From: "mailme" <mailme@roelsieg.nl>
To: freebsd-pf@freebsd.org
Date: Tue, 11 Apr 2006 20:59:26 +0200
Subject: ADSL/router(VOIP) pf in private ip range
Message-ID: <000601c65d9a$11570460$0601a8c0@beneden>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Old Situation:

    to internet
        ^
        |
        |
    ADSL Router/Modem (Bridged)
        |
        V
    ip ext from isp
    BSD router with pf+NAT
    ip 192.168.0.1
        ^
        |
        |
        V
    ip 192.168.0.4
    client PC

New Situation:

    to internet
        ^
        |
        |
    ip ext from isp
    Davolink DV-201AMR (NAT) -----> to VOIP telephone
    ip 192.168.1.1
        ^
        |
        |  (DMZ 192.168.1.7)
        V
    ip 192.168.1.7
    BSD router with pf
    ip 192.168.0.1
        ^
        |
        |
        V
    ip 192.168.0.4
    client PC

The preferred settings for NAT on the router would be as mentioned, with a Demilitarized Zone, to just let BSD take care of the security issues.

It is not possible to set the router to a bridged setting because:

- first, the web interface does not allow this and I found no way to telnet into the router for different settings
- second, I don't think this will work in combination with the VOIP (the Davolink should have the external ip from the isp)

Furthermore I have a packet filter installed on the BSD machine; the following rule set used to work in the old situation:

    # /etc/pf.conf

    # Macros
    EXT_IF="rl0"
    INT_IF="rl1"
    LOCAL_IF="lo0"
    LAN="192.168.0.0/24"
    NO_ROUTE="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

    # Options
    set optimization normal
    set block-policy drop
    set require-order yes

    # Traffic Normalization
    scrub in all

    # Translation
    # General rdr to a port
    #rdr on $EXT_IF inet proto tcp from any to $EXT_IF port $RDR_PORT -> $DEST_IP port $DEST_PORT

    # Network Address Translation
    nat on $EXT_IF inet from $LAN to any -> $EXT_IF

    # Packet Filtering
    block in log all
    block out log all

    antispoof log quick for $LOCAL_IF inet
    pass in on $LOCAL_IF inet all keep state
    pass out on $LOCAL_IF inet all keep state

    antispoof log quick for $INT_IF inet
    pass in on $INT_IF inet all keep state
    pass out on $INT_IF inet all keep state

    antispoof log quick for $EXT_IF inet
    block in log quick on $EXT_IF inet from $NO_ROUTE to $EXT_IF
    block return-rst in log quick on $EXT_IF inet proto tcp from any to $EXT_IF port 113
    pass in on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type 8 code 0 keep state
    pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 22 flags S/SA modulate state
    pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 80 flags S/SA modulate state
    pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 25 flags S/SA modulate state
    pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 443 flags S/SA modulate state
    block out log quick on $EXT_IF inet from $EXT_IF to $NO_ROUTE
    pass out on $EXT_IF inet from $EXT_IF to any keep state

Now I think there is probably a problem in the NO_ROUTE statements, because the NO_ROUTE 192.168.0.0/16 section includes the address range 192.168.1.0/24. But since the DMZ forwards all the incoming traffic to 192.168.1.7, I am not sure whether I should make a statement allowing incoming traffic from 192.168.1.1, because I don't know if this in combination with the DMZ just bypasses my packet filter. From the dump beneath I get the impression that the DMZ just forwards all traffic to 192.168.1.7 without NAT (192.168.1.1), but I am not sure.

The strangest things happen at the moment:

- I can connect to the internet from my client PC with a browser, but MSN cannot make a connection
- I can receive and send mail from the mail server on the BSD machine, but with a subject only, no text

To get an impression of what happens, here is a dump from the incoming traffic on the BSD machine:

    pfTop: Up State 1-5/5, View: default, Order: none, Cache: 10000                     09:47:17

    PR   DIR SRC                 DEST                  STATE                    AGE      EXP      PKTS BYTES
    tcp  In  192.168.0.4:1374    192.168.0.1:22        ESTABLISHED:ESTABLISHED  00:09:33 23:59:55 1141 102486
    tcp  In  192.168.0.4:1375    65.54.239.80:1863     FIN_WAIT_2:FIN_WAIT_2    00:00:25 00:01:06   13    934
    tcp  In  192.168.0.4:1376    207.46.2.124:1863     ESTABLISHED:ESTABLISHED  00:00:24 23:59:37   10    932
    tcp  In  192.168.0.4:1377    65.54.183.192:443     ESTABLISHED:ESTABLISHED  00:00:23 23:59:52   16   8903
    tcp  Out 192.168.0.4:1375    65.54.239.80:1863     FIN_WAIT_2:FIN_WAIT_2    00:00:25 00:01:06   13    934
    tcp  Out 192.168.0.4:1376    207.46.2.124:1863     ESTABLISHED:ESTABLISHED  00:00:24 23:59:37   10    932
    tcp  Out 192.168.0.4:1377    65.54.183.192:443     ESTABLISHED:ESTABLISHED  00:00:23 23:59:52   16   8903
    udp  In  192.168.0.4:1063    192.168.0.1:53        MULTIPLE:MULTIPLE        00:00:25 00:00:37    4    711
    udp  Out 192.168.1.7:11789   62.4.69.96:53         MULTIPLE:SINGLE          00:00:25 00:00:05    2    160
    udp  Out 192.168.1.7:11789   65.55.238.126:53      MULTIPLE:SINGLE          00:00:23 00:00:07    2    201
    udp  Out 192.168.1.7:11789   65.54.240.126:53      MULTIPLE:SINGLE          00:00:25 00:00:05    2    196
    udp  Out 192.168.1.7:11789   212.187.162.134:53    MULTIPLE:SINGLE          00:00:23 00:00:07    2    392
    udp  Out 192.168.1.7:11789   213.199.144.151:53    MULTIPLE:SINGLE          00:00:23 00:00:07   12    972

(ps: I don't know how the mailing list works, so please reply to mailme@roelsieg.nl)
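The collision the poster suspects in the NO_ROUTE macro can be checked mechanically. The following is an added example, not code from the post or from pf: it takes the NO_ROUTE list and the addresses given in the post (the external interface is assumed to be 192.168.1.7/24 with the Davolink at 192.168.1.1 as gateway; the /24 and the function names are our assumptions), reports which entries cover the external interface's own subnet or its gateway, and rebuilds the list with that subnet carved out so the remainder of each private block stays filtered. The carve-out is general: it works for any prefix list and any external subnet, not only the 192.168.0.0/16 case in the post.

```python
"""Audit a pf NO_ROUTE-style bogon list against a double-NAT topology.

Added example, not code from the original post or from pf itself.  The
addresses are the ones the post describes; the function names and the
assumed /24 on the external interface are our own.  The point it shows:
once the filtering router's external interface itself lives in
192.168.1.0/24, the entry 192.168.0.0/16 in NO_ROUTE also covers the
upstream router at 192.168.1.1 and the interface's own subnet.
"""
import ipaddress

# NO_ROUTE macro copied from the posted /etc/pf.conf
NO_ROUTE = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

# New situation in the post: rl0 is 192.168.1.7 (prefix length /24 assumed)
# behind the Davolink at 192.168.1.1.
EXT_ADDR = "192.168.1.7/24"
EXT_GATEWAY = "192.168.1.1"


def lookup(no_route, address):
    """Return the first NO_ROUTE entry containing `address`, or None."""
    addr = ipaddress.ip_address(address)
    for entry in no_route:
        if addr in ipaddress.ip_network(entry):
            return entry
    return None


def collisions(no_route, ext_addr, gateway):
    """Entries that overlap the external interface's subnet or contain its
    gateway.  With 'block in quick on $EXT_IF from $NO_ROUTE to $EXT_IF'
    and 'block out quick on $EXT_IF from $EXT_IF to $NO_ROUTE' in effect,
    such an entry also blocks traffic exchanged with the upstream router."""
    ext_net = ipaddress.ip_interface(ext_addr).network
    gw = ipaddress.ip_address(gateway)
    hits = []
    for entry in no_route:
        net = ipaddress.ip_network(entry)
        if net.overlaps(ext_net) or gw in net:
            hits.append(entry)
    return hits


def carve_out(no_route, ext_addr):
    """Rebuild the list with the external subnet removed while keeping the
    rest of each private block filtered.  Two CIDR prefixes that overlap
    must nest, so every entry either contains ext_net (split it), lies
    inside ext_net (drop it) or is disjoint from it (keep it)."""
    ext_net = ipaddress.ip_interface(ext_addr).network
    result = []
    for entry in no_route:
        net = ipaddress.ip_network(entry)
        if ext_net.subnet_of(net):
            # address_exclude yields the pieces of `net` outside ext_net
            # (nothing at all when net == ext_net)
            result.extend(str(n) for n in sorted(net.address_exclude(ext_net)))
        elif net.overlaps(ext_net):
            continue  # entry lies entirely inside the external subnet
        else:
            result.append(entry)
    return result


def pf_macro(name, nets):
    """Render a pf macro line in the same form as the posted ruleset."""
    return '%s="{ %s }"' % (name, ", ".join(nets))


if __name__ == "__main__":
    print("colliding entries:", collisions(NO_ROUTE, EXT_ADDR, EXT_GATEWAY))
    print("gateway matched by:", lookup(NO_ROUTE, EXT_GATEWAY))
    print(pf_macro("NO_ROUTE", carve_out(NO_ROUTE, EXT_ADDR)))
```

Run stand-alone, the script names 192.168.0.0/16 as the only colliding entry and prints a replacement macro in which 192.168.1.0/24 no longer appears while the eight remaining slices of 192.168.0.0/16, including the LAN's 192.168.0.0/24, are still listed. The LAN entry does no harm there because the two NO_ROUTE rules in the ruleset apply only on $EXT_IF. The check only covers the address-list overlap; whether the Davolink's DMZ forwarding rewrites source addresses, the post's other question, has to be read from the state table itself.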