MPD-5.6, nat port redirection and PPTP

2012-01-24
2013-03-27
  • Yuri Kurenkov

    Yuri Kurenkov - 2012-01-24

    Given: a home NanoBSD router based on FreeBSD-8 from early January, mpd-5.6. On mpd a PPPoE link (client) to the provider is up. Through this link a PPTP link (client) to work is also up. And through this same link I connected via PPTP (server) into the home LAN and to work from a netbook out on "the Net". The router also has an ethernet interface to the world via another channel. PPPoE is the default. Over the weekend I set up a mail system at home on a server inside the LAN. I configured forwarding of port 25 in ipfw nat on the ethernet interface.

    In mpd-5.6 nat gained the ability to redirect ports. I decided to use it on the second external channel via PPPoE as well. I added the corresponding lines

    set nat red-port tcp 0.0.0.0 25 192.168.200.2 25

    to mpd.conf and restarted mpd. After that all PPTP connections dropped, and mpd.log said the following about it:

    Jan 24 10:17:25 morisson mpd:  PPTP: can't attach pptpgre node: Protocol family not supported
    Jan 24 10:17:27 morisson mpd:  PPTP: can't attach pptpgre node: No such file or directory

    Moreover, I tried connecting to the router via PPTP both through the PPPoE link and through ethernet. Netgraph is loaded as modules. For now I have removed port-redirection in mpd.

     
  • Dmitry S. Luhtionov

    Is set iface enable nat set?

     
  • Yuri Kurenkov

    Yuri Kurenkov - 2012-01-26

    set iface enable nat
    set nat enable incoming
    set nat red-port tcp 0.0.0.0 25 192.168.200.2 25
    set nat red-port tcp 0.0.0.0 587 192.168.200.2 587
    set nat red-port tcp 0.0.0.0 143 192.168.200.2 143
    set nat red-port tcp 0.0.0.0 993 192.168.200.2 993

     
  • Dmitry S. Luhtionov

    And why is the line set nat enable incoming there?
    My port forwarding into the internal network worked fine without it.

     
  • Yuri Kurenkov

    Yuri Kurenkov - 2012-01-27

    I removed nat enable incoming and enabled red-port. An attempt at an incoming PPTP connection to mpd through this PPPoE link failed without any mention in mpd.log, while a connection through ethernet failed with this diagnostic:

    Jan 27 11:54:19 morisson mpd:  Accepting PPTP connection
    Jan 27 11:54:19 morisson mpd:  Link: OPEN event
    Jan 27 11:54:19 morisson mpd:  LCP: Open event
    Jan 27 11:54:19 morisson mpd:  LCP: state change Initial -> Starting
    Jan 27 11:54:19 morisson mpd:  LCP: LayerStart
    Jan 27 11:54:19 morisson mpd:  PPTP: attaching to peer's outgoing call
    Jan 27 11:54:20 morisson mpd:  PPTP: can't attach pptpgre node: No such file or directory
    Jan 27 11:54:20 morisson mpd:  PPTP call cancelled in state CONNECTING
    Jan 27 11:54:20 morisson mpd:  Link: DOWN event
    Jan 27 11:54:20 morisson mpd:  LCP: Close event
    Jan 27 11:54:20 morisson mpd:  LCP: state change Starting -> Initial
    Jan 27 11:54:20 morisson mpd:  LCP: LayerFinish
    Jan 27 11:54:20 morisson mpd:  LCP: Down event
    Jan 27 11:54:20 morisson mpd:  Link: SHUTDOWN event
    Jan 27 11:54:20 morisson mpd:  Link: Shutdown

     
  • Dmitry S. Luhtionov

    Could you post the config?

     
  • Yuri Kurenkov

    Yuri Kurenkov - 2012-02-01

    Yes, here is the full config. PPTP (pptp_client and pptp_server) stops working if red-port is uncommented in pppoe_client. Besides the pppoe link the router also has ethernet links, through which pptp also stops working if red-port is enabled in the pppoe_client section. Just in case, I'll mention that ipfw_nat with port-redirect is used on the router's external ethernet interfaces.

    startup:
    # configure mpd users
    set user *** *** admin
    set user *** ***
    # configure the console
    set console self 127.0.0.1 5005
    set console open
    # configure the web server
    set web self 0.0.0.0 5006
    set web open

    default:
    load pppoe_client
    load pptp_client
    load pptp_server

    pptp_server:
    #
    # Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
    # Define dynamic IP address pool.
    set ippool add pptp_vpn 192.168.200.120 192.168.200.127

    # Create clonable bundle template named B
    create bundle template B
    set iface enable proxy-arp
    set iface idle 1800
    set iface enable tcpmssfix
    set ipcp yes vjcomp
    # Specify IP address pool for dynamic assigment.
    set ipcp ranges 192.168.200.1/32 ippool pptp_vpn
    set ipcp dns 192.168.200.1
    #set ipcp nbns 192.168.200.2
    # The five lines below enable Microsoft Point-to-Point encryption
    # (MPPE) using the ng_mppc(8) netgraph node type.
    set bundle enable compression
    set ccp yes mppc
    set mppc yes e40
    set mppc yes e128
    set mppc yes stateless

    # Create clonable link template named L
    create link template L pptp
    # Set bundle template to use
    set link action bundle B
    # Multilink adds some overhead, but gives full 1500 MTU.
    set link enable multilink
    set link yes acfcomp protocomp
    #set link no pap chap
    set link enable pap
    set link enable chap
    # We can use use RADIUS authentication/accounting by including
    # another config section with label 'radius'.
    # load radius
    set link keep-alive 10 60
    # We reducing link mtu to avoid GRE packet fragmentation.
    set link mtu 1460
    # Configure PPTP
    #set pptp self 1.2.3.4
    # Allow to accept calls
    set link enable incoming

    pptp_client:
    #
    # PPTP client: only outgoing calls, auto reconnect,
    # ipcp-negotiated address, one-sided authentication,
    # default route points on ISP's end
    #

    create bundle template B1
    set iface enable tcpmssfix
    ##set iface route default
    #set iface route 192.168.186.0/23
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0
    set ipcp enable req-pri-dns req-sec-dns
    set iface up-script /usr/local/etc/mpd5/mpd.d/mpd.linkup.init_vpn
    set iface down-script /usr/local/etc/mpd5/mpd.d/mpd.linkdown.init_vpn
    set iface description "VPN to INIT"
    set iface enable nat
    #set nat disable incoming
    set nat enable incoming
    #set nat enable unreg-only
    set ccp yes mppc

    create link template common pptp
    set link action bundle B1
    set link max-redial 0
    set link mtu 1460
    set link keep-alive 20 75
    set pptp disable windowing
    set auth authname ****
    set auth password ****

    create link static vpn1 common
    set pptp peer x.x.x.4
    open

    create link static vpn2 common
    set pptp peer y.y.y.74
    open

    pppoe_client:
    #
    # PPPoE client: only outgoing calls, auto reconnect,
    # ipcp-negotiated address, one-sided authentication,
    # default route points on ISP's end
    #

    create bundle static B2
    set iface route default
    set iface enable nat
    #set nat red-port tcp 0.0.0.0 25 192.168.200.2 25
    #set nat red-port tcp 0.0.0.0 587 192.168.200.2 587
    #set nat red-port tcp 0.0.0.0 143 192.168.200.2 143
    #set nat red-port tcp 0.0.0.0 993 192.168.200.2 993
    set iface enable tcpmssfix
    #set nat disable incoming
    set nat enable incoming
    set nat enable unreg-only
    set ipcp ranges 0.0.0.0/0 0.0.0.0/0
    set ipcp enable req-pri-dns req-sec-dns
    set iface up-script /usr/local/etc/mpd5/mpd.d/mpd.linkup.itt
    set iface down-script /usr/local/etc/mpd5/mpd.d/mpd.linkdown.itt
    set iface description "PPPoE to ITT"

    create link static L2 pppoe
    set link action bundle B2
    set auth authname ****
    set auth password ****
    set link max-redial 0
    set link mtu 1492
    set link keep-alive 10 60
    set pppoe iface wlan1
    set pppoe service ""
    open

     
  • Yuri Kurenkov

    Yuri Kurenkov - 2012-02-01

    Something got garbled

    startup:
        # configure mpd users
        set user *** *** admin
        set user *** *** 
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        set web self 0.0.0.0 5006
        set web open
    default:
        load pppoe_client
        #load pptp_client
        load pptp_server
    pptp_server:
    #
    # Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
    # Define dynamic IP address pool.
        set ippool add pptp_vpn 192.168.200.120 192.168.200.127
    # Create clonable bundle template named B
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
    # Specify IP address pool for dynamic assigment.
        set ipcp ranges 192.168.200.1/32 ippool pptp_vpn 
        set ipcp dns 192.168.200.1
        #set ipcp nbns 192.168.200.2
    # The five lines below enable Microsoft Point-to-Point encryption
    # (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless
    # Create clonable link template named L
        create link template L pptp
    # Set bundle template to use
        set link action bundle B
    # Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link yes acfcomp protocomp
        #set link no pap chap
        set link enable pap
        set link enable chap
    # We can use use RADIUS authentication/accounting by including
    # another config section with label 'radius'.
    #   load radius
        set link keep-alive 10 60
    # We reducing link mtu to avoid GRE packet fragmentation.
        set link mtu 1460
    # Configure PPTP
            #set pptp self 1.2.3.4
    # Allow to accept calls
            set link enable incoming
    pptp_client:
    #
    # PPTP client: only outgoing calls, auto reconnect,
    # ipcp-negotiated address, one-sided authentication,
    # default route points on ISP's end
    #
        create bundle template B1
            set iface enable tcpmssfix
        ##set iface route default
        #set iface route 192.168.186.0/23 
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        set ipcp enable req-pri-dns req-sec-dns
            set iface up-script /usr/local/etc/mpd5/mpd.d/mpd.linkup.init_vpn
            set iface down-script /usr/local/etc/mpd5/mpd.d/mpd.linkdown.init_vpn
        set iface description "VPN to INIT"
        set iface enable nat
        #set nat disable incoming
        set nat enable incoming
        #set nat enable unreg-only
        set ccp yes mppc
    
        create link template common pptp
        set link action bundle B1
        set link max-redial 0
        set link mtu 1460
        set link keep-alive 20 75
        set pptp disable windowing
        set auth authname ****  
        set auth password **** 
        create link static vpn1 common
        set pptp peer x.x.x.4
        open
        create link static vpn2 common
        set pptp peer y.y.y.74 
        open
    pppoe_client:
    #
    # PPPoE client: only outgoing calls, auto reconnect,
    # ipcp-negotiated address, one-sided authentication,
    # default route points on ISP's end
    #
        create bundle static B2
        set iface route default
        set iface enable nat
        #set nat red-port tcp 0.0.0.0 25 192.168.200.2 25
        #set nat red-port tcp 0.0.0.0 587 192.168.200.2 587 
        #set nat red-port tcp 0.0.0.0 143 192.168.200.2 143 
        #set nat red-port tcp 0.0.0.0 993 192.168.200.2 993 
            set iface enable tcpmssfix
        #set nat disable incoming
        set nat enable incoming
        set nat enable unreg-only
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        set ipcp enable req-pri-dns req-sec-dns
            set iface up-script /usr/local/etc/mpd5/mpd.d/mpd.linkup.itt
            set iface down-script /usr/local/etc/mpd5/mpd.d/mpd.linkdown.itt
        set iface description "PPPoE to ITT"
    
        create link static L2 pppoe
        set link action bundle B2
        set auth authname ****  
        set auth password **** 
        set link max-redial 0
        set link mtu 1492
        set link keep-alive 10 60
        set pppoe iface wlan1
        set pppoe service ""
        open
    
     
  • Dmitry S. Luhtionov

    To be honest, I haven't tested nat on pppoe. I've only used it with the pptp client.
    Could you try repeating the attempt, but with a fuller log?
    Something like: log +iface +iface2 +link
    Perhaps the problem is in ng_nat itself after all

     
  • Yuri Kurenkov

    Yuri Kurenkov - 2012-02-03

    I added log +iface +iface2 +link to the config.

    Feb  3 13:15:54 morisson mpd: [L-2] Accepting PPTP connection
    Feb  3 13:15:54 morisson mpd: [L-2] Link: OPEN event
    Feb  3 13:15:54 morisson mpd: [L-2] LCP: Open event
    Feb  3 13:15:54 morisson mpd: [L-2] LCP: state change Initial --> Starting
    Feb  3 13:15:54 morisson mpd: [L-2] LCP: LayerStart
    Feb  3 13:15:54 morisson mpd: [L-2] PPTP: attaching to peer's outgoing call
    Feb  3 13:15:54 morisson mpd: [L-2] PPTP: can't attach pptpgre node: No such file or directory
    Feb  3 13:15:54 morisson mpd: [L-2] PPTP call cancelled in state CONNECTING
    Feb  3 13:15:54 morisson mpd: [L-2] Link: DOWN event
    Feb  3 13:15:54 morisson mpd: [L-2] LCP: Close event
    Feb  3 13:15:54 morisson mpd: [L-2] LCP: state change Starting --> Initial
    Feb  3 13:15:54 morisson mpd: [L-2] LCP: LayerFinish
    Feb  3 13:15:54 morisson mpd: [L-2] LCP: Down event
    Feb  3 13:15:54 morisson mpd: [L-2] Link: SHUTDOWN event
    Feb  3 13:15:54 morisson mpd: [L-2] Link: Shutdown
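Added example, not code from this thread or from the mpd project: a small POSIX sh script that pulls every "can't attach pptpgre node" failure (with its link tag and errno text) out of an mpd.log and lists the uncommented red-port lines under a given mpd.conf label, so the two can be correlated before filing the PR. The sample log and config are constructed from the lines quoted in this thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of mpd: correlate pptpgre attach failures in
# mpd.log with active "set nat red-port" lines in an mpd.conf section.
# Function names are invented for this example.

# Constructed samples, copied from the lines quoted in this thread.
make_samples() {
    SAMPLE_LOG=$(mktemp) && SAMPLE_CONF=$(mktemp) || return 1
    cat >"$SAMPLE_LOG" <<'EOF'
Jan 24 10:17:25 morisson mpd:  PPTP: can't attach pptpgre node: Protocol family not supported
Feb  3 13:15:54 morisson mpd: [L-2] Accepting PPTP connection
Feb  3 13:15:54 morisson mpd: [L-2] PPTP: attaching to peer's outgoing call
Feb  3 13:15:54 morisson mpd: [L-2] PPTP: can't attach pptpgre node: No such file or directory
Feb  3 13:15:54 morisson mpd: [L-2] PPTP call cancelled in state CONNECTING
EOF
    cat >"$SAMPLE_CONF" <<'EOF'
pptp_client:
    create bundle template B1
    set iface enable nat
    set nat enable incoming
pppoe_client:
    create bundle static B2
    set iface enable nat
    set nat red-port tcp 0.0.0.0 25 192.168.200.2 25
    #set nat red-port tcp 0.0.0.0 587 192.168.200.2 587
    set nat red-port tcp 0.0.0.0 993 192.168.200.2 993
    set nat enable unreg-only
EOF
}

# Print "<link>: <errno text>" for every pptpgre attach failure in a log.
# "-" stands in for the link when the line carries no [link] tag.
pptpgre_attach_failures() {
    awk -v needle="can't attach pptpgre node: " '
        { p = index($0, needle) }
        p > 0 {
            link = "-"
            if (match($0, /\[[^]]+\]/)) link = substr($0, RSTART + 1, RLENGTH - 2)
            print link ": " substr($0, p + length(needle))
        }' "$1"
}

# Print the uncommented "set nat red-port" lines under the label "<section>:"
# of an mpd.conf. A label is a word followed by ":" alone on its line.
nat_redirects_in_section() {
    awk -v want="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^[A-Za-z0-9_-]+:[ \t]*$/ { sec = line; sub(/:.*$/, "", sec); next }
        sec == want && line ~ /^set nat red-port / { print line }
    ' "$1"
}

make_samples
echo "pptpgre attach failures:"; pptpgre_attach_failures "$SAMPLE_LOG"
echo "active red-port lines in pppoe_client:"; nat_redirects_in_section "$SAMPLE_CONF" pppoe_client
```

Point both functions at the real /var/log/mpd.log and /usr/local/etc/mpd5/mpd.conf to check a live router; a non-empty red-port list next to "No such file or directory" failures is the same symptom this thread describes.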
    
     
  • Dmitry S. Luhtionov

    Most likely the problem is in the kernel. It can't be worked out right away. Try filing a PR or writing to the mailing list.

     
