Hey all,

I've been spending hours trying to figure out why my machine at the office (Linux) cannot connect to my FreeBSD (6.1) machine behind my NAT'ed gateway. This was working fine previously, before my Linksys router decided to take a nose dive, so I am sure the Linux box that is attempting to establish the connection is configured fine.

When the router crapped out, I decided to put all that old hardware I wasn't using for anything to good use. What I ended up with is a Pentium 3 200 MHz machine with several network interfaces, connected to my internet provider (BellSouth). In order to continue working from home, it's necessary that I get this tunnel up and running, and for the life of me I can't seem to figure out what exactly I'm doing wrong. Here is my current configuration:


Gateway (FBSD 6.2) - IPFW / NATD
-------------------------------------


PPPoE Configuration for DSL (Works fine)
       ------------------
nat# cat /etc/ppp/ppp.conf 
default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 set device PPPoE:xl0:pppoe-in
 enable lqr echo
 set cd 5
 set dial
 set login
 set authname "username"
 set authkey "pass"
 set redial 0 0
 enable dns
 set ifaddr 0.0.0.0/0 0.0.0.0/0 255.255.255.0 0.0.0.0
 add default HISADDR


The above creates the following device without problems:
         -----------------------
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet xx.xx.xx.xx --> xx.xx.xx.xx netmask 0xffffff00 
        Opened by PID 492


Natd configuration (Works fine w/ the exception of port forwarding)
        ------------------------------
natd_enable="YES"
natd_flags="-dynamic -m -redirect_port tcp 10.5.21.246:5000 5000"
natd_interface="tun0"


IPFW RULES (works fine)
      ------------------------------------------
nat# ipfw show
00001     0       0 allow ip from any to any via lo0
00002     0       0 deny ip from any to 127.0.0.0/8
00003     0       0 deny ip from 127.0.0.0/8 to any
00050     6     444 allow ip from any to any via xl0
00051 10646 2950467 allow ip from any to any via fxp0
00052  1212  101901 allow ip from any to any via dc0
00053   534  261533 allow ip from any to any via rl0
00100  4316 2156348 divert 8668 ip from any to any in via tun0
00101     0       0 check-state
00150  1121  332120 skipto 500 udp from any to any out via tun0 keep-state
00160  5795 2319421 skipto 500 tcp from any to any out via tun0 setup keep-state
00170    91    8551 skipto 500 icmp from any to any out via tun0 keep-state
00180  1013   87013 skipto 500 gre from any to any out via tun0 keep-state
00301   941   57268 allow tcp from any to 10.5.21.246 dst-port 5000 in via tun0 setup keep-state
00400   264   19399 deny log ip from any to any
00500  4182  622757 divert 8668 ip from any to any out via tun0
00501  8020 2747105 allow ip from any to any
65535    44    4726 allow ip from any to any


Do note, the host running the vtund application that I'm concerned with lives behind the fxp0 interface. In addition, rule number 00301 triggers appropriately when a packet destined for port 5000 is inbound. /var/log/security makes no mention of anything being denied by this firewall ruleset destined for or originating from port 5000 by any host. This is certainly the case, as the host where vtund is running is receiving packets from the gateway on port 5000 (info showing this follows). I also see the vtund box responding to the inbound packets, but it never creates the tunnel device as it should, and nothing gets logged.



VTUND HOST
------------------------------------------

IPFW RULES  (NONE)
       -----------------------------

NETSTAT
       -----------------------------
nat# netstat -nat | fgrep 5000
tcp4       0      0  *.5000                 *.*                    LISTEN



IS IT LISTENING???   -- YES
       -----------------------------
nat# telnet 10.5.21.246 5000
Trying 10.5.21.246...
Connected to work_machine.
Escape character is '^]'.
VTUN server ver  12/20/2006



