Yuri Kurenkov
2012-01-24
Setup: a home NanoBSD router based on FreeBSD-8 from early January, mpd-5.6. mpd brings up a PPPoE link (client) to the ISP. A PPTP link (client) to work is also brought up over that link. And over that same link I used to get into the home LAN and to work by PPTP (server) from a netbook out on "the Net". The router also has an Ethernet interface to the world over a different uplink. The PPPoE link is the default. Over the weekend I set up a mail system on a server inside the LAN. I configured forwarding of port 25 in ipfw nat on the Ethernet interface.
mpd-5.6 added port redirection to its nat. I decided to use it on the second external uplink too, the PPPoE one. I added the corresponding line
set nat red-port tcp 0.0.0.0 25 192.168.200.2 25
to mpd.conf and restarted mpd. After that all PPTP connections dropped, and mpd.log had this to say about it:
Jan 24 10:17:25 morisson mpd: PPTP: can't attach pptpgre node: Protocol family not supported
Jan 24 10:17:27 morisson mpd: PPTP: can't attach pptpgre node: No such file or directory
Note that I tried connecting to the router over PPTP both through the PPPoE link and through Ethernet. Netgraph is built as modules. For now I have removed the port redirection from mpd.
Dmitry S. Luhtionov
2012-01-25
Do you have set iface enable nat in there?
Yuri Kurenkov
2012-01-26
set iface enable nat
set nat enable incoming
set nat red-port tcp 0.0.0.0 25 192.168.200.2 25
set nat red-port tcp 0.0.0.0 587 192.168.200.2 587
set nat red-port tcp 0.0.0.0 143 192.168.200.2 143
set nat red-port tcp 0.0.0.0 993 192.168.200.2 993
Dmitry S. Luhtionov
2012-01-27
Why is the line set nat enable incoming there?
For me, port forwarding into the internal network worked fine without it.
Yuri Kurenkov
2012-01-27
I removed nat enable incoming and enabled red-port. An attempt at an incoming PPTP connection to mpd through this PPPoE link failed without any mention in mpd.log, and a connection through Ethernet failed with this diagnostic:
Jan 27 11:54:19 morisson mpd: Accepting PPTP connection
Jan 27 11:54:19 morisson mpd: Link: OPEN event
Jan 27 11:54:19 morisson mpd: LCP: Open event
Jan 27 11:54:19 morisson mpd: LCP: state change Initial -> Starting
Jan 27 11:54:19 morisson mpd: LCP: LayerStart
Jan 27 11:54:19 morisson mpd: PPTP: attaching to peer's outgoing call
Jan 27 11:54:20 morisson mpd: PPTP: can't attach pptpgre node: No such file or directory
Jan 27 11:54:20 morisson mpd: PPTP call cancelled in state CONNECTING
Jan 27 11:54:20 morisson mpd: Link: DOWN event
Jan 27 11:54:20 morisson mpd: LCP: Close event
Jan 27 11:54:20 morisson mpd: LCP: state change Starting -> Initial
Jan 27 11:54:20 morisson mpd: LCP: LayerFinish
Jan 27 11:54:20 morisson mpd: LCP: Down event
Jan 27 11:54:20 morisson mpd: Link: SHUTDOWN event
Jan 27 11:54:20 morisson mpd: Link: Shutdown
Dmitry S. Luhtionov
2012-02-01
Can you post the config?
Yuri Kurenkov
2012-02-01
Yes, here is the full config. PPTP (pptp_client and pptp_server) stops working if red-port is uncommented in pppoe_client. Besides the pppoe link the router also has Ethernet links, over which pptp also stops working if red-port is enabled in the pppoe_client section. Just in case, I will mention that ipfw_nat with port redirection is used on the router's external Ethernet interfaces.
startup:
        # configure mpd users
        set user *** *** admin
        set user *** ***
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load pppoe_client
        load pptp_client
        load pptp_server

pptp_server:
        #
        # Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
        # Define dynamic IP address pool.
        set ippool add pptp_vpn 192.168.200.120 192.168.200.127
        # Create clonable bundle template named B
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
        # Specify IP address pool for dynamic assignment.
        set ipcp ranges 192.168.200.1/32 ippool pptp_vpn
        set ipcp dns 192.168.200.1
        #set ipcp nbns 192.168.200.2
        # The five lines below enable Microsoft Point-to-Point encryption
        # (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless
        # Create clonable link template named L
        create link template L pptp
        # Set bundle template to use
        set link action bundle B
        # Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link yes acfcomp protocomp
        #set link no pap chap
        set link enable pap
        set link enable chap
        # We can use RADIUS authentication/accounting by including
        # another config section with label 'radius'.
        # load radius
        set link keep-alive 10 60
        # We reduce the link MTU to avoid GRE packet fragmentation.
        set link mtu 1460
        # Configure PPTP
        #set pptp self 1.2.3.4
        # Allow to accept calls
        set link enable incoming

pptp_client:
        #
        # PPTP client: only outgoing calls, auto reconnect,
        # ipcp-negotiated address, one-sided authentication,
        # default route points on ISP's end
        #
        create bundle template B1
        set iface enable tcpmssfix
        ##set iface route default
        #set iface route 192.168.186.0/23
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        set ipcp enable req-pri-dns req-sec-dns
        set iface up-script /usr/local/etc/mpd5/mpd.d/mpd.linkup.init_vpn
        set iface down-script /usr/local/etc/mpd5/mpd.d/mpd.linkdown.init_vpn
        set iface description "VPN to INIT"
        set iface enable nat
        #set nat disable incoming
        set nat enable incoming
        #set nat enable unreg-only
        set ccp yes mppc
        create link template common pptp
        set link action bundle B1
        set link max-redial 0
        set link mtu 1460
        set link keep-alive 20 75
        set pptp disable windowing
        set auth authname ****
        set auth password ****
        create link static vpn1 common
        set pptp peer x.x.x.4
        open
        create link static vpn2 common
        set pptp peer y.y.y.74
        open

pppoe_client:
        #
        # PPPoE client: only outgoing calls, auto reconnect,
        # ipcp-negotiated address, one-sided authentication,
        # default route points on ISP's end
        #
        create bundle static B2
        set iface route default
        set iface enable nat
        #set nat red-port tcp 0.0.0.0 25 192.168.200.2 25
        #set nat red-port tcp 0.0.0.0 587 192.168.200.2 587
        #set nat red-port tcp 0.0.0.0 143 192.168.200.2 143
        #set nat red-port tcp 0.0.0.0 993 192.168.200.2 993
        set iface enable tcpmssfix
        #set nat disable incoming
        set nat enable incoming
        set nat enable unreg-only
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        set ipcp enable req-pri-dns req-sec-dns
        set iface up-script /usr/local/etc/mpd5/mpd.d/mpd.linkup.itt
        set iface down-script /usr/local/etc/mpd5/mpd.d/mpd.linkdown.itt
        set iface description "PPPoE to ITT"
        create link static L2 pppoe
        set link action bundle B2
        set auth authname ****
        set auth password ****
        set link max-redial 0
        set link mtu 1492
        set link keep-alive 10 60
        set pppoe iface wlan1
        set pppoe service ""
        open
Yuri Kurenkov
2012-02-01
Something glitched. Here it is again:
startup:
        # configure mpd users
        set user *** *** admin
        set user *** ***
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load pppoe_client
        #load pptp_client
        load pptp_server

pptp_server:
        #
        # Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
        # Define dynamic IP address pool.
        set ippool add pptp_vpn 192.168.200.120 192.168.200.127
        # Create clonable bundle template named B
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
        # Specify IP address pool for dynamic assignment.
        set ipcp ranges 192.168.200.1/32 ippool pptp_vpn
        set ipcp dns 192.168.200.1
        #set ipcp nbns 192.168.200.2
        # The five lines below enable Microsoft Point-to-Point encryption
        # (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless
        # Create clonable link template named L
        create link template L pptp
        # Set bundle template to use
        set link action bundle B
        # Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link yes acfcomp protocomp
        #set link no pap chap
        set link enable pap
        set link enable chap
        # We can use RADIUS authentication/accounting by including
        # another config section with label 'radius'.
        # load radius
        set link keep-alive 10 60
        # We reduce the link MTU to avoid GRE packet fragmentation.
        set link mtu 1460
        # Configure PPTP
        #set pptp self 1.2.3.4
        # Allow to accept calls
        set link enable incoming

pptp_client:
        #
        # PPTP client: only outgoing calls, auto reconnect,
        # ipcp-negotiated address, one-sided authentication,
        # default route points on ISP's end
        #
        create bundle template B1
        set iface enable tcpmssfix
        ##set iface route default
        #set iface route 192.168.186.0/23
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        set ipcp enable req-pri-dns req-sec-dns
        set iface up-script /usr/local/etc/mpd5/mpd.d/mpd.linkup.init_vpn
        set iface down-script /usr/local/etc/mpd5/mpd.d/mpd.linkdown.init_vpn
        set iface description "VPN to INIT"
        set iface enable nat
        #set nat disable incoming
        set nat enable incoming
        #set nat enable unreg-only
        set ccp yes mppc
        create link template common pptp
        set link action bundle B1
        set link max-redial 0
        set link mtu 1460
        set link keep-alive 20 75
        set pptp disable windowing
        set auth authname ****
        set auth password ****
        create link static vpn1 common
        set pptp peer x.x.x.4
        open
        create link static vpn2 common
        set pptp peer y.y.y.74
        open

pppoe_client:
        #
        # PPPoE client: only outgoing calls, auto reconnect,
        # ipcp-negotiated address, one-sided authentication,
        # default route points on ISP's end
        #
        create bundle static B2
        set iface route default
        set iface enable nat
        #set nat red-port tcp 0.0.0.0 25 192.168.200.2 25
        #set nat red-port tcp 0.0.0.0 587 192.168.200.2 587
        #set nat red-port tcp 0.0.0.0 143 192.168.200.2 143
        #set nat red-port tcp 0.0.0.0 993 192.168.200.2 993
        set iface enable tcpmssfix
        #set nat disable incoming
        set nat enable incoming
        set nat enable unreg-only
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        set ipcp enable req-pri-dns req-sec-dns
        set iface up-script /usr/local/etc/mpd5/mpd.d/mpd.linkup.itt
        set iface down-script /usr/local/etc/mpd5/mpd.d/mpd.linkdown.itt
        set iface description "PPPoE to ITT"
        create link static L2 pppoe
        set link action bundle B2
        set auth authname ****
        set auth password ****
        set link max-redial 0
        set link mtu 1492
        set link keep-alive 10 60
        set pppoe iface wlan1
        set pppoe service ""
        open
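The earlier reply asked whether `set iface enable nat` is present next to the red-port lines; that is exactly the kind of check worth automating before a change like this goes onto a router. The following linter is an added example for this thread, not mpd's code and not the posters'. It parses the mpd.conf layout used above (a label ending in ':' at column 0 opens a section, indented lines are its commands, '#' lines are comments), lists the inside ports each section exposes through `set nat red-port`, and flags any section that has red-port rules but never enables NAT on its interface. The argument order assumed for red-port (proto, alias address, alias port, local address, local port, optional remote pair) follows the lines in the config above. The sample config is the thread's pppoe_client section with two red-port lines uncommented, plus a constructed second section that lacks `set iface enable nat`.

```python
"""Lint mpd.conf sections that use 'set nat red-port'.

Added example for this thread; not mpd's code and not the posters'.
"""
import re
from collections import OrderedDict

# Constructed sample: the thread's pppoe_client section with two red-port
# lines uncommented, plus a made-up 'broken_client' section without NAT.
SAMPLE_CONF = """\
pppoe_client:
        create bundle static B2
        set iface route default
        set iface enable nat
        set nat red-port tcp 0.0.0.0 25 192.168.200.2 25
        set nat red-port tcp 0.0.0.0 587 192.168.200.2 587
        #set nat red-port tcp 0.0.0.0 143 192.168.200.2 143
        #set nat red-port tcp 0.0.0.0 993 192.168.200.2 993
        set iface enable tcpmssfix
        set nat enable incoming
        set nat enable unreg-only

# constructed section: red-port without NAT enabled on the interface
broken_client:
        create bundle static B3
        set iface route default
        set nat red-port tcp 0.0.0.0 80 192.168.200.3 8080
"""

LABEL_RE = re.compile(r"^([A-Za-z0-9_.-]+):\s*$")
# set nat red-port proto alias_addr alias_port local_addr local_port [remote_addr remote_port]
RED_PORT_RE = re.compile(
    r"^set nat red-port (tcp|udp) (\S+) (\d+) (\S+) (\d+)(?: (\S+) (\d+))?$"
)


def parse_sections(text):
    """Return OrderedDict label -> list of whitespace-normalised commands."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LABEL_RE.match(raw)  # labels are recognised only at column 0
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("command before any section label: %r" % raw)
        sections[current].append(" ".join(line.split()))
    return sections


def red_port_rules(commands):
    """Return (proto, alias_port, local_addr, local_port) for each red-port command."""
    rules = []
    for cmd in commands:
        m = RED_PORT_RE.match(cmd)
        if m:
            proto, _alias_addr, aport, laddr, lport = m.groups()[:5]
            rules.append((proto, int(aport), laddr, int(lport)))
    return rules


def nat_enabled(commands):
    """True if some 'set iface enable ...' command in the section lists 'nat'."""
    for cmd in commands:
        parts = cmd.split()
        if parts[:3] == ["set", "iface", "enable"] and "nat" in parts[3:]:
            return True
    return False


def exposed_ports(text):
    """Map section label -> red-port rules, for sections that have any."""
    return {label: red_port_rules(cmds)
            for label, cmds in parse_sections(text).items()
            if red_port_rules(cmds)}


def lint(text):
    """Return (label, message) findings: red-port rules in a section
    that never enables NAT on its interface."""
    findings = []
    for label, cmds in parse_sections(text).items():
        if red_port_rules(cmds) and not nat_enabled(cmds):
            findings.append((label, "red-port rules present but 'set iface enable nat' is missing"))
    return findings


if __name__ == "__main__":
    for label, rules in exposed_ports(SAMPLE_CONF).items():
        for proto, aport, laddr, lport in rules:
            print("%s: %s/%d -> %s:%d" % (label, proto, aport, laddr, lport))
    for label, msg in lint(SAMPLE_CONF):
        print("WARNING %s: %s" % (label, msg))
```

Run it against a real mpd.conf by reading the file into `lint()` and `exposed_ports()`; the exposure list doubles as a record of which LAN services a given uplink publishes, which is what you want to review each time a red-port line is added.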
Dmitry S. Luhtionov
2012-02-03
Honestly, I have not tested nat over pppoe. I only used it with the pptp client.
Could you try to repeat the attempt, but with a fuller log?
Something like: log +iface +iface2 +link
It may well be that the problem is in ng_nat itself
Yuri Kurenkov
2012-02-03
I added log +iface +iface2 +link to the config.
Feb 3 13:15:54 morisson mpd: [L-2] Accepting PPTP connection
Feb 3 13:15:54 morisson mpd: [L-2] Link: OPEN event
Feb 3 13:15:54 morisson mpd: [L-2] LCP: Open event
Feb 3 13:15:54 morisson mpd: [L-2] LCP: state change Initial --> Starting
Feb 3 13:15:54 morisson mpd: [L-2] LCP: LayerStart
Feb 3 13:15:54 morisson mpd: [L-2] PPTP: attaching to peer's outgoing call
Feb 3 13:15:54 morisson mpd: [L-2] PPTP: can't attach pptpgre node: No such file or directory
Feb 3 13:15:54 morisson mpd: [L-2] PPTP call cancelled in state CONNECTING
Feb 3 13:15:54 morisson mpd: [L-2] Link: DOWN event
Feb 3 13:15:54 morisson mpd: [L-2] LCP: Close event
Feb 3 13:15:54 morisson mpd: [L-2] LCP: state change Starting --> Initial
Feb 3 13:15:54 morisson mpd: [L-2] LCP: LayerFinish
Feb 3 13:15:54 morisson mpd: [L-2] LCP: Down event
Feb 3 13:15:54 morisson mpd: [L-2] Link: SHUTDOWN event
Feb 3 13:15:54 morisson mpd: [L-2] Link: Shutdown
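The logs in this thread show the same failure twice, once with `Protocol family not supported` and once with `No such file or directory`, and once `log +link` is on each line also carries a `[L-2]` link tag. Picking those events out of a busy mpd.log by hand is tedious, so here is an added example of doing it programmatically; it is not mpd's code and not the posters'. It parses the syslog prefix mpd writes, the optional link tag, and the message, then reports every PPTP call that died because the pptpgre netgraph node could not be attached, grouped by errno text and by link. The sample lines are taken from the log excerpts posted above (the January lines without a tag, the February lines with one); the two `[L-3]` lines are constructed to give the filter something to ignore.

```python
"""Extract PPTP pptpgre attach failures from mpd.log.

Added example for this thread; not mpd's code and not the posters'.
"""
import re
from collections import Counter, defaultdict

# Sample log: lines copied from the thread, plus two constructed [L-3] lines
# for a call that did not fail.
SAMPLE_LOG = """\
Jan 24 10:17:25 morisson mpd: PPTP: can't attach pptpgre node: Protocol family not supported
Jan 24 10:17:27 morisson mpd: PPTP: can't attach pptpgre node: No such file or directory
Feb 3 13:15:54 morisson mpd: [L-2] Accepting PPTP connection
Feb 3 13:15:54 morisson mpd: [L-2] PPTP: attaching to peer's outgoing call
Feb 3 13:15:54 morisson mpd: [L-2] PPTP: can't attach pptpgre node: No such file or directory
Feb 3 13:15:54 morisson mpd: [L-2] PPTP call cancelled in state CONNECTING
Feb 3 13:15:54 morisson mpd: [L-2] Link: SHUTDOWN event
Feb 3 13:20:01 morisson mpd: [L-3] PPTP: attaching to peer's outgoing call
Feb 3 13:20:01 morisson mpd: [L-3] Link: UP event
"""

# syslog timestamp, host, 'mpd:' (or 'mpd[pid]:'), optional '[link]' tag, message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+mpd(?:\[\d+\])?:\s+"
    r"(?:\[(?P<link>[^\]]+)\]\s+)?"
    r"(?P<msg>.*)$"
)
ATTACH_FAIL_RE = re.compile(r"^PPTP: can't attach pptpgre node: (?P<reason>.+)$")
CANCEL_RE = re.compile(r"^PPTP call cancelled in state (?P<state>\S+)$")


def parse_lines(text):
    """Yield (timestamp, link_or_None, message) for every well-formed mpd line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group("ts"), m.group("link"), m.group("msg")


def attach_failures(text):
    """Return (timestamp, link, errno_text) for each pptpgre attach failure."""
    out = []
    for ts, link, msg in parse_lines(text):
        m = ATTACH_FAIL_RE.match(msg)
        if m:
            out.append((ts, link, m.group("reason")))
    return out


def failures_by_reason(text):
    """Count attach failures per errno text, so it is obvious whether the
    kernel answered 'Protocol family not supported' or 'No such file or directory'."""
    return Counter(reason for _, _, reason in attach_failures(text))


def cancelled_calls(text):
    """Map link tag -> list of PPTP states in which a call was cancelled.
    Lines logged before 'log +link' was enabled have no tag and fall under None."""
    calls = defaultdict(list)
    for _, link, msg in parse_lines(text):
        m = CANCEL_RE.match(msg)
        if m:
            calls[link].append(m.group("state"))
    return dict(calls)


if __name__ == "__main__":
    for ts, link, reason in attach_failures(SAMPLE_LOG):
        print("%s link=%s reason=%r" % (ts, link or "-", reason))
    print(dict(failures_by_reason(SAMPLE_LOG)))
    print(cancelled_calls(SAMPLE_LOG))
```

Feed it the real log with `attach_failures(open("/var/log/mpd.log").read())`; a reason count that changes between restarts, as it did here between January and February, is worth noting in a PR or mailing-list report alongside the config.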
Dmitry S. Luhtionov
2012-02-03
Most likely the problem is in the kernel. It can't be sorted out right away. Try filing a PR or writing to the mailing list.