Re: gif(4) tunnel through MSN DSL modem

2002-06-14 Thread Nielsen

I have this working fine. On the BSD machine behind NAT the tunnel looks
like it's between a 192.168.x.x IP and the public IP of the machine across
the internet. On the remote machine it looks like a normal tunnel between
the two IPs. NAT takes care of the translation on the tunnel packets.

I've used gif tunnels, vtund, and even IPSEC in this configuration just
fine. Of course holes have to be punched in NAT (bimap, port mapping or
whatever it's called on your DSL). That's for reliability and so that the
tunnel can be initiated from either end.

Nate

- Original Message -
From: John Nielsen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 11, 2002 13:20
Subject: gif(4) tunnel through MSN DSL modem


> Hi folks,
>
> I tried this on -questions without any luck, so I'm hoping for a better
> response here. :)
>
> I remotely administer a FreeBSD 4.5 machine that is connected to the
> internet through an MSN DSL modem.  This modem does NAT (for a single
> client) rather than bridging the connection.  So the FreeBSD machine thinks
> its public address is 192.168.1.2 (when in reality the modem is the only
> device with a public address).  This machine is itself doing NAT, acting as
> a firewall and gateway for a private network.
>
> I would like to establish a gif(4) tunnel between this machine and my
> firewall here in order to link the two private networks into one virtual
> network.  I have done this before with two machines that were directly
> connected to the internet, but in this case the DSL modem on the far end
> seems to be fouling things up.  The modem seems to be passing everything
> through, but I haven't gotten gif to work.
>
> Any ideas?  Here's what I've tried--this is how I'd set it up if the DSL
> modem weren't in the way.
>
> [excerpts from rc.conf on far (DSL) end]
> # Private interface
> ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
> # Public interface -- 192.168.1.2 netmask 255.255.255.252
> ifconfig_ed0="DHCP"
> gif_interfaces="gif0"
> gifconfig_gif0="DSL.public.ip myend.public.ip"
> ifconfig_gif0="192.168.6.1 192.168.0.1"
> static_routes="john"
> route_john="-net 192.168.0 -interface gif0"
>
> [excerpts from rc.conf on this (my) end]
> # Private interface
> ifconfig_ep0="inet 192.168.0.1 netmask 255.255.255.0"
> # Public interface
> ifconfig_ed0="DHCP"
> gif_interfaces="gif0"
> gifconfig_gif0="myend.public.ip DSL.public.ip"
> ifconfig_gif0="192.168.0.1 192.168.6.1"
> static_routes="DSL"
> route_DSL="-net 192.168.6 -interface gif0"
>
> I've tried both the modem's (real) public address and 192.168.1.1 (the
> public interface's address) for DSL.public.ip, but neither seems to work.
> Can this be made to work?  Can gif be hacked so it will work?
>
> I can't justify switching to a more expensive provider just so this tunnel
> will work, since it will mostly be a convenience for me and not the client.
> As far as I know, there's no way to modify any settings on the DSL modem
> itself.  I do have full access to both FreeBSD machines.  Again, any
> suggestions or even a detailed description of why this won't work would be
> appreciated.
>
> Thanks,
>
> JN



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
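Nate's point about what the tunnel "looks like" from behind NAT can be checked with a small model. The Python below is an added example, not code from the thread or from FreeBSD: it carries only the outer IP header of an IP-in-IP (protocol 4, "ipencap") packet through a one-client NAT modem and applies the gif(4)-style rule that a packet is claimed only when its outer source and destination equal the configured remote and local tunnel addresses. The modem behaviour (rewrite everything from the single client, hand everything arriving for the public address to that client, drop anything else, and optionally drop an inside packet that already carries the public address, which is the anti-spoofing Nick guesses at later in the thread) and all addresses are assumptions.

```python
"""Constructed model of an IP-in-IP (protocol 4, "ipencap") tunnel whose near
end sits behind a one-client NAT modem, as in the thread. Only the outer IP
header decides whether gif(4) claims a packet, so that is all the model carries.
Every address is a documentation-range placeholder, not anyone's real one."""
from dataclasses import dataclass

IPPROTO_IPIP = 4              # "ipencap" in /etc/protocols

CLIENT = "192.168.1.2"        # what ed0 behind the modem actually holds
MODEM_PUBLIC = "203.0.113.1"  # the modem's real public address (placeholder)
FAR_PUBLIC = "198.51.100.1"   # myend.public.ip (placeholder)


@dataclass(frozen=True)
class Outer:
    """Outer IP header of an encapsulated packet."""
    src: str
    dst: str
    proto: int = IPPROTO_IPIP


class Gif:
    """gif(4)-style endpoint: sends with its configured local address as the
    outer source and claims an incoming packet only when outer src/dst equal
    the configured remote/local addresses (the encapsulation check)."""

    def __init__(self, local, remote):
        self.local, self.remote = local, remote

    def emit(self):
        return Outer(self.local, self.remote)

    def accepts(self, pkt):
        return (pkt.proto == IPPROTO_IPIP
                and pkt.dst == self.local and pkt.src == self.remote)


class OneClientNat:
    """Modem NAT as the thread describes it: everything from the single client
    is rewritten to the public address, and everything arriving for the public
    address is handed to that client (Casey's "forwards everything" reading).
    Assumptions: an inside packet with any other source has no translation and
    is dropped; with anti_spoof=True an inside packet that already carries the
    public address is dropped too (Nick's guess), otherwise it passes untouched."""

    def __init__(self, public, client, anti_spoof=True):
        self.public, self.client, self.anti_spoof = public, client, anti_spoof

    def outbound(self, pkt):
        if pkt.src == self.client:
            return Outer(self.public, pkt.dst, pkt.proto)
        if pkt.src == self.public and not self.anti_spoof:
            return pkt
        return None

    def inbound(self, pkt):
        if pkt.dst != self.public:
            return None
        return Outer(pkt.src, self.client, pkt.proto)


def exchange(near_local, anti_spoof=True):
    """Send one packet each way for a given DSL-side gifconfig local address.
    Returns (near->far delivered, far->near delivered)."""
    nat = OneClientNat(MODEM_PUBLIC, CLIENT, anti_spoof)
    near = Gif(local=near_local, remote=FAR_PUBLIC)
    # The far end only ever sees the modem's public address as its peer.
    far = Gif(local=FAR_PUBLIC, remote=MODEM_PUBLIC)

    on_wire = nat.outbound(near.emit())
    to_far = on_wire is not None and far.accepts(on_wire)

    delivered = nat.inbound(far.emit())
    to_near = delivered is not None and near.accepts(delivered)
    return to_far, to_near


if __name__ == "__main__":
    # The three candidates from the thread: the address ed0 really has, the
    # modem's public address, and the modem's LAN-side address.
    for local in (CLIENT, MODEM_PUBLIC, "192.168.1.1"):
        to_far, to_near = exchange(local)
        print(f'gifconfig_gif0="{local} {FAR_PUBLIC}": '
              f"near->far {to_far}, far->near {to_near}")
```

The far-to-near direction is the decisive one: whatever the modem does with outbound packets, the reply arrives with destination 192.168.1.2 after translation, so the DSL-side gifconfig_gif0 local endpoint has to be the address ed0 actually holds, not the modem's public address and not 192.168.1.1. The far end, in turn, configures the modem's public address as its remote endpoint, which is exactly the asymmetric picture Nate describes.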



Re: gif(4) tunnel through MSN DSL modem

2002-06-14 Thread John Nielsen

- Original Message -
From: Nielsen [EMAIL PROTECTED]
To: John Nielsen [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, June 14, 2002 1:31 AM
Subject: Re: gif(4) tunnel through MSN DSL modem


> I have this working fine. On the BSD machine behind NAT the tunnel looks
> like it's between a 192.168.x.x IP and the public IP of the machine across
> the internet. On the remote machine it looks like a normal tunnel between
> the two IPs. NAT takes care of the translation on the tunnel packets.

That's good news!  However, I'm not sure I can do the same in this case.

> I've used gif tunnels, vtund, and even IPSEC in this configuration just
> fine. Of course holes have to be punched in NAT (bimap, port mapping or
> whatever it's called on your DSL). That's for reliability and so that the
> tunnel can be initiated from either end.

Do you mean the NAT that the modem is doing?  If so, that's a problem.  I'm
using an Arescom NetDSL 800 series modem, which comes pre-configured per
stringent specifications from MSN.  And (as far as I know--and I've looked)
there is no way for me to do any kind of configuration on it at all.  If
that weren't the case, I'd just put the thing in bridge mode and have done
with it.

If it were up to me, I'd switch to a sane ISP--but it's not up to me in this
case.  If I've misunderstood and you think this will work without being able
to reconfigure the modem at all, then by all means please provide some more
detail. :)

JN




Re: gif(4) tunnel through MSN DSL modem

2002-06-14 Thread Casey T. Zednick

> Do you mean the NAT that the modem is doing?  If so, that's a problem.  I'm
> using an Arescom NetDSL 800 series modem, which comes pre-configured per
> stringent specifications from MSN.  And (as far as I know--and I've
> looked) there is no way for me to do any kind of configuration on it at
> all.  If that weren't the case, I'd just put the thing in bridge mode and
> have done with it.


  I have an MSN/Arescom setup too.  It is using NAT: the gateway is
192.168.1.1 and the client is 192.168.1.2.  However I read on the net that it
is set up to port-forward everything from the gateway to the 192.168.1.2
address.  I believe this to be true as I'm getting MS SQL and IIS hacks
hitting my firewall.

  I guess it is time to hack their stringent pre-config ;-)


-Casey


-- 
This E-mail message was created with Open Source Software.
Using: 
FreeBSD, http://www.freebsd.org
KDE's KMail, http://www.kde.org 
Visit these sites and support O.S.S.




gif(4) tunnel through MSN DSL modem

2002-06-11 Thread John Nielsen

Hi folks,

I tried this on -questions without any luck, so I'm hoping for a better
response here. :)

I remotely administer a FreeBSD 4.5 machine that is connected to the
internet through an MSN DSL modem.  This modem does NAT (for a single
client) rather than bridging the connection.  So the FreeBSD machine thinks
its public address is 192.168.1.2 (when in reality the modem is the only
device with a public address).  This machine is itself doing NAT, acting as
a firewall and gateway for a private network.

I would like to establish a gif(4) tunnel between this machine and my
firewall here in order to link the two private networks into one virtual
network.  I have done this before with two machines that were directly
connected to the internet, but in this case the DSL modem on the far end
seems to be fouling things up.  The modem seems to be passing everything
through, but I haven't gotten gif to work.

Any ideas?  Here's what I've tried--this is how I'd set it up if the DSL
modem weren't in the way.

[excerpts from rc.conf on far (DSL) end]
# Private interface
ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
# Public interface -- 192.168.1.2 netmask 255.255.255.252
ifconfig_ed0="DHCP"
gif_interfaces="gif0"
gifconfig_gif0="DSL.public.ip myend.public.ip"
ifconfig_gif0="192.168.6.1 192.168.0.1"
static_routes="john"
route_john="-net 192.168.0 -interface gif0"

[excerpts from rc.conf on this (my) end]
# Private interface
ifconfig_ep0="inet 192.168.0.1 netmask 255.255.255.0"
# Public interface
ifconfig_ed0="DHCP"
gif_interfaces="gif0"
gifconfig_gif0="myend.public.ip DSL.public.ip"
ifconfig_gif0="192.168.0.1 192.168.6.1"
static_routes="DSL"
route_DSL="-net 192.168.6 -interface gif0"

I've tried both the modem's (real) public address and 192.168.1.1 (the
public interface's address) for DSL.public.ip, but neither seems to work.
Can this be made to work?  Can gif be hacked so it will work?

I can't justify switching to a more expensive provider just so this tunnel
will work, since it will mostly be a convenience for me and not the client.
As far as I know, there's no way to modify any settings on the DSL modem
itself.  I do have full access to both FreeBSD machines.  Again, any
suggestions or even a detailed description of why this won't work would be
appreciated.

Thanks,

JN






Re: gif(4) tunnel through MSN DSL modem

2002-06-11 Thread Nick Rogness

On Tue, 11 Jun 2002, John Nielsen wrote:

> Hi folks,
>
> I tried this on -questions without any luck, so I'm hoping for a better
> response here. :)
>
> I remotely administer a FreeBSD 4.5 machine that is connected to the
> internet through an MSN DSL modem.  This modem does NAT (for a single
> client) rather than bridging the connection.  So the FreeBSD machine
> thinks its public address is 192.168.1.2 (when in reality the modem is
> the only device with a public address).  This machine is itself doing
> NAT, acting as a firewall and gateway for a private network.

Why run nat on the internal machine?  No need to do nat
twice.  Just do basic routing between interfaces unless you need
this functionality.

 
> I would like to establish a gif(4) tunnel between this machine and my
> firewall here in order to link the two private networks into one
> virtual network.  I have done this before with two machines that were
> directly connected to the internet, but in this case the DSL modem on
> the far end seems to be fouling things up.  The modem seems to be
> passing everything through, but I haven't gotten gif to work.
>
> Any ideas?  Here's what I've tried--this is how I'd set it up if the
> DSL modem weren't in the way.
 

Are you receiving any packets on the remote BSD machine that are
of type ipencap?  Either log it via ipfw log or use a packet
sniffer (like tcpdump or snort) to evaluate these packets.


> [excerpts from rc.conf on far (DSL) end]
> # Private interface
> ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
> # Public interface -- 192.168.1.2 netmask 255.255.255.252
> ifconfig_ed0="DHCP"
> gif_interfaces="gif0"
> gifconfig_gif0="DSL.public.ip myend.public.ip"
> ifconfig_gif0="192.168.6.1 192.168.0.1"
> static_routes="john"
> route_john="-net 192.168.0 -interface gif0"
>
> [excerpts from rc.conf on this (my) end]
> # Private interface
> ifconfig_ep0="inet 192.168.0.1 netmask 255.255.255.0"
> # Public interface
> ifconfig_ed0="DHCP"
> gif_interfaces="gif0"
> gifconfig_gif0="myend.public.ip DSL.public.ip"
> ifconfig_gif0="192.168.0.1 192.168.6.1"
> static_routes="DSL"
> route_DSL="-net 192.168.6 -interface gif0"
>
> I've tried both the modem's (real) public address and 192.168.1.1 (the
> public interface's address) for DSL.public.ip, but neither seems to
> work. Can this be made to work?  Can gif be hacked so it will work?

You will need to use the DSL's public IP probably.

 
> I can't justify switching to a more expensive provider just so this
> tunnel will work, since it will mostly be a convenience for me and not
> the client. As far as I know, there's no way to modify any settings on
> the DSL modem itself.  I do have full access to both FreeBSD machines.
> Again, any suggestions or even a detailed description of why this
> won't work would be appreciated.
 

My best guess would be that the modem is doing some anti-spoofing
between its interfaces to prevent packets coming from the inside
having its outside IP.  You will be able to tell if NO ipencap
packets are received on the remote BSD machine.

On the other hand, if you are receiving these ipencap packets on
the remote side, something else is going on (like nat
interrupting).

Nick Rogness [EMAIL PROTECTED]
 - Don't mind me...I'm just sniffing your packets
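Nick's test is the first thing to settle: do any protocol-4 (ipencap) packets reach the remote box at all? On FreeBSD that is a matter of a logging rule such as `ipfw add 100 allow log ipencap from any to any via ed0` (with `net.inet.ip.fw.verbose=1` set) or `tcpdump -ni ed0 ip proto 4`. The Python below is an added example, not code from the thread: it parses ipfw log lines in the `P:<proto> src dst in|out via <if>` form ipfw uses for protocols other than TCP, UDP and ICMP (the exact format is an assumption; the sample lines are constructed, with 192.0.2.1 standing in for myend.public.ip and 198.51.100.1 for the DSL modem's public address), counts the ipencap packets exchanged with a given peer per direction, and turns the counts into the reading Nick gives.

```python
import re
from collections import Counter

IPPROTO_IPIP = 4  # "ipencap" in /etc/protocols

# Constructed sample syslog lines in the shape ipfw(8) logs protocols other
# than TCP/UDP/ICMP ("P:<number> src dst"). Documentation-range addresses:
# 192.0.2.1 is this host's public address, 198.51.100.1 the DSL modem's,
# the rest is unrelated noise a firewall log always carries.
SAMPLE_LOG = """\
Jun 11 13:22:01 myend /kernel: ipfw: 100 Accept P:4 198.51.100.1 192.0.2.1 in via ed0
Jun 11 13:22:01 myend /kernel: ipfw: 100 Accept P:4 192.0.2.1 198.51.100.1 out via ed0
Jun 11 13:22:03 myend /kernel: ipfw: 65000 Accept TCP 192.0.2.7:4321 192.0.2.1:1433 in via ed0
Jun 11 13:22:05 myend /kernel: ipfw: 100 Accept P:4 198.51.100.1 192.0.2.1 in via ed0
Jun 11 13:22:06 myend /kernel: ipfw: 100 Accept P:47 192.0.2.9 192.0.2.1 in via ed0
"""

# Matches only the non-TCP/UDP/ICMP ("P:<proto>") log form; other lines are ignored.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) P:(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<dir>in|out) via (?P<ifn>\S+)")


def ipencap_counts(log_text, peer):
    """Count protocol-4 packets exchanged with `peer`, keyed by 'in'/'out'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = IPFW_RE.search(line)
        if not m or int(m["proto"]) != IPPROTO_IPIP:
            continue
        if peer not in (m["src"], m["dst"]):
            continue
        counts[m["dir"]] += 1
    return dict(counts)


def diagnose(counts):
    """Apply the reasoning from the thread to the per-direction counts."""
    n_in, n_out = counts.get("in", 0), counts.get("out", 0)
    if n_in == 0 and n_out > 0:
        return ("no ipencap received: the encapsulated packets are lost before "
                "this host (e.g. filtered at the modem)")
    if n_in > 0:
        return ("ipencap arriving: the outer transport works, so look at the gif "
                "endpoint addresses and what NAT does to them")
    return "no tunnel traffic either way: check that gif0 is up and routes point at it"


if __name__ == "__main__":
    counts = ipencap_counts(SAMPLE_LOG, "198.51.100.1")
    print(counts, "->", diagnose(counts))
```

Counting per direction matters: seeing only `out` lines on the remote box means its own encapsulated packets leave but nothing comes back, which is the "NO ipencap packets received" case Nick describes; seeing `in` lines moves the problem to the tunnel addresses rather than the path.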





Re: gif(4) tunnel through MSN DSL modem

2002-06-11 Thread Lars Eggert

John Nielsen wrote:
> [excerpts from rc.conf on far (DSL) end]
> # Private interface
> ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
> # Public interface -- 192.168.1.2 netmask 255.255.255.252
> ifconfig_ed0="DHCP"
> gif_interfaces="gif0"
> gifconfig_gif0="DSL.public.ip myend.public.ip"
> ifconfig_gif0="192.168.6.1 192.168.0.1"
> static_routes="john"
> route_john="-net 192.168.0 -interface gif0"

The problem (one part, at least) is that you use the same IP address 
(192.168.6.1) on your xl0 and gif0 interfaces (on both ends). You'll 
want the tunnel addresses to be in a different subnet.

Also, the netmask in the ifconfig_xl0 line doesn't match the comment,
which one is wrong?

Lars
-- 
Lars Eggert [EMAIL PROTECTED]   USC Information Sciences Institute



smime.p7s
Description: S/MIME Cryptographic Signature


Re: gif(4) tunnel through MSN DSL modem

2002-06-11 Thread John Nielsen

- Original Message -
From: Lars Eggert [EMAIL PROTECTED]
To: John Nielsen [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, June 11, 2002 4:13 PM
Subject: Re: gif(4) tunnel through MSN DSL modem


> John Nielsen wrote:
> > [excerpts from rc.conf on far (DSL) end]
> > # Private interface
> > ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
> >
> > # Public interface -- 192.168.1.2 netmask 255.255.255.252
> > ifconfig_ed0="DHCP"
> > gif_interfaces="gif0"
> > gifconfig_gif0="DSL.public.ip myend.public.ip"
> > ifconfig_gif0="192.168.6.1 192.168.0.1"
> > static_routes="john"
> > route_john="-net 192.168.0 -interface gif0"

> The problem (one part, at least) is that you use the same IP address
> (192.168.6.1) on your xl0 and gif0 interfaces (on both ends). You'll
> want the tunnel addresses to be in a different subnet.

I have another tunnel set up this way and it works fine.  Why should the
tunnel addresses be on a different subnet?

> Also, the netmask in the ifconfig_xl0 line doesn't match the comment,
> which one is wrong?

The public interface (ed0) always gets the same address from the DSL modem,
even though it's using DHCP.  I think you associated the comment with the
wrong ifconfig line (I've added a break between them to clarify).

I'm starting to think that it would be easier to use ppp/tun and ssh rather
than gif in this instance, even though I'm less familiar with that
arrangement.

JN





Re: gif(4) tunnel through MSN DSL modem

2002-06-11 Thread Lars Eggert

John Nielsen wrote:
> > > # Public interface -- 192.168.1.2 netmask 255.255.255.252
> > > ifconfig_ed0="DHCP"
> > > gif_interfaces="gif0"
> > > gifconfig_gif0="DSL.public.ip myend.public.ip"
> > > ifconfig_gif0="192.168.6.1 192.168.0.1"
> > > static_routes="john"
> > > route_john="-net 192.168.0 -interface gif0"
> >
> > The problem (one part, at least) is that you use the same IP address
> > (192.168.6.1) on your xl0 and gif0 interfaces (on both ends). You'll
> > want the tunnel addresses to be in a different subnet.
>
> I have another tunnel set up this way and it works fine.  Why should the
> tunnel addresses be on a different subnet?

Because your routing table will have an entry that says to reach net X 
use gateway Y, and there will appear to be multiple ways to reach 
gateway Y if you have multiple addresses attached to the same subnet.

Also, assigning the same IP address to multiple interfaces is usually a 
bad idea. (It is useful in some setups, but this ain't one.) Add 
encapsulation, and you've a fine example of black hole due to infinite 
encapsulation.

> > Also, the netmask in the ifconfig_xl0 line doesn't match the comment,
> > which one is wrong?
>
> The public interface (ed0) always gets the same address from the DSL modem,
> even though it's using DHCP.  I think you associated the comment with the
> wrong ifconfig line (I've added a break between them to clarify).

Oh, you're right, sorry. But then you're assigning the same IP address 
to THREE interfaces!

> I'm starting to think that it would be easier to use ppp/tun and ssh rather
> than gif in this instance, even though I'm less familiar with that
> arrangement.

I'm willing to bet a beer that these problems will disappear if you
pick different subnets and IP addresses for your interfaces. This is a
pretty straightforward setup.

Lars
-- 
Lars Eggert [EMAIL PROTECTED]   USC Information Sciences Institute
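Lars's two objections, the same address on several interfaces and a tunnel address that sits inside a LAN interface's subnet, are easy to check mechanically before bringing a tunnel up. The Python below is an added example, not code from the thread or from FreeBSD: it parses rc.conf-style `ifconfig_<if>`/`gifconfig_<if>` lines and reports both conditions. The excerpt it lints is constructed from the far-end configuration in the thread, with 198.51.100.1 standing in for myend.public.ip and the ed0 DHCP lease (192.168.1.2/30, as the comment in the posted config says) supplied as a hint because rc.conf itself carries no address for a DHCP interface; the "fixed" variant moves the tunnel onto its own /30, as Lars recommends.

```python
import ipaddress
import shlex

# Constructed rc.conf excerpt modelled on the far (DSL) end in the thread.
# 198.51.100.1 stands in for myend.public.ip; 192.168.1.2 is the address the
# thread says ed0 gets from the modem, used here as the gif outer endpoint.
FAR_RC = '''\
# Private interface
ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
# Public interface -- 192.168.1.2 netmask 255.255.255.252
ifconfig_ed0="DHCP"
gif_interfaces="gif0"
gifconfig_gif0="192.168.1.2 198.51.100.1"
ifconfig_gif0="192.168.6.1 192.168.0.1"
static_routes="john"
route_john="-net 192.168.0 -interface gif0"
'''

# Same excerpt with the tunnel moved to its own /30 (constructed addresses).
FAR_RC_FIXED = FAR_RC.replace(
    'ifconfig_gif0="192.168.6.1 192.168.0.1"',
    'ifconfig_gif0="10.9.9.1 10.9.9.2 netmask 255.255.255.252"')


def parse_rc(text):
    """Return {variable: value} for VAR="value" lines; comments and blanks are skipped."""
    rc = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        var, _, raw = line.partition("=")
        rc[var.strip()] = " ".join(shlex.split(raw))
    return rc


def interface_addrs(rc, dhcp_hints=None):
    """List (ifname, IPv4Interface) for every ifconfig_<if> entry.

    DHCP interfaces have no address in rc.conf, so the lease is taken from
    dhcp_hints, e.g. {"ed0": "192.168.1.2/30"}. Point-to-point lines without a
    netmask ("local remote") are recorded as /32 on the local address."""
    dhcp_hints = dhcp_hints or {}
    result = []
    for var, val in rc.items():
        if not var.startswith("ifconfig_") or "_" in var[len("ifconfig_"):]:
            continue  # aliases (ifconfig_xx_alias0) are out of scope here
        ifn = var[len("ifconfig_"):]
        if val.upper() == "DHCP":
            if ifn in dhcp_hints:
                result.append((ifn, ipaddress.IPv4Interface(dhcp_hints[ifn])))
            continue
        toks = val.split()
        if toks and toks[0] == "inet":
            toks = toks[1:]
        mask = toks[toks.index("netmask") + 1] if "netmask" in toks else "32"
        result.append((ifn, ipaddress.IPv4Interface(f"{toks[0]}/{mask}")))
    return result


def lint(text, dhcp_hints=None):
    """Warnings for: one address on several interfaces, and a tunnel address
    that lies inside a non-tunnel interface's subnet."""
    rc = parse_rc(text)
    addrs = interface_addrs(rc, dhcp_hints)
    warnings = []

    by_addr = {}
    for ifn, iface in addrs:
        by_addr.setdefault(iface.ip, []).append(ifn)
    for ip, ifns in by_addr.items():
        if len(ifns) > 1:
            warnings.append(f"{ip} assigned to {', '.join(ifns)}")

    tunnels = set(rc.get("gif_interfaces", "").split())
    for tun, tif in addrs:
        if tun not in tunnels:
            continue
        for other, oif in addrs:
            if other in tunnels or oif.network.prefixlen == 32:
                continue
            if tif.ip in oif.network:
                warnings.append(
                    f"{tun} address {tif.ip} lies inside {other}'s subnet {oif.network}")
    return warnings


if __name__ == "__main__":
    for name, cfg in (("as posted", FAR_RC), ("tunnel on its own /30", FAR_RC_FIXED)):
        print(f"{name}: {lint(cfg, {'ed0': '192.168.1.2/30'}) or 'no warnings'}")
```

The second check is the one behind Lars's routing-table argument: once gif0's address falls inside xl0's /24, the kernel has two interfaces that both claim to reach that subnet, and a route via gif0 for traffic that gif0 itself must encapsulate is how the "infinite encapsulation" black hole arises.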


