Hi All:

I have been trying to create an npppd connection across my property -
about 100M for one of my friends who lives here. He wants less security
than I like behind my firewall. I have not been able to get OpenBSD to
route his connection out of the network. Here are my settings.

----
# uname -a
OpenBSD bernie.mesh.local 6.0 GENERIC.MP#2319 amd64


-------------

# $OpenBSD: npppd.conf,v 1.2 2014/03/22 04:32:39 yasuoka Exp $
# sample npppd configuration file.  see npppd.conf(5)

tunnel L2TP protocol l2tp
tunnel PPTP protocol pptp
tunnel PPPOE protocol pppoe {
        listen on interface em1
}

ipcp IPCP {
    pool-address 10.0.0.2-10.0.0.254
    dns-servers 208.67.222.222 8.8.8.8
}
interface tun0 address 10.0.0.1 ipcp IPCP
authentication LOCAL type local {
    users-file "/etc/npppd/npppd-users"
}
bind tunnel from L2TP authenticated by LOCAL to tun0
bind tunnel from PPTP authenticated by LOCAL to tun0
bind tunnel from PPPOE authenticated by LOCAL to tun0

---------------

-------------------
# more /etc/npppd/npppd

npppd-users      npppd.conf       npppd.conf.OLD
# more /etc/npppd/npppd-users

# $OpenBSD: npppd-users,v 1.1 2012/09/20 12:51:43 yasuoka Exp $
# sample npppd-users file.  see npppd-users(5)

#taro:\
#       :password=taro's password:\
#       :framed-ip-address=10.0.0.101:
#hana:\
#       :password=hana's password:\
#       :framed-ip-address=10.0.0.102:
kevin:\
        :password=XXXXXX:\
        :framed-ip-address=10.0.0.103:
laura:\
        :password=testvpn:\
        :framed-ip-address=10.0.0.104:
#
-------------------

# npppctl session all

Ppp Id = 33
          Ppp Id                  : 33
          Username                : kevin
          Realm Name              : LOCAL
          Concentrated Interface  : tun0
          Assigned IPv4 Address   : 10.0.0.103
          Tunnel Protocol         : PPPoE
          Tunnel From             : 74:44:01:7a:13:e7
          Start Time              : 2016/11/03 12:53:59
          Elapsed Time            : 3149 sec (52 minutes)
          Input Bytes             : 69314 (67.7 KB)
          Input Packets           : 1986
          Input Errors            : 1056 (34.7%)
          Output Bytes            : 13021 (12.7 KB)
          Output Packets          : 1100
          Output Errors           : 0 (0.0%)
#
--------------
# route show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            c-73-114-67-1.hsd1 UGS      432 27284883     -     8 em0
BASE-ADDRESS.MCAST localhost          URS        0      205 32768     8 lo0
10.0.0.128/26      localhost          UGB        0        0 32768    56 lo0
10.0.0.64/26       localhost          UGB        0        0 32768    56 lo0
10.0.0.192/27      localhost          UGB        0        0 32768    56 lo0
10.0.0.32/27       localhost          UGB        0       14 32768    56 lo0
10.0.0.8/29        localhost          UGB        0        1 32768    56 lo0
10.0.0.4/30        localhost          UGB        0       20 32768    56 lo0
10.0.0.2/31        localhost          UGB        0        0 32768    56 lo0
10.0.0.1           tun0               UHl        1       45     -     1 tun0
10.0.0.1/32        10.0.0.1           UC         0        0     -     4 tun0
10.0.0.1           localhost          UGH        0        0 32768    56 lo0
10.0.0.16/28       localhost          UGB        0        0 32768    56 lo0
10.0.0.103         10.0.0.1           UGH        0       55  1492    56 tun0
10.0.0.224/28      localhost          UGB        0        0 32768    56 lo0
10.0.0.240/29      localhost          UGB        0        0 32768    56 lo0
10.0.0.248/30      localhost          UGB        0        0 32768    56 lo0
10.0.0.252/31      localhost          UGB        0        0 32768    56 lo0
10.0.0.254/32      localhost          UGB        0        0 32768    56 lo0
73.114.67/24       c-73-114-67-57.hsd UC         1        0     -     4 em0
c-73-114-67-1.hsd1 00:5f:86:93:c4:22  UHLc       1      225     -     4 em0
c-73-114-67-57.hsd 00:00:24:d2:16:e0  UHLl       0   396542     -     1 em0
73.114.67.255      c-73-114-67-57.hsd UHb        0        0     -     1 em0
loopback           localhost          UGRS       0        0 32768     8 lo0
localhost          localhost          UHl       15       15 32768     1 lo0
192.168.1/24       apache             UC         6      749     -     4 em1
apache             00:00:24:d2:16:e1  UHLl       0   137387     -     1 em1
192.168.1.15       40:8d:5c:18:94:22  UHLc       0  2505472     -     4 em1
192.168.1.22       40:8d:5c:83:01:16  UHLc       1  4272213     -     4 em1
192.168.1.29       d0:50:99:7c:c7:95  UHLc       3  4213308     -     4 em1
192.168.1.51       90:6e:bb:03:3e:ff  UHLc       0   466079     -     4 em1
192.168.1.56       10:1f:74:5e:8b:67  UHLc       0     1173     -     4 em1
192.168.1.126      4c:cc:6a:09:fd:14  UHLc       0  4434626     -     4 em1
192.168.1.255      apache             UHb        0     6472     -     1 em1
192.168.2/24       192.168.2.1        C          0        0     -     4 em2
192.168.2.1        00:00:24:d2:16:e2  UHLl       0        0     -     1 em2
192.168.2.255      192.168.2.1        Hb         0        0     -     1 em2
192.168.3/24       192.168.3.1        C          0        0     -     4 em3
192.168.3.1        00:00:24:d2:16:e3  UHLl       0        0     -     1 em3
192.168.3.255      192.168.3.1        Hb         0        0     -     1 em3

