FreeBSD Dial up server

2004-04-15 Thread Drew Robertson
Hi all,

I've been trying to set up an ISP like setup for a home lan.  ie. have dial 
in client use cable modem to access the internet and other lan clients.

I'm using freebsd 4.8 and have just changed from ipfw/natd to ipf/ipnat.

I have the issue where clients dial in, authenticate, logon but can't access 
anything on the server or lan.

I've gone right back to basics and added the sample server section from the 
ppp.conf.sample.

server:
enable chap chap80 chap81 pap passwdauth
enable proxy
set ifaddr 10.0.0.1 10.0.0.100-10.0.0.199
accept dns

In ipnat.rules there is a map command used to map all the packets going out 
on the tun0 interface, but its use looks to be for dial out isp connection.

With packets coming in from a dial in client should i map packets back in 
instead, or both ways??

i have the ipnat.rules file as follows

map tl0 192.168.1.0/24 -> 0/32
map tun0 192.168.1.0/24 -> 0/32
map tun0 0/32 <- 0/32

If so, will the last command allow packets being passed from the tun0 
interface coming into the server to just pass through with its assigned ip 
address from ppp.conf?

I have included all the options in rc.conf from the handbook and it looks to 
be ok.

gateway_enable="YES"
hostname="SOMECOMPUTER.SOMEWHERE.COM"
ifconfig_sis0="inet 192.168.1.1  netmask 255.255.255.0"
ifconfig_tl0="DHCP"
ifconfig_tun0=
#defaultrouter="192.168.1.1"
router_enable="NO"
mrouted_enable="NO"
#arpproxy_all="YES"
local_startup="/usr/local/etc/rc.d /etc"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
lpd_enable="YES"
moused_enable="YES"
moused_port="/dev/psm0"
moused_type="auto"
nfs_reserved_port_only="YES"
usbd_enable="YES"
ipfilter_enable="YES"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_rules="/etc/ipnat.rules"
nfs_server_enable="YES"
portmap_enable="YES"
nfs_client_enable="YES"

Thanks for the help.


___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: IPFW Rule set question...

2004-01-26 Thread Drew Robertson
Thanks for your reply.

I don't understand what you mean when you say NAT modifications... meaning 
how the packets are changed on the gateway to allow them to be seen as 
transparent from behind??

When I do a netstat -an while connected remotely it shows the connection on 
SSH as coming from 203.10.10.38, but when I add a rule to allow everything 
from that net it still won't allow access...

I did add the rule before the divert, but i still couldn't connect until i 
added an allow all manually...

i also tried opening up the ssh port to everyone, with allow tcp from any to 
me 22 via tl0, but that wouldn't allow a connection either...

It's a bit confusing...

Thanks again,

D


From: Lowell Gilbert <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: "Drew Robertson" <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED]
Subject: Re: IPFW Rule set question...
Date: 24 Dec 2003 16:43:49 -0500
"Drew Robertson" <[EMAIL PROTECTED]> writes:

> I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it
> is dual homed, 2 NICs one for the internal LAN one running my cable
> modem.  Everything works fine on the internal side.
>
> When accessing the box using any of those apps from work, the system
> looks to briefly connect and then returns a "Connection Lost" or
> "Connection closed by remote host error".
>
> The command setup to allow in access is as follows...
>
> 820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
> 830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup
I assume these are supposed to have "keep-state" in them.
It *is* written that way in the full ruleset you posted lower down.
> when this didn't work I added another command at the start of the
> ruleset to just let everything in from a particular IP address range...
>
> 202 allow ip from 203.10.10.0/24 to any
>
> however this produced the same error...
>
> It wasn't until I allowed all from any to any that I was able to connect...

Then the packets aren't actually being seen as coming from that
address.  Maybe you're running into NAT modifications?
> When checking out the security log, it tells me that rule 820 is
> allowing access to my computer at home...
But only for SYN packets...

--
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password "public"


Re: A Challenge... NAT for PPP dial in user

2003-12-28 Thread Drew Robertson
Thanks for that, I've added an entry to my rc.conf - ppp_nat="NO".  
Hopefully that will stop ppp trying to use nat...

Thanks,

D


From: Lowell Gilbert <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
CC: "Drew Robertson" <[EMAIL PROTECTED]>
Subject: Re: A Challenge... NAT for PPP dial in user
Date: 26 Dec 2003 09:45:52 -0500
"Drew Robertson" <[EMAIL PROTECTED]> writes:

> I've been playing around with this for a while.
>
> I have a FreeBSD 4.8 box set as a gateway on my home LAN.  I have 1 pc
> downstairs, and a few dial up users... FreeBSD box has 2 network
> cards, 1 for internal, 1 for external internet using cable & 1 56k
> modem.
>
> Very simple problem... when a dial in user connects to the FreeBSD
> gateway/router using PPP, NAT stops working on the PC downstairs and
> won't work on the dial in PC either...
>
> I have complete LAN access (telnet, ssh, samba, ping etc) on both the
> dial in PC and the downstairs PC, but somewhere my config is
> preventing everyone from being able to access the internet at once.
>
> In rc.conf, I have my Gateway_enable=YES, defaultrouter=192.168.1.1,
> router_enable=yes, proxyarp_all=yes...
>
> PPP.conf is simple...
>
>   enable pap
>   enable passwdauth
>   set ifaddr 192.168.1.1 192.168.1.100-192.168.1.199 255.255.255.0
>   add HISADDR 255.255.255.0 MYADDR
>   accept dns
>   set dns 203.2.75.132
>   enable proxy
>
> In natd.conf
>
> interface tl0
> sameports yes
> dynamic yes
>
> I'm running a firewall, but it is open for the TUN0 interface...
>
> I also have a divert natd (8668) allow all from any to any out via tl0
>
> All other PC's on the LAN are windows clients... the one downstairs I
> was able to just set a default gateway and it was up and running on
> the internet, unfortunately it isn't done like that on a dial in setup
> on windows...  I can't use DHCP for the clients, as I'm not supposed
> to have internet sharing running...
>
> Do I need to have an add statement in the PPP.conf, or do i have to
> enable proxyall rather than enable proxy??
>
> Worst thing about this is I can't find enough doco on it on the
> net... I'll write my own when I get it done...
I think that natd(8) and the NAT from ppp(8) are stepping on each
other's toes.  Try not enabling NAT in ppp(8) at all, and letting
natd(8) take care of it.  It's the same outside interface, after all;
it should "just work".
--
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password "public"


A Challenge... NAT for PPP dial in user

2003-12-23 Thread Drew Robertson
Hey all,

I've been playing around with this for a while.

I have a FreeBSD 4.8 box set as a gateway on my home LAN.  I have 1 pc 
downstairs, and a few dial up users... FreeBSD box has 2 network cards, 1 
for internal, 1 for external internet using cable & 1 56k modem.

Very simple problem... when a dial in user connects to the FreeBSD 
gateway/router using PPP, NAT stops working on the PC downstairs and won't 
work on the dial in PC either...

I have complete LAN access (telnet, ssh, samba, ping etc) on both the dial 
in PC and the downstairs PC, but somewhere my config is preventing everyone 
from being able to access the internet at once.

In rc.conf, I have my Gateway_enable=YES, defaultrouter=192.168.1.1, 
router_enable=yes, proxyarp_all=yes...

PPP.conf is simple...

 enable pap
 enable passwdauth
 set ifaddr 192.168.1.1 192.168.1.100-192.168.1.199 255.255.255.0
 add HISADDR 255.255.255.0 MYADDR
 accept dns
 set dns 203.2.75.132
 enable proxy

In natd.conf

interface tl0
sameports yes
dynamic yes

I'm running a firewall, but it is open for the TUN0 interface...

I also have a divert natd (8668) allow all from any to any out via tl0

All other PC's on the LAN are windows clients... the one downstairs I was 
able to just set a default gateway and it was up and running on the 
internet, unfortunately it isn't done like that on a dial in setup on 
windows...  I can't use DHCP for the clients, as I'm not supposed to have 
internet sharing running...

Do I need to have an add statement in the PPP.conf, or do i have to enable 
proxyall rather than enable proxy??

Worst thing about this is I can't find enough doco on it on the net... I'll 
write my own when I get it done...

Thanks

D



IPFW Rule set question...

2003-12-23 Thread Drew Robertson
Hi everyone,

Thanks to those who take the time to read and reply to these emails.

I have a strange issue regarding my firewall (IPFW)...

I have enabled SSH, TELNET and FTP on my freeBSD 4.8 box at home... it is 
dual homed, 2 NICs one for the internal LAN one running my cable modem.  
Everything works fine on the internal side.

When accessing the box using any of those apps from work, the system looks 
to briefly connect and then returns a "Connection Lost" or "Connection 
closed by remote host error".

The command setup to allow in access is as follows...

820 allow log tcp from any to me 22 limit src-addr 4 in recv tl0 setup
830 allow log tcp from any to me 23 limit src-addr 4 in recv tl0 setup

when this didn't work I added another command at the start of the ruleset to 
just let everything in from a particular IP address range...

202 allow ip from 203.10.10.0/24 to any

however this produced the same error...

It wasn't until I allowed all from any to any that I was able to connect...

When checking out the security log, it tells me that rule 820 is allowing 
access to my computer at home...

Ruleset is attached completely below

/sbin/ipfw -q -f flush

# Set rules command prefix
# The -q option on the command is for quiet mode.
# Do not display rules as they load. Remove during development to see.
cmd="/sbin/ipfw -q add"
# Set defaults
oif="tl0"               # Nic card to cable modem public internet connection
odns1="203.2.75.132"    # ISP's dns server IP address

$cmd 00200 divert natd all from any to any via $oif

# control section
# Start of IPFW advanced Stateful Filtering using "dynamic" rules.
# The check-state statement behavior is to match bi-directional packet traffic
# flow between source and destination using protocol/IP/port/sequence number.
# The dynamic rule has a limited lifetime which is controlled by a set of
# sysctl(8) variables. The lifetime is refreshed every time a matching
# packet is found in the dynamic table.

# Allow the packet through if it has previously been added to the
# "dynamic" rules table by an allow keep-state statement.
$cmd 00202 allow log all from 203.10.10.0/24 to any
$cmd 00203 allow log all from any to any via tun0
$cmd 00400 check-state

# SAMBA File/Printer Sharing on Internal LAN
$cmd 00410 allow log tcp from 192.168.1.0/24 to 192.168.1.0/24
$cmd 00411 allow log udp from 192.168.1.0/24 to 192.168.1.0/24
# Run all private LAN sis0 packet traffic through the dynamic rules
# table so the IP addresses are in sync with natd.
$cmd 00500 allow log all from any to any via sis0 keep-state
# Deny all fragments as bogus packets
$cmd 00530 deny log all from any to any frag in via $oif
# Deny ACK packets that did not match the dynamic rule table
$cmd 00540 deny log tcp from any to any established in via $oif

# outbound section
# Interrogate packets originating from behind the firewall, private net.
# Upon a rule match, its keep-state option will create a dynamic rule.
# Allow out non-secure standard http function
$cmd 00600 allow log tcp from any to any 80 out via $oif setup keep-state
# Allow out secure www function https over TLS SSL
$cmd 00601 allow log tcp from any to any 443 out via $oif setup keep-state
# Allow out access to my ISP's Domain name server.
$cmd 00610 allow log tcp from any to $odns1 53 out via $oif setup keep-state
$cmd 00611 allow log udp from any to $odns1 53 out via $oif keep-state

# Allow out send & get email function
$cmd 00630 allow log tcp from any to any 25,110 out via $oif setup keep-state

# Allow out & in FBSD (make install & CVSUP) functions
# Basically give user id [ROOT] "GOD" privileges.
$cmd 00640 allow log tcp from me to any out via $oif setup keep-state uid root

# inbound section
# Interrogate packets originating from in front of the firewall, public net.
# Allow in www http access to my apache server
#$cmd 00800 allow log tcp from any to any 80 in via $oif setup keep-state limit src-addr 4

# Allow TCP FTP control channel in & data channel out
$cmd 00810 allow log tcp from any to me 21 in via $oif setup keep-state limit src-addr 4
$cmd 00811 allow log tcp from any 20 to any 1024-49151 out via $oif setup keep-state limit src-addr 4

# Allow in ssh function
$cmd 00820 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4

# Allow in Telnet
$cmd 00830 allow log tcp from any to me 23 in via $oif setup keep-state limit src-addr 4

Thanks.

D
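Added example, not part of the thread or of anyone's posted config: a small Python model of ipfw first-match evaluation with a dynamic state table, run over a constructed inbound SSH session from the 203.10.10.38 work address mentioned in this thread. It illustrates the point in Lowell's reply: an inbound rule matching `setup` only, with no dynamic state, admits the SYN and leaves every later packet of the session to rule 00540 (`deny ... established in`), whereas adding `keep-state` lets rule 00400 `check-state` pass them. The model covers only the setup/established/keep-state/check-state keywords; the `log` option and ipfw's `limit` option from the posted rules (which in ipfw also creates state) are left out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    syn_only: bool           # True for the SYN that opens the TCP session
    direction: str = "in"    # as seen on the outside NIC (tl0 in the thread)

@dataclass
class Rule:
    num: int
    action: str                      # "allow", "deny" or "check-state"
    dport: Optional[int] = None      # None matches any destination port
    direction: Optional[str] = None  # None matches both directions
    setup: bool = False              # ipfw 'setup': match only the SYN
    established: bool = False        # ipfw 'established': match non-SYN only
    keep_state: bool = False         # create a dynamic entry when matched

def evaluate(rules, packets):
    """First-match evaluation with a dynamic table. Returns the (rule number,
    action) that decided each packet; no match means the default deny (65535)."""
    dynamic = set()                  # flows (src, dport) learned by keep-state
    decisions = []
    for p in packets:
        flow = (p.src, p.dport)
        verdict = (65535, "deny")
        for r in rules:
            if r.action == "check-state":
                if flow in dynamic:  # packet belongs to a session seen before
                    verdict = (r.num, "allow")
                    break
                continue
            if ((r.dport is not None and r.dport != p.dport)
                    or (r.direction is not None and r.direction != p.direction)
                    or (r.setup and not p.syn_only)
                    or (r.established and p.syn_only)):
                continue
            if r.keep_state:
                dynamic.add(flow)
            verdict = (r.num, r.action)
            break
        decisions.append(verdict)
    return decisions

def inbound_ruleset(keep_state):
    """The rules from the posted set that decide an inbound SSH session:
    00400 check-state, 00540 deny established in, 00820 allow 22 in setup."""
    return [Rule(400, "check-state"),
            Rule(540, "deny", direction="in", established=True),
            Rule(820, "allow", dport=22, direction="in", setup=True,
                 keep_state=keep_state)]

# Constructed sample: the SYN from the work address named in the thread,
# followed by two further packets (ACK/data) of the same SSH session.
SSH_SESSION = [Packet("203.10.10.38", 22, syn_only=True),
               Packet("203.10.10.38", 22, syn_only=False),
               Packet("203.10.10.38", 22, syn_only=False)]

if __name__ == "__main__":
    print("setup only:      ", evaluate(inbound_ruleset(False), SSH_SESSION))
    print("setup+keep-state:", evaluate(inbound_ruleset(True), SSH_SESSION))
```

Without state the second and third packets are decided by rule 540, which matches the "briefly connects, then connection closed" symptom described above; with `keep-state` they are accepted by `check-state`.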


Re: FreeBSD as dial up server...

2003-12-20 Thread Drew Robertson
Thanks for your help.

Would you happen to know if setting up the FreeBSD box as a DNS server would 
allow network browsing over the PPP link???

I have no idea how to bimap a broadcast address along subnets!!!  But that 
is something I'm gonna have to learn!  I only have one subnet, so I'm not 
sure that'll work in this case.

Thanks again.


From: Harald Schmalzbauer <[EMAIL PROTECTED]>
To: "Drew Robertson" 
<[EMAIL PROTECTED]>,[EMAIL PROTECTED]
Subject: Re: FreeBSD as dial up server...
Date: Sat, 20 Dec 2003 12:46:29 +0100

On Saturday 20 December 2003 02:57, Drew Robertson wrote:
> Hi,
>
> I'm working at getting my FreeBSD 4.8 system to act as a dial up RAS
> server...
>
> At the moment, I have almost everything working... yay!
>
> My question to anyone that knows... my FreeBSD system is running SAMBA and
> is part of a workgroup in my home...
>
> Is it possible from a dial up client to view the Network using network
> neighbourhood??  I read somewhere that as the PPP server is a router,
> network browsing will not work... is this true?

That is true. You'd need at least one server at each subnet.
But once I did an ugly hack to make it work: I bimapped broadcast addresses
along the subnets. As far as I can remember this worked, but it was just for
fun, I never used it. Also providing a WINS at SAMBA and using that on the
ppp link was useful but that was long ago (WinNT WinCE and Samba 1)

-Harry

>
> Thanks.
>


FreeBSD as dial up server...

2003-12-19 Thread Drew Robertson
Hi,

I'm working at getting my FreeBSD 4.8 system to act as a dial up RAS 
server...

At the moment, I have almost everything working... yay!

My question to anyone that knows... my FreeBSD system is running SAMBA and 
is part of a workgroup in my home...

Is it possible from a dial up client to view the Network using network 
neighbourhood??  I read somewhere that as the PPP server is a router, 
network browsing will not work... is this true?

Thanks.



Connect to internal lan using PPP

2003-11-25 Thread Drew Robertson
Hi all,

I've set up my freebsd box to accept incoming connections via userPPP as 
per the handbook using mgetty and autoPPP.

It's currently the default gateway for an internal lan and I'd like to 
enable dial in users to access both network and internet services.  It's 
IP 192.168.1.1.

It is dual homed with 2 net cards (plus a modem), one external for 
internet cable, one internal for home and runs natd for the other local pc.

Everything works fine.  Home network sharing, samba etc, even dial out.

PPP will accept an incoming connection and allow log on for a user on my 
modem on ttyd0, assigning a dynamic IP address in the range between 
192.168.1.100-199.

On the client side, usually WINDOWS 98 from a friend's house, I cannot 
see anything.  No PC's in net neighbourhood, no internet, and i cannot 
ping either of the PC's at home.  There are entries in the hosts file 
for both home clients.

If i do an IPCONFIG from the windows client, it will reply as:

IP Address: 192.168.1.199
S/N: 255.255.255.0
Default Gateway: 192.168.1.199

If i delete this route on the windows client (route delete 0.0.0.0) and 
add the correct route (route add 0.0.0.0 192.168.1.1), it shows up under 
IPCONFIG correctly as:

IP Address: 192.168.1.199
S/N: 255.255.255.0
default gateway: 192.168.1.1

but I still cannot view the home LAN.

I've changed ppp.conf and added a ppp.linkup, but when logging on 
externally i cannot fix what seems to be a routing/gateway issue.

My config is pretty standard, but for reference please find it all below:

MY RC.CONF FILE:

gateway_enable="YES"
hostname="MATRIX-SERVER"
ifconfig_sis0="inet 192.168.1.1  netmask 255.255.255.0"
ifconfig_tl0="DHCP"
#defaultrouter="192.168.1.1"
router_enable="YES"
arpproxy_all="YES"
local_startup="/usr/local/etc/rc.d /etc"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
lpd_enable="YES"
moused_enable="YES"
#moused_flags="-z 5"
moused_port="/dev/psm0"
moused_type="auto"
nfs_reserved_port_only="YES"
saver="fire"
blanktime="180"
sendmail_enable="NONE"
#sshd_enable="YES"
usbd_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
nfs_server_enable="YES"
portmap_enable="YES"
nfs_client_enable="YES"

MY PPP.CONF FILE:

default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 # Ensure that "device" references the correct serial port
 # for your modem. (cuaa0 = COM1, cuaa1 = COM2)
 #
 set device /dev/cuaa0
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
   \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 0  # 3 minute idle timer (the default)
 enable dns # request DNS info (for resolv.conf)
 allow users matrix_admin pentium ppp courtobrien
pap:
 enable pap
 enable passwdauth
 set ifaddr 192.168.1.99 192.168.1.100-192.168.1.199 255.255.255.0
 #add 0.0.0.0 192.168.1.1
 accept dns
 set dns 203.2.75.132
 enable proxy
#cuaa0:
# set ifaddr 192.168.1.99 192.168.1.100-192.168.1.199 255.255.255.0
# add default MYADDR
# enable passwdauth
# allow users matrix_admin pentium courtobrien ppp
# accept dns
# set dns 203.2.75.132
# enable proxy
ttyd0:
 set ifaddr 192.168.1.99 192.168.1.100-192.168.1.199 255.255.255.0
 add 192.168.1.1
 enable passwdauth
 accept dns
 set dns 203.2.75.132
 enable proxy
optusnet:
 #
 # edit the next three lines and replace the items in caps with
 # the values which have been assigned by your ISP.
 #
 set phone 66
 set authname username
 set authkey password
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR   # Add a (sticky) default route

MY PPP.LINKUP FILE

MYADDR:
 delete ALL
 add 0 0 HISADDR

Going through the PPP.LOG, it seems to rely on the pap section of 
PPP.CONF and I notice an error when the default route is being set.

WARNING: add route failed: 0.0.0.0/0 already exists.

It has to be something easy I've overlooked, but I'm spending all my 
girlfriend's money on phone calls!!!

Cheers,

DR


