From: Robert Heron <robert@heron.pl>
To: Eugene Grosbein
Cc: freebsd-net@freebsd.org
Subject: Re: FreeBSD Port: mpd5-5.8_10 - only one client behind NAT can work simultaneously
Date: Sun, 19 May 2019 13:41:50 +0200
Message-Id: <637DBA48-68C2-4665-8C7C-D011E46B7E8F@heron.pl>
In-Reply-To: <0fe5932b-f15b-091b-705b-26af29de0f35@grosbein.net>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

> On 18 May 2019, at 22:10, Eugene Grosbein wrote:
>
> 19.05.2019 0:31, Robert Heron wrote:
>
>> I use mpd5 from ports on FreeBSD 11.2-RELEASE-p10 amd64 and there is one serious problem I can't solve: when connecting clients from behind NAT (with the same public IP) to an mpd5 box, every newly established connection causes the previous one (from the same source IP) to go dead. All IP traffic through the previous connection stops, but its ng interface still exists. This happens regardless of the cryptography used. I've tried both PPTP and L2TP over IPSec PSK (with racoon). When one client connects, it works OK. When any second one from the same public IP connects, the previous one's IP traffic dies. My firewall is open.
>> I've searched the net, but found no clue :(
>
> If you use PPtP and no IPSEC, then you use PPtPGRE - that is, a modified version of the GRE protocol.
> Your NAT box must support multiple PPtPGRE connections for this to work.
> If you use another FreeBSD as the NAT box, it has support for multiple PPtP connections
> by means of ipfw nat if you load the alias_pptp.ko kernel module.
> If your NAT box has no support for aliasing multiple PPtP clients, you are out of luck
> and need to change the NAT box or switch to another protocol.
>
> As for L2TP without IPSEC, you can use PPP/MPPE inside L2TP to encapsulate the VPN into a UDP stream,
> and then it will pass through any NAT box without extra protocol support.
>
> I do not know if it is possible to run multiple L2TP/IPSEC clients behind the same NAT box.
>
> Anyway, this is not a problem of mpd5 but of the NAT box or IPSEC.
>

I use FreeBSD 12.0 ARM as a NAT box, and adding alias_pptp.ko fixed the problem for PPTP. Now PPTP works OK for multiple connections :)
Multiple L2TP over IPSec connections still don't work, but I think it's a problem in my NAT box. I will try some commercial NAT router(s) with a VPN pass-through feature.
Many thanks for help!
— Robert
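The fix the thread arrives at (load alias_pptp on the FreeBSD NAT box so ipfw nat can track several PPTP/GRE sessions to the same server from one public address) as a worked example. This script is added here and is not code from the thread, from mpd5 or from FreeBSD; the outside interface name "re0" and NAT instance number 1 are assumptions and must be adjusted for the real box. The rule generation and the kldstat check are plain string functions so they can be reviewed or tested on any POSIX shell; only the "apply" mode needs a FreeBSD host with root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Configure FreeBSD ipfw nat so that multiple PPTP clients behind this box can
# reach the same PPTP server. Without alias_pptp, libalias rewrites GRE without
# tracking PPTP call IDs, so each new client steals the previous client's session.
set -eu

WAN_IF="re0"   # assumption: outside interface; change to the real one
NAT_ID=1       # assumption: an unused ipfw nat instance number

# alias_pptp_loaded: read kldstat(8) output on stdin, succeed if alias_pptp.ko
# is among the loaded modules. Input-driven so it can be checked off-box.
alias_pptp_loaded() {
    grep -q '[[:space:]]alias_pptp\.ko$'
}

# pptp_nat_rules: print the ipfw commands as text, one per line, so they can
# be inspected (or asserted on) before anything touches the kernel.
#  - same_ports keeps source ports where possible, reset flushes the table on
#    address change; both are standard ipfw nat options.
#  - rule 100 passes every IPv4 packet on the outside interface through the
#    NAT instance; rule 200 is the "open firewall" the poster described.
pptp_nat_rules() {
    cat <<EOF
ipfw nat ${NAT_ID} config if ${WAN_IF} same_ports reset
ipfw add 100 nat ${NAT_ID} ip4 from any to any via ${WAN_IF}
ipfw add 200 allow ip from any to any
EOF
}

# apply: only meaningful on FreeBSD as root. Loads alias_pptp (it pulls in
# libalias itself) if kldstat does not list it, then installs the rules.
# To make the module survive a reboot add  alias_pptp_load="YES"  to
# /boot/loader.conf.
apply() {
    if ! kldstat | alias_pptp_loaded; then
        kldload alias_pptp
    fi
    pptp_nat_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

case "${1:-show}" in
    apply) apply ;;
    *)     pptp_nat_rules ;;   # default: just print what would be applied
esac
```

Run it without arguments to review the generated ruleset; run `sh script.sh apply` as root on the NAT box to load the module and install the rules. The PPTP aliasing only helps the GRE side of PPTP; the L2TP/IPsec case the poster still had trouble with is not addressed by this module.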