
Help with PF rdr to MS RAS Server

From: Donald Armstrong <armstrong(at)cross-works.com>
Date: Tue Nov 12 2002 - 12:29:25 EST


Hello all,

The desired configuration is to have the external NIC pass all MS VPN PPTP connection attempts to the RAS server behind the OpenBSD firewall and to allow internal clients to establish MS VPN connections. I get a connection (1723?), but am unable to authenticate (GRE?). My current rules are below along with a peculiar GRE message from TCPDUMP on xl1.

Any help is greatly appreciated.

Machine

OpenBSD 3.2 GENERIC
Celeron 466
128 MB RAM
2x 3com PCI NIC

Pf.conf

# $OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
#

# See pf.conf(5) for syntax and examples
#

# Network interfaces

internal = "xl0"
external = "xl1"

# Network addresses

vpnsrv = "10.10.220.10"

# NAT'ted addresses

nataddr = "{ 10.0.0.0/8 }"


# Services visible from the outside

services = "{ ssh, smtp, pptp }"

# Non-routable addresses

nonroutable = "{ 192.168.0.0/16, 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"


# Allowable icmp services

icmp = "{ echorep, echoreq, timex, unreach }"

# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub in all

########################################################################
# NAT traffic
########################################################################
nat on $external from $nataddr to any -> $external

########################################################################
# Redirection of traffic
########################################################################
# VPN

rdr on $external proto gre from any to any port 0 -> $vpnsrv port 0
rdr on $external proto tcp from any to any port pptp -> $vpnsrv port pptp

########################################################################
# Filter rules
########################################################################
# Don't bug loopback

pass out quick on lo0 from any to any
pass in quick on lo0 from any to any

# Leave the inside interfaces alone as well
pass out quick on $internal from any to any
pass in quick on $internal from any to any


# Block inherently bad packets

block in log quick on $external inet proto icmp from any to any icmp-type redir

# Block any spoofing attempts

block in quick on $external from $nonroutable to any

# Block non-routable traffic from exiting
block out quick on $external from any to $nonroutable

# Allow designated icmp, block and log others
pass in quick on $external inet proto icmp from any to any icmp-type $icmp
block in log quick on $external inet proto icmp from any to any

# Allow designated tcp services

pass in quick on $external inet proto gre from any to any keep state
pass in quick on $external inet proto tcp from any to any port $services \
                flags S/SA keep state

# Allow outbound traffic

pass out quick on $external inet proto gre all keep state
pass out quick on $external inet proto udp all keep state
pass out quick on $external inet proto icmp from any to any keep state
pass out quick on $external inet proto tcp from any to any \
                flags S/SA keep state

# Block, log return RST or UNREACHABLE

block return-rst in log quick on $external inet proto tcp from any to any
block return-icmp in log quick on $external inet proto udp from any to any

# Drop just in case a packet did not match any above rules
block in quick on $external all



Tcpdump xl1

10:42:21.818139 {outside-addr}.1408 > fw.pptp: S 417113636:417113636(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
10:42:21.853079 {outside-addr}.1408 > fw.pptp: S 417113636:417113636(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
10:42:21.853468 fw.pptp > {outside-addr}.1408: S 3860846638:3860846638(0) ack 417113637 win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:42:21.877366 fw.pptp > {outside-addr}.1408: S 3860846638:3860846638(0) ack 417113637 win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:42:21.877780 {outside-addr}.1408 > fw.pptp: . ack 1 win 8760 (DF)
10:42:21.877803 {outside-addr}.1408 > fw.pptp: P 1:157(156) ack 1 win 8760 (DF)
10:42:21.907162 {outside-addr}.1408 > fw.pptp: . ack 1 win 8760 (DF)
10:42:21.921350 {outside-addr}.1408 > fw.pptp: P 1:157(156) ack 1 win 8760 (DF)
10:42:21.921604 fw.pptp > {outside-addr}.1408: P 1:157(156) ack 157 win 64084 (DF)
10:42:21.958816 fw.pptp > {outside-addr}.1408: P 1:157(156) ack 157 win 64084 (DF)
10:42:24.795884 {outside-addr}.1408 > fw.pptp: P 1:157(156) ack 1 win 8760 (DF)
10:42:24.838142 {outside-addr}.1408 > fw.pptp: P 1:157(156) ack 1 win 8760 (DF)
10:42:24.838432 fw.pptp > {outside-addr}.1408: . ack 157 win 64084 (DF)
10:42:24.876551 fw.pptp > {outside-addr}.1408: . ack 157 win 64084 (DF)
10:42:25.146730 fw.pptp > {outside-addr}.1408: P 1:157(156) ack 157 win 64084 (DF)
10:42:25.189256 fw.pptp > {outside-addr}.1408: P 1:157(156) ack 157 win 64084 (DF)
10:42:25.189536 {outside-addr}.1408 > fw.pptp: P 157:325(168) ack 157 win 8604 (DF)
10:42:25.227150 {outside-addr}.1408 > fw.pptp: P 157:325(168) ack 157 win 8604 (DF)
10:42:25.229115 fw.pptp > {outside-addr}.1408: P 157:189(32) ack 325 win 63916 (DF)
10:42:25.260135 fw.pptp > {outside-addr}.1408: P 157:189(32) ack 325 win 63916 (DF)
10:42:25.328267 kpunset!  (gre encap)
10:42:25.365113 kpunset!  (gre encap)
10:42:25.366773 kpunset!  (gre encap)
10:42:25.367267 kpunset!  (gre encap)
10:42:25.395319 kpunset!  (gre encap)
10:42:25.395729 {outside-addr}.1408 > fw.pptp: . ack 189 win 8572 (DF)
10:42:25.397073 kpunset!  (gre encap)
10:42:25.411882 kpunset!  (gre encap)
10:42:25.428133 {outside-addr}.1408 > fw.pptp: . ack 189 win 8572 (DF)
10:42:25.452161 kpunset!  (gre encap)
10:42:25.453053 kpunset!  (gre encap)
10:42:25.490032 kpunset!  (gre encap)
10:42:25.501460 kpunset!  (gre encap)
10:42:25.543601 kpunset!  (gre encap)
10:42:25.544623 fw.pptp > {outside-addr}.1408: P 189:213(24) ack 325 win 63916 (DF)
10:42:25.545505 kpunset! (gre encap)
10:42:25.572215 fw.pptp > {outside-addr}.1408: P 189:213(24) ack 325 win 63916 (DF)
10:42:25.573476 kpunset!  (gre encap)
10:42:25.587752 kpunset!  (gre encap)
10:42:25.625028 kpunset!  (gre encap)
10:42:25.646819 kpunset!  (gre encap)
10:42:25.667412 kpunset!  (gre encap)
10:42:25.674801 kpunset!  (gre encap)
10:42:25.674842 kpunset!  (gre encap)
10:42:25.676222 kpunset!  (gre encap)
10:42:25.695672 {outside-addr}.1408 > fw.pptp: . ack 213 win 8548 (DF)
10:42:25.704002 kpunset!  (gre encap)
10:42:25.705324 kpunset!  (gre encap)
10:42:25.706660 kpunset!  (gre encap)
10:42:25.717380 kpunset!  (gre encap)
10:42:25.730646 kpunset!  (gre encap)
10:42:25.734959 {outside-addr}.1408 > fw.pptp: . ack 213 win 8548 (DF)
10:42:25.740732 kpunset!  (gre encap)
.. Snip ..

10:42:26.668716 kpunset! (gre encap)
10:42:26.669675 fw.pptp > {outside-addr}.1408: P 213:237(24) ack 325 win 63916 (DF)
10:42:26.670390 kpunset!  (gre encap)
10:42:26.670898 kpunset!  (gre encap)
10:42:26.695170 fw.pptp > {outside-addr}.1408: P 213:237(24) ack 325 win 63916 (DF)
10:42:26.699111 kpunset!  (gre encap)
10:42:26.702867 kpunset!  (gre encap)
10:42:26.711069 kpunset!  (gre encap)
10:42:26.737060 {outside-addr}.1408 > fw.pptp: P 325:341(16) ack 237 win 8524 (DF)
10:42:26.745152 kpunset! (gre encap)
10:42:26.776998 {outside-addr}.1408 > fw.pptp: P 325:341(16) ack 237 win 8524 (DF)
10:42:26.777410 fw.pptp > {outside-addr}.1408: P 237:401(164) ack 341 win 63900 (DF)
10:42:26.817098 fw.pptp > {outside-addr}.1408: P 237:401(164) ack 341 win 63900 (DF)
10:42:26.817359 {outside-addr}.1408 > fw.pptp: P 341:357(16) ack 401 win 8360 (DF)
10:42:26.859186 {outside-addr}.1408 > fw.pptp: P 341:357(16) ack 401 win 8360 (DF)
10:42:26.859467 fw.pptp > {outside-addr}.1408: P 401:417(16) ack 357 win 63884 (DF)
10:42:26.884640 fw.pptp > {outside-addr}.1408: P 401:417(16) ack 357 win 63884 (DF)
10:42:26.884807 {outside-addr}.1408 > fw.pptp: F 357:357(0) ack 417 win 8344 (DF)
10:42:26.911131 {outside-addr}.1408 > fw.pptp: F 357:357(0) ack 417 win 8344 (DF)
10:42:26.911391 fw.pptp > {outside-addr}.1408: F 417:417(0) ack 358 win 63884 (DF)
10:42:26.935652 fw.pptp > {outside-addr}.1408: F 417:417(0) ack 358 win 63884 (DF)
10:42:26.935986 {outside-addr}.1408 > fw.pptp: . ack 418 win 8344 (DF)
10:42:26.960882 {outside-addr}.1408 > fw.pptp: . ack 418 win 8344 (DF)
Received on Tue Nov 12 12:31:13 2002
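Added example, not part of the original post and not OpenBSD or pf code: a small Python triage script for a tcpdump capture in the shape quoted above. It separates the TCP/1723 PPTP control connection from the GRE frames and reports what the capture itself shows: whether the control handshake completed, how many payload bytes went each way, whether both sides sent FIN, how many GRE frames appeared and whether tcpdump decoded their endpoints (in the quoted capture the "kpunset! (gre encap)" lines carry no addresses), and how many TCP segments are exact repeats of an earlier one (the quoted capture shows every control segment twice, about 35 ms apart). The two regexes and the SAMPLE block are assumptions modelled on the quoted output; the addresses in SAMPLE are the post's own placeholders, not real hosts.

```python
"""Triage helper for a tcpdump capture of a PPTP session (added example, not
part of the original post or of OpenBSD/pf).  It separates the TCP/1723
control connection from the GRE frames and reports what the capture shows.
The line formats and the SAMPLE below are assumptions modelled on the
output quoted in the post."""
import re

# TCP line as old tcpdump prints it: "<ts> <src> > <dst>: <flags> [seq:end(len)] [ack N] ..."
TCP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFRP.]+)"
    r"(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))?"
)
# GRE line exactly as it appears in the post: no addresses, only the marker.
GRE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) kpunset!\s+\(gre encap\)")

# Constructed sample: a subset of the capture shape quoted in the post
# (the addresses are the post's own placeholders, not real hosts).
SAMPLE = """\
10:42:21.818139 {outside-addr}.1408 > fw.pptp: S 417113636:417113636(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
10:42:21.853079 {outside-addr}.1408 > fw.pptp: S 417113636:417113636(0) win 8192 <mss 1460,nop,nop,sackOK> (DF)
10:42:21.853468 fw.pptp > {outside-addr}.1408: S 3860846638:3860846638(0) ack 417113637 win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:42:21.877780 {outside-addr}.1408 > fw.pptp: . ack 1 win 8760 (DF)
10:42:21.877803 {outside-addr}.1408 > fw.pptp: P 1:157(156) ack 1 win 8760 (DF)
10:42:21.921604 fw.pptp > {outside-addr}.1408: P 1:157(156) ack 157 win 64084 (DF)
10:42:25.328267 kpunset!  (gre encap)
10:42:25.365113 kpunset!  (gre encap)
.. Snip ..
10:42:26.884807 {outside-addr}.1408 > fw.pptp: F 357:357(0) ack 417 win 8344 (DF)
10:42:26.911391 fw.pptp > {outside-addr}.1408: F 417:417(0) ack 358 win 63884 (DF)
10:42:26.935986 {outside-addr}.1408 > fw.pptp: . ack 418 win 8344 (DF)
"""


def parse_line(line):
    """Return a dict for a TCP or GRE capture line, None for anything else."""
    m = TCP_RE.match(line)
    if m:
        pkt = m.groupdict()
        pkt["proto"] = "tcp"
        pkt["len"] = int(pkt["len"] or 0)   # payload bytes; 0 for pure SYN/ACK/FIN
        return pkt
    m = GRE_RE.match(line)
    if m:
        # tcpdump printed these GRE frames without any addresses, so the
        # capture cannot tell us which host they came from or went to.
        return {"ts": m.group("ts"), "proto": "gre", "src": None, "dst": None}
    return None


def summarize(text):
    """Summarise a capture: control-channel state, payload, GRE presence, repeats."""
    pkts = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    tcp = [p for p in pkts if p["proto"] == "tcp"]
    gre = [p for p in pkts if p["proto"] == "gre"]

    # Drop exact repeats (same endpoints, flags, seq and ack) so that a
    # segment seen twice on the wire is counted once in the byte totals.
    seen, unique = set(), []
    for p in tcp:
        key = (p["src"], p["dst"], p["flags"], p["seq"], p["ack"])
        if key not in seen:
            seen.add(key)
            unique.append(p)

    client = tcp[0]["src"] if tcp else None   # the first segment is the client's SYN
    syn = any("S" in p["flags"] and p["ack"] is None and p["src"] == client for p in unique)
    synack = any("S" in p["flags"] and p["ack"] is not None and p["src"] != client for p in unique)
    fin_client = any("F" in p["flags"] and p["src"] == client for p in unique)
    fin_server = any("F" in p["flags"] and p["src"] != client for p in unique)

    return {
        "tcp_segments": len(tcp),
        "repeated_segments": len(tcp) - len(unique),
        "handshake_complete": syn and synack,
        "bytes_to_server": sum(p["len"] for p in unique if p["src"] == client),
        "bytes_to_client": sum(p["len"] for p in unique if p["src"] != client),
        "closed_both_ways": fin_client and fin_server,
        "gre_frames": len(gre),
        "gre_endpoints_decoded": any(p["src"] for p in gre),
        # Timestamps share the HH:MM:SS.ffffff shape, so string order is time order.
        "gre_after_control_setup": bool(gre) and bool(tcp) and gre[0]["ts"] > tcp[0]["ts"],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k:24} {v}")
```

To use it on a real capture, feed the saved tcpdump text to summarize() instead of SAMPLE. The repeat count is worth looking at first: if every segment appears twice, the byte totals would be doubled without the de-duplication step, and a capture interface that reports each packet twice is a property of the capture point, not of the VPN session.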

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:31:30 EDT

