From owner-freebsd-questions@FreeBSD.ORG Mon Jan 22 09:00:10 2007
From: Paul Procacci
To: freebsd-questions@freebsd.org
Date: Mon, 22 Jan 2007 01:31:15 -0600
Message-ID: <20070122073115.GA1169@datapipe.com>
Subject: Problem with Nat (port forwarding)

Hey all,

I've been spending hours trying to figure out why my machine at the office (Linux) cannot connect to my FreeBSD (6.1) machine behind my NAT'ed gateway. This was working fine previously before my Linksys router decided to take a nose dive, so I am sure the Linux box that is attempting to establish the connection is configured fine.
When the router crapped out, I decided to put all that old hardware I wasn't using for anything to good use. What I ended up with is a Pentium 3 200MHz machine with several network interfaces connected to my Internet provider (BellSouth). In order to continue working from home, it's necessary that I get this tunnel up and running, and for the life of me, I can't seem to figure out what exactly I'm doing wrong. Here is my current configuration:

Gateway (FBSD 6.2) - IPFW / NATD
-------------------------------------

PPPoE Configuration for DSL (Works fine)
------------------
nat# cat /etc/ppp/ppp.conf
default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 set device PPPoE:xl0:pppoe-in
 enable lqr echo
 set cd 5
 set dial
 set login
 set authname "username"
 set authkey "pass"
 set redial 0 0
 enable dns
 set ifaddr 0.0.0.0/0 0.0.0.0/0 255.255.255.0 0.0.0.0
 add default HISADDR

The above creates the following device without problems:
-----------------------
tun0: flags=8051 mtu 1492
        inet xx.xx.xx.xx --> xx.xx.xx.xx netmask 0xffffff00
        Opened by PID 492

Natd configuration (Works fine w/ the exception of port forwarding)
------------------------------
natd_enable="YES"
natd_flags="-dynamic -m -redirect_port tcp 10.5.21.246:5000 5000"
natd_interface="tun0"

IPFW RULES (works fine)
------------------------------------------
nat# ipfw show
00001     0       0 allow ip from any to any via lo0
00002     0       0 deny ip from any to 127.0.0.0/8
00003     0       0 deny ip from 127.0.0.0/8 to any
00050     6     444 allow ip from any to any via xl0
00051 10646 2950467 allow ip from any to any via fxp0
00052  1212  101901 allow ip from any to any via dc0
00053   534  261533 allow ip from any to any via rl0
00100  4316 2156348 divert 8668 ip from any to any in via tun0
00101     0       0 check-state
00150  1121  332120 skipto 500 udp from any to any out via tun0 keep-state
00160  5795 2319421 skipto 500 tcp from any to any out via tun0 setup keep-state
00170    91    8551 skipto 500 icmp from any to any out via tun0 keep-state
00180  1013   87013 skipto 500 gre from any to any out via tun0 keep-state
00301   941   57268 allow tcp from any to 10.5.21.246 dst-port 5000 in via tun0 setup keep-state
00400   264   19399 deny log ip from any to any
00500  4182  622757 divert 8668 ip from any to any out via tun0
00501  8020 2747105 allow ip from any to any
65535    44    4726 allow ip from any to any

Do note, the host running the vtund application that I'm concerned with lives behind the fxp0 interface. In addition, rule number 00301 triggers appropriately when a packet destined for port 5000 is inbound. /var/log/security makes no mention of anything being denied by this firewall ruleset destined for or originating from port 5000 by any host. This is certainly the case, as the host where vtund is running is receiving packets from the gateway on port 5000 (info showing this follows). I also see the vtund box responding to the inbound packets, but it never creates the tunnel device as it should, and nothing gets logged.

VTUND HOST
------------------------------------------

IPFW RULES (NONE)
-----------------------------

NETSTAT
-----------------------------
nat# netstat -nat | fgrep 5000
tcp4       0      0  *.5000                 *.*                    LISTEN

IS IT LISTENING??? -- YES
-----------------------------
nat# telnet 10.5.21.246 5000
Trying 10.5.21.246...
Connected to work_machine.
Escape character is '^]'.
VTUN server ver 12/20/2006

TCPDUMP from destination machine (Packets are making it this far)
-----------------------------
fileserv# tcpdump -i em0 port 5000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 68 bytes
01:18:16.831396 IP 10.5.21.246.commplex-main > .20342: S 2762324279:2762324279(0) ack 1110928859 win 65535
01:18:19.846872 IP .20342 > 10.5.21.246.commplex-main: S 1110928858:1110928858(0) win 5840
01:18:19.846894 IP 10.5.21.246.commplex-main > .20342: S 2762324279:2762324279(0) ack 1110928859 win 65535
01:18:25.876180 IP 10.5.21.246.commplex-main > .20342: S 2762324279:2762324279(0) ack 1110928859 win 65535
01:18:31.912374 IP .20342 > 10.5.21.246.commplex-main: S 1110928858:1110928858(0) win 5840
01:18:31.912406 IP 10.5.21.246.commplex-main > .20342: S 2762324279:2762324279(0) ack 1110928859 win 65535
01:18:43.971794 IP 10.5.21.246.commplex-main > .20342: S 2762324279:2762324279(0) ack 1110928859 win 65535
01:18:46.024173 IP .20373 > 10.5.21.246.commplex-main: S 1145016457:1145016457(0) win 5840
01:18:46.024208 IP 10.5.21.246.commplex-main > .20373: S 2258110650:2258110650(0) ack 1145016458 win 65535
01:18:47.821762 IP .20232 > 10.5.21.246.commplex-main: . ack 0 win 0
01:18:47.821788 IP 10.5.21.246.commplex-main > .20232: R 0:0(0) win 0
01:18:49.038886 IP 10.5.21.246.commplex-main > .20373: S 2258110650:2258110650(0) ack 1145016458 win 65535
01:18:49.038942 IP .20373 > 10.5.21.246.commplex-main: S 1145016457:1145016457(0) win 5840
01:18:49.038959 IP 10.5.21.246.commplex-main > .20373: S 2258110650:2258110650(0) ack 1145016458 win 65535
.....
.....
TCPDUMP on the internal NIC (gateway - fxp0)
-----------------------------
nat# tcpdump -i fxp0 port 5000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 68 bytes
01:25:36.734256 IP work_machine.commplex-main > .20488: S 3180151438:3180151438(0) ack 332523228 win 65535
01:25:36.735776 IP .20488 > work_machine.commplex-main: S 332523227:332523227(0) win 5840
01:25:36.735984 IP work_machine.commplex-main > .20488: S 3180151438:3180151438(0) ack 332523228 win 65535
01:25:37.202142 IP .20406 > work_machine.commplex-main: . ack 0 win 0
01:25:37.202299 IP work_machine.commplex-main > .20406: R 0:0(0) win 0
01:25:50.744236 IP .20500 > work_machine.commplex-main: S 1092281427:1092281427(0) win 5840
01:25:50.744460 IP work_machine.commplex-main > .20500: S 2038175112:2038175112(0) ack 1092281428 win 65535
.....
.....

TCPDUMP on the external NIC (gateway - tun0)
-----------------------------
nat# tcpdump -i tun0 host
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 68 bytes
01:28:10.872333 IP .20533 > adsl-241-161-118.bna.bellsouth.net.commplex-main: S 2029663877:2029663877(0) win 5840
01:28:10.872786 IP work_machine.commplex-main > .20533: S 1854728145:1854728145(0) ack 2029663878 win 65535
01:28:12.185971 IP work_machine.commplex-main > .20428: . ack 618288056 win 0
01:28:12.186129 IP work_machine.commplex-main > .20428: R 0:0(0) win 0
01:28:13.869476 IP .20533 > adsl-241-161-118.bna.bellsouth.net.commplex-main: S 2029663877:2029663877(0) win 5840
01:28:13.869843 IP work_machine.commplex-main > .20533: S 1854728145:1854728145(0) ack 2029663878 win 65535
01:28:16.869646 IP work_machine.commplex-main > .20533: S 1854728145:1854728145(0) ack 2029663878 win 65535
.....
.....

If anyone has any ideas, I'd much appreciate it. Thanks!
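Added example, not part of the post above. The tun0 capture shows the office host's SYN addressed to the public name (adsl-241-161-118.bna.bellsouth.net) while every SYN-ACK leaves tun0 with work_machine, the private host, as its source: the reply is not being translated back by natd, so the office host never sees an answer it can match and keeps retransmitting. The script below parses tcpdump lines in the format the post shows and flags flows where the SYN-ACK source on the external interface differs from the address the SYN was sent to. The sample lines are constructed to mirror the post's captures; the office host name is a placeholder ("office-host") because the post redacts it, and "work_machine" stands for 10.5.21.246 as in the post's fxp0 capture.

```python
"""Detect NAT replies that leave the external interface untranslated.

Pair each inbound SYN on the external interface with the SYN-ACK sent
back to the same client address/port.  If the SYN went to the public
address but the SYN-ACK is sourced from some other (private) address,
the reply bypassed the outbound divert to natd.
"""
import re
from collections import defaultdict

# tcpdump 3.x style line: "<ts> IP <src>.<sport> > <dst>.<dport>: <flags> <rest>"
# Host names contain dots, so src/dst are matched non-greedily and the port is
# whatever follows the last dot before " > " or ": ".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>.+?)\.(?P<sport>[^.\s]+) > "
    r"(?P<dst>.+?)\.(?P<dport>[^.\s]+): (?P<flags>[SRPFWE.]+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not a TCP packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # A SYN-ACK prints as flag S with an " ack N" field; a bare SYN has none.
    d["is_synack"] = "S" in d["flags"] and " ack " in d["rest"]
    d["is_syn"] = "S" in d["flags"] and not d["is_synack"]
    return d


def find_untranslated_replies(lines):
    """Return flows whose SYN-ACK source differs from the SYN's destination."""
    syn_to = {}                      # (client, cport) -> address the SYN was sent to
    synack_from = {}                 # (client, cport) -> address the SYN-ACK came from
    syn_count = defaultdict(int)
    synack_count = defaultdict(int)
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["is_syn"]:
            key = (p["src"], p["sport"])
            syn_to.setdefault(key, p["dst"])
            syn_count[key] += 1
        elif p["is_synack"]:
            key = (p["dst"], p["dport"])
            synack_from.setdefault(key, p["src"])
            synack_count[key] += 1
    findings = []
    for key, dst in syn_to.items():
        src = synack_from.get(key)
        if src is not None and src != dst:
            findings.append({
                "client": "%s.%s" % key,
                "syn_to": dst,
                "synack_from": src,
                "syn_retries": syn_count[key],
                "synack_retries": synack_count[key],
            })
    return findings


# Constructed sample in the shape of the post's tun0 capture (office host
# name is a placeholder; the post redacts it).
TUN0_SAMPLE = """\
01:28:10.872333 IP office-host.20533 > adsl-241-161-118.bna.bellsouth.net.commplex-main: S 2029663877:2029663877(0) win 5840
01:28:10.872786 IP work_machine.commplex-main > office-host.20533: S 1854728145:1854728145(0) ack 2029663878 win 65535
01:28:12.185971 IP work_machine.commplex-main > office-host.20428: . ack 618288056 win 0
01:28:12.186129 IP work_machine.commplex-main > office-host.20428: R 0:0(0) win 0
01:28:13.869476 IP office-host.20533 > adsl-241-161-118.bna.bellsouth.net.commplex-main: S 2029663877:2029663877(0) win 5840
01:28:13.869843 IP work_machine.commplex-main > office-host.20533: S 1854728145:1854728145(0) ack 2029663878 win 65535
01:28:16.869646 IP work_machine.commplex-main > office-host.20533: S 1854728145:1854728145(0) ack 2029663878 win 65535
""".splitlines()

# Constructed sample in the shape of the post's fxp0 capture: on the inside
# the SYN is addressed to work_machine and the SYN-ACK comes from it, so
# nothing is flagged there.
FXP0_SAMPLE = """\
01:25:36.734256 IP work_machine.commplex-main > office-host.20488: S 3180151438:3180151438(0) ack 332523228 win 65535
01:25:36.735776 IP office-host.20488 > work_machine.commplex-main: S 332523227:332523227(0) win 5840
01:25:36.735984 IP work_machine.commplex-main > office-host.20488: S 3180151438:3180151438(0) ack 332523228 win 65535
""".splitlines()


if __name__ == "__main__":
    for name, sample in (("tun0", TUN0_SAMPLE), ("fxp0", FXP0_SAMPLE)):
        for f in find_untranslated_replies(sample) or [None]:
            print(name, "OK, replies translated" if f is None else f)
```

To run it against a live capture, feed `tcpdump -n -i tun0 port 5000` output to `find_untranslated_replies` line by line; use `-n` so the comparison is on addresses rather than resolved names. Read against the posted ruleset, one cause consistent with this symptom is that rule 00301 keeps state for the inbound connection after it has already been de-NATed by rule 00100, so the SYN-ACK from 10.5.21.246 matches check-state at rule 00101 and is allowed out before it ever reaches the outbound divert at rule 00500; whether that is the case here is for the poster to confirm, but the check above tells you immediately whether the reply is being translated.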