Re: gif(4) tunnel through MSN DSL modem
I have this working fine. On the BSD machine behind NAT the tunnel looks like it's between a 192.168.x.x IP and the public IP of the machine across the internet. On the remote machine it looks like a normal tunnel between the two IPs. NAT takes care of the translation on the tunnel packets.

I've used gif tunnels, vtund, and even IPSEC in this configuration just fine. Of course holes have to be punched in NAT (bimap, port mapping or whatever it's called on your DSL). That's for reliability and so that the tunnel can be initiated from either end.

Nate

----- Original Message -----
From: John Nielsen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 11, 2002 13:20
Subject: gif(4) tunnel through MSN DSL modem

> [full quote of the original post, reproduced below under its own subject line, snipped]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
Re: gif(4) tunnel through MSN DSL modem
----- Original Message -----
From: Nielsen [EMAIL PROTECTED]
To: John Nielsen [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, June 14, 2002 1:31 AM
Subject: Re: gif(4) tunnel through MSN DSL modem

> I have this working fine. On the BSD machine behind NAT the tunnel looks
> like it's between a 192.168.x.x IP and the public IP of the machine across
> the internet. On the remote machine it looks like a normal tunnel between
> the two IPs. NAT takes care of the translation on the tunnel packets.

That's good news! However, I'm not sure I can do the same in this case.

> I've used gif tunnels, vtund, and even IPSEC in this configuration just
> fine. Of course holes have to be punched in NAT (bimap, port mapping or
> whatever it's called on your DSL). That's for reliability and so that the
> tunnel can be initiated from either end.

Do you mean the NAT that the modem is doing? If so, that's a problem. I'm using an Arescom NetDSL 800 series modem, which comes pre-configured per stringent specifications from MSN. And (as far as I know--and I've looked) there is no way for me to do any kind of configuration on it at all. If that weren't the case, I'd just put the thing in bridge mode and have done with it. If it were up to me, I'd switch to a sane ISP--but it's not up to me in this case.

If I've misunderstood and you think this will work without being able to reconfigure the modem at all, then by all means please provide some more detail. :)

JN

> ----- Original Message -----
> From: John Nielsen [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, June 11, 2002 13:20
> Subject: gif(4) tunnel through MSN DSL modem
>
> > [full quote of the original post, reproduced below under its own subject line, snipped]
Re: gif(4) tunnel through MSN DSL modem
> Do you mean the NAT that the modem is doing? If so, that's a problem. I'm
> using an Arescom NetDSL 800 series modem, which comes pre-configured per
> stringent specifications from MSN. And (as far as I know--and I've looked)
> there is no way for me to do any kind of configuration on it at all. If
> that weren't the case, I'd just put the thing in bridge mode and have done
> with it.

I have an MSN/Arescom setup too. It is using NAT: the gateway is 192.168.1.1 and the client is 192.168.1.2. However, I read on the net that it is set up to port-forward everything from the gateway to the 192.168.1.2 address. I believe this to be true as I'm getting MS SQL and IIS hacks hitting my firewall.

I guess it is time to hack their stringent pre-config ;-)

-Casey

--
This E-mail message was created with Open Source Software.
Using: FreeBSD, http://www.freebsd.org
       KDE's KMail, http://www.kde.org
Visit these sites and support O.S.S.
gif(4) tunnel through MSN DSL modem
Hi folks,

I tried this on -questions without any luck, so I'm hoping for a better response here. :)

I remotely administer a FreeBSD 4.5 machine that is connected to the internet through an MSN DSL modem. This modem does NAT (for a single client) rather than bridging the connection. So the FreeBSD machine thinks its public address is 192.168.1.2 (when in reality the modem is the only device with a public address). This machine is itself doing NAT, acting as a firewall and gateway for a private network.

I would like to establish a gif(4) tunnel between this machine and my firewall here in order to link the two private networks into one virtual network. I have done this before with two machines that were directly connected to the internet, but in this case the DSL modem on the far end seems to be fouling things up. The modem seems to be passing everything through, but I haven't gotten gif to work. Any ideas?

Here's what I've tried--this is how I'd set it up if the DSL modem weren't in the way.

[excerpts from rc.conf on far (DSL) end]

    # Private interface
    ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
    # Public interface -- 192.168.1.2 netmask 255.255.255.252
    ifconfig_ed0="DHCP"
    gif_interfaces="gif0"
    gifconfig_gif0="DSL.public.ip myend.public.ip"
    ifconfig_gif0="192.168.6.1 192.168.0.1"
    static_routes="john"
    route_john="-net 192.168.0 -interface gif0"

[excerpts from rc.conf on this (my) end]

    # Private interface
    ifconfig_ep0="inet 192.168.0.1 netmask 255.255.255.0"
    # Public interface
    ifconfig_ed0="DHCP"
    gif_interfaces="gif0"
    gifconfig_gif0="myend.public.ip DSL.public.ip"
    ifconfig_gif0="192.168.0.1 192.168.6.1"
    static_routes="DSL"
    route_DSL="-net 192.168.6 -interface gif0"

I've tried both the modem's (real) public address and 192.168.1.1 (the public interface's address) for DSL.public.ip, but neither seems to work. Can this be made to work? Can gif be hacked so it will work?

I can't justify switching to a more expensive provider just so this tunnel will work, since it will mostly be a convenience for me and not the client. As far as I know, there's no way to modify any settings on the DSL modem itself. I do have full access to both FreeBSD machines.

Again, any suggestions or even a detailed description of why this won't work would be appreciated.

Thanks,
JN
Re: gif(4) tunnel through MSN DSL modem
On Tue, 11 Jun 2002, John Nielsen wrote:

> Hi folks,
>
> I tried this on -questions without any luck, so I'm hoping for a better
> response here. :)
>
> I remotely administer a FreeBSD 4.5 machine that is connected to the
> internet through an MSN DSL modem. This modem does NAT (for a single
> client) rather than bridging the connection. So the FreeBSD machine thinks
> its public address is 192.168.1.2 (when in reality the modem is the only
> device with a public address). This machine is itself doing NAT, acting as
> a firewall and gateway for a private network.

Why run nat on the internal machine? No need to do nat twice. Just do basic routing between interfaces unless you need this functionality.

> I would like to establish a gif(4) tunnel between this machine and my
> firewall here in order to link the two private networks into one virtual
> network. I have done this before with two machines that were directly
> connected to the internet, but in this case the DSL modem on the far end
> seems to be fouling things up. The modem seems to be passing everything
> through, but I haven't gotten gif to work. Any ideas?
>
> Here's what I've tried--this is how I'd set it up if the DSL modem
> weren't in the way.

Are you receiving any packets on the remote BSD machine that are of type ipencap? Either log it via ipfw log or use a packet sniffer (like tcpdump or snort) to evaluate these packets.

> [rc.conf excerpts for both ends, as posted, snipped]
>
> I've tried both the modem's (real) public address and 192.168.1.1 (the
> public interface's address) for DSL.public.ip, but neither seems to work.
> Can this be made to work? Can gif be hacked so it will work?

You will need to use the DSL's public IP probably.

> I can't justify switching to a more expensive provider just so this
> tunnel will work, since it will mostly be a convenience for me and not
> the client. As far as I know, there's no way to modify any settings on the
> DSL modem itself. I do have full access to both FreeBSD machines.
>
> Again, any suggestions or even a detailed description of why this won't
> work would be appreciated.

My best guess would be that the modem is doing some anti-spoofing between its interfaces to prevent packets coming from the inside having its outside IP. You will be able to tell if NO ipencap packets are received on the remote BSD machine. On the other hand, if you are receiving these ipencap packets on the remote side, something else is going on (like nat interrupting).

Nick Rogness [EMAIL PROTECTED]
  - Don't mind me...I'm just sniffing your packets
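Nate's reply (the tunnel "looks like it's between a 192.168.x.x IP and the public IP" from behind the NAT, and NAT translates the tunnel packets) and Nick's diagnostic (check whether ipencap packets arrive on the remote side at all) describe the same packet flow from two ends. The following is an added example, not code from the thread or from FreeBSD: it builds the IPv4-in-IPv4 (protocol 4, "ipencap") packets gif0 emits, applies the outer-header rewrite a NAT box like the DSL modem performs, and runs the ipencap check on what arrives. The private addresses are taken from the thread's rc.conf; the two public addresses are TEST-NET placeholders and the 8-byte ICMP payload is constructed, both assumptions. Whether the Arescom modem actually forwards protocol 4 is exactly what Nick's tcpdump/ipfw check would establish; this code assumes it does.

```python
"""IPv4-in-IPv4 (gif(4) style, IP protocol 4 = "ipencap") across a NAT.

Added example, not code from the thread.  Builds the outer and inner headers
gif0 emits, applies the outer-header rewrite the DSL modem's NAT performs,
then runs the check Nick suggests on the receiving side: is the packet
ipencap, and which addresses are on it?  Public addresses are TEST-NET
placeholders (assumption); private ones are from the thread's rc.conf.
"""
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4                 # "ipencap" in /etc/protocols

INSIDE_BOX = "192.168.1.2"       # ed0 on the FreeBSD box behind the modem
MODEM_PUBLIC = "198.51.100.20"   # stands in for DSL.public.ip (assumed)
REMOTE = "203.0.113.10"          # stands in for myend.public.ip (assumed)
FAR_LAN_GW = "192.168.6.1"       # inner tunnel endpoints as in the rc.conf
NEAR_LAN_GW = "192.168.0.1"

HDR = "!BBHHHBBH4s4s"            # 20-byte IPv4 header, no options


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum is good."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a header with the checksum filled in."""
    hdr = struct.pack(HDR, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Decode src/dst/proto/ttl/payload; reject a corrupted header."""
    vihl, _, total, _, _, ttl, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total]}


def gif_encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """What gif0 does on output: prepend an outer header carrying protocol 4."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


def nat_rewrite(pkt: bytes, src: str = None, dst: str = None) -> bytes:
    """Rewrite the outer source and/or destination, as the modem's NAT does.
    The encapsulated inner packet is opaque to the NAT and passes unchanged."""
    f = parse_ipv4(pkt)
    return ipv4_header(src or f["src"], dst or f["dst"], f["proto"],
                       len(f["payload"]), f["ttl"]) + f["payload"]


def inspect_ipencap(pkt: bytes):
    """Nick's check: None unless the packet is ipencap, else outer and inner endpoints."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        return None
    inner = parse_ipv4(outer["payload"])
    return {"outer": (outer["src"], outer["dst"]), "inner": (inner["src"], inner["dst"])}


ICMP_STUB = b"\x08\x00\xf7\xff\x00\x00\x00\x00"   # constructed 8-byte echo request


def outbound_as_seen_by_remote():
    """Inside box -> modem (source NAT) -> remote.  Returns what the remote sees."""
    inner = ipv4_header(FAR_LAN_GW, NEAR_LAN_GW, IPPROTO_ICMP, len(ICMP_STUB)) + ICMP_STUB
    on_lan = gif_encapsulate(INSIDE_BOX, REMOTE, inner)     # outer src is 192.168.1.2
    on_net = nat_rewrite(on_lan, src=MODEM_PUBLIC)          # modem substitutes its public IP
    return inspect_ipencap(on_net)


def inbound_as_seen_by_inside_box():
    """Remote -> modem (forwards everything to 192.168.1.2) -> inside box."""
    inner = ipv4_header(NEAR_LAN_GW, FAR_LAN_GW, IPPROTO_ICMP, len(ICMP_STUB)) + ICMP_STUB
    on_net = gif_encapsulate(REMOTE, MODEM_PUBLIC, inner)   # remote targets DSL.public.ip
    on_lan = nat_rewrite(on_net, dst=INSIDE_BOX)            # modem hands it to its one client
    return inspect_ipencap(on_lan)


if __name__ == "__main__":
    print("remote sees:", outbound_as_seen_by_remote())
    print("inside box sees:", inbound_as_seen_by_inside_box())
```

Under these assumptions the remote box receives outer addresses DSL.public.ip -> myend.public.ip, and the inside box receives myend.public.ip -> 192.168.1.2. Since gif(4) matches the outer addresses of a received packet against its configured endpoints, the remote end has to name the modem's public address (Nick's "use the DSL's public IP") and the inside box has to name its own 192.168.1.2 (the arrangement Nate describes), not the modem's public address. The live equivalent of `inspect_ipencap` on the remote box is `tcpdump -ni ed0 'ip proto 4'`; if nothing shows up there, the modem is not passing protocol 4 and no gif configuration will help.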
Re: gif(4) tunnel through MSN DSL modem
John Nielsen wrote:
> [excerpts from rc.conf on far (DSL) end]
>
>     # Private interface
>     ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
>     # Public interface -- 192.168.1.2 netmask 255.255.255.252
>     ifconfig_ed0="DHCP"
>     gif_interfaces="gif0"
>     gifconfig_gif0="DSL.public.ip myend.public.ip"
>     ifconfig_gif0="192.168.6.1 192.168.0.1"
>     static_routes="john"
>     route_john="-net 192.168.0 -interface gif0"

The problem (one part, at least) is that you use the same IP address (192.168.6.1) on your xl0 and gif0 interfaces (on both ends). You'll want the tunnel addresses to be in a different subnet.

Also, the netmask in the ifconfig_xl0 line doesn't match the comment, which one is wrong?

Lars
--
Lars Eggert [EMAIL PROTECTED]
USC Information Sciences Institute
Re: gif(4) tunnel through MSN DSL modem
----- Original Message -----
From: Lars Eggert [EMAIL PROTECTED]
To: John Nielsen [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, June 11, 2002 4:13 PM
Subject: Re: gif(4) tunnel through MSN DSL modem

> John Nielsen wrote:
> > [excerpts from rc.conf on far (DSL) end]
> >
> >     # Private interface
> >     ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
> >
> >     # Public interface -- 192.168.1.2 netmask 255.255.255.252
> >     ifconfig_ed0="DHCP"
> >     gif_interfaces="gif0"
> >     gifconfig_gif0="DSL.public.ip myend.public.ip"
> >     ifconfig_gif0="192.168.6.1 192.168.0.1"
> >     static_routes="john"
> >     route_john="-net 192.168.0 -interface gif0"
>
> The problem (one part, at least) is that you use the same IP address
> (192.168.6.1) on your xl0 and gif0 interfaces (on both ends). You'll want
> the tunnel addresses to be in a different subnet.

I have another tunnel set up this way and it works fine. Why should the tunnel addresses be on a different subnet?

> Also, the netmask in the ifconfig_xl0 line doesn't match the comment,
> which one is wrong?

The public interface (ed0) always gets the same address from the DSL modem, even though it's using DHCP. I think you associated the comment with the wrong ifconfig line (I've added a break between them to clarify).

I'm starting to think that it would be easier to use ppp/tun and ssh rather than gif in this instance, even though I'm less familiar with that arrangement.

JN
Re: gif(4) tunnel through MSN DSL modem
John Nielsen wrote:
> >     # Public interface -- 192.168.1.2 netmask 255.255.255.252
> >     ifconfig_ed0="DHCP"
> >     gif_interfaces="gif0"
> >     gifconfig_gif0="DSL.public.ip myend.public.ip"
> >     ifconfig_gif0="192.168.6.1 192.168.0.1"
> >     static_routes="john"
> >     route_john="-net 192.168.0 -interface gif0"
> >
> > The problem (one part, at least) is that you use the same IP address
> > (192.168.6.1) on your xl0 and gif0 interfaces (on both ends). You'll want
> > the tunnel addresses to be in a different subnet.
>
> I have another tunnel set up this way and it works fine. Why should the
> tunnel addresses be on a different subnet?

Because your routing table will have an entry that says "to reach net X use gateway Y", and there will appear to be multiple ways to reach gateway Y if you have multiple addresses attached to the same subnet. Also, assigning the same IP address to multiple interfaces is usually a bad idea. (It is useful in some setups, but this ain't one.) Add encapsulation, and you've a fine example of a black hole due to infinite encapsulation.

> > Also, the netmask in the ifconfig_xl0 line doesn't match the comment,
> > which one is wrong?
>
> The public interface (ed0) always gets the same address from the DSL
> modem, even though it's using DHCP. I think you associated the comment
> with the wrong ifconfig line (I've added a break between them to clarify).

Oh, you're right, sorry. But then you're assigning the same IP address to THREE interfaces!

> I'm starting to think that it would be easier to use ppp/tun and ssh
> rather than gif in this instance, even though I'm less familiar with that
> arrangement.

I'm willing to bet a beer that these problems will disappear if you pick different subnets and IP addresses for your interfaces. This is a pretty straightforward setup.

Lars
--
Lars Eggert [EMAIL PROTECTED]
USC Information Sciences Institute
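Lars's two objections (one address on several interfaces of the same host, and tunnel addresses sitting inside a subnet a physical interface already owns) are mechanical enough to check. The following is an added example, not code from the thread: a small linter over rc.conf-style `ifconfig_*` lines that reports both conditions, run over the far-end excerpt as posted and over a corrected variant. The corrected variant moves the tunnel onto its own /30; the 10.255.255.0/30 numbers are an assumption chosen for illustration, and its `gifconfig_gif0` line uses the box's own 192.168.1.2 as the local outer endpoint, the arrangement Nate describes, which the linter itself does not check.

```python
"""Lint rc.conf tunnel excerpts for the two problems Lars raised.

Added example, not code from the thread.  Checks: (1) one address assigned
to more than one interface on the same host; (2) point-to-point tunnel
addresses that fall inside a subnet attached to a broadcast interface.
The 10.255.255.0/30 tunnel subnet in FAR_END_FIXED is an assumption.
"""
import ipaddress
import re

# Far (DSL) end exactly as posted in the thread.
FAR_END_AS_POSTED = """
# Private interface
ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
# Public interface -- 192.168.1.2 netmask 255.255.255.252
ifconfig_ed0="DHCP"
gif_interfaces="gif0"
gifconfig_gif0="DSL.public.ip myend.public.ip"
ifconfig_gif0="192.168.6.1 192.168.0.1"
static_routes="john"
route_john="-net 192.168.0 -interface gif0"
"""

# Same host with the tunnel on its own /30 (constructed; addresses assumed).
FAR_END_FIXED = """
ifconfig_xl0="inet 192.168.6.1 netmask 255.255.255.0"
ifconfig_ed0="DHCP"
gif_interfaces="gif0"
gifconfig_gif0="192.168.1.2 myend.public.ip"
ifconfig_gif0="10.255.255.1 10.255.255.2 netmask 255.255.255.252"
static_routes="john"
route_john="-net 192.168.0 -interface gif0"
"""

IFCONFIG_RE = re.compile(r'^\s*ifconfig_(\w+)="([^"]*)"\s*$')


def parse_ifconfig_lines(rcconf: str) -> dict:
    """Map interface name -> (local address, netmask or None, p2p peer or None).

    Only ifconfig_<if>="..." lines carrying a static address are kept; a DHCP
    line has no address to check and is skipped.  "A B" is the FreeBSD
    point-to-point form (local, peer); "inet A netmask M" is a broadcast LAN.
    """
    ifaces = {}
    for line in rcconf.splitlines():
        m = IFCONFIG_RE.match(line)
        if not m:
            continue
        name, words = m.group(1), m.group(2).split()
        if not words or words[0].upper() == "DHCP":
            continue
        if words[0] == "inet":
            words = words[1:]
        local = ipaddress.ip_address(words[0])
        peer = mask = None
        rest = words[1:]
        if "netmask" in rest:
            i = rest.index("netmask")
            mask = rest[i + 1]
            rest = rest[:i]
        if rest:                      # a second bare address: point-to-point peer
            peer = ipaddress.ip_address(rest[0])
        ifaces[name] = (local, mask, peer)
    return ifaces


def lint(rcconf: str) -> list:
    """Return human-readable findings; an empty list means both checks pass."""
    ifaces = parse_ifconfig_lines(rcconf)
    findings = []

    # 1. The same address on more than one interface of this host.
    owners = {}
    for name, (local, _, _) in ifaces.items():
        owners.setdefault(local, []).append(name)
    for addr, names in owners.items():
        if len(names) > 1:
            findings.append(f"{addr} is assigned to {', '.join(names)}")

    # 2. Tunnel endpoints inside a subnet a broadcast interface already owns.
    lans = {n: ipaddress.ip_network(f"{a}/{m}", strict=False)
            for n, (a, m, p) in ifaces.items() if p is None and m}
    for name, (local, _, peer) in ifaces.items():
        if peer is None:
            continue
        for end in (local, peer):
            for lan_name, net in lans.items():
                if end in net:
                    findings.append(f"{name} tunnel address {end} lies inside "
                                    f"{lan_name}'s subnet {net}")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", FAR_END_AS_POSTED), ("fixed", FAR_END_FIXED)):
        print(f"{label}: {lint(text) or ['ok']}")
```

Run against the posted excerpt it reports 192.168.6.1 on both xl0 and gif0 and gif0's local address inside xl0's 192.168.6.0/24; against the corrected excerpt it reports nothing. The "my end" excerpt from the original post has the mirror-image problem (192.168.0.1 on ep0 and gif0) and can be fed to `lint` unchanged.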