TCPDUMP from destination machine (packets are making it this far)
       -----------------------------
fileserv# tcpdump -i em0 port 5000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 68 bytes
01:18:16.831396 IP 10.5.21.246.commplex-main > <foreign_host>.20342: S 2762324279:2762324279(0) ack 1110928859 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:18:19.846872 IP <foreign_host>.20342 > 10.5.21.246.commplex-main: S 1110928858:1110928858(0) win 5840 <mss 1380,sackOK,timestamp 116412145[|tcp]>
01:18:19.846894 IP 10.5.21.246.commplex-main > <foreign_host>.20342: S 2762324279:2762324279(0) ack 1110928859 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:18:25.876180 IP 10.5.21.246.commplex-main > <foreign_host>.20342: S 2762324279:2762324279(0) ack 1110928859 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:18:31.912374 IP <foreign_host>.20342 > 10.5.21.246.commplex-main: S 1110928858:1110928858(0) win 5840 <mss 1380,sackOK,timestamp 116415145[|tcp]>
01:18:31.912406 IP 10.5.21.246.commplex-main > <foreign_host>.20342: S 2762324279:2762324279(0) ack 1110928859 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:18:43.971794 IP 10.5.21.246.commplex-main > <foreign_host>.20342: S 2762324279:2762324279(0) ack 1110928859 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:18:46.024173 IP <foreign_host>.20373 > 10.5.21.246.commplex-main: S 1145016457:1145016457(0) win 5840 <mss 1380,sackOK,timestamp 116418655[|tcp]>
01:18:46.024208 IP 10.5.21.246.commplex-main > <foreign_host>.20373: S 2258110650:2258110650(0) ack 1145016458 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:18:47.821762 IP <foreign_host>.20232 > 10.5.21.246.commplex-main: . ack 0 win 0
01:18:47.821788 IP 10.5.21.246.commplex-main > <foreign_host>.20232: R 0:0(0) win 0
01:18:49.038886 IP 10.5.21.246.commplex-main > <foreign_host>.20373: S 2258110650:2258110650(0) ack 1145016458 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:18:49.038942 IP <foreign_host>.20373 > 10.5.21.246.commplex-main: S 1145016457:1145016457(0) win 5840 <mss 1380,sackOK,timestamp 116419405[|tcp]>
01:18:49.038959 IP 10.5.21.246.commplex-main > <foreign_host>.20373: S 2258110650:2258110650(0) ack 1145016458 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
.....
.....
<snip>



TCPDUMP on the internal NIC (gateway - fxp0)
       -----------------------------
nat# tcpdump -i fxp0 port 5000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 68 bytes
01:25:36.734256 IP work_machine.commplex-main > <foreign_host>.20488: S 3180151438:3180151438(0) ack 332523228 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:25:36.735776 IP <foreign_host>.20488 > work_machine.commplex-main: S 332523227:332523227(0) win 5840 <mss 1380,sackOK,timestamp 116520217[|tcp]>
01:25:36.735984 IP work_machine.commplex-main > <foreign_host>.20488: S 3180151438:3180151438(0) ack 332523228 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:25:37.202142 IP <foreign_host>.20406 > work_machine.commplex-main: . ack 0 win 0
01:25:37.202299 IP work_machine.commplex-main > <foreign_host>.20406: R 0:0(0) win 0
01:25:50.744236 IP <foreign_host>.20500 > work_machine.commplex-main: S 1092281427:1092281427(0) win 5840 <mss 1380,sackOK,timestamp 116523718[|tcp]>
01:25:50.744460 IP work_machine.commplex-main > <foreign_host>.20500: S 2038175112:2038175112(0) ack 1092281428 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
.....
.....
<snip>



TCPDUMP on the external NIC (gateway - tun0)
       -----------------------------
nat# tcpdump -i tun0 host <foreign_host>
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 68 bytes
01:28:10.872333 IP <foreign_host>.20533 > adsl-241-161-118.bna.bellsouth.net.commplex-main: S 2029663877:2029663877(0) win 5840 <mss 1380,sackOK,timestamp 116558747 0,nop,wscale 4>
01:28:10.872786 IP work_machine.commplex-main > <foreign_host>.20533: S 1854728145:1854728145(0) ack 2029663878 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3546006 116558747,sackOK,eol>
01:28:12.185971 IP work_machine.commplex-main > <foreign_host>.20428: . ack 618288056 win 0
01:28:12.186129 IP work_machine.commplex-main > <foreign_host>.20428: R 0:0(0) win 0
01:28:13.869476 IP <foreign_host>.20533 > adsl-241-161-118.bna.bellsouth.net.commplex-main: S 2029663877:2029663877(0) win 5840 <mss 1380,sackOK,timestamp 116559497 0,nop,wscale 4>
01:28:13.869843 IP work_machine.commplex-main > <foreign_host>.20533: S 1854728145:1854728145(0) ack 2029663878 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3549004 116559497,sackOK,eol>
01:28:16.869646 IP work_machine.commplex-main > <foreign_host>.20533: S 1854728145:1854728145(0) ack 2029663878 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3552004 116559497,sackOK,eol>
.....
.....
<snip>


If anyone has any ideas, I'd much appreciate it.

Thanks!
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
