Date:      Sun, 06 Aug 2000 12:18:59 -0700
From:      Kent Stewart <kstewart@urx.com>
To:        David Goddard <goddard@acm.org>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ppp and natd problems
Message-ID:  <398DBA23.39F41E5E@urx.com>
References:  <3.0.3.32.20000806173201.0085c330@dmg.parse.net>



David Goddard wrote:
> 
> Hi,
> 
> I'm having some problems getting ipfw, natd and ppp all to work together
> happily on a recent 4.1-STABLE box.  Basically, while the individual
> components seem to be working fine, if I try and get them working together,
> packets from my internal network no longer get out properly (or the
> translation isn't working properly or something).  I've been using the
> documentation at http://www.freebsd.org/tutorials/dialup-firewall as a
> guide for the various settings, and have taken its advice to use natd
> instead of ppp for aliasing with ipfw.

I never found the FreeBSD examples to work on my system for ipfw. The
setup on http://www.mostgraveconcern.com/freebsd/ worked out of the
box. Ruslan's has some changes that look like they would address the
problem I had on my system. I also changed from one of the 169.254.x.x
style non-routeable networks to one of the 10.0.x.x. style RFC1918
internal networks. I use Dan's dual homed example ipfw setup on my
system plus a couple of changes. The only difference for you would be
your definition of the outside network. 

As always, YMMV.

Kent

> 
> I've tried various combinations of settings (no natd, but using ppp -nat
> instead etc.), but nothing seems to work, although with different logging
> information being generated.
> 
> Any connections from the box itself to the outside world work as expected,
> it's just stuff on my 10.0.* internal subnet that has problems.
> 
> I've produced some logging information, while pinging an outside host from
> a computer on the internal network.  The alias.log file contains entries
> such as these:
> 
> icmp=0, udp=6, tcp=2, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=8  (sock=0)
> icmp=0, udp=6, tcp=3, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=9  (sock=0)
> icmp=0, udp=5, tcp=3, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=8  (sock=0)
> 
> Meanwhile, tcpdump returns the following.  Note that the IP of the box
> doing the ping doesn't appear, so it looks like some translation is being
> done:
> 
> dmg% tcpdump -i tun0
> tcpdump: listening on tun0
> 10:54:13.274107 myhost > icwww.cc.ic.ac.uk: icmp: echo request
> 10:54:13.450202 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:13.450695 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:13.617630 myhost.1024 > dns1.myisp.domain:  48018+ PTR? 83.5.19
> 8.155.in-addr.arpa. (43)
> 10:54:13.820202 dns1.myisp.domain > myhost.1024:  48018 1/6/5 PTR icw
> ww.cc (303)
> 10:54:14.630420 myhost > icwww.cc.ic.ac.uk: icmp: echo request
> 10:54:14.790206 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:14.790696 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:14.823533 myhost.1024 > dns1.myisp.domain:  48738+ PTR? 76.0.20
> 0.195.in-addr.arpa. (43)
> 10:54:15.000247 dns1.myisp.domain > myhost.1024:  48738* 1/5/5 PTR dn
> s1.fte (263)
> 10:54:15.631630 myhost > icwww.cc.ic.ac.uk: icmp: echo request
> 10:54:15.780263 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:15.790178 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:16.633086 myhost > icwww.cc.ic.ac.uk: icmp: echo request
> 10:54:16.760313 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 10:54:16.770215 icwww.cc.ic.ac.uk > myhost: icmp: echo reply
> 
> My kernel is configured with the following options:
> 
> options         IPFIREWALL              #firewall
> options         IPFIREWALL_VERBOSE      #print information about
>                                          # dropped packets
> options         IPFIREWALL_FORWARD      #enable transparent proxy support
> options         IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
> options         IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
> options         IPDIVERT
> options         IPFILTER
> options         IPSTEALTH
> 
> The section from ppp.conf that I'm using is:
> 
> myisp:
>  set phone <myisp's phone>
> set login "ABORT NO\\sCARRIER TIMEOUT 15 ogin:--ogin: myuid word: mypasswd
> ocol: p
> pp"
>  set timeout 120
>  set accmap 000a0000
>  set ifaddr 195.200.9.208 10.0.0.10/0
>  add default HISADDR
>  enable dns
> 
> Finally, my rc.conf file looks like this:
> 
> hostname="myhost"
> ifconfig_ed0="inet 10.0.0.1 netmask 255.255.255.0"
> #ifconfig_tun0=
> gateway_enable="YES"
> named_enable="YES"
> named_flags="-u bind -g bind"
> linux_enable="YES"
> keymap="uk.cp850"
> nfs_server_enable="YES"
> ppp_enable="YES"
> ppp_mode="auto"
> ppp_nat="NO"
> ppp_profile="myisp"
> natd_enable="YES"
> natd_interface="tun0"
> natd_flags="-log -dynamic"
> firewall_enable="YES"
> firewall_type="simple"
> sendmail_flags="-bd"
> 
> (As far as I can tell, I no longer need the ifconfig_tun0= entry that I had
> with previous versions)
> 
> Disabling the firewall doesn't help, so it looks like a ppp/natd problem.
> Any suggestions?
> 
> Thanks,
> 
> Dave
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Kent Stewart
Richland, WA

mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html
FreeBSD News http://daily.daemonnews.org/

Bomber dropping fire retardant in front of Hanford Wild fire.
http://kstewart.urx.com/kstewart/bomber.jpg
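The setup discussed in this thread depends on three pieces agreeing with each other: rc.conf has to enable natd on the external interface with forwarding on, ipfw has to carry a divert rule that hands packets on that interface to natd before any rule accepts them, and only one of ppp's -nat and natd should be translating. The following POSIX sh script is an added example, written for this archive page and not posted by either correspondent, that runs those consistency checks offline against constructed sample input. The ruleset and the rc.conf fragment are made up for the example (the rc.conf sample is modelled on the one quoted above), and the `ipfw list` line format it parses ("NNNNN action ... via IFACE") is assumed from FreeBSD 4.x of that era.

```shell
#!/bin/sh
# Added example: offline consistency checks for a ppp + natd + ipfw gateway.
# The inputs below are constructed samples; on a real box you would pass the
# output of `ipfw list` and the contents of /etc/rc.conf instead.

# Constructed `ipfw list` output (hypothetical ruleset, not from the thread).
# Rule 50 is the divert rule that hands packets on the external interface to natd.
SAMPLE_RULES='00050 divert 8668 ip from any to any via tun0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to any established
00400 allow ip from 10.0.0.0/24 to any
65535 allow ip from any to any'

# Constructed rc.conf fragment modelled on the one quoted in the thread.
SAMPLE_RCCONF='gateway_enable="YES"
ppp_enable="YES"
ppp_nat="NO"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-log -dynamic"
firewall_enable="YES"'

# first_divert_rule RULES IFACE: number of the first divert rule bound to
# IFACE ("via IFACE" at the end of the rule), empty if there is none.
first_divert_rule() {
    printf '%s\n' "$1" | awk -v ifc="$2" \
        '$2 == "divert" && $(NF-1) == "via" && $NF == ifc { print $1; exit }'
}

# first_allow_rule RULES: number of the first allow/pass rule that is not
# restricted to the loopback interface, empty if there is none.
first_allow_rule() {
    printf '%s\n' "$1" | awk \
        '($2 == "allow" || $2 == "pass") && $NF != "lo0" { print $1; exit }'
}

# check_divert_order RULES IFACE: "ok" if a divert rule for IFACE exists and
# precedes the first allow rule, "missing" if there is no such divert rule,
# "late" if an allow rule would accept packets before natd ever sees them.
check_divert_order() {
    d=$(first_divert_rule "$1" "$2")
    if [ -z "$d" ]; then
        echo missing
        return
    fi
    a=$(first_allow_rule "$1")
    if [ -z "$a" ] || [ "$d" -lt "$a" ]; then
        echo ok
    else
        echo late
    fi
}

# rc_value RCCONF KEY: value of KEY with the surrounding quotes stripped,
# empty if KEY is not set (commented-out lines do not match).
rc_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" \
        '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }'
}

# check_nat_rcconf RCCONF: "ok", or a space-separated list of the
# inconsistencies found when natd_enable is YES.
check_nat_rcconf() {
    problems=""
    if [ "$(rc_value "$1" natd_enable)" = "YES" ]; then
        # natd must know which interface carries the public address
        [ -n "$(rc_value "$1" natd_interface)" ] || problems="${problems:+$problems }natd_interface-unset"
        # packets from the internal LAN are only forwarded with IP forwarding on
        [ "$(rc_value "$1" gateway_enable)" = "YES" ] || problems="${problems:+$problems }gateway_disabled"
        # ppp -nat and natd would translate the same packets twice
        [ "$(rc_value "$1" ppp_nat)" != "YES" ] || problems="${problems:+$problems }double-nat"
        # natd receives packets only through an ipfw divert rule
        [ "$(rc_value "$1" firewall_enable)" = "YES" ] || problems="${problems:+$problems }firewall_disabled"
    fi
    if [ -n "$problems" ]; then echo "$problems"; else echo ok; fi
}

echo "divert rule order: $(check_divert_order "$SAMPLE_RULES" tun0)"
echo "rc.conf nat settings: $(check_nat_rcconf "$SAMPLE_RCCONF")"
```

On a live gateway the two checks would be called as `check_divert_order "$(ipfw list)" tun0` and `check_nat_rcconf "$(cat /etc/rc.conf)"`. The loopback exception in first_allow_rule exists because the customary early `allow ip from any to any via lo0` rule never sees tun0 traffic and so does not bypass the divert; any other allow rule numbered below the divert rule would.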