Internet6:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
::/96              localhost          UGRS       0        0 32768     8 lo0
::/104             localhost          UGRS       0        0 32768     8 lo0
localhost          localhost          UHl       14       14 32768     1 lo0
::127.0.0.0/104    localhost          UGRS       0        0 32768     8 lo0
::224.0.0.0/100    localhost          UGRS       0        0 32768     8 lo0
::255.0.0.0/104    localhost          UGRS       0        0 32768     8 lo0
::ffff:0.0.0.0/96  localhost          UGRS       0        0 32768     8 lo0
2002::/24          localhost          UGRS       0        0 32768     8 lo0
2002:7f00::/24     localhost          UGRS       0        0 32768     8 lo0
2002:e000::/20     localhost          UGRS       0        0 32768     8 lo0
2002:ff00::/24     localhost          UGRS       0        0 32768     8 lo0
fe80::/10          localhost          UGRS       0        0 32768     8 lo0
fec0::/10          localhost          UGRS       0        0 32768     8 lo0
fe80::1%lo0        fe80::1%lo0        UHl        0        0 32768     1 lo0
ff01::/16          localhost          UGRS       0        0 32768     8 lo0
ff01::%lo0/32      localhost          Um         0        1 32768     4 lo0
ff02::/16          localhost          UGRS       0        0 32768     8 lo0
ff02::%lo0/32      localhost          Um         0        1 32768     4 lo0
#
----------------


-------------------------------------
#       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# NAT Rule to translate from internal to External NET
pass out on em0 inet from em1:network to any nat-to (em0)


internal = em1
external = em0
vpn_if = "pppx"
vpn_net = "10.0.0.0/24"

#queue std on $internal bandwidth 1000M
#queue inbound parent std bandwidth 800M default
#queue inbound_a parent std bandwidth 8000K

queue std on $internal bandwidth 1000M
queue inbound_a parent std bandwidth 8M
queue inbound_b parent std bandwidth 10M
#queue d_default parent std bandwidth 800M default

