Date: Sat, 17 Feb 2018 22:00:19 -0700
From: John Reynolds <johnjen@reynoldsnet.org>
To: freebsd-questions@freebsd.org
Subject: Anybody got a T-mobile cellspot v2 to work with NAT'd firewall (IPFW)?
Message-ID: <fc2a76b6-d3c1-0d9c-6424-a0371c28919b@reynoldsnet.org>
Hello all,

I've been struggling trying to get one of T-mobile's Cellspot (v2) femto-towers to configure. I have a pretty vanilla setup with a 11.1-RELEASE-p4 box acting as my gateway/fw (with various internal servers such as Samba, etc. running on it).

                                                    ----> LAN machines
    Cable modem -> re0 --FreeBSD ipfw --> igb0 -----> 8-port switch ----> LAN ....
                                                    ----> T-mobile Cellspot

I can see that it is getting an IP address from my DHCP server and through tcpdump I see that it is talking to tmobile's servers--but it just abruptly "stops" and I get no further traffic to/from the device once I get to this point:

    cellspot.home-net.isakmp > mc14236d0.tmodns.net.isakmp: [udp sum ok] isakmp 2.0 msgid 00000000 cookie a2e7eeabc47d5a3a->0000000000000000: parent_sa ikev2_init[I]:
        (sa: len=112
            (p: #1 protoid=isakmp transform=12 len=112
                (t: #1 type=encr id=aes (type=keylen value=0100))
                (t: #2 type=encr id=aes (type=keylen value=0080))
                (t: #3 type=encr id=3des )
                (t: #4 type=integ id=#12 )
                (t: #5 type=integ id=aes-xcbc )
                (t: #6 type=integ id=hmac-sha )
                (t: #7 type=prf id=#5 )
                (t: #8 type=prf id=aes128_xcbc )
                (t: #9 type=prf id=hmac-sha )
                (t: #10 type=dh id=modp2048 )
                (t: #11 type=dh id=modp3072 )
                (t: #12 type=dh id=modp4096 )))
        (v2ke: len=256 group=modp2048)
        (nonce: len=32 nonce=(e88267d563388560eadb76d831fe877330cf258e0f15783fe27eabdf2895cedc) )
        (n: prot_id=#0 type=16388(nat_detection_source_ip))
        (n: prot_id=#0 type=16389(nat_detection_destination_ip))
    20:13:12.510298 IP (tos 0x0, ttl 127, id 27639, offset 0, flags [none], proto UDP (17), length 137)

I don't know if it's something I'm "doing" in my ipfw rules or if there's some sysctl for ipsec that I need to flip or if this box is just a dud. I've configured the box temporarily as an "open" firewall (with NAT) to try and eliminate it being "me" through some IPFW filtering. That made no difference.

Just wondering if somebody out there has gotten one of these stupid CellSpot things and actually gotten it to talk to its mother ship and configure and actually WORK behind a NAT'd firewall. FWIW using Cox communications as internet provider and I know they don't block ports 500/4500/123.

My sysctl variables are:

    kern.features.ipsec_natt: 1
    kern.features.ipsec: 1
    net.inet.ipsec.def_policy: 1
    net.inet.ipsec.esp_trans_deflev: 1
    net.inet.ipsec.esp_net_deflev: 1
    net.inet.ipsec.ah_trans_deflev: 1
    net.inet.ipsec.ah_net_deflev: 1
    net.inet.ipsec.ah_cleartos: 1
    net.inet.ipsec.ah_offsetmask: 0
    net.inet.ipsec.dfbit: 0
    net.inet.ipsec.ecn: 0
    net.inet.ipsec.debug: 1
    net.inet.ipsec.filtertunnel: 0
    net.inet.ipsec.natt_cksum_policy: 0
    net.inet.ipsec.check_policy_history: 0
    net.inet.ipsec.crypto_support: 50331648

(changing filtertunnel to 1 made no difference)

My IPFW rules are:

    00010 allow ip from any to any via lo0
    00020 allow ip from any to any via igb0
    00030 deny ip from any to any not antispoof in
    00050 allow ip from any to any frag
    00051 allow log udp from any to any dst-port 500
    00054 allow log esp from any to any
    00056 allow log ah from any to any
    00058 allow log ipencap from any to any
    00060 allow log udp from any 500 to any
    00100 nat 1 ip from any to any via re0 in
    00101 check-state :default
    02000 skipto 10000 tcp from any to any via re0 out setup keep-state :default
    02010 skipto 10000 udp from any to any via re0 out keep-state :default
    05000 allow tcp from any to me dst-port 22,80,110,443,3458,4040,10993,123,500,4500 via re0 in setup keep-state :default
    05001 allow udp from any to me dst-port 500,4500,123 via re0 in keep-state :default
    09998 deny tcp from any to any via re0
    09999 deny udp from any to any via re0
    10000 nat 1 ip from any to any via re0 out
    65534 allow ip from any to any
    65535 deny ip from any to any

If anybody has any hints, it'd be much appreciated ....... :/

Thanks.

-John
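As an added example (not from John's post, and not ipfw's own code), the following Python script simulates first-match evaluation over the rule list exactly as posted and reports which rule ends evaluation for a constructed packet. It is a deliberately reduced model of ipfw semantics: nat is recorded rather than applied, so dynamic state is keyed on ports only; "not antispoof" is assumed not to match a well-formed packet; and net.inet.ip.fw.one_pass is exposed as a flag, because with one_pass=1 a nat match accepts the packet outright. Run on a constructed UDP/500 flow (source port equal to destination port, as IKE uses) it shows that a packet leaving via re0 is accepted by rule 00051 before the skipto/nat path at 02010 and 10000 is ever reached, while the same flow on UDP/4500 does go through the nat rules; that ordering question is worth checking whenever an IKE_SA_INIT goes out and nothing comes back.

```python
"""Simplified first-match simulator for an ipfw(8) rule list (constructed example,
not the poster's code and not ipfw). Understands allow, deny, nat, skipto, check-state,
the options via/in/out/frag/setup/dst-port/keep-state and a source port after 'from any';
nat is recorded, not applied, so dynamic state is keyed on ports only."""
from types import SimpleNamespace

RULES_TEXT = """\
00010 allow ip from any to any via lo0
00020 allow ip from any to any via igb0
00030 deny ip from any to any not antispoof in
00050 allow ip from any to any frag
00051 allow log udp from any to any dst-port 500
00054 allow log esp from any to any
00056 allow log ah from any to any
00058 allow log ipencap from any to any
00060 allow log udp from any 500 to any
00100 nat 1 ip from any to any via re0 in
00101 check-state :default
02000 skipto 10000 tcp from any to any via re0 out setup keep-state :default
02010 skipto 10000 udp from any to any via re0 out keep-state :default
05000 allow tcp from any to me dst-port 22,80,110,443,3458,4040,10993,123,500,4500 via re0 in setup keep-state :default
05001 allow udp from any to me dst-port 500,4500,123 via re0 in keep-state :default
09998 deny tcp from any to any via re0
09999 deny udp from any to any via re0
10000 nat 1 ip from any to any via re0 out
65534 allow ip from any to any
65535 deny ip from any to any
"""

def packet(proto, iface, direction, sport=0, dport=0, to_me=False, frag=False, syn=False):
    return SimpleNamespace(**locals())  # to_me: addressed to the firewall box itself

def parse_rules(text):
    """Parse 'ipfw list' style lines (the subset used above) into rule objects."""
    rules = []
    for line in text.strip().splitlines():
        t = [w for w in line.split() if w not in ("log", "not", ":default")]  # no-ops here
        r = SimpleNamespace(num=int(t[0]), action=t[1], arg=0, proto="ip", sport=None,
                            dst="any", dports=set(), via=None, direction=None,
                            frag=False, setup=False, keep_state=False, antispoof=False)
        i = 2
        if r.action in ("nat", "skipto"):
            r.arg, i = int(t[i]), i + 1
        if r.action != "check-state":
            r.proto, i = t[i], i + 3            # proto, 'from', source address ('any')
            if t[i] != "to":                    # optional source port
                r.sport, i = int(t[i]), i + 1
            r.dst, i = t[i + 1], i + 2          # 'to <dst>'
        while i < len(t):
            opt, i = t[i], i + 1
            if opt == "dst-port":
                r.dports, i = {int(x) for x in t[i].split(",")}, i + 1
            elif opt == "via":
                r.via, i = t[i], i + 1
            elif opt in ("in", "out"):
                r.direction = opt
            else:                               # frag, setup, keep-state, antispoof
                setattr(r, opt.replace("-", "_"), True)
        rules.append(r)
    return rules

def matches(r, p):
    """Static match of a rule body; 'not antispoof' never matches a well-formed packet."""
    return (r.action != "check-state" and not r.antispoof and r.proto in ("ip", p.proto)
            and (r.sport is None or r.sport == p.sport)
            and (r.dst == "any" or (r.dst == "me" and p.to_me))
            and (not r.dports or p.dport in r.dports)
            and r.via in (None, p.iface) and r.direction in (None, p.direction)
            and (not r.frag or p.frag) and (not r.setup or p.syn))

def evaluate(rules, p, states, one_pass=False):
    """Return (verdict, fired rule numbers, natted); a check-state hit runs the parent rule."""
    key, rev = (p.proto, p.sport, p.dport), (p.proto, p.dport, p.sport)
    trace, natted, i = [], False, 0
    while i < len(rules):
        r = rules[i]
        if r.action == "check-state":
            fired = states.get(key) or states.get(rev)
        else:
            fired = r if matches(r, p) else None
        if fired is None:
            i += 1
            continue
        if fired.keep_state:
            states[key] = fired
        trace.append(fired.num)
        if fired.action in ("allow", "deny"):
            return fired.action, trace, natted
        if fired.action == "nat":
            natted = True
            if one_pass:                        # nat with one_pass=1 ends the search
                return "allow", trace, natted
            i += 1
        else:                                   # skipto: first rule numbered >= target
            i = next(j for j, x in enumerate(rules) if x.num >= fired.arg)
    return "deny", trace, natted                # ipfw's implicit default

def trace_flow(dport, one_pass=False):
    """Constructed flow: a LAN host's UDP packet leaving via re0, then the reply on re0."""
    rules, states = parse_rules(RULES_TEXT), {}
    out = packet("udp", "re0", "out", sport=dport, dport=dport)
    reply = packet("udp", "re0", "in", sport=dport, dport=dport, to_me=True)
    return evaluate(rules, out, states, one_pass), evaluate(rules, reply, states, one_pass)
```

`trace_flow(500)` returns rule 51 as the terminating rule for both legs, with `natted` False; `trace_flow(4500)` walks 02010, 10000 and 65534 on the way out and 00100, the dynamic rule from 02010 and 65534 on the way back. Edit RULES_TEXT or the packet fields to trace other cases; comparing the trace with the per-rule counters from `ipfw -a list` on the real box shows where the model and the kernel disagree.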
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?fc2a76b6-d3c1-0d9c-6424-a0371c28919b>