From: Mario Lobo <lobo@bsd.com.br>
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Date: Sat, 10 Sep 2011 10:42:53 -0300
Subject: Re: VPN problem
Message-Id: <201109101042.53575.lobo@bsd.com.br>

On Saturday 10 September 2011 02:45:38 Daniel Hartmeier wrote:

> On Fri, Sep 09, 2011 at 04:46:15PM -0300, Mario Lobo wrote:
>
> More details in an old thread
> http://lists.freebsd.org/pipermail/freebsd-pf/2006-November/002834.html
>
> If this is not the problem, you'll have to provide more details, like
> tcpdump on the pf NAT box (on both external and internal interfaces)
> while trying to establish a connection, run pfctl -vvss, pfctl -si
> before and after, use 'set debug misc' and watch /var/log/messages, etc.

Daniel;

I put set debug misc on pf.conf. As soon as I made my first attempt to connect, I got this:

Sep 10 10:27:16 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:27:49 lobos last message repeated 83 times
Sep 10 10:28:59 lobos last message repeated 283 times
Sep 10 10:28:59 lobos kernel: pf: NAT proxy port allocation (1024-65535) failed
Sep 10 10:29:00 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:29:15 lobos last message repeated 22 times
Sep 10 10:29:15 lobos kernel: pf: loose state match: TCP 174.122.209.54:110 174.122.209.54:110 10.10.10.2:20941 [lo=2747216958 high=2747223832 win=4105 modulator=0 wscale=4] [lo=2628859950 high=2628925592 win=54 mod
Sep 10 10:29:15 lobos kernel: pf: loose state match: TCP 10.10.10.2:20941 177.17.68.103:27334 174.122.209.54:110 [lo=2747216958 high=2747223832 win=4105 modulator=0 wscale=4] [lo=2628859950 high=2628925592 win=54 mo
Sep 10 10:29:15 lobos kernel: pf: loose state match: TCP 10.10.10.2:20941 177.17.68.103:27334 174.122.209.54:110 [lo=2747216958 high=2747223832 win=4105 modulator=0 wscale=4] [lo=2628859950 high=2628925592 win=54 mo
Sep 10 10:29:16 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:29:47 lobos last message repeated 71 times
Sep 10 10:30:02 lobos last message repeated 114 times

I had

nat on $ext_if from any to any -> ($ext_if) port 1024:65535

replaced with

nat on $ext_if from any to any -> ($ext_if)

tried to connect again and got:

Sep 10 10:30:02 lobos kernel: pf: NAT proxy port allocation (50001-65535) failed
Sep 10 10:30:02 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:30:33 lobos last message repeated 373 times
Sep 10 10:31:36 lobos last message repeated 559 times
Sep 10 10:31:36 lobos kernel: pf: loose state match: TCP 10.10.10.2:13369 177.17.68.103:51153 189.17.94.162:1723 [lo=3293828711 high=3293894229 win=65535 modulator=0] [lo=4058414752 high=4058480270 win=65535 modulat
Sep 10 10:31:36 lobos kernel: pf: loose state match: TCP 189.17.94.162:1723 189.17.94.162:1723 10.10.10.2:13369 [lo=3293828711 high=3293894229 win=65535 modulator=0] [lo=4058414752 high=4058480270 win=65535 modulato
Sep 10 10:31:36 lobos kernel: pf: loose state match: TCP 189.17.94.162:1723 189.17.94.162:1723 10.10.10.2:13369 [lo=3293828711 high=3293894229 win=65535 modulator=0] [lo=4058414752 high=4058480270 win=65535 modulato
Sep 10 10:31:37 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:32:08 lobos last message repeated 227 times

Both attempts failed. Can you make something out of this?

-- 
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!]
(99% winblows FREE)
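As an added example that is not part of this thread: a small Python triage helper for the 'set debug misc' output quoted in the mail. It folds syslog's "last message repeated N times" lines back into per-event counts, so the hundreds of pf_map_addr selections around each "NAT proxy port allocation ... failed" line can be read at a glance; the sample lines are constructed from the messages above with the state details shortened.

```python
import re
from collections import Counter

# Constructed sample in the format of the 'set debug misc' lines quoted in the
# mail (addresses from the thread, state details shortened).
SAMPLE_LOG = """\
Sep 10 10:27:16 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:27:49 lobos last message repeated 83 times
Sep 10 10:28:59 lobos kernel: pf: NAT proxy port allocation (1024-65535) failed
Sep 10 10:29:00 lobos kernel: pf_map_addr: selected address 177.17.68.103
Sep 10 10:29:15 lobos last message repeated 22 times
Sep 10 10:29:15 lobos kernel: pf: loose state match: TCP 10.10.10.2:20941 177.17.68.103:27334 174.122.209.54:110 [lo=1 high=2]
Sep 10 10:30:02 lobos kernel: pf: NAT proxy port allocation (50001-65535) failed
"""

SYSLOG_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (.*)$")   # timestamp, host, message
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")
PATTERNS = [  # event key -> pf debug message; the captured groups are the details kept
    ("map_addr", re.compile(r"pf_map_addr: selected address (\S+)")),
    ("port_alloc_failed", re.compile(r"pf: NAT proxy port allocation \((\d+)-(\d+)\) failed")),
    ("loose_state_match", re.compile(r"pf: loose state match: (\w+) (\S+) (\S+) (\S+)")),
]

def classify(msg):
    """Return (event key, captured detail tuple) for one kernel message."""
    for key, rx in PATTERNS:
        m = rx.search(msg)
        if m:
            return key, m.groups()
    return "other", ()

def summarize_pf_debug(text):
    """Tally pf debug events, folding syslog's 'last message repeated N times' back in."""
    counts = Counter()
    details = {"port_alloc_failed": [], "loose_state_match": []}
    last_key = "other"   # repeats seen before any classified line are credited here
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        rep = REPEAT_RE.match(m.group(1))
        if rep:   # syslog collapsed identical lines: credit them to the previous event
            counts[last_key] += int(rep.group(1))
            continue
        key, detail = classify(m.group(1))
        counts[key] += 1
        last_key = key
        if key in details:
            details[key].append(detail)
    return {"counts": dict(counts), **details}
```

Running `summarize_pf_debug` over a real /var/log/messages excerpt gives the expanded count of address selections and the failed port ranges per connection attempt.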