pppoe, can't ping tun0, ipfnat ftp proxy "doesn't work"

From: Rocco Caputo (rcaputo_at_pobox.com)
Date: 07/30/03

    Date: Wed, 30 Jul 2003 15:15:30 -0400
    To: freebsd-net@freebsd.org

    [Originally posted to freebsd-questions, but someone suggested
    freebsd-net instead.]

    I've acquired DSL. My modem's PPPoE and NAT have a tendency to remap
    ports, so I switched it to bridged Ethernet. Now I'm using ppp(8) for
    PPPoE. I'm using ipfw2 for QOS things (pipes and queues). I'm using
    ipf for firewalling and ftp proxying.

    Almost everything works well, except (so far) active FTP and pinging the
    tun0 interface.

    tcpdump shows ICMP echo requests and responses, but ping does not see
    them. Opening ipf (pass in all, pass out all) "fixes" ping.

    ipfnat's active ftp proxy sees the PORT request and punches a hole
    through the firewall, but incoming packets don't arrive. Opening ipf
    "fixes" this, too.

    Other incoming connections seem to work fine. DNS works fine. TCP
    works fine.

    I've read the handbook, the howtos, searched the list archives, usenet,
    and the web. Nothing solved it.

    So. What have I overlooked? Where have I gone wrong? Would you like
    to see my cling-film collection? How about an extensive (but perhaps
    not exhaustive) collection of excerpts from my system configuration
    files? Ok, it is included.

    --
    Rocco Caputo - rcaputo@pobox.com - http://poe.perl.org/
    === ppp.conf
    default:
      ident user-ppp VERSION (built COMPILATIONDATE)
      set log      CBCP CCP Chat Connect Command IPCP tun Phase Warning
    papchap:
      add default     HISADDR
      disable         ipv6cp
      disable         vjcomp
      enable          iface-alias
      enable          lqr
      enable          tcpmssfixup
      nat enable      yes
      nat log         yes
      nat same_ports  yes
      set authkey     *****
      set authname    *****
      set cd          5
      set crtscts     off
      set device      PPPoE:dc0
      set dia
      set ifaddr      68.213.211.142/0 192.168.36.176/0
      set login
      set lqrperiod   1
      set mru         1492
      set mtu         1492
      set redial      1 0
      set server      /var/run/tun0 "" 0177
      set speed       sync
      set timeout     0
    === netstat -rn
    Routing tables
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            192.168.36.176     UGSc       80  1377475   tun0
    10                 link#2             UC          4        0    rl0
    10.0.0.7           link#2             UHLW        0        8    rl0
    10.0.0.18          00:e0:18:0b:ac:22  UHLW        1   115334    rl0    303
    10.0.0.25          00:e0:18:30:68:32  UHLW        0   292874    lo0
    10.0.0.100         00:e0:18:30:65:f6  UHLW        1   111019    rl0    163
    127.0.0.1          127.0.0.1          UH          6   196295    lo0
    192.168.1          link#1             UC          2        0    dc0
    192.168.1.25       00:04:5a:59:8e:92  UHLW        0   142112    lo0
    192.168.1.254      00:60:0f:31:c7:86  UHLW        0    75153    dc0    865
    192.168.36.176     68.213.211.142     UH         76    71059   tun0
    === ipfstat -i
    block in quick on tun0 from 0.0.0.0/8 to any
    block in quick on tun0 from 127.0.0.0/8 to any
    block in quick on tun0 from 169.254.0.0/16 to any
    block in quick on tun0 from 172.16.0.0/12 to any
    block in quick on tun0 from 192.0.2.0/24 to any
    block in quick on tun0 from 192.168.0.0/16 to any
    block in quick on tun0 from 224.0.0.0/4 to any
    block in quick on tun0 from 240.0.0.0/4 to any
    pass in quick on lo0 from any to any
    pass in quick on rl0 from any to any
    pass in quick on dc0 from any to any
    pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
    pass in quick on tun0 proto tcp from any to any port = 113 flags S/FSRPAU keep state keep frags
    pass in quick on tun0 proto tcp from any to any port = 433 flags S/FSRPAU keep state keep frags
    pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
    pass in quick on tun0 proto tcp from any to any port = 11512 flags S/FSRPAU keep state keep frags
    pass in quick on tun0 proto tcp from any to any port 32000 >< 32100 flags S/FSRPAU keep state keep frags
    block in quick from any to any
    === ipfstat -o
    block out quick on tun0 from 0.0.0.0/8 to any
    block out quick on tun0 from 127.0.0.0/8 to any
    block out quick on tun0 from 169.254.0.0/16 to any
    block out quick on tun0 from 172.16.0.0/12 to any
    block out quick on tun0 from 192.0.2.0/24 to any
    block out quick on tun0 from 192.168.0.0/16 to any
    block out quick on tun0 from 224.0.0.0/4 to any
    block out quick on tun0 from 240.0.0.0/4 to any
    pass out quick on lo0 from any to any
    pass out quick on rl0 from any to any
    pass out quick on dc0 from any to any
    pass out quick on tun0 proto icmp from any to any keep state
    pass out quick on tun0 proto tcp from any to any flags S/FSRPAU keep state keep frags
    pass out quick on tun0 proto udp from any to any keep state keep frags
    block out quick from any to any
    === ipnat -l
    List of active MAP/Redirect filters:
    map tun0 68.213.211.142/32 -> 68.213.211.142/32 proxy port ftp ftp/tcp
    List of active sessions:
    (none)
    === various rc.conf bits
    ifconfig_dc0="inet 192.168.1.25 netmask 255.255.255.0"
    network_interfaces="lo0 rl0 dc0 tun0"
    firewall_enable="YES"
    firewall_logging="YES"
    firewall_type="/etc/rc.firewall.custom"
    firewall_flags="-p /usr/bin/cpp"
    ipfilter_enable="YES"
    ipfilter_program="/sbin/ipf"
    ipfilter_rules="/etc/ipf.rules"
    ipnat_enable="YES"
    ppp_enable="yes"
    ppp_mode="ddial"
    ppp_nat="yes"
    ppp_profile="papchap"
    === ipfw show
    01110 queue 18 icmp from any to any in via tun0
    01110 queue 18 ip from any to any in via tun0 iptos lowdelay,throughput
    01120 queue 18 tcp from any to any in via tun0 tcpflags ack
    01120 queue 18 tcp from any to any in via tun0 tcpflags ack
    01300 queue 14 ip from any to any in via tun0 iptos lowdelay
    01310 queue 14 tcp from any 6666-6669 to any in via tun0
    01320 queue 14 tcp from any 80 to any in via tun0
    01400 queue 11 tcp from any 119 to any in via tun0
    01410 queue 11 tcp from any 5999 to any in via tun0
    01420 queue 11 tcp from any to any in via tun0 iplen 1500
    01430 queue 11 tcp from any 6881-6889 to any in via tun0
    01440 queue 11 tcp from any to any dst-port 6881-6889 in via tun0
    01900 queue 12 ip from any to any in via tun0
    02100 queue 28 icmp from any to any out via tun0
    02110 queue 28 ip from any to any out via tun0 iptos lowdelay,throughput
    02120 queue 28 tcp from any to any out via tun0 tcpflags ack
    02130 queue 28 tcp from any to any out via tun0 setup
    02300 queue 24 ip from any to any out via tun0 iptos lowdelay
    02310 queue 24 tcp from any to any dst-port 6666-6669 out via tun0
    02400 queue 21 tcp from any 80 to any out via tun0
    02410 queue 21 tcp from any 443 to any out via tun0
    02420 queue 21 tcp from any 11512 to any out via tun0
    02430 queue 21 tcp from any to any dst-port 119 out via tun0
    02440 queue 21 tcp from any to any dst-port 5999 out via tun0
    02450 queue 21 tcp from any to any out via tun0 iplen 1500
    02460 queue 21 tcp from any 6881-6889 to any out via tun0
    02470 queue 21 tcp from any to any dst-port 6881-6889 out via tun0
    02900 queue 22 ip from any to any out via tun0
    60000 allow ip from any to any via lo0
    60010 allow ip from any to any via rl0
    60020 allow ip from any to any via dc0
    60030 allow ip from any to any via tun0
    60040 allow ip from any to any
    65535 deny ip from any to any
    === ipfw queue show
    00010: 368.000 Kbit/s    0 ms  36 KB 0 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    00011: 736.000 Kbit/s    0 ms  73 KB 0 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    00012:   1.472 Mbit/s    0 ms  147 KB 0 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    00020:  64.000 Kbit/s    0 ms  6144 B 0 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    00021: 128.000 Kbit/s    0 ms  12 KB 0 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    00022: 256.000 Kbit/s    0 ms  25 KB 0 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    === end
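As an added illustration for readers of this thread (not code from the original post), the following Python model walks packets through the tun0 rules from the ipfstat output above the way ipf does: state table first, then first-match "quick" rules. It assumes a simplified state key of (proto, src, dst) and a constructed peer address, 198.51.100.7. It shows that, with this ruleset, an inbound ICMP echo reply on tun0 can only be admitted through state created by the "pass out ... proto icmp ... keep state" rule, since no "pass in" rule covers ICMP; that state entry is therefore the first place to check when ping fails while "pass in all" makes it work.

```python
import ipaddress, re

RULES = """
block in quick on tun0 from 192.0.2.0/24 to any
pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
block in quick from any to any
pass out quick on tun0 proto icmp from any to any keep state
block out quick from any to any
"""  # subset of the ipfstat output in the post; every rule is 'quick', so first match wins

def parse(line):  # rule subset only: flags and 'keep frags' are not modelled
    m = re.match(r"(\w+) (in|out) quick(?: on (\S+))?(?: proto (\S+))? from (\S+) to (\S+)"
                 r"(?: port (?:= (\d+)|(\d+) >< (\d+)))?", line)
    act, d, iface, proto, src, dst, eq, lo, hi = m.groups()
    port = (int(eq),) * 2 if eq else (int(lo) + 1, int(hi) - 1) if lo else None  # '><' is exclusive
    return {"action": act, "dir": d, "iface": iface, "proto": proto, "src": src, "dst": dst,
            "port": port, "state": "keep state" in line}

def addr_match(pat, ip):
    return pat == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pat, strict=False)

def evaluate(rules, pkt, state):
    # ipf checks the state table before the rule list; key simplified to (proto, src, dst)
    if pkt["dir"] == "in" and (pkt["proto"], pkt["dst"], pkt["src"]) in state:
        return "pass", "state"
    for n, r in enumerate(rules):
        if (r["dir"] == pkt["dir"] and r["iface"] in (None, pkt["iface"])
                and r["proto"] in (None, pkt["proto"])
                and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
                and (r["port"] is None or r["port"][0] <= (pkt["dport"] or -1) <= r["port"][1])):
            if r["action"] == "pass" and r["state"]:  # 'keep state' is what lets the reply back in
                state.add((pkt["proto"], pkt["src"], pkt["dst"]))
            return r["action"], n
    return "block", None

def demo():  # an ICMP echo exchange and two inbound SYNs through the ruleset
    rules = [parse(l) for l in RULES.strip().splitlines()]
    state, me, peer = set(), "68.213.211.142", "198.51.100.7"  # peer is a constructed address
    pkt = lambda d, proto, port=None: {"dir": d, "iface": "tun0", "proto": proto, "dport": port,
                                       "src": me if d == "out" else peer, "dst": peer if d == "out" else me}
    return {"reply_without_state": evaluate(rules, pkt("in", "icmp"), set()),
            "request": evaluate(rules, pkt("out", "icmp"), state),
            "reply_with_state": evaluate(rules, pkt("in", "icmp"), state),
            "syn_80": evaluate(rules, pkt("in", "tcp", 80), set()),
            "syn_6881": evaluate(rules, pkt("in", "tcp", 6881), set())}
```

Note that "port 6881 >< 6999" is an exclusive range in ipf, so port 6881 itself falls through to the final "block in" rule.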
