Hi,
I have this enviroment:
Server A ( OpenBSD 4.4 ), with poptop and PF and windows clients
connecting via pptp client.
Problem: vpn clients cannot access network 10.10.0.0/24 but they are
able to access 10.100.0.0/24.
The rules are the same, just this is different:
# route show
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio
Iface
default 189-57-43-1.custom UGS 1 397 - 48
vic0
10.10/16 link#3 UC 2 0 - 48
vic2
10.10.0.2 00:11:0a:a0:a8:c4 UHLc 0 11 - 48
vic2
10.10.100.254 00:0a:5e:63:7e:2e UHLc 0 27 - 48
vic2
10.100.0/24 10.100.1.1 UGS 0 86 - 48
vic3
10.100.1/24 link#4 UC 1 0 - 48
vic3
10.100.1.1 00:60:2e:10:10:6b UHLc 7 6 - 48
vic3
10.100.2/24 10.100.1.1 UGS 0 0 - 48
vic3
10.100.3/24 10.100.1.1 UGS 0 0 - 48
vic3
10.100.4/24 10.100.1.1 UGS 0 0 - 48
vic3
10.100.5/24 10.100.1.1 UGS 0 0 - 48
vic3
10.100.6/24 10.100.1.1 UGS 0 0 - 48
vic3
10.100.7/24 10.100.1.1 UGS 0 0 - 48
vic3
loopback localhost UGRS 0 0 33204 48
lo0
localhost localhost UH 1 0 33204 48
lo0
172.16.0.2 172.16.0.1 UH 0 96 1400 48
tun0
189-57-43-0.custom link#1 UC 3 0 - 48
vic0
189-57-43-1.custom 00:16:e0:33:3b:e4 UHLc 1 0 - 48
vic0
189-57-43-3.custom 00:10:18:16:0e:8a UHLc 1 1288 - 48
vic0
189-57-43-5.custom 00:0c:29:4c:b2:d4 UHLc 2 473 - 48
vic0
200.162.41.32/28 link#2 UC 1 0 - 48
vic1
200.162.41.33 00:60:2e:10:1e:a3 UHLc 0 0 - 48
vic1
BASE-ADDRESS.MCAST localhost URS 0 0 33204 48
lo0
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
vic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:92:4d:05
groups: egress
media: Ethernet autoselect
status: active
inet 189.57.XXX.XXX netmask 0xfffffff8 broadcast 189.57.43.7
inet6 fe80::20c:29ff:fe92:4d05%vic0 prefixlen 64 scopeid 0x1
vic1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:92:4d:0f
media: Ethernet autoselect
status: active
inet 200.162.XXX.XXX netmask 0xfffffff0 broadcast 200.162.41.47
inet6 fe80::20c:29ff:fe92:4d0f%vic1 prefixlen 64 scopeid 0x2
vic2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:92:4d:19
media: Ethernet autoselect
status: active
inet 10.10.100.252 netmask 0xffff0000 broadcast 10.10.255.255
inet6 fe80::20c:29ff:fe92:4d19%vic2 prefixlen 64 scopeid 0x3
vic3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:92:4d:23
media: Ethernet autoselect
status: active
inet 10.100.1.33 netmask 0xffffff00 broadcast 10.100.1.255
inet6 fe80::20c:29ff:fe92:4d23%vic3 prefixlen 64 scopeid 0x4
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
groups: pflog
pf.conf:
# cat /etc/pf.conf
ext_if="vic0"
ext2_if="vic1"
int_if="vic2"
mpls_if="vic3"
vpn_net="{ 172.16.0.0/24 }"
vpn_if="{ tun0, tun1, tun2, tun3 }"
dtc_mpls="10.100.0.0/24"
dtc_internet="200.143.33.0/24"
rede_cmt="10.10.0.0/24"
set skip on { lo $int_if }
#
nat on $mpls_if from $vpn_net to $dtc_mpls tag VPN_DTC -> $mpls_if
nat on $int_if from $vpn_net to $rede_cmt -> $int_if
#
#block in
pass in all
pass out keep state
pptpd.conf:
speed 230400
debug
option /etc/ppp/ppp.conf
logfile /var/log/pptpd.log
localip 172.16.0.1
remoteip 172.16.0.2-10
listen 189.57.XXX.XXXX
nobsdcomp
+chapms-v2
mppe-40
mppe-128
mppe-stateless
