[pfSense] pptp issues.

Ermal Luçi ermal.luci at gmail.com
Thu Sep 8 08:14:56 EDT 2011


On Thu, Sep 8, 2011 at 1:34 PM, Johan Hendriks
<j.hendriks at schavemaker.com> wrote:
> Once more
>
> I am running the latest snapshot of today.
> I use the old PPTP ADSL way to make the connection with our provider.
> It has worked for us very well for a really long time.
>
> This works great on all versions of m0n0wall and pfSense 1.2.3 and before.
>
> But now with pfSense 2.0 I cannot get traffic over the line.
> At least no real data.
> I can ping, but websites do not load, or only part of them; most will not.
>
> I have been struggling with this for about 2 months now.
> The thing is I see a lot of dropped packets on the vr1 interface.
> This is the interface my modem is connected to, and it runs on a Soekris 5501
> board.
> These drops look like this (I have disabled the block rule of private networks):
> vr1     10.0.0.138     10.0.0.100     GRE
> vr1     10.0.0.138     10.0.0.100     GRE
> 10.0.0.138 is the modem
> 10.0.0.100 is my WAN address.
> I have disabled the block rule of private networks.
> I also tried all kinds of MTU settings.
>

Do you have your vr1 interface assigned in any way, or any address
configured on it?
AFAIK it should work as is, but it has been a long time since I used PPTP as
a client, so I might have something wrong.

The way to test is to manually modify rules.debug to include the
vr1 interface as in 1.2.3, load that ruleset and see if it works.

> On the 2.0 version, if I look at the /tmp/rules.debug file, I see the WAN
> interface WAN = "{ pptp1 }"
> Also I see the pass rule for this GRE traffic on my WAN interface:
> pass in on $WAN proto gre from any to any keep state label "allow PPTP client on WAN"
>
> But here it goes wrong in my understanding!
> The firewall log tells me it drops them on vr1, and the pass rule is for
> pptp1, hence WAN = "{ pptp1 }"
>
> On the old pfSense 1.2.3 I see wan = "{ vr1 ng0  }"
> And also the pass rule.
> # PPTPd rules
> anchor "pptp"
> pass in quick on $wan proto gre from any to 213.84.84.84 keep state label "allow gre pptpd"
> pass in quick on $wan proto tcp from any to 213.84.84.84 port = 1723 modulate state label "allow pptpd xxx.xxx.xxx.xxx"
>
> So in the old version it also passes these GRE packets on the vr1 interface
> and the ng0 interface.
>
> So would it be wise to set WAN = "{ vr1 pptp1 }" on 2.0?
> And how can I do that for a test?
>
> regards
> Johan Hendriks
>
> Below are my /tmp/rules.debug files.
> The version 2.0 is from a cleanly installed system.
> The version from 1.2.3 is from the working one, and I deleted some of the
> rules that are not important as far as I know.
>
> This is the output of /tmp/rules.debug (V2.0)
>
> ############### V 2.0 #################
>
> #System aliases
>
> loopback = "{ lo0 }"
> WAN = "{ pptp1 }"
> LAN = "{ vr0 }"
>
> #SSH Lockout Table
> table <sshlockout> persist
> table <webConfiguratorlockout> persist
> #pfSnortSam tables
> table <snort2c>
>
> table <virusprot>
>
> # User Aliases
>
> # Gateways
> GWWAN = " route-to ( pptp1 xxx.190.242.xxx ) "
>
>
> set loginterface vr0
> set optimization normal
> set limit states 48000
> set limit src-nodes 48000
>
> set skip on pfsync0
>
> scrub in on $WAN all    fragment reassemble
> scrub in on $LAN all    fragment reassemble
>
>
> nat-anchor "natearly/*"
> nat-anchor "natrules/*"
>
>
> # Outbound NAT rules
>
> # Subnets to NAT
> tonatsubnets    = "{ 192.168.1.0/24 127.0.0.0/8  }"
> nat on $WAN  from $tonatsubnets port 500 to any port 500 -> xxx.xxx.xxx.xxx/32 port 500
> nat on $WAN  from $tonatsubnets to any -> xxx.xxx.xxx.xxx/32 port 1024:65535
>
>
> # Load balancing anchor
> rdr-anchor "relayd/*"
> # TFTP proxy
> rdr-anchor "tftp-proxy/*"
> table <direct_networks> { xxx.xxx.xxx.xxx/32 192.168.1.0/24 }
> # UPnPd rdr anchor
> rdr-anchor "miniupnpd"
>
> anchor "relayd/*"
> #---------------------------------------------------------------------------
> # default deny rules
> #---------------------------------------------------------------------------
> block in log all label "Default deny rule"
> block out log all label "Default deny rule"
>
> # We use the mighty pf, we cannot be fooled.
> block quick proto { tcp, udp } from any port = 0 to any
> block quick proto { tcp, udp } from any to any port = 0
>
> # Block all IPv6
> block in quick inet6 all
> block out quick inet6 all
>
> # pfSnortSam
> block quick from <snort2c> to any label "Block snort2c hosts"
> block quick from any to <snort2c> label "Block snort2c hosts"
> block quick from <pfSnortSamout> to any label "Block pfSnortSamOut hosts"
> block quick from any to <pfSnortSamin> label "Block pfSnortSamIn hosts"
>
> # SSH lockout
> block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
>
> # webConfigurator lockout
> block in log quick proto tcp from <webConfiguratorlockout> to any port 443 label "webConfiguratorlockout"
> block in quick from <virusprot> to any label "virusprot overload table"
> antispoof for pptp1
> # allow PPTP client
> pass in on $WAN proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client on WAN"
> pass in on $WAN proto gre from any to any keep state label "allow PPTP client on WAN"
> antispoof for vr0
>
> # loopback
> pass in on $loopback all label "pass loopback"
> pass out on $loopback all label "pass loopback"
> # let out anything from the firewall host itself and decrypted IPsec traffic
> pass out all keep state allow-opts label "let out anything from firewall host itself"
> pass out route-to ( pptp1 xxx.190.242.xxx ) from xxx.xxx.xxx.xxx to !xxx.xxx.xxx.xxx/32 keep state allow-opts label "let out anything from firewall host itself"
> # make sure the user cannot lock himself out of the webConfigurator or SSH
> pass in quick on vr0 proto tcp from any to (vr0) port { 80 443  22 } keep state label "anti-lockout rule"
>
> # User-defined rules follow
>
> anchor "userrules/*"
> pass  in  quick  on $WAN reply-to ( pptp1 xxx.190.242.xxx )  from any to any keep state  label "USER_RULE"
> pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
>
> # VPN Rules
> anchor "tftp-proxy/*"
>
> ############### END V 2.0 #################
>
> ############### V 1.2.3  #################
> This is /tmp/rules.debug on the working 1.2.3 system (relevant part, as far as I know)
>
> # System Aliases
> loopback = "{ lo0 }"
> lan = "{ vr0  }"
> ng0 = "{ vr1 ng0 }"
> wan = "{ vr1 ng0  }"
> enc0 = "{ enc0 }"
> pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 ng15 ng16 }"
> # User Aliases
>
> set loginterface vr1
> set loginterface vr0
> set loginterface vr2
> set optimization normal
>
> set skip on pfsync0
> scrub all random-id  fragment reassemble
>
>
> nat-anchor "pftpx/*"
> nat-anchor "natearly/*"
> nat-anchor "natrules/*"
> # FTP proxy
> rdr-anchor "pftpx/*"
>
> # Outbound NAT rules
> nat on $ng0 from 192.168.1.0/24 port 500 to any port 500 -> (ng0) port 500
> nat on $ng0 from 192.168.1.0/24 port 5060 to any port 5060 -> (ng0) port 5060
> nat on $ng0 from 192.168.1.0/24 to any -> (ng0) port 1024:65535
> nat on $ng0 from 192.168.1.208/28 port 500 to any port 500 -> (ng0) port 500
> nat on $ng0 from 192.168.1.208/28 port 5060 to any port 5060 -> (ng0) port 5060
> nat on $ng0 from 192.168.1.208/28 to any -> (ng0) port 1024:65535
>
>
> #SSH Lockout Table
> table <sshlockout> persist
>
>
> # Load balancing anchor - slbd updates
> rdr-anchor "slb"
>
> # FTP Proxy/helper
> table <vpns> {   }
> no rdr on vr0 proto tcp from any to <vpns> port 21
> rdr on vr0 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> no rdr on vr2 proto tcp from any to <vpns> port 21
> rdr on vr2 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
>
> # NAT Inbound Redirects
>
>
> # IMSpector rdr anchor
> rdr-anchor "imspector"
> # UPnPd rdr anchor
> rdr-anchor "miniupnpd"
>
>
> anchor "ftpsesame/*"
> anchor "firewallrules"
>
> # We use the mighty pf, we cannot be fooled.
> block quick proto { tcp, udp } from any port = 0 to any
> block quick proto { tcp, udp } from any to any port = 0
>
> # snort2c
> table <snort2c> persist
> block quick from <snort2c> to any label "Block snort2c hosts"
> block quick from any to <snort2c> label "Block snort2c hosts"
> # Block all IPv6
> block in quick inet6 all
> block out quick inet6 all
> # loopback
> anchor "loopback"
> pass in quick on $loopback all label "pass loopback"
> pass out quick on $loopback all label "pass loopback"
>
> # package manager early specific hook
> anchor "packageearly"
>
>
> # carp
> anchor "carp"
>
> # permit wan interface to ping out (ping_hosts.sh)
> pass quick proto icmp from xxx.xxx.xxx.xxx to any keep state
>
> # NAT Reflection rules
>
> # allow PPTP client
> anchor "pptpclient"
> pass in quick on $wan proto gre from any to any modulate state label "allow PPTP client"
> pass in quick on $wan proto gre from any to any modulate state label "allow PPTP client"
> pass in quick on $wan proto tcp from any port = 1723 to any flags S/SA modulate state label "allow PPTP client"
> pass in quick on $wan proto tcp from any to any port = 1723 flags S/SA modulate state label "allow PPTP client"
> block in log quick on $wan proto udp from any port = 67 to 192.168.1.0/24 port = 68 label "block dhcp client out wan"
>
> # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
> antispoof for vr0
> antispoof for vr2
>
> anchor "spoofing"
> # Support for allow limiting of TCP connections by establishment rate
> anchor "limitingesr"
> table <virusprot>
> block in quick from <virusprot> to any label "virusprot overload table"
>
> # block bogon networks
> # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
> anchor "wanbogons"
> table <bogons> persist file "/etc/bogons"
> block in log quick on $wan from <bogons> to any label "block bogon networks from wan"
>
> # let out anything from the firewall host itself and decrypted IPsec traffic
> pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
> pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
>
> # tcp.closed 5 is a workaround for load balancing, squid and a few other issues.
> # ticket (FEN-857512) in centipede tracker.
> pass out quick on ng0 all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
> # pass traffic from firewall -> out
> anchor "firewallout"
> pass out quick on vr1 all keep state label "let out anything from firewall host itself"
> pass out quick on vr0 all keep state label "let out anything from firewall host itself"
> pass out quick on vr2 all keep state label "let out anything from firewall host itself"
> pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp"
> pass out quick on $enc0 keep state label "IPSEC internal host to host"
>
> # let out anything from the firewall host itself and decrypted IPsec traffic
> pass out quick on vr2 proto icmp keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
> pass out quick on $WLAN all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
>
> # make sure the user cannot lock himself out of the webGUI or SSH
> anchor "anti-lockout"
> pass in quick on vr0 from any to 192.168.1.250 keep state label "anti-lockout web rule"
>
> # PPTPd rules
> anchor "pptp"
> pass in quick on $wan proto gre from any to xxx.xxx.xxx.xxx keep state label "allow gre pptpd"
> pass in quick on $wan proto tcp from any to xxx.xxx.xxx.xxx port = 1723 modulate state label "allow pptpd xxx.xxx.xxx.xxx"
>
> # SSH lockout
> block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
>
> anchor "ftpproxy"
> anchor "pftpx/*"
>
> # IMSpector
> anchor "imspector"
>
> # uPnPd
> anchor "miniupnpd"
>
> #---------------------------------------------------------------------------
> # default deny rules
> #---------------------------------------------------------------------------
> block in log quick all label "Default deny rule"
> block out log quick all label "Default deny rule"
>
> ############### END V 1.2.3  #################
>
>


-- 
Ermal
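Added example, not code from the thread or from pfSense: a small model of how pf decides a packet against the 2.0 rules.debug excerpt quoted above, used to show why the firewall log reports GRE dropped on vr1 while the pass rule is on $WAN = "{ pptp1 }", and what changes when the macro is widened to "{ vr1 pptp1 }" as Johan proposes and Ermal suggests testing. It models only interface macros, in/out direction, `on <iface>`, `proto`, and pf's evaluation order (last matching rule wins unless a matching rule is `quick`); addresses, ports, flags, state options, anchors and antispoof are not modelled, so its answers are only meaningful for GRE here. The trimmed ruleset, the modem/WAN addresses 10.0.0.138 and 10.0.0.100 from the thread, and the narrower `allow GRE from modem` rule are constructed inputs I chose for the example.

```python
"""Model pf rule evaluation over the rules.debug excerpt from the thread.

Constructed example; not pfSense or pf code.  Modelled: interface macros
(WAN = "{ pptp1 }"), in/out direction, 'on <iface>', 'proto <name>', and pf's
order: the LAST matching rule wins, unless a matching rule carries 'quick',
which ends evaluation.  Not modelled: addresses, ports, TCP flags, state
options, anchors, antispoof.  Rules that depend on ports were left out.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Trimmed from the 2.0 rules.debug posted in the thread (constructed input).
RULES_V2 = '''\
#System aliases
loopback = "{ lo0 }"
WAN = "{ pptp1 }"
LAN = "{ vr0 }"
# default deny rules
block in log all label "Default deny rule"
block out log all label "Default deny rule"
antispoof for pptp1
# allow PPTP client
pass in on $WAN proto gre from any to any keep state label "allow PPTP client on WAN"
antispoof for vr0
# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
pass out all keep state allow-opts label "let out anything from firewall host itself"
# User-defined rules follow
pass  in  quick  on $WAN reply-to ( pptp1 xxx.190.242.xxx )  from any to any keep state  label "USER_RULE"
pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
'''

# Alternative to widening $WAN: one rule for GRE from the modem (10.0.0.138) to
# the vr1 address (10.0.0.100).  Hypothetical rule; the address part is not
# evaluated by this model, pf itself would enforce it.
NARROW_RULE = ('pass in quick on vr1 proto gre from 10.0.0.138 to 10.0.0.100 '
               'keep state label "allow GRE from modem"')

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*([^}]*?)\s*\}"', re.M)
PROTO_RE = re.compile(r'\bproto\s+(\{[^}]*\}|\S+)')
ON_RE = re.compile(r'\bon\s+(\$?[\w.]+)')


@dataclass
class Rule:
    action: str                  # 'pass' or 'block'
    direction: Optional[str]     # 'in', 'out' or None (applies to both)
    quick: bool
    ifaces: Optional[List[str]]  # None when the rule has no 'on' clause
    protos: Optional[List[str]]  # None when the rule has no 'proto' clause
    label: str
    text: str

    def matches(self, direction: str, iface: str, proto: str) -> bool:
        return ((self.direction is None or self.direction == direction)
                and (self.ifaces is None or iface in self.ifaces)
                and (self.protos is None or proto in self.protos))


def parse_macros(ruleset: str) -> Dict[str, List[str]]:
    """Collect interface macros such as WAN = "{ pptp1 }"."""
    return {m.group(1): m.group(2).split() for m in MACRO_RE.finditer(ruleset)}


def parse_rules(ruleset: str) -> List[Rule]:
    """Parse pass/block lines; skip macros, comments, antispoof, nat, anchors."""
    macros = parse_macros(ruleset)
    rules: List[Rule] = []
    for line in ruleset.splitlines():
        line = line.strip()
        if not (line.startswith("pass") or line.startswith("block")):
            continue
        head, _, label = line.partition(" label ")  # keep 'on WAN' in labels out
        tokens = head.split()
        direction = tokens[1] if len(tokens) > 1 and tokens[1] in ("in", "out") else None
        ifaces = None
        on = ON_RE.search(head)
        if on:
            name = on.group(1)
            ifaces = macros[name[1:]] if name.startswith("$") else [name]
        protos = None
        proto = PROTO_RE.search(head)
        if proto:
            protos = [p for p in re.split(r"[{},\s]+", proto.group(1)) if p]
        rules.append(Rule(tokens[0], direction, "quick" in tokens, ifaces, protos,
                          label.strip().strip('"'), line))
    return rules


def decide(ruleset: str, direction: str, iface: str, proto: str) -> Optional[Rule]:
    """Return the rule that decides the packet: last match wins, 'quick' stops."""
    winner = None
    for rule in parse_rules(ruleset):
        if rule.matches(direction, iface, proto):
            winner = rule
            if rule.quick:
                break
    return winner


def add_interface_to_macro(ruleset: str, macro: str, iface: str) -> str:
    """The edit proposed in the thread: prepend iface to a macro's interface list."""
    pattern = re.compile(r'^(%s\s*=\s*"\{\s*)([^}]*?)(\s*\}")' % re.escape(macro), re.M)

    def repl(m: "re.Match[str]") -> str:
        members = m.group(2).split()
        if iface not in members:
            members.insert(0, iface)
        return m.group(1) + " ".join(members) + m.group(3)

    return pattern.sub(repl, ruleset, count=1)


if __name__ == "__main__":
    for iface in ("vr1", "pptp1"):
        r = decide(RULES_V2, "in", iface, "gre")
        print(f"GRE in on {iface}: {r.action} ({r.label})")
    widened = add_interface_to_macro(RULES_V2, "WAN", "vr1")
    for proto in ("gre", "tcp"):
        r = decide(widened, "in", "vr1", proto)
        print(f'WAN = "{{ vr1 pptp1 }}": {proto} in on vr1: {r.action} ({r.label})')
    narrow = RULES_V2 + NARROW_RULE + "\n"
    for proto in ("gre", "tcp"):
        r = decide(narrow, "in", "vr1", proto)
        print(f"narrow rule: {proto} in on vr1: {r.action} ({r.label})")
```

With the excerpt as posted, GRE arriving on vr1 matches only `block in log all` and is logged as the default deny, which is exactly the firewall log Johan sees; on pptp1 the same packet is passed. Widening the macro does make GRE on vr1 pass, but the model also shows the cost: the user rule `pass in quick on $WAN from any to any` now applies to the physical interface as well, so anything the modem side sends in on vr1 is passed, which is why the narrower per-interface GRE rule from the modem address is the better thing to test-load. To try either edit on the box, copy /tmp/rules.debug aside, apply the change, check the syntax with `pfctl -nf /tmp/rules.debug`, load it with `pfctl -f /tmp/rules.debug`, and watch `pfctl -vsr` (rule counters) and `pfctl -ss` (states) while the PPTP session comes up; note that pfSense regenerates /tmp/rules.debug on every filter reload, so a hand edit there is only a test, not a fix.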