From: David Goddard
Date: Sun, 06 Aug 2000 17:32:01 +0100
To: freebsd-questions@freebsd.org
Subject: ppp and natd problems
Message-Id: <3.0.3.32.20000806173201.0085c330@dmg.parse.net>

Hi,

I'm having some problems getting ipfw, natd and ppp all to work together happily on a recent 4.1-STABLE box. Basically, while the individual components seem to be working fine, if I try and get them working together, packets from my internal network no longer get out properly (or the translation isn't working properly or something). I've been using the documentation at http://www.freebsd.org/tutorials/dialup-firewall as a guide for the various settings, and have taken its advice to use natd instead of ppp for aliasing with ipfw.

I've tried various combinations of settings (no natd, but using ppp -nat instead, etc.), but nothing seems to work, although different logging information is generated. Any connections from the box itself to the outside world work as expected; it's just stuff on my 10.0.* internal subnet that has problems.

I've produced some logging information while pinging an outside host from a computer on the internal network. The alias.log file contains entries such as these:

    icmp=0, udp=6, tcp=2, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=8  (sock=0)
    icmp=0, udp=6, tcp=3, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=9  (sock=0)
    icmp=0, udp=5, tcp=3, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=8  (sock=0)

Meanwhile, tcpdump returns the following. Note that the IP of the box doing the ping doesn't appear, so it looks like some translation is being done:

    dmg% tcpdump -i tun0
    tcpdump: listening on tun0
    10:54:13.274107 myhost > icwww.cc.ic.ac.uk: icmp: echo request
    10:54:13.450202 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
    10:54:13.450695 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
    10:54:13.617630 myhost.1024 > dns1.myisp.domain: 48018+ PTR? 83.5.198.155.in-addr.arpa. (43)
    10:54:13.820202 dns1.myisp.domain > myhost.1024: 48018 1/6/5 PTR icwww.cc (303)
    10:54:14.630420 myhost > icwww.cc.ic.ac.uk: icmp: echo request
    10:54:14.790206 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
    10:54:14.790696 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
    10:54:14.823533 myhost.1024 > dns1.myisp.domain: 48738+ PTR? 76.0.200.195.in-addr.arpa. (43)
    10:54:15.000247 dns1.myisp.domain > myhost.1024: 48738* 1/5/5 PTR dns1.fte (263)
    10:54:15.631630 myhost > icwww.cc.ic.ac.uk: icmp: echo request
    10:54:15.780263 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
    10:54:15.790178 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
    10:54:16.633086 myhost > icwww.cc.ic.ac.uk: icmp: echo request
    10:54:16.760313 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
    10:54:16.770215 icwww.cc.ic.ac.uk > myhost: icmp: echo reply

My kernel is configured with the following options:

    options IPFIREWALL                   #firewall
    options IPFIREWALL_VERBOSE           #print information about
                                         # dropped packets
    options IPFIREWALL_FORWARD           #enable transparent proxy support
    options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
    options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
    options IPDIVERT
    options IPFILTER
    options IPSTEALTH

The section from ppp.conf that I'm using is:

    myisp:
     set phone
     set login "ABORT NO\\sCARRIER TIMEOUT 15 ogin:--ogin: myuid word: mypasswd ocol: ppp"
     set timeout 120
     set accmap 000a0000
     set ifaddr 195.200.9.208 10.0.0.10/0
     add default HISADDR
     enable dns

Finally, my rc.conf file looks like this:

    hostname="myhost"
    ifconfig_ed0="inet 10.0.0.1 netmask 255.255.255.0"
    #ifconfig_tun0=
    gateway_enable="YES"
    named_enable="YES"
    named_flags="-u bind -g bind"
    linux_enable="YES"
    keymap="uk.cp850"
    nfs_server_enable="YES"
    ppp_enable="YES"
    ppp_mode="auto"
    ppp_nat="NO"
    ppp_profile="myisp"
    natd_enable="YES"
    natd_interface="tun0"
    natd_flags="-log -dynamic"
    firewall_enable="YES"
    firewall_type="simple"
    sendmail_flags="-bd"

(As far as I can tell, I no longer need the ifconfig_tun0= entry that I had with previous versions.)

Disabling the firewall doesn't help, so it looks like a ppp/natd problem.

Any suggestions?

Thanks,

Dave
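The capture above is the kind of evidence an operator collects when checking a NAT gateway, and two things are worth checking in it mechanically: whether each echo request on the external interface is answered exactly once (the post's trace shows two replies per request), and whether any RFC 1918 address ever appears on that interface at all, which a working translation must never allow. The script below is an added example for this thread, not code from the original post or from FreeBSD; it parses tcpdump's classic one-line ICMP format, counts requests and replies per flow, and flags literal private addresses. The sample capture is constructed to resemble the post's trace; the `10.0.0.10 > 192.0.2.1` lines are an invented un-translated flow added so the leak check has something to find.

```python
"""Sanity checks over tcpdump ICMP echo output from a NAT gateway's external interface.

Check 1: every echo request should produce exactly one echo reply.  Duplicate or
         missing replies on the external side point at the local packet path
         (divert/NAT) rather than at the remote host.
Check 2: no RFC 1918 address should appear on the external interface.  After
         aliasing only the gateway's public address (or name) should be visible.
"""
import ipaddress
import re
from collections import defaultdict

# tcpdump's classic ICMP echo line, e.g.
#   10:54:13.274107 myhost > icwww.cc.ic.ac.uk: icmp: echo request
ICMP_ECHO_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+icmp:\s+echo\s+(?P<kind>request|reply)$"
)

# RFC 1918 ranges spelled out: ipaddress.is_private also covers TEST-NET and
# other special-purpose blocks, which would cause false positives here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on the post's trace.  The myhost flow shows two
# replies per request; the 10.0.0.10 flow is an invented un-translated source
# that a correctly working natd must never let onto tun0.
SAMPLE_CAPTURE = """\
10:54:13.274107 myhost > icwww.cc.ic.ac.uk: icmp: echo request
10:54:13.450202 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
10:54:13.450695 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
10:54:13.617630 myhost.1024 > dns1.myisp.domain: 48018+ PTR? 83.5.198.155.in-addr.arpa. (43)
10:54:14.630420 myhost > icwww.cc.ic.ac.uk: icmp: echo request
10:54:14.790206 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
10:54:14.790696 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
10:54:20.000001 10.0.0.10 > 192.0.2.1: icmp: echo request
10:54:21.000001 10.0.0.10 > 192.0.2.1: icmp: echo request
"""


def is_rfc1918(host):
    """True only for literal RFC 1918 addresses; hostnames are left alone."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def analyze(capture):
    """Return per-flow echo counts, private-address sightings and anomalies."""
    flows = defaultdict(lambda: {"request": 0, "reply": 0})
    leaks = []
    for line in capture.splitlines():
        m = ICMP_ECHO_RE.match(line)
        if not m:
            continue  # DNS PTR chatter and other traffic is not part of the echo check
        src, dst, kind = m["src"], m["dst"], m["kind"]
        # Key each flow as (pinger, target) regardless of packet direction.
        key = (src, dst) if kind == "request" else (dst, src)
        flows[key][kind] += 1
        for host in (src, dst):
            if is_rfc1918(host):
                leaks.append((m["ts"], host, line))

    anomalies = []
    for (pinger, target), counts in sorted(flows.items()):
        if counts["reply"] != counts["request"]:
            anomalies.append(
                f"{pinger} -> {target}: {counts['request']} request(s), "
                f"{counts['reply']} reply(ies)"
            )
    return {"flows": dict(flows), "leaks": leaks, "anomalies": anomalies}


if __name__ == "__main__":
    result = analyze(SAMPLE_CAPTURE)
    for msg in result["anomalies"]:
        print("reply count mismatch:", msg)
    for ts, host, line in result["leaks"]:
        print(f"private address on external interface at {ts}: {host}")
```

Run it against a real capture with `tcpdump -n -i tun0 icmp` piped into `analyze()`; `-n` keeps addresses numeric so the RFC 1918 check sees literal addresses rather than PTR names, as it would with the post's unnumbered output.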