Hi, I've just upgraded my old old old FreeBSD 6.3 firewall box to FreeBSD 7.1-p2.
However, now my firewall will suddenly no longer NAT GRE, so none of the client connections to remote (PPTP) VPNs are working.
When trying to connect from the client (10.1.0.6) to the internet, everything works fine (tcp/udp are natted), but when trying to set up a VPN my firewall log says:
3. 004630 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]
(vr0 is my external interface, which is connected to the ADSL modem.) The rule that is blocking is:
@6 block drop out log quick on vr0 inet from ! 192.168.1.2 to any
(192.168.1.2 is my "external" address.) This rule is supposed to block any internal stuff going out that is not NATted properly. It is correct to block my client (10.1.0.6), since it should have had its address translated.
My nat rule is simple (and DOES NAT tcp/udp):
nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
The entire config is attached. Am I doing something stupid? Does anybody know what I'm doing wrong?
Thanks in advance, Sebastiaan
#============================================================================
# MACROS
#----------------------------------------------------------------------------
# External (internet, natted) interface.
ext_if = "vr0"
ext_net = $ext_if:network
ext_ip = "192.168.1.2"
ext_gw = "192.168.1.1"
# Internal (trusted) interface.
int_if = "rl0"
int_net = $int_if:network
int_ip = "10.0.0.1"
# Wifi (untrusted) interface.
wifi_if = "rl1"
wifi_net = $wifi_if:network
wifi_ip = "10.1.0.1"
# Allowed ICMP types.
icmp_types = "{ echoreq, echorep, timex, unreach }"
# Services.
tcp_services = "{ ssh, http, https, 8881 }"
udp_services = "{ 8881 }"
# Internal IPs.
blauwoor_ip = "10.1.0.6"
printer_ip = "10.0.0.2"
# Internal ports.
blauwoor_torrent_port = 7880
#============================================================================
# TABLES
#----------------------------------------------------------------------------
table <self> const { self }
table <private> const { $int_net }
#============================================================================
# OPTIONS
#----------------------------------------------------------------------------
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
#============================================================================
# NORMALIZATION
#----------------------------------------------------------------------------
# Reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
#============================================================================
# QUEUING
#----------------------------------------------------------------------------
altq on $ext_if priq bandwidth 900Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
#============================================================================
# NAT
#----------------------------------------------------------------------------
# Packets going out through $ext_if with source address $int_net or $wifi_net
# will get translated as coming from the address of $ext_if, a state is
# created for such packets, and incoming packets will be redirected to the
# internal address.
nat on $ext_if from { $int_net, $wifi_net } to any -> $ext_if
#============================================================================
# REDIRECTS
#----------------------------------------------------------------------------
# Torrent for blauwoor.
rdr on $ext_if proto { tcp, udp } from any to $ext_ip port $blauwoor_torrent_port -> $blauwoor_ip
#============================================================================
# BASIC FILTERING RULES
#----------------------------------------------------------------------------
# Skip loopback interface.
set skip on lo0
# Activate spoofing protection for all interfaces.
antispoof for { vr0, rl0, rl1 } inet
# Block and log packets going out the external interface that do
# not have the external ip address. They are either spoofed or
# else something is misconfigured (e.g. NAT disabled).
block out log quick on $ext_if from !$ext_ip to any
# Silently drop broadcasts (so they do not clog the logs).
block in quick on $ext_if from any to 255.255.255.255
# Setup default deny policy.
block log all
# Prioritize TCP acks.
pass out on $ext_if proto tcp from $ext_if to any queue (q_def, q_pri)
pass in on $ext_if proto tcp from any to $ext_if queue (q_def, q_pri)
#============================================================================
# CUSTOM FILTERING RULES
#----------------------------------------------------------------------------
# Open up for allowed ICMP types.
pass in quick inet proto icmp all icmp-type $icmp_types
# Open up GRE for VPNs
pass quick proto gre
# Open up LAN network.
pass in quick on $int_if from $int_net to any
pass out quick on $int_if from any to $int_net
# Open up WIFI network, but block access to private networks.
pass in quick on $wifi_if from $wifi_net to any
pass out quick on $wifi_if from any to $wifi_net
block in on $wifi_if from $wifi_net to <private>
# Open up outgoing traffic to internet.
pass out quick on $ext_if proto tcp all
pass out quick on $ext_if proto { udp, icmp } all
# Open up services to internet.
pass in quick on $ext_if proto tcp from any to $ext_ip port $tcp_services
pass in quick on $ext_if proto udp from any to $ext_ip port $udp_services
# Open up services and dns to wifi
pass in quick on $wifi_if proto tcp from any to <self> port $tcp_services
pass in quick on $wifi_if proto udp from any to <self> port $udp_services
pass in quick on $wifi_if proto udp from $wifi_net to $int_ip port domain
# Printer for wifi
pass in quick on $wifi_if proto { tcp, udp } from any to $printer_ip
# Torrent for blauwoor.
pass in quick on $ext_if proto { tcp, udp } from any to $blauwoor_ip port $blauwoor_torrent_port
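As an added example (not part of the original post or of pf itself), here is a small Python script that parses tcpdump-style pflog lines like the one quoted above and lists packets that left the external interface with a source address other than the external address, grouped by protocol. That is exactly the condition the `block out log quick on $ext_if from !$ext_ip` rule exists to catch, so running this over `/var/log/pflog` output shows at a glance which protocols are escaping NAT. It assumes the interface name and external address from the attached pf.conf; the GRE line is the one from the post, while the TCP and UDP sample lines are constructed for illustration (pass rules only show up in pflog when they carry `log`).

```python
"""Find untranslated egress packets in tcpdump-formatted pflog output.

Added example. EXT_IF and EXT_IP come from the pf.conf attached to the post;
the sample log is constructed (only the GRE line is quoted from the post).
"""
import re
from collections import Counter

EXT_IF = "vr0"          # external interface from the post's pf.conf
EXT_IP = "192.168.1.2"  # external address from the post's pf.conf

# Body of a pflog record as printed by `tcpdump -n -e -ttt`, for example:
#   rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: GREv1, ...
#   rule 21/0(match): pass out on vr0: 192.168.1.2.61000 > 193.46.80.81.1723: S ...
# The optional ".port" suffix after each address is only present for TCP/UDP.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def parse_pflog_line(line):
    """Return a dict describing one logged packet, or None for non-record
    lines such as tcpdump's "listening on pflog0" banner."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rest = rec["rest"].lower()
    # Protocol classification: GRE and ICMP announce themselves in the
    # payload description; ports on the addresses mean TCP or UDP.
    if rest.startswith("gre"):
        rec["proto"] = "gre"
    elif rest.startswith("icmp"):
        rec["proto"] = "icmp"
    elif rec["sport"] is not None:
        rec["proto"] = "udp" if rest.startswith("udp") else "tcp"
    else:
        rec["proto"] = "other"
    return rec


def untranslated_egress(lines, ext_if=EXT_IF, ext_ip=EXT_IP):
    """Records of packets that went out on ext_if with a source address
    other than ext_ip, i.e. traffic that should have been NATed and was
    not. These are the packets the post's rule @6 blocks and logs."""
    leaks = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        if rec["dir"] == "out" and rec["ifname"] == ext_if and rec["src"] != ext_ip:
            leaks.append(rec)
    return leaks


def leaks_by_proto(lines, **kw):
    """Count untranslated egress packets per protocol."""
    return Counter(r["proto"] for r in untranslated_egress(lines, **kw))


# Constructed sample log. Line 1 is the record quoted in the post (with a
# constructed timestamp); the remaining lines are made up for illustration and
# use TEST-NET addresses where the post gives none.
SAMPLE_LOG = [
    "00:46:30.000000 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: "
    "GREv1, call 55191, seq 10, proto PPP (0x880b), length 36: [|ppp]",
    "00:46:30.100000 rule 6/0(match): block out on vr0: 10.1.0.6 > 193.46.80.81: "
    "GREv1, call 55191, seq 11, proto PPP (0x880b), length 36: [|ppp]",
    "00:46:31.000000 rule 21/0(match): pass out on vr0: "
    "192.168.1.2.61000 > 193.46.80.81.1723: S 1:1(0) win 65535",
    "00:46:31.200000 rule 22/0(match): pass out on vr0: "
    "192.168.1.2.50000 > 198.51.100.1.53: UDP, length 40",
    "00:46:31.300000 rule 12/0(match): pass in on rl1: "
    "10.1.0.6.61000 > 193.46.80.81.1723: S 1:1(0) win 65535",
]

if __name__ == "__main__":
    for rec in untranslated_egress(SAMPLE_LOG):
        print(f"rule {rec['rule']}: {rec['proto']} {rec['src']} -> {rec['dst']} left {rec['ifname']} untranslated")
    print(dict(leaks_by_proto(SAMPLE_LOG)))
```

To run it against a real firewall, feed it the lines from `tcpdump -n -e -ttt -r /var/log/pflog` (the `-e` flag is what makes tcpdump print the `rule N/M(match): action dir on if` header). On the sample log only the two GRE records are reported: the TCP and UDP packets on vr0 already carry the external address, and the rl1 record is inbound on the internal side, where the untranslated address is expected.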
