[FUG-BR] Help with PF/NAT rules
Ricardo Augusto de Souza
ricardo.souza at cmtsp.com.br
Wed Mar 25 13:03:05 BRT 2009
I'm having trouble getting routing to my local network to work correctly when clients connect to the VPN.
The server is OpenBSD 4.4 with PF + poptop.
Even though this is a FreeBSD list, the problem here is in the PF rules.
Clients connect to the VPN and get an IP in 172.16.0.0/24, and the server is 172.16.0.1.
Clients can ping 172.16.0.1 and the 10.100.0.0/16 network; I just haven't been able to reach the 10.10.0/16 network.
When I run tcpdump on the interface of the 10 network and ping an address from the VPN client, the packet goes out through vic2, but with a source in the 172.16.0.0 network, and I think it should be the IP assigned to vic2, right?
Can you help me, please?
# route show
Routing tables

Internet:
Destination          Gateway             Flags  Refs  Use   Mtu    Prio  Iface
default              189-57-43-1.custom  UGS    1     397   -      48    vic0
10.10/16             link#3              UC     2     0     -      48    vic2
10.10.0.2            00:11:0a:a0:a8:c4   UHLc   0     11    -      48    vic2
10.10.100.254        00:0a:5e:63:7e:2e   UHLc   0     27    -      48    vic2
10.100.0/24          10.100.1.1          UGS    0     86    -      48    vic3
10.100.1/24          link#4              UC     1     0     -      48    vic3
10.100.1.1           00:60:2e:10:10:6b   UHLc   7     6     -      48    vic3
10.100.2/24          10.100.1.1          UGS    0     0     -      48    vic3
10.100.3/24          10.100.1.1          UGS    0     0     -      48    vic3
10.100.4/24          10.100.1.1          UGS    0     0     -      48    vic3
10.100.5/24          10.100.1.1          UGS    0     0     -      48    vic3
10.100.6/24          10.100.1.1          UGS    0     0     -      48    vic3
10.100.7/24          10.100.1.1          UGS    0     0     -      48    vic3
loopback             localhost           UGRS   0     0     33204  48    lo0
localhost            localhost           UH     1     0     33204  48    lo0
172.16.0.2           172.16.0.1          UH     0     96    1400   48    tun0
189-57-43-0.custom   link#1              UC     3     0     -      48    vic0
189-57-43-1.custom   00:16:e0:33:3b:e4   UHLc   1     0     -      48    vic0
189-57-43-3.custom   00:10:18:16:0e:8a   UHLc   1     1288  -      48    vic0
189-57-43-5.custom   00:0c:29:4c:b2:d4   UHLc   2     473   -      48    vic0
200.162.41.32/28     link#2              UC     1     0     -      48    vic1
200.162.41.33        00:60:2e:10:1e:a3   UHLc   0     0     -      48    vic1
BASE-ADDRESS.MCAST   localhost           URS    0     0     33204  48    lo0
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
vic0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:92:4d:05
groups: egress
media: Ethernet autoselect
status: active
inet 189.57.XXX.XXX netmask 0xfffffff8 broadcast 189.57.43.7
inet6 fe80::20c:29ff:fe92:4d05%vic0 prefixlen 64 scopeid 0x1
vic1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:92:4d:0f
media: Ethernet autoselect
status: active
inet 200.162.XXX.XXX netmask 0xfffffff0 broadcast 200.162.41.47
inet6 fe80::20c:29ff:fe92:4d0f%vic1 prefixlen 64 scopeid 0x2
vic2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:92:4d:19
media: Ethernet autoselect
status: active
inet 10.10.100.252 netmask 0xffff0000 broadcast 10.10.255.255
inet6 fe80::20c:29ff:fe92:4d19%vic2 prefixlen 64 scopeid 0x3
vic3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:92:4d:23
media: Ethernet autoselect
status: active
inet 10.100.1.33 netmask 0xffffff00 broadcast 10.100.1.255
inet6 fe80::20c:29ff:fe92:4d23%vic3 prefixlen 64 scopeid 0x4
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
groups: pflog
pf.conf:
# cat /etc/pf.conf
ext_if="vic0"
ext2_if="vic1"
int_if="vic2"
mpls_if="vic3"
vpn_net="{ 172.16.0.0/24 }"
vpn_if="{ tun0, tun1, tun2, tun3 }"
dtc_mpls="10.100.0.0/24"
dtc_internet="200.143.33.0/24"
rede_cmt="10.10.0.0/24"
set skip on { lo $int_if }
#
nat on $mpls_if from $vpn_net to $dtc_mpls tag VPN_DTC -> $mpls_if
nat on $int_if from $vpn_net to $rede_cmt -> $int_if
#
#block in
pass in all
pass out keep state
pptpd.conf:
speed 230400
debug
option /etc/ppp/ppp.conf
logfile /var/log/pptpd.log
localip 172.16.0.1
remoteip 172.16.0.2-10
listen 189.57.XXX.XXXX
nobsdcomp
+chapms-v2
mppe-40
mppe-128
mppe-stateless
noipparam
Logs:
# tcpdump -i vic3 'dst host 10.100.0.1'
tcpdump: listening on vic3, link-type EN10MB
09:28:56.888286 10.100.1.33 > 10.100.0.1: icmp: echo request
09:28:57.745042 10.100.1.33 > 10.100.0.1: icmp: echo request
09:28:58.754855 10.100.1.33 > 10.100.0.1: icmp: echo request
09:28:59.727557 10.100.1.33 > 10.100.0.1: icmp: echo request
09:29:00.725761 10.100.1.33 > 10.100.0.1: icmp: echo request
09:29:01.848215 10.100.1.33 > 10.100.0.1: icmp: echo request
09:29:02.822952 10.100.1.33 > 10.100.0.1: icmp: echo request
# tcpdump -i vic2 'dst host 10.10.0.2'
tcpdump: listening on vic2, link-type EN10MB
09:31:44.415521 172.16.0.2 > 10.10.0.2: icmp: echo request
09:31:46.452796 172.16.0.2 > 10.10.0.2: icmp: echo request
09:31:51.429198 172.16.0.2 > 10.10.0.2: icmp: echo request
^C
2382 packets received by filter
0 packets dropped by kernel
# pfctl -sn
nat on vic3 inet from 172.16.0.0/24 to 10.100.0.0/24 tag VPN_DTC -> 10.100.1.33
nat on vic2 inet from 172.16.0.0/24 to 10.10.0.0/24 -> 10.10.100.252
#
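The two tcpdump captures above, replayed against the posted pf.conf as an added example (not part of the original message): a small Python model of PF's outbound processing order, with the relevant routes, the `set skip` list and the two `nat` rules transcribed from the post as data. `set skip on` removes an interface from all PF processing, NAT included, so the model applies the skip list before consulting any nat rule; the interface and address values are the post's own, everything else is constructed for illustration.

```python
import ipaddress

# Transcribed from the posted pf.conf, with macros expanded the way
# `pfctl -sn` printed them (10.100.1.33 is vic3, 10.10.100.252 is vic2).
SKIP_IFACES = {"lo0", "vic2"}  # set skip on { lo $int_if }, int_if="vic2"
NAT_RULES = [
    # (egress interface, source net, destination net, translated source)
    ("vic3", "172.16.0.0/24", "10.100.0.0/24", "10.100.1.33"),
    ("vic2", "172.16.0.0/24", "10.10.0.0/24", "10.10.100.252"),
]
# The routes from `route show` that the two captured flows use.
ROUTES = [
    ("10.10.0.0/16", "vic2"),    # 10.10/16      link#3      vic2
    ("10.100.0.0/24", "vic3"),   # 10.100.0/24   10.100.1.1  vic3
    ("10.100.1.0/24", "vic3"),   # 10.100.1/24   link#4      vic3
]
SKIPPED = "set skip: pf does not process this interface, so no nat"
MATCHED = "nat rule matched"
NO_MATCH = "no nat rule matched"

def egress_iface(dst):
    """Longest-prefix match of dst against ROUTES; None if no route."""
    d = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n).prefixlen, i) for n, i in ROUTES
            if d in ipaddress.ip_network(n)]
    return max(hits)[1] if hits else None

def translate(src, dst, skip=SKIP_IFACES):
    """Return (egress iface, source address seen on the wire, reason) for a
    packet from src to dst leaving the box: skip list first, then nat rules."""
    iface = egress_iface(dst)
    if iface in skip:
        return iface, src, SKIPPED
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_if, snet, dnet, tsrc in NAT_RULES:
        if (rule_if == iface and s in ipaddress.ip_network(snet)
                and d in ipaddress.ip_network(dnet)):
            return iface, tsrc, MATCHED
    return iface, src, NO_MATCH

if __name__ == "__main__":
    # The two flows captured with tcpdump in the post.
    for dst in ("10.100.0.1", "10.10.0.2"):
        print(dst, translate("172.16.0.2", dst))
    # What the vic2 rule would do without the skip: 10.10.0.2 is inside
    # rede_cmt (10.10.0.0/24) but 10.10.100.254 is not, vic2 itself being /16.
    for dst in ("10.10.0.2", "10.10.100.254"):
        print(dst, translate("172.16.0.2", dst, skip=set()))
```

The first two results reproduce the captures (source rewritten to 10.100.1.33 on vic3, left as 172.16.0.2 on vic2); the last two show the /24 `rede_cmt` macro covering only part of the /16 attached to vic2.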