Ermal Luçi wrote:
On Thu, Sep 8, 2011 at 1:34 PM, Johan Hendriks
<j.hendr...@schavemaker.com>  wrote:
Once more

I am running the latest snapshot of today.
I do use the old pptp adsl way to make connection with our provider.
It works for us a really long time very well.

This works great on all versions of monowall and pfsense 1.2.3 and before.

But now with pfSense 2.0 I cannot get traffic over the line.
At least no real data.
I can ping, but websites do not load, or only part of them; most will not.

I am struggling with this for about 2 months now.
The thing is I see a lot of dropped packages on the vr1 interface.
This is the interface my modem is connected to and it runs on a 5501 Soekris
board.
These drops look like this:
vr1     10.0.0.138     10.0.0.100     GRE
vr1     10.0.0.138     10.0.0.100     GRE
10.0.0.138 is the modem
10.0.0.100 is my WAN address.
I have disabled the block rule of private networks.
I also tried all kinds of MTU settings.

Do you have your vr1 interface assigned in any way or any address
configured in it?
AFAIK it should work as is, but it's a long time since I have used pptp as
a client, so I might have something wrong.

The way to test is to manually modify the rules.debug and include the
vr1 interface as in 1.2.3, load that ruleset and see if it works.

On the 2.0 version, if I look at the /tmp/rules.debug file I see the WAN
interface WAN = "{ pptp1 }"
Also I see the pass rule for this GRE traffic on my WAN interface:
pass in on $WAN proto gre from any to any keep state label "allow PPTP client on WAN"

But here it goes wrong in my understanding!
The firewall log tells me it drops them on vr1 and the pass rule is for
pptp1, hence WAN = "{ pptp1 }"

On the old pfSense 1.2.3 I see wan = "{ vr1 ng0  }"
And also the pass rule:
# PPTPd rules
anchor "pptp"
pass in quick on $wan proto gre from any to 213.84.84.84 keep state label "allow gre pptpd"
pass in quick on $wan proto tcp from any to 213.84.84.84 port = 1723 modulate state label "allow pptpd xxx.xxx.xxx.xxx"

So in the old version it also passes these GRE packages on the vr1 interface
and the ng0 interface.

So would it be wise to set WAN = "{ vr1 pptp1 }" on 2.0?
And how can I do that for a test?

regards
Johan Hendriks

Below are my /tmp/rules.debug files.
The version 2.0 is from a cleanly installed system.
The version from 1.2.3 is from the working one, and I deleted some of the
rules that are not important as far as I know.

This is the output of /tmp/rules.debug (V2.0)

############### V 2.0 #################

#System aliases

loopback = "{ lo0 }"
WAN = "{ pptp1 }"
LAN = "{ vr0 }"

#SSH Lockout Table
table<sshlockout>  persist
table<webConfiguratorlockout>  persist
#pfSnortSam tables
table<snort2c>

table<virusprot>

# User Aliases

# Gateways
GWWAN = " route-to ( pptp1 xxx.190.242.xxx ) "


set loginterface vr0
set optimization normal
set limit states 48000
set limit src-nodes 48000

set skip on pfsync0

scrub in on $WAN all    fragment reassemble
scrub in on $LAN all    fragment reassemble


nat-anchor "natearly/*"
nat-anchor "natrules/*"


# Outbound NAT rules

# Subnets to NAT
tonatsubnets    = "{ 192.168.1.0/24 127.0.0.0/8  }"
nat on $WAN  from $tonatsubnets port 500 to any port 500 ->
xxx.xxx.xxx.xxx/32 port 500
nat on $WAN  from $tonatsubnets to any ->  xxx.xxx.xxx.xxx/32 port 1024:65535


# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table<direct_networks>  { xxx.xxx.xxx.xxx/32 192.168.1.0/24 }
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# pfSnortSam
block quick from<snort2c>  to any label "Block snort2c hosts"
block quick from any to<snort2c>  label "Block snort2c hosts"
block quick from<pfSnortSamout>  to any label "Block pfSnortSamOut hosts"
block quick from any to<pfSnortSamin>  label "Block pfSnortSamIn hosts"

# SSH lockout
block in log quick proto tcp from<sshlockout>  to any port 22 label
"sshlockout"

# webConfigurator lockout
block in log quick proto tcp from<webConfiguratorlockout>  to any port 443
label "webConfiguratorlockout"
block in quick from<virusprot>  to any label "virusprot overload table"
antispoof for pptp1
# allow PPTP client
pass in on $WAN proto tcp from any to any port = 1723 flags S/SA modulate
state label "allow PPTP client on WAN"
pass in on $WAN proto gre from any to any keep state label "allow PPTP
client on WAN"
antispoof for vr0

# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall
host itself"
pass out route-to ( pptp1 xxx.190.242.xxx ) from xxx.xxx.xxx.xxx to
!xxx.xxx.xxx.xxx/32 keep state allow-opts label "let out anything from
firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on vr0 proto tcp from any to (vr0) port { 80 443  22 } keep
state label "anti-lockout rule"

# User-defined rules follow

anchor "userrules/*"
pass  in  quick  on $WAN reply-to ( pptp1 xxx.190.242.xxx )  from any to any
keep state  label "USER_RULE"
pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label
"USER_RULE: Default allow LAN to any rule"

# VPN Rules
anchor "tftp-proxy/*"

############### END V 2.0 #################

############### V 1.2.3  #################
This is /tmp/rules.debug on the working 1.2.3 system (relevant part as
far as I know)

# System Aliases
loopback = "{ lo0 }"
lan = "{ vr0  }"
ng0 = "{ vr1 ng0 }"
wan = "{ vr1 ng0  }"
enc0 = "{ enc0 }"
pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 ng15
ng16 }"
# User Aliases

set loginterface vr1
set loginterface vr0
set loginterface vr2
set optimization normal

set skip on pfsync0
scrub all random-id  fragment reassemble


nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# FTP proxy
rdr-anchor "pftpx/*"

# Outbound NAT rules
nat on $ng0 from 192.168.1.0/24 port 500 to any port 500 ->  (ng0) port 500
nat on $ng0 from 192.168.1.0/24 port 5060 to any port 5060 ->  (ng0) port
5060
nat on $ng0 from 192.168.1.0/24 to any ->  (ng0) port 1024:65535
nat on $ng0 from 192.168.1.208/28 port 500 to any port 500 ->  (ng0) port 500
nat on $ng0 from 192.168.1.208/28 port 5060 to any port 5060 ->  (ng0) port
5060
nat on $ng0 from 192.168.1.208/28 to any ->  (ng0) port 1024:65535


#SSH Lockout Table
table<sshlockout>  persist


# Load balancing anchor - slbd updates
rdr-anchor "slb"

# FTP Proxy/helper
table<vpns>  {   }
no rdr on vr0 proto tcp from any to<vpns>  port 21
rdr on vr0 proto tcp from any to any port 21 ->  127.0.0.1 port 8021
no rdr on vr2 proto tcp from any to<vpns>  port 21
rdr on vr2 proto tcp from any to any port 21 ->  127.0.0.1 port 8022

# NAT Inbound Redirects


# IMSpector rdr anchor
rdr-anchor "imspector"
# UPnPd rdr anchor
rdr-anchor "miniupnpd"


anchor "ftpsesame/*"
anchor "firewallrules"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# snort2c
table<snort2c>  persist
block quick from<snort2c>  to any label "Block snort2c hosts"
block quick from any to<snort2c>  label "Block snort2c hosts"
# Block all IPv6
block in quick inet6 all
block out quick inet6 all
# loopback
anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"

# package manager early specific hook
anchor "packageearly"


# carp
anchor "carp"

# permit wan interface to ping out (ping_hosts.sh)
pass quick proto icmp from xxx.xxx.xxx.xxx to any keep state

# NAT Reflection rules

# allow PPTP client
anchor "pptpclient"
pass in quick on $wan proto gre from any to any modulate state label "allow
PPTP client"
pass in quick on $wan proto gre from any to any modulate state label "allow
PPTP client"
pass in quick on $wan proto tcp from any port = 1723 to any flags S/SA
modulate state label "allow PPTP client"
pass in quick on $wan proto tcp from any to any port = 1723 flags S/SA
modulate state label "allow PPTP client"
block in log quick on $wan proto udp from any port = 67 to 192.168.1.0/24
port = 68 label "block dhcp client out wan"

# LAN/OPT spoof check (needs to be after DHCP because of broadcast
addresses)
antispoof for vr0
antispoof for vr2

anchor "spoofing"
# Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
table<virusprot>
block in quick from<virusprot>  to any label "virusprot overload table"

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
table<bogons>  persist file "/etc/bogons"
block in log quick on $wan from<bogons>  to any label "block bogon networks
from wan"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on $lan proto icmp keep state label "let out anything from
firewall host itself"
pass out quick on $wan proto icmp keep state label "let out anything from
firewall host itself"

# tcp.closed 5 is a workaround for load balancing, squid and a few other
issues.
# ticket (FEN-857512) in centipede tracker.
pass out quick on ng0 all keep state ( tcp.closed 5 ) label "let out
anything from firewall host itself"
# pass traffic from firewall ->  out
anchor "firewallout"
pass out quick on vr1 all keep state label "let out anything from firewall
host itself"
pass out quick on vr0 all keep state label "let out anything from firewall
host itself"
pass out quick on vr2 all keep state label "let out anything from firewall
host itself"
pass out quick on $pptp all keep state label "let out anything from firewall
host itself pptp"
pass out quick on $enc0 keep state label "IPSEC internal host to host"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on vr2 proto icmp keep state ( tcp.closed 5 ) label "let out
anything from firewall host itself"
pass out quick on $WLAN all keep state ( tcp.closed 5 ) label "let out
anything from firewall host itself"

# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick on vr0 from any to 192.168.1.250 keep state label
"anti-lockout web rule"

# PPTPd rules
anchor "pptp"
pass in quick on $wan proto gre from any to xxx.xxx.xxx.xxx keep state label
"allow gre pptpd"
pass in quick on $wan proto tcp from any to xxx.xxx.xxx.xxx port = 1723
modulate state label "allow pptpd xxx.xxx.xxx.xxx"

# SSH lockout
block in log quick proto tcp from<sshlockout>  to any port 22 label
"sshlockout"

anchor "ftpproxy"
anchor "pftpx/*"

# IMSpector
anchor "imspector"

# uPnPd
anchor "miniupnpd"

#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log quick all label "Default deny rule"
block out log quick all label "Default deny rule"

############### END V 1.2.3  #################


_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

No, the vr1 interface is not connected to any other interface at all.
It is only configured on the WAN page to pptp.

I was told that editing the rules.debug file was not an option because it was not used to load rules.
But I will try that on Thursday when I am on location again.

regards
Johan
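If the ruleset really is loaded from /tmp/rules.debug with pfctl, the test Ermal describes can be done without widening the WAN macro. Widening it to "{ vr1 pptp1 }" would also apply the NAT rules and the "pass in quick on $WAN from any to any" user rule to vr1, so the script below instead inserts one narrow GRE pass rule for vr1 into a copy of the file and syntax-checks it. This is an added example, not code from the thread or from pfSense; the marker comment, the interface name vr1 and the addresses 10.0.0.138 / 10.0.0.100 are taken from the messages above.

```shell
#!/bin/sh
# Added example (not from the thread): insert one narrow GRE pass rule for the
# physical interface into a copy of the 2.0 ruleset, instead of redefining
# WAN = "{ vr1 pptp1 }", which would also apply the NAT and "from any to any"
# user rules to vr1. Modem 10.0.0.138 on vr1, PPTP client side 10.0.0.100.
PHYS_IF=vr1
MODEM=10.0.0.138
WAN_ADDR=10.0.0.100
MARKER='# allow PPTP client'   # comment that precedes the pptp1 rules in 2.0

# The rule to add: only GRE, only from the modem, only to our own address.
gre_rule() {
    printf 'pass in quick on %s proto gre from %s to %s keep state label "allow PPTP GRE on %s"\n' \
        "$PHYS_IF" "$MODEM" "$WAN_ADDR" "$PHYS_IF"
}

# Write a patched copy of $1 to $2. The rule goes just before $MARKER and is
# added only once, so re-running is safe. Returns 1 if the marker is missing
# (wrong file or a different pfSense version), leaving $2 untouched.
patch_rules() {
    in=$1; out=$2
    grep -qF "$MARKER" "$in" || return 1
    if grep -qF "$(gre_rule)" "$in"; then cp "$in" "$out"; return 0; fi
    awk -v marker="$MARKER" -v rule="$(gre_rule)" \
        'index($0, marker) == 1 && !done { print rule; done = 1 } { print }' \
        "$in" > "$out"
}

# Syntax-check the patched ruleset before loading it; pfctl only exists on pf hosts.
check_rules() {
    if command -v pfctl >/dev/null 2>&1; then pfctl -nf "$1"
    else echo "pfctl not found, skipping syntax check"; fi
}

# Demo on a constructed excerpt of the 2.0 ruleset rather than the live file.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/rules.debug" <<'EOF'
WAN = "{ pptp1 }"
antispoof for pptp1
# allow PPTP client
pass in on $WAN proto gre from any to any keep state label "allow PPTP client on WAN"
EOF
    patch_rules "$tmp/rules.debug" "$tmp/rules.patched" && check_rules "$tmp/rules.patched"
    cat "$tmp/rules.patched"
    rm -rf "$tmp"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On the live box the loaded copy would then be checked with `pfctl -sr | grep vr1` and the vr1 drops in the firewall log should stop while the GRE state is present in `pfctl -ss`.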
