From: John Reynolds
To: freebsd-questions@freebsd.org
Subject: Anybody got a T-mobile cellspot v2 to work with NAT'd firewall (IPFW)?
Date: Sat, 17 Feb 2018 22:00:19 -0700
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
List-Id: User questions

Hello all,

I've been struggling trying to get one of T-mobile's Cellspot (v2) femto-towers to configure. I have a pretty vanilla setup with an 11.1-RELEASE-p4 box acting as my gateway/fw (with various internal servers such as Samba, etc. running on it).

                                                             ----> LAN machines
    Cable modem ->   re0 --FreeBSD ipfw --> igb0 -----> 8-port switch ----> LAN ....
                                                             ----> T-mobile Cellspot

I can see that it is getting an IP address from my DHCP server and through tcpdump I see that it is talking to tmobile's servers--but it just abruptly "stops" and I get no further traffic to/from the device once I get to this point:

    cellspot.home-net.isakmp > mc14236d0.tmodns.net.isakmp: [udp sum ok] isakmp 2.0 msgid 00000000 cookie a2e7eeabc47d5a3a->0000000000000000: parent_sa ikev2_init[I]:
        (sa: len=112
            (p: #1 protoid=isakmp transform=12 len=112
                (t: #1 type=encr id=aes (type=keylen value=0100))
                (t: #2 type=encr id=aes (type=keylen value=0080))
                (t: #3 type=encr id=3des )
                (t: #4 type=integ id=#12 )
                (t: #5 type=integ id=aes-xcbc )
                (t: #6 type=integ id=hmac-sha )
                (t: #7 type=prf id=#5 )
                (t: #8 type=prf id=aes128_xcbc )
                (t: #9 type=prf id=hmac-sha )
                (t: #10 type=dh id=modp2048 )
                (t: #11 type=dh id=modp3072 )
                (t: #12 type=dh id=modp4096 )))
        (v2ke: len=256 group=modp2048)
        (nonce: len=32 nonce=(e88267d563388560eadb76d831fe877330cf258e0f15783fe27eabdf2895cedc) )
        (n: prot_id=#0 type=16388(nat_detection_source_ip))
        (n: prot_id=#0 type=16389(nat_detection_destination_ip))
    20:13:12.510298 IP (tos 0x0, ttl 127, id 27639, offset 0, flags [none], proto UDP (17), length 137)

I don't know if it's something I'm "doing" in my ipfw rules or if there's some sysctl for ipsec that I need to flip or if this box is just a dud. I've configured the box temporarily as an "open" firewall (with NAT) to try and eliminate it being "me" through some IPFW filtering. That made no difference.

Just wondering if somebody out there has gotten one of these stupid CellSpot things and actually gotten it to talk to its mother ship and configure and actually WORK behind a NAT'd firewall.

FWIW using Cox communications as internet provider and I know they don't block ports 500/4500/123.
My sysctl variables are:

    kern.features.ipsec_natt: 1
    kern.features.ipsec: 1
    net.inet.ipsec.def_policy: 1
    net.inet.ipsec.esp_trans_deflev: 1
    net.inet.ipsec.esp_net_deflev: 1
    net.inet.ipsec.ah_trans_deflev: 1
    net.inet.ipsec.ah_net_deflev: 1
    net.inet.ipsec.ah_cleartos: 1
    net.inet.ipsec.ah_offsetmask: 0
    net.inet.ipsec.dfbit: 0
    net.inet.ipsec.ecn: 0
    net.inet.ipsec.debug: 1
    net.inet.ipsec.filtertunnel: 0
    net.inet.ipsec.natt_cksum_policy: 0
    net.inet.ipsec.check_policy_history: 0
    net.inet.ipsec.crypto_support: 50331648

(changing filtertunnel to 1 made no difference)

My IPFW rules are:

    00010 allow ip from any to any via lo0
    00020 allow ip from any to any via igb0
    00030 deny ip from any to any not antispoof in
    00050 allow ip from any to any frag
    00051 allow log udp from any to any dst-port 500
    00054 allow log esp from any to any
    00056 allow log ah from any to any
    00058 allow log ipencap from any to any
    00060 allow log udp from any 500 to any
    00100 nat 1 ip from any to any via re0 in
    00101 check-state :default
    02000 skipto 10000 tcp from any to any via re0 out setup keep-state :default
    02010 skipto 10000 udp from any to any via re0 out keep-state :default
    05000 allow tcp from any to me dst-port 22,80,110,443,3458,4040,10993,123,500,4500 via re0 in setup keep-state :default
    05001 allow udp from any to me dst-port 500,4500,123 via re0 in keep-state :default
    09998 deny tcp from any to any via re0
    09999 deny udp from any to any via re0
    10000 nat 1 ip from any to any via re0 out
    65534 allow ip from any to any
    65535 deny ip from any to any

If anybody has any hints, it'd be much appreciated ....... :/

Thanks.
-John
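The IKE_SA_INIT in the trace above ends with two Notify payloads, NAT_DETECTION_SOURCE_IP (16388) and NAT_DETECTION_DESTINATION_IP (16389). Per RFC 7296 section 2.23 each carries SHA-1(SPIi | SPIr | IP | port) of the address the sender believes it is using; the receiver recomputes the hash from the address it actually sees, and a mismatch tells both peers that a NAT sits in the path, after which IKE and ESP move from UDP 500 to UDP 4500 (UDP-encapsulated ESP). The following is an added example, not code from the original post, from FreeBSD or from T-Mobile: it builds a minimal initiator IKE_SA_INIT carrying a Nonce and those two notifies (SA and KE payloads omitted), parses it back with length checks, and runs the responder-side comparison once with the initiator's real address and once with the address an ipfw NAT would substitute. The SPI, ports and all addresses are constructed; the nonce is the 32-byte value shown in the trace.

```python
"""Added example: IKEv2 NAT detection (RFC 7296 section 2.23). Not code from the post."""
import hashlib
import ipaddress
import struct

# IKEv2 constants from RFC 7296.
IKE_SA_INIT = 34
FLAG_INITIATOR = 0x08
PAYLOAD_NONE = 0
PAYLOAD_NONCE = 40
PAYLOAD_NOTIFY = 41
NAT_DETECTION_SOURCE_IP = 16388
NAT_DETECTION_DESTINATION_IP = 16389
HDR_LEN = 28

# Constructed sample values. Only NONCE is taken from the trace in the post.
SPI_I = bytes.fromhex("0102030405060708")          # constructed initiator SPI
SPI_R = bytes(8)                                   # zero in the initiator's IKE_SA_INIT
NONCE = bytes.fromhex("e88267d563388560eadb76d831fe877330cf258e0f15783fe27eabdf2895cedc")
INNER_SRC, SRC_PORT = "192.168.1.50", 500          # cellspot's LAN address (constructed)
NAT_SRC = "198.51.100.7"                           # public address after NAT (constructed)
DST, DST_PORT = "203.0.113.10", 500                # responder address (constructed)


def nat_detection_hash(spi_i, spi_r, ip, port):
    """SHA-1(SPIi | SPIr | IP | port): the data of a NAT_DETECTION_* notify."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def _payload(next_type, body):
    """Generic payload header: next payload, critical/reserved, total length."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def _notify(next_type, msg_type, data):
    """Notify payload with protocol ID 0 and no SPI, as in the trace."""
    return _payload(next_type, struct.pack("!BBH", 0, 0, msg_type) + data)


def build_ike_sa_init(spi_i, nonce, src_ip, src_port, dst_ip, dst_port):
    """Minimal initiator IKE_SA_INIT: Nonce + both NAT_DETECTION notifies."""
    spi_r = bytes(8)
    payloads = (
        _payload(PAYLOAD_NOTIFY, nonce)
        + _notify(PAYLOAD_NOTIFY, NAT_DETECTION_SOURCE_IP,
                  nat_detection_hash(spi_i, spi_r, src_ip, src_port))
        + _notify(PAYLOAD_NONE, NAT_DETECTION_DESTINATION_IP,
                  nat_detection_hash(spi_i, spi_r, dst_ip, dst_port))
    )
    hdr = struct.pack("!8s8sBBBBII", spi_i, spi_r, PAYLOAD_NONCE, 0x20,
                      IKE_SA_INIT, FLAG_INITIATOR, 0, HDR_LEN + len(payloads))
    return hdr + payloads


def parse_ike(packet):
    """Parse the IKEv2 header and walk the payload chain, rejecting bad lengths."""
    if len(packet) < HDR_LEN:
        raise ValueError("short IKE header")
    spi_i, spi_r, nxt, ver, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", packet[:HDR_LEN])
    if ver >> 4 != 2:
        raise ValueError("not IKEv2")
    if length != len(packet):
        raise ValueError("length field does not match datagram")
    payloads, off = [], HDR_LEN
    while nxt != PAYLOAD_NONE:
        if off + 4 > len(packet):
            raise ValueError("truncated payload header")
        ptype = nxt
        nxt, _crit, plen = struct.unpack("!BBH", packet[off:off + 4])
        if plen < 4 or off + plen > len(packet):
            raise ValueError("bad payload length")
        payloads.append((ptype, packet[off + 4:off + plen]))
        off += plen
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange_type": exch,
            "initiator": bool(flags & FLAG_INITIATOR), "message_id": msgid,
            "payloads": payloads}


def notifies(payloads):
    """Yield (notify type, data) for every Notify payload, skipping any SPI."""
    for ptype, body in payloads:
        if ptype == PAYLOAD_NOTIFY and len(body) >= 4:
            _proto, spi_size, msg_type = struct.unpack("!BBH", body[:4])
            yield msg_type, body[4 + spi_size:]


def detect_nat(packet, seen_src_ip, seen_src_port, seen_dst_ip, seen_dst_port):
    """Responder-side check: recompute the hashes from the addresses seen on the wire."""
    msg = parse_ike(packet)
    if msg["exchange_type"] != IKE_SA_INIT or not msg["initiator"]:
        raise ValueError("expected an initiator IKE_SA_INIT")
    n = dict(notifies(msg["payloads"]))
    src = nat_detection_hash(msg["spi_i"], msg["spi_r"], seen_src_ip, seen_src_port)
    dst = nat_detection_hash(msg["spi_i"], msg["spi_r"], seen_dst_ip, seen_dst_port)
    src_nat = n.get(NAT_DETECTION_SOURCE_IP) != src   # initiator's address rewritten
    dst_nat = n.get(NAT_DETECTION_DESTINATION_IP) != dst  # responder's address rewritten
    # RFC 7296 2.23: if either peer is NATed, IKE and ESP switch to UDP 4500.
    return {"initiator_behind_nat": src_nat, "responder_behind_nat": dst_nat,
            "use_udp_4500": src_nat or dst_nat}


PACKET = build_ike_sa_init(SPI_I, NONCE, INNER_SRC, SRC_PORT, DST, DST_PORT)


def demo():
    """Same packet as the responder sees it without NAT and after source NAT."""
    return {"no_nat": detect_nat(PACKET, INNER_SRC, SRC_PORT, DST, DST_PORT),
            "behind_nat": detect_nat(PACKET, NAT_SRC, SRC_PORT, DST, DST_PORT)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The practical consequence for a firewall in front of an IKEv2 client: once the source hash mismatches, as it must when ipfw rewrites the initiator's address, the rest of the exchange (IKE_AUTH and the ESP traffic) is expected on UDP 4500, not on UDP 500 or as raw ESP, so a capture that goes quiet after IKE_SA_INIT on port 500 is worth re-checking on port 4500 in both directions.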