From owner-freebsd-isp@FreeBSD.ORG Wed Sep 1 14:49:32 2004
From: freebsd-isp@chef-ingenieur.de
To: freebsd-isp@freebsd.org
Date: Wed, 1 Sep 2004 16:49:22 +0200 (CEST)
Subject: ppp + natd + forwarding udp
Message-ID: <1979.212.78.101.51.1094050162.squirrel@mta.webmatic.de>
User-Agent: SquirrelMail/1.4.2
List-Id: Internet Services Providers

Hello,

I have a FreeBSD box on a DSL line, running ppp, ipfw and natd. This has
worked fine for about a year. Now a VPN should be built, but with Cisco
equipment. The Cisco is located behind the firewall, so I have to forward
the UDP packets. But this doesn't work.

My ipfw rules:

  00100 1174 5341362 allow ip from any to any via lo0
  00200 0 0 deny ip from any to 127.0.0.0/8
  00300 0 0 deny ip from 127.0.0.0/8 to any
  00400 0 0 deny log ip from 172.16.1.0/24 to any in via tun0
  00500 15184 9946779 divert 8668 ip from any to any via tun0
  00600 0 0 check-state
  00700 12125 8358860 allow tcp from me to any keep-state
  00701 0 0 allow log ip from 172.16.1.3 to any
  00702 0 0 allow log ip from any to 172.16.1.3
  00800 13988 11016613 allow ip from 172.16.1.0/24 to any keep-state
  01100 0 0 allow log udp from any to 172.16.1.3 dst-port 500
  01200 0 0 allow log udp from 172.16.1.3 to any dst-port 500
  01300 0 0 allow log udp from any to 172.16.1.3 dst-port 4500
  01400 0 0 allow log udp from 172.16.1.3 to any dst-port 4500
  01500 2 120 reset log tcp from any to me dst-port 113 in via tun0
  01600 576 48970 allow udp from me to any dst-port 53 keep-state
  01700 0 0 allow udp from 172.16.1.0/24 to any dst-port 53 keep-state
  01800 12 912 allow udp from me to any dst-port 123 keep-state
  01900 4 148 allow icmp from me to any
  02000 0 0 allow icmp from 172.16.1.0/24 to any
  02100 3 92 allow icmp from any to any in icmptypes 0,3,4,8,11,12
  02200 1315 298371 deny log ip from any to any
  65535 0 0 deny ip from any to any

In /etc/natd.conf I have:

  redirect_port udp 172.16.1.3:500 500
  redirect_port udp 172.16.1.3:4500 4500

(The Cisco is on 172.16.1.3 and has internet access.)

natd runs with the flags "-dynamic -u -l -s -f /etc/natd.conf -n tun0".

Rules 701 and 702 are for debugging. I see the packets on the internal
interface, but not on the tun0 interface (tested with tcpdump).

Any hints would be great - I'm really helpless at the moment.

Regards,
Thomas.
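Added example, not part of the post and not code from the poster or from FreeBSD: a small first-match simulator for the `ipfw -a list` dump above. It parses each line into rule number, packet counter and match fields, and walks the list the way ipfw does, with one extra step that matters for natd setups: a `divert` rule hands the packet to a translation function and evaluation resumes at the next rule with the rewritten addresses, so a packet is matched against the rules once before and once after translation. Dynamic rules are modelled as an empty state table (`check-state` never matches), so keep-state behaviour is not represented; the trace shows only what the static rule order implies. The box's public address (198.51.100.10), its LAN address (172.16.1.1), the LAN interface name (fxp0) and the remote VPN peer (203.0.113.7) are assumptions the post does not give; the redirects are the two `redirect_port` lines from natd.conf.

```python
import ipaddress
from collections import namedtuple
from types import SimpleNamespace

# The rule dump from the post, one `ipfw -a list` line per rule (copied, not live output).
IPFW_LIST = """\
00100 1174 5341362 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny log ip from 172.16.1.0/24 to any in via tun0
00500 15184 9946779 divert 8668 ip from any to any via tun0
00600 0 0 check-state
00700 12125 8358860 allow tcp from me to any keep-state
00701 0 0 allow log ip from 172.16.1.3 to any
00702 0 0 allow log ip from any to 172.16.1.3
00800 13988 11016613 allow ip from 172.16.1.0/24 to any keep-state
01100 0 0 allow log udp from any to 172.16.1.3 dst-port 500
01200 0 0 allow log udp from 172.16.1.3 to any dst-port 500
01300 0 0 allow log udp from any to 172.16.1.3 dst-port 4500
01400 0 0 allow log udp from 172.16.1.3 to any dst-port 4500
01500 2 120 reset log tcp from any to me dst-port 113 in via tun0
01600 576 48970 allow udp from me to any dst-port 53 keep-state
01700 0 0 allow udp from 172.16.1.0/24 to any dst-port 53 keep-state
01800 12 912 allow udp from me to any dst-port 123 keep-state
01900 4 148 allow icmp from me to any
02000 0 0 allow icmp from 172.16.1.0/24 to any
02100 3 92 allow icmp from any to any in icmptypes 0,3,4,8,11,12
02200 1315 298371 deny log ip from any to any
65535 0 0 deny ip from any to any
"""
# Assumed values the post does not give: the box's public address on tun0, its LAN address
# and LAN interface name. The redirects are the two redirect_port lines from natd.conf.
PUBLIC_ADDR, LAN_ADDR, LAN_IFACE = "198.51.100.10", "172.16.1.1", "fxp0"
LAN_NET = ipaddress.ip_network("172.16.1.0/24")
REDIRECTS = {500: "172.16.1.3", 4500: "172.16.1.3"}
Packet = namedtuple("Packet", "proto src dst dport direction iface")  # direction "in"/"out"

def parse_rule(line):
    """One `ipfw -a list` line: number, packet count, byte count, then the rule body."""
    num, pkts, _bytes, action, *toks = line.split()
    rule = SimpleNamespace(number=int(num), pkts=int(pkts), action=action, proto="ip",
                           src="any", dst="any", dports=None, direction=None, iface=None)
    if action == "check-state":
        return rule
    toks = toks[(action == "divert"):]        # divert's socket port is not a match field
    toks = toks[(toks[0] == "log"):]          # log is a flag, not a match field
    rule.proto, rule.src, rule.dst = toks[0], toks[2], toks[4]   # "<proto> from <src> to <dst>"
    i = 5
    while i < len(toks):                      # trailing options
        if toks[i] == "dst-port":
            rule.dports = {int(p) for p in toks[i + 1].split(",")}
        elif toks[i] in ("in", "out"):
            rule.direction = toks[i]
        elif toks[i] == "via":
            rule.iface = toks[i + 1]
        i += 2 if toks[i] in ("dst-port", "via", "icmptypes") else 1
    return rule

def parse_list(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def addr_matches(spec, addr):
    if spec == "me":                          # addresses configured on the box
        return addr in (PUBLIC_ADDR, LAN_ADDR)
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    if rule.action == "check-state":          # modelled as an empty dynamic-state table
        return False
    return (rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)
            and (rule.dports is None or pkt.dport in rule.dports)
            and rule.direction in (None, pkt.direction) and rule.iface in (None, pkt.iface))

def natd(pkt):
    """Masquerade LAN sources going out; apply redirect_port to UDP arriving at the public address."""
    if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in LAN_NET:
        return pkt._replace(src=PUBLIC_ADDR)
    if pkt.direction == "in" and pkt.dst == PUBLIC_ADDR and pkt.proto == "udp":
        return pkt._replace(dst=REDIRECTS.get(pkt.dport, pkt.dst))
    return pkt

def trace(rules, pkt, nat=natd):
    """Rules hit in order; a divert hands the packet to `nat` and evaluation resumes at the next rule."""
    hits = []
    for rule in rules:
        if rule_matches(rule, pkt):
            hits.append(rule)
            if rule.action != "divert":
                break
            pkt = nat(pkt)
    return hits

def ike_legs(rules, peer="203.0.113.7"):
    """Three legs of an IKE (UDP 500) packet (peer constructed): leg -> [(rule, action, counter)]."""
    legs = {"cisco->peer on LAN": Packet("udp", "172.16.1.3", peer, 500, "in", LAN_IFACE),
            "cisco->peer on tun0": Packet("udp", "172.16.1.3", peer, 500, "out", "tun0"),
            "peer->cisco on tun0": Packet("udp", peer, PUBLIC_ADDR, 500, "in", "tun0")}
    return {name: [(r.number, r.action, r.pkts) for r in trace(rules, p)] for name, p in legs.items()}

if __name__ == "__main__":
    for leg, hits in ike_legs(parse_list(IPFW_LIST)).items():
        print(leg, " -> ".join(f"{n:05d} {a} (counter {c})" for n, a, c in hits))
```

Running it prints, for each leg, the rules hit together with the packet counter the dump shows for them, which is the comparison worth making when a rule's counter stays at zero: the LAN-side leg is matched by rule 701 before any of the 500/4500 rules are reached, and on tun0 the packet is only seen again after the divert, with translated addresses, so rules written in terms of 172.16.1.3 cannot match it there. Whether that explains the symptom in the post depends on the dynamic state that the model leaves out, so treat the trace as a way to check rule ordering against the counters, not as a verdict.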