_IF inet proto tcp from any to $EXT_IF port 113
 pass in on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type 8 code 0 keep state
 pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 22 flags S/SA modulate state
 pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 80 flags S/SA modulate state
 pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 25 flags S/SA modulate state
 pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 443 flags S/SA modulate state

 block out log quick on $EXT_IF inet from $EXT_IF to $NO_ROUTE
 pass out on $EXT_IF inet from $EXT_IF to any keep state

Now I think there is probably a problem in the NO_ROUTE statements, because the NO_ROUTE 192.168.0.0/16 section includes the address range 192.168.1.0/24, but the DMZ forwards all the incoming traffic to 192.168.1.7, and I don't know whether to make a statement allowing incoming traffic from 192.168.1.1, because I don't know if this, in combination with the DMZ, just bypasses my packet filter. From the dump beneath I get the impression that the DMZ just forwards all traffic to 192.168.1.7 without NAT (192.168.1.1), but I am not sure.

The strangest things happen at the moment:
-I can connect to the internet from my client PC with a browser, but MSN cannot make a connection
-I can receive and send mail from the mail server on the BSD machine, but with a subject only, no text

To get an impression of what happens, here is a dump of the incoming traffic on the BSD machine:

  pfTop: Up State 1-5/5, View: default, Order: none, Cache: 10000                                        09:47:17

  PR   DIR SRC                  DEST                   STATE                    AGE       EXP     PKTS    BYTES
  tcp  In  192.168.0.4:1374     192.168.0.1:22         ESTABLISHED:ESTABLISHED  00:09:33  23:59:55     1141   102486
  tcp  In  192.168.0.4:1375     65.54.239.80:1863      FIN_WAIT_2:FIN_WAIT_2    00:00:25  00:01:06       13      934
  tcp  In  192.168.0.4:1376     207.46.2.124:1863      ESTABLISHED:ESTABLISHED  00:00:24  23:59:37       10      932
  tcp  In  192.168.0.4:1377     65.54.183.192:443      ESTABLISHED:ESTABLISHED  00:00:23  23:59:52       16     8903
  tcp  Out 192.168.0.4:1375     65.54.239.80:1863      FIN_WAIT_2:FIN_WAIT_2    00:00:25  00:01:06       13      934
  tcp  Out 192.168.0.4:1376     207.46.2.124:1863      ESTABLISHED:ESTABLISHED  00:00:24  23:59:37       10      932
  tcp  Out 192.168.0.4:1377     65.54.183.192:443      ESTABLISHED:ESTABLISHED  00:00:23  23:59:52       16     8903
  udp  In  192.168.0.4:1063     192.168.0.1:53         MULTIPLE:MULTIPLE        00:00:25  00:00:37        4      711
  udp  Out 192.168.1.7:11789    62.4.69.96:53          MULTIPLE:SINGLE          00:00:25  00:00:05        2      160
  udp  Out 192.168.1.7:11789    65.55.238.126:53       MULTIPLE:SINGLE          00:00:23  00:00:07        2      201
  udp  Out 192.168.1.7:11789    65.54.240.126:53       MULTIPLE:SINGLE          00:00:25  00:00:05        2      196
  udp  Out 192.168.1.7:11789    212.187.162.134:53     MULTIPLE:SINGLE          00:00:23  00:00:07        2      392
  udp  Out 192.168.1.7:11789    213.199.144.151:53     MULTIPLE:SINGLE          00:00:23  00:00:07       12      972

(PS: I don't know how the mailing list works, so please reply to mailme@roelsieg.nl)
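The problem the poster suspects can be read straight off the rule set: NO_ROUTE contains 192.168.0.0/16, and in the new topology rl0 itself sits in 192.168.1.0/24. The rule `block in log quick on $EXT_IF inet from $NO_ROUTE to $EXT_IF` therefore drops everything the Davolink at 192.168.1.1 sends to the BSD box on its own address (including any ICMP errors the router generates), and `block out log quick on $EXT_IF inet from $EXT_IF to $NO_ROUTE` drops everything sent back to it, while connections that the Davolink has already translated arrive with public source addresses and are unaffected, which is consistent with the DNS and TCP states in the dump. A DMZ forward cannot bypass pf: whatever the Davolink forwards still arrives on rl0 and is still evaluated against the rl0 rules. The configuration below is an added example, not the poster's own file and not anything from the Davolink documentation; it keeps the private-range block on the external interface but carves the link network out of it with a negated table entry. It assumes the Davolink side is a /24 with the router at 192.168.1.1, that rl0 is 192.168.1.7 (possibly assigned by DHCP), and that the LAN behind rl1 remains 192.168.0.0/24:

```pf
# Added example (not the poster's /etc/pf.conf): RFC 1918 and loopback
# sources are still refused on the external interface, but the
# 192.168.1.0/24 link network that rl0 now lives in is excluded.
# Assumptions: Davolink = 192.168.1.1 on a /24, rl0 = 192.168.1.7,
# LAN on rl1 = 192.168.0.0/24.

ext_if = "rl0"
int_if = "rl1"
lan    = "192.168.0.0/24"

# A negated entry removes that prefix from the larger one around it:
# 192.168.0.0/16 stays blocked except for 192.168.1.0/24.
table <noroute> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, \
                        192.168.0.0/16, !192.168.1.0/24 }

set block-policy drop
set skip on lo0
scrub in all

# ($ext_if) in parentheses tracks the address the Davolink hands out,
# so a new DHCP lease does not require editing the rules.
nat on $ext_if inet from $lan to any -> ($ext_if)

block in log all
block out log all

# Packets claiming a LAN or link-net source on the wrong interface.
antispoof log quick for { $int_if, $ext_if } inet

pass in  on $int_if inet from $lan to any keep state
pass out on $int_if inet from any to $lan keep state

# Spoofed private sources still die here; the upstream router
# (192.168.1.1) and the rest of the link net fall through to the
# pass rules instead of being dropped as unroutable.
block in  log quick on $ext_if inet from <noroute> to any
block out log quick on $ext_if inet from any to <noroute>

# Same services the original rule set exposed, one rule per port.
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type 8 code 0 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 25 80 443 } flags S/SA modulate state

# Outbound: everything already translated to rl0's address.
pass out on $ext_if inet from ($ext_if) to any keep state
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without activating it; after loading, `pfctl -t noroute -T test 192.168.1.1` should report that the router's address is not in the table while `pfctl -t noroute -T test 192.168.5.1` should report a match, which confirms the exclusion took effect. The earlier `block in log quick ... from $NO_ROUTE` rule only blocked packets addressed to the interface itself, so the example's `to any` form is slightly stricter; blocked packets still show up in `tcpdump -n -e -ttt -i pflog0`, which is the quickest way to see whether traffic from 192.168.1.1 is still being refused.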