noipparam
Logs:
# tcpdump -i vic3 'dst host 10.100.0.1'
tcpdump: listening on vic3, link-type EN10MB
09:28:56.888286 10.100.1.33 > 10.100.0.1: icmp: echo request
09:28:57.745042 10.100.1.33 > 10.100.0.1: icmp: echo request
09:28:58.754855 10.100.1.33 > 10.100.0.1: icmp: echo request
09:28:59.727557 10.100.1.33 > 10.100.0.1: icmp: echo request
09:29:00.725761 10.100.1.33 > 10.100.0.1: icmp: echo request
09:29:01.848215 10.100.1.33 > 10.100.0.1: icmp: echo request
09:29:02.822952 10.100.1.33 > 10.100.0.1: icmp: echo request
# tcpdump -i vic2 'dst host 10.10.0.2'
tcpdump: listening on vic2, link-type EN10MB
09:31:44.415521 172.16.0.2 > 10.10.0.2: icmp: echo request
09:31:46.452796 172.16.0.2 > 10.10.0.2: icmp: echo request
09:31:51.429198 172.16.0.2 > 10.10.0.2: icmp: echo request
^C
2382 packets received by filter
0 packets dropped by kernel
# pfctl -sn
nat on vic3 inet from 172.16.0.0/24 to 10.100.0.0/24 tag VPN_DTC ->
10.100.1.33
nat on vic2 inet from 172.16.0.0/24 to 10.10.0.0/24 -> 10.10.100.252
#
Dmesg:
OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.20GHz ("GenuineIntel" 686-class) 3.40 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,
CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,DS-CPL
real mem = 536375296 (511MB)
avail mem = 510218240 (486MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/17/06, BIOS32 rev. 0 @ 0xfd880,
SMBIOS rev. 2.31 @ 0xe0010 (45 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 04/17/2006
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev
0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xc8000/0x1000 0xc9000/0x1000
0xca000/0x1000 0xcb000/0x1000 0xdc000/0x4000! 0xe0000/0x4000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
wd0 at pciide0 channel 0 drive 0: <VMware Virtual IDE Hard Drive>
wd0: 64-sector PIO, LBA, 8192MB, 16777216 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: <HL-DT-ST, DVD-ROM GDR8082N, 0L03> ATAPI
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus
disabled
vga1 at pci0 dev 15 function 0 "VMware Virtual SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
agp0 at vga1: aperture at 0xec000000, size 0x4000000
drm at vga1 unsupported
bha3 at pci0 dev 16 function 0 "BusLogic MultiMaster" rev 0x01: irq 11,
BusLogic 9xxC SCSI
bha3: model BT-958, firmware 5.07B
bha3: sync, parity
scsibus1 at bha3: 8 targets, initiator 7
vic0 at pci0 dev 17 function 0 "AMD 79c970 PCnet-PCI" rev 0x10: irq 9,
address 00:0c:29:92:4d:05
vic1 at pci0 dev 18 function 0 "AMD 79c970 PCnet-PCI" rev 0x10: irq 10,
address 00:0c:29:92:4d:0f
vic2 at pci0 dev 19 function 0 "AMD 79c970 PCnet-PCI" rev 0x10: irq 5,
address 00:0c:29:92:4d:19
vic3 at pci0 dev 20 function 0 "AMD 79c970 PCnet-PCI" rev 0x10: irq 11,
address 00:0c:29:92:4d:23
isa0 at piixpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pmsi0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pmsi0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask e945 netmask ef65 ttymask ffff
mtrr: CPU supports MTRRs but not enabled
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
#
Thanks
