From: David Scheidt <dscheidt@panix.com>
To: freebsd-questions@freebsd.org
Date: Sun, 27 Nov 2005 23:32:31 -0500
Subject: OpenVPN routing problems.
Message-ID: <20051128043231.GA21902@panix.com>

I'm trying to set up an OpenVPN tunnel, from a remote (Win XP) machine to my local network. I've got that working, except for one problem. When I start the OpenVPN server, my FreeBSD router/firewall/ipnat/OpenVPN machine stops routing packets to the outside world. The machine is running 6.0-STABLE from about a week ago:

FreeBSD tor 6.0-STABLE FreeBSD 6.0-STABLE #1: Mon Nov 21 23:06:14 EST 2005 root@tor:/usr/obj/usr/src/sys/TOR i386

though I built world before the new kernel, and it's a slow machine, so sources are at least 16 hours older than that.

It's a pretty un-complicated network: the router has two NICs, rl0 is the real world, rl1 is the private network. Ipfilter has this rule set (10.10.10.169 is the (munged) public IP address, 172.21.172.0/24 is the private LAN, and 172.21.173.0/24 is the VPN subnet):

block in log first quick on rl0 from 192.168.0.0/16 to any
block in log first quick on rl0 from 172.16.0.0/12 to any
block in log first quick on rl0 from 127.0.0.0/8 to any
block in log first quick on rl0 from 0.0.0.0/8 to any
block in log first quick on rl0 from 169.254.0.0/16 to any
block in log first quick on rl0 from 192.0.2.0/24 to any
block in log first quick on rl0 from 204.152.64.0/23 to any
block in log first quick on rl0 from 224.0.0.0/3 to any
block in log first quick on rl0 from 10.0.0.0/8 to any
block in log first on rl0 from any to any
pass in quick on tun0
pass out quick on tun0
pass in quick on rl0 proto tcp from any to 10.10.10.169/32 port = 22 flags S keep state
pass in quick on rl0 proto udp from any to 10.10.10.169/32 port = 1194 keep state
pass out quick on rl0 proto tcp from 172.21.172.0/24 to any flags S keep state
pass out quick on rl0 proto udp from 172.21.172.0/24 to any keep state
pass out quick on rl0 proto icmp from 172.21.172.0/24 to any keep state
pass out quick on rl0 proto tcp from 10.10.10.169/32 to any flags keep state
pass out quick on rl0 proto udp from 10.10.10.169/32 to any keep state
pass out quick on rl0 proto icmp from 10.10.10.169/32 to any keep state

ipnat has one rule:

map rl0 172.21.172.0/24 -> 0/32 portmap tcp/udp auto

The output of netstat -rn before starting the OpenVPN server:

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.10.10.129       UGS         0     4399    rl0
127.0.0.1          127.0.0.1          UH          0       88    lo0
10.10.10.128/26    link#1             UC          0        0    rl0
10.10.10.129       00:09:e9:b5:2f:fc  UHLW        2        0    rl0   1160
172.21.172/24      link#2             UC          0        0    rl1
172.21.172.5       00:30:c1:0e:14:8f  UHLW        1        1    rl1    781
172.21.172.8       00:0d:88:c9:d2:99  UHLW        1      167    rl1    366
172.21.172.9       00:11:24:bc:d1:cd  UHLW        1      965    rl1    657
172.21.172.100     00:11:24:9f:2d:dd  UHLW        1     1245    rl1    705

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
fe80::%rl0/64                     link#1                        UC          rl0
fe80::211:95ff:fe1c:2992%rl0      00:11:95:1c:29:92             UHL         lo0
fe80::%rl1/64                     link#2                        UC          rl1
fe80::250:baff:fed1:8d6c%rl1      00:50:ba:d1:8d:6c             UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#4                        UHL         lo0
ff01:1::/32                       link#1                        UC          rl0
ff01:2::/32                       link#2                        UC          rl1
ff01:4::/32                       ::1                           UC          lo0
ff02::%rl0/32                     link#1                        UC          rl0
ff02::%rl1/32                     link#2                        UC          rl1
ff02::%lo0/32                     ::1                           UC          lo0

The output of netstat -rn after starting OpenVPN:

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.10.10.129       UGS         0     6544    rl0
127.0.0.1          127.0.0.1          UH          0      128    lo0
10.10.10.128/26    link#1             UC          0        0    rl0
10.10.10.129       00:09:e9:b5:2f:fc  UHLW        2        0    rl0   1134
172.21.172/24      link#2             UC          0        0    rl1
172.21.172.5       00:30:c1:0e:14:8f  UHLW        1        1    rl1    199
172.21.172.8       00:0d:88:c9:d2:99  UHLW        1       75    rl1   1164
172.21.172.9       00:11:24:bc:d1:cd  UHLW        1      977    rl1     75
172.21.172.100     00:11:24:9f:2d:dd  UHLW        1     2145    rl1    123
172.21.173/24      172.21.173.2       UGS         0       57   tun0
172.21.173.2       172.21.173.1       UH          1        0   tun0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
fe80::%rl0/64                     link#1                        UC          rl0
fe80::211:95ff:fe1c:2992%rl0      00:11:95:1c:29:92             UHL         lo0
fe80::%rl1/64                     link#2                        UC          rl1
fe80::250:baff:fed1:8d6c%rl1      00:50:ba:d1:8d:6c             UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#4                        UHL         lo0
fe80::%tun0/64                    link#5                        UC          tun0
fe80::211:95ff:fe1c:2992%tun0     link#5                        UHL         lo0
ff01:1::/32                       link#1                        UC          rl0
ff01:2::/32                       link#2                        UC          rl1
ff01:4::/32                       ::1                           UC          lo0
ff01:5::/32                       link#5                        UC          tun0
ff02::%rl0/32                     link#1                        UC          rl0
ff02::%rl1/32                     link#2                        UC          rl1
ff02::%lo0/32                     ::1                           UC          lo0
ff02::%tun0/32                    link#5                        UC          tun0

Again, what happens is the FreeBSD machine stops forwarding packets from the 172.21.172/24 machines. It can talk to the world, the private LAN, and the VPN client. The private LAN can talk to the router, and to the VPN client. And I can't get it to restart. Deleting routes and adding them back doesn't work. net.inet.ip.forwarding is still 1. The only way I can get it to start working again is reboot the machine. I'm stuck, I think.

David
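The post compares two netstat -rn captures by eye to see what OpenVPN changed. The script below is an added example (not code from the poster or from OpenVPN): it parses the IPv4 section of FreeBSD-style netstat -rn output and reports routes that were added, removed, or changed (gateway, flags or interface), ignoring the Refs/Use/Expire counters that differ between any two captures. The embedded BEFORE/AFTER samples are abridged, constructed copies of the two tables in the post; the function names are this example's own. Run on those samples it shows that the default route and the rl0/rl1 routes are untouched and only the two tun0 routes are new, which is what the post's tables say and which is why the routing table alone does not explain the lost forwarding.

```python
"""Diff the IPv4 routing table between two `netstat -rn` captures (FreeBSD layout).

Added example for the thread above; not the poster's code. Sample inputs are
constructed, abridged copies of the two tables in the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str
    gateway: str
    flags: str
    netif: str


def parse_inet4_routes(netstat_output: str) -> dict:
    """Return {destination: Route} for the 'Internet:' section only.

    FreeBSD columns are: Destination Gateway Flags Refs Use Netif Expire.
    Expire is optional, so Netif is read as the sixth column, not the last.
    """
    routes = {}
    in_section = False
    for raw in netstat_output.splitlines():
        line = raw.strip()
        if line == "Internet:":
            in_section = True
            continue
        if line.startswith("Internet6:"):
            break  # IPv6 table has a different column layout; stop here
        if not in_section or not line or line.startswith("Destination"):
            continue
        cols = line.split()
        if len(cols) < 6:
            continue  # not a route row
        dest, gw, flags, _refs, _use, netif = cols[:6]
        routes[dest] = Route(dest, gw, flags, netif)
    return routes


def diff_routes(before: dict, after: dict) -> dict:
    """Classify routes as added, removed, or changed (gateway/flags/netif differ).

    Refs/Use/Expire are deliberately not compared: they move on every capture
    and carry no routing information.
    """
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(d for d in common if before[d] != after[d]),
    }


def default_route_intact(before: dict, after: dict) -> bool:
    """True when the default route still has the same gateway, flags and interface."""
    return "default" in before and before["default"] == after.get("default")


# Constructed, abridged copies of the two tables in the post.
BEFORE = """Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.10.10.129       UGS         0     4399    rl0
127.0.0.1          127.0.0.1          UH          0       88    lo0
10.10.10.128/26    link#1             UC          0        0    rl0
10.10.10.129       00:09:e9:b5:2f:fc  UHLW        2        0    rl0   1160
172.21.172/24      link#2             UC          0        0    rl1
172.21.172.5       00:30:c1:0e:14:8f  UHLW        1        1    rl1    781

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
"""

AFTER = """Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.10.10.129       UGS         0     6544    rl0
127.0.0.1          127.0.0.1          UH          0      128    lo0
10.10.10.128/26    link#1             UC          0        0    rl0
10.10.10.129       00:09:e9:b5:2f:fc  UHLW        2        0    rl0   1134
172.21.172/24      link#2             UC          0        0    rl1
172.21.172.5       00:30:c1:0e:14:8f  UHLW        1        1    rl1    199
172.21.173/24      172.21.173.2       UGS         0       57   tun0
172.21.173.2       172.21.173.1       UH          1        0   tun0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
fe80::%tun0/64                    link#5                        UC          tun0
"""


def summarize(before_text: str, after_text: str) -> dict:
    """Parse both captures and return the diff plus a default-route check."""
    before = parse_inet4_routes(before_text)
    after = parse_inet4_routes(after_text)
    result = diff_routes(before, after)
    result["default_intact"] = default_route_intact(before, after)
    return result


if __name__ == "__main__":
    for key, value in summarize(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

On a live box the two captures would come from `netstat -rn > before.txt` and `netstat -rn > after.txt` around the OpenVPN start; feeding those files to summarize() gives the same added/removed/changed lists. Because the parser stops at "Internet6:", the IPv6 link-local and multicast routes that tun0 also adds are not part of the diff; extend the parser if those matter.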