Date: Wed, 1 Sep 2004 16:49:22 +0200 (CEST)
From: freebsd-isp@chef-ingenieur.de
To: freebsd-isp@freebsd.org
Subject: ppp + natd + forwarding udp
Message-ID: <1979.212.78.101.51.1094050162.squirrel@mta.webmatic.de>
Hello,

I've a FreeBSD box on a DSL line, running ppp, ipfw and natd. This has worked fine for about a year. Now a VPN should be built, but with Cisco equipment. The Cisco is located behind the firewall, so I have to forward the UDP packets. But this doesn't work.

My ipfw rules:

00100  1174  5341362 allow ip from any to any via lo0
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
00400     0        0 deny log ip from 172.16.1.0/24 to any in via tun0
00500 15184  9946779 divert 8668 ip from any to any via tun0
00600     0        0 check-state
00700 12125  8358860 allow tcp from me to any keep-state
00701     0        0 allow log ip from 172.16.1.3 to any
00702     0        0 allow log ip from any to 172.16.1.3
00800 13988 11016613 allow ip from 172.16.1.0/24 to any keep-state
01100     0        0 allow log udp from any to 172.16.1.3 dst-port 500
01200     0        0 allow log udp from 172.16.1.3 to any dst-port 500
01300     0        0 allow log udp from any to 172.16.1.3 dst-port 4500
01400     0        0 allow log udp from 172.16.1.3 to any dst-port 4500
01500     2      120 reset log tcp from any to me dst-port 113 in via tun0
01600   576    48970 allow udp from me to any dst-port 53 keep-state
01700     0        0 allow udp from 172.16.1.0/24 to any dst-port 53 keep-state
01800    12      912 allow udp from me to any dst-port 123 keep-state
01900     4      148 allow icmp from me to any
02000     0        0 allow icmp from 172.16.1.0/24 to any
02100     3       92 allow icmp from any to any in icmptypes 0,3,4,8,11,12
02200  1315   298371 deny log ip from any to any
65535     0        0 deny ip from any to any

In /etc/natd.conf I've

redirect_port udp 172.16.1.3:500 500
redirect_port udp 172.16.1.3:4500 4500

(the Cisco is on 172.16.1.3 and has internet access)

natd runs with the flags "-dynamic -u -l -s -f /etc/natd.conf -n tun0"

Rules 701+702 are for debugging. I see the packets on the internal interface, but not on the tun0 interface (tested with tcpdump).

Any hints would be great - I'm really helpless at the moment.

Regards,
Thomas.
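An added illustration, not part of the original post: a small model of how ipfw walks the ruleset above for an inbound IKE (udp/500) or NAT-T (udp/4500) packet when natd sits at rule 00500. It parses the posted rules and the natd.conf redirect_port lines, applies first-match semantics, and after the divert rule rewrites the destination the way natd's redirect_port does before the search resumes at rule 00600. Assumptions that are not in the post: the ppp address on tun0 is 203.0.113.10, the box's LAN address is 172.16.1.1 (together they stand in for the "me" keyword), and the remote peer is 198.51.100.7. Dynamic state (check-state/keep-state) is deliberately not modelled, so this shows only the static inbound path; it says nothing about the outbound loss the poster sees with tcpdump.

```python
import ipaddress

# Assumed, not in the post: ppp's address on tun0 and the LAN address (= 'me').
PUBLIC_IP = "203.0.113.10"
ME = {PUBLIC_IP, "172.16.1.1"}

NATD_CONF = """\
redirect_port udp 172.16.1.3:500 500
redirect_port udp 172.16.1.3:4500 4500
"""

# The ruleset quoted in the post, packet and byte counters stripped.
RULES = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny log ip from 172.16.1.0/24 to any in via tun0
00500 divert 8668 ip from any to any via tun0
00600 check-state
00700 allow tcp from me to any keep-state
00701 allow log ip from 172.16.1.3 to any
00702 allow log ip from any to 172.16.1.3
00800 allow ip from 172.16.1.0/24 to any keep-state
01100 allow log udp from any to 172.16.1.3 dst-port 500
01200 allow log udp from 172.16.1.3 to any dst-port 500
01300 allow log udp from any to 172.16.1.3 dst-port 4500
01400 allow log udp from 172.16.1.3 to any dst-port 4500
01500 reset log tcp from any to me dst-port 113 in via tun0
01600 allow udp from me to any dst-port 53 keep-state
01700 allow udp from 172.16.1.0/24 to any dst-port 53 keep-state
01800 allow udp from me to any dst-port 123 keep-state
01900 allow icmp from me to any
02000 allow icmp from 172.16.1.0/24 to any
02100 allow icmp from any to any in icmptypes 0,3,4,8,11,12
02200 deny log ip from any to any
65535 deny ip from any to any
"""

def parse_rule(line):
    # Parses only the subset of ipfw syntax that occurs in RULES.
    tok = line.split()
    rule = {"num": int(tok[0]), "action": tok[1]}
    if rule["action"] == "check-state":
        return rule
    i = 3 if rule["action"] == "divert" else 2        # skip the divert(4) port
    i += tok[i] == "log"                              # optional 'log' keyword
    rule["proto"], rule["src"], rule["dst"] = tok[i], tok[i + 2], tok[i + 4]
    i += 5
    while i < len(tok):
        key = tok[i]
        if key in ("in", "out"):
            rule["dir"] = key
        elif key != "keep-state":        # dst-port N / icmptypes a,b / via IF
            arg = tok[i + 1]
            rule[key] = ({int(x) for x in arg.split(",")} if key == "icmptypes"
                         else int(arg) if key == "dst-port" else arg)
            i += 1
        i += 1                           # keep-state: dynamic rules not modelled
    return rule

def parse_natd(text):
    # redirect_port lines -> {(proto, public port): (inside host, inside port)}
    table = {}
    for tok in (l.split() for l in text.splitlines()):
        if tok and tok[0] == "redirect_port":
            host, port = tok[2].split(":")
            table[(tok[1], int(tok[3]))] = (host, int(port))
    return table

def addr_match(spec, addr):
    if spec in ("any", "me"):
        return spec == "any" or addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_match(r, p):
    # Static match only: proto, addresses, dst-port, icmptypes, direction, via.
    return (r["proto"] in ("ip", p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and r.get("dst-port", p.get("dport")) == p.get("dport")
            and p.get("icmptype") in r.get("icmptypes", {p.get("icmptype")})
            and r.get("dir", p["dir"]) == p["dir"]
            and r.get("via", p["iface"]) == p["iface"])

def natd_inbound(p, table):              # natd -n tun0, inbound direction only
    hit = table.get((p["proto"], p.get("dport"))) if p["dst"] == PUBLIC_IP else None
    return p if hit is None else dict(p, dst=hit[0], dport=hit[1])

def evaluate(pkt, rules_text=RULES, natd_text=NATD_CONF, skip=()):
    """First-match walk; returns (rule number, action, packet as that rule saw it)."""
    table = parse_natd(natd_text)
    for r in (parse_rule(l) for l in rules_text.splitlines() if l.strip()):
        if r["num"] in skip or r["action"] == "check-state" or not rule_match(r, pkt):
            continue
        if r["action"] != "divert":
            return r["num"], r["action"], pkt
        # natd reinjects and ipfw resumes after the divert rule: later rules see the new dst
        pkt = natd_inbound(pkt, table)
    raise RuntimeError("fell off the ruleset; 65535 should always match")

def inbound_udp(dport, src="198.51.100.7"):
    # Constructed packet: UDP from an Internet peer to PUBLIC_IP, arriving in via tun0.
    return {"proto": "udp", "src": src, "dst": PUBLIC_IP, "dport": dport, "dir": "in", "iface": "tun0"}
```

With the rules exactly as posted, evaluate(inbound_udp(500)) stops at the debugging rule 00702 with the destination already rewritten to 172.16.1.3, so rules 01100 and 01300 are shadowed while 701/702 are in place; evaluate(inbound_udp(500), skip={701, 702}) reaches 01100, and udp/4500 reaches 01300. Passing natd_text="" (no redirect_port entries) lets the same packet fall all the way to 02200, which is the point of placing the divert at 00500: the allow rules for 172.16.1.3 are only reachable because natd has rewritten the destination before they are consulted. A packet with a spoofed 172.16.1.x source arriving on tun0 is stopped by 00400 before it ever reaches natd.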