#queue std1 on $external bandwidth 1000M
#queue outbound parent std1 bandwidth 800M default
#queue outbound_a parent std1 bandwidth 8000K

queue std on $external bandwidth 1000M
queue outbound_a parent std bandwidth 8M
queue outbound_b parent std bandwidth 10M
queue d_default parent std bandwidth 800M default


dhcppool = "{ 192.168.1.225, 192.168.1.226, 192.168.1.227, 192.168.1.228, 192.168.1.229, 192.168.1.230,
              192.168.1.231, 192.168.1.232, 192.168.1.233, 192.168.1.234, 192.168.1.235, 192.168.1.236,
              192.168.1.237, 192.168.1.238, 192.168.1.239, 192.168.1.240, 192.168.1.241, 192.168.1.242,
              192.168.1.243, 192.168.1.244, 192.168.1.245, 192.168.1.246, 192.168.1.247, 192.168.1.248,
              192.168.1.249, 192.169.1.250 }"

wireless = 192.168.1.130
pop = 192.168.1.126
chickencoop = 192.168.1.26
kevinnet = " {192.168.100/24} "
marinanet = "192.168.1.0/24"

marina = 192.168.1.29
laura = 192.168.1.22
erica = 192.168.1.15

# HP5E8B67 printer
printer = 192.168.1.56


pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)

pass on tun0 from any to any keep state (if-bound)
pass out on tun0 from any to any keep state (if-bound)
pass out on tun0 from any to any keep state
# allow all traffic in the VPN network
pass quick on $vpn_if from $vpn_net
# allow all traffic out to the VPN network
pass quick on $vpn_if to $vpn_net

block in on $internal

pass in on $internal from { 192.168.1.129 }
pass in quick on $internal from { 192.168.1.32, 192.168.1.29,
192.168.1.126, 192.168.1.129, 192.168.1.22, 192.168.1.15, 192.168.1.51,
192.168.1.1 }

# Kevin
pass in  quick on $internal from 10.0.0.103/32 to any
pass out quick on $internal from any to 10.0.0.103/32

pass in  quick on $external from any to 10.0.0.103/32
pass out quick on $external from 10.0.0.103/32 to any

pass in  quick on $internal from 192.168.1.127 to any
pass out quick on $internal from any to 192.168.1.127

######### P@P #######
#pass in on $internal from $pop
#pass out quick on $internal from any to $pop queue inbound_a
#pass out quick on $external from $pop to any queue outbound_a
block in quick on $internal proto { tcp, udp } from $pop to any port {6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889}
block in quick on $internal proto { tcp, udp } from $pop to any port 60000:65535


######## Marina ###########
pass in quick on $internal proto tcp from $marina to any port 22

#pass in quick on $internal from $marina to any
#pass out quick on $internal from any to $marina set queue inbound_a

#pass in quick on $external from any to $marina
#pass out quick on $external from $marina to any set queue outbound_a


###################
## Steam Clients ##
###################
# Start removing bits from steamclients, obviously the chickencoop does not need this #
steamclients = "{ 192.168.1.0/24, 192.168.100.0/24 }"

table <steamblocks> const  { 45.121.184.0/23, 45.121.186.0/23,
103.10.124.0/24, 103.10.125.0/24, 103.28.54.0/23, 143.137.146.0/24,
146.66.152.0/23, 146.66.154.0/24, 146.66.155.0/24, 146.66.156.0/23,
146.66.158.0/23, 153.254.86.0/24, 155.133.233.0/24, 155.133.234.0/24,
155.133.239.0/24, 155.133.240.0/23, 155.133.242.0/23, 155.133.244.0/24,
155.133.245.0/24, 155.133.246.0/23, 155.133.248.0/24, 155.133.249.0/24,
155.133.252.0/24, 155.133.253.0/24, 162.254.192.0/24, 162.254.193.0/24,
162.254.194.0/23, 162.254.196.0/24, 162.254.197.0/24, 162.254.198.0/24,
162.254.199.0/24, 185.25.180.0/23, 185.25.182.0/24, 185.25.183.0/24,
190.217.33.0/24, 192.69.96.0/22, 205.185.194.0/24, 205.196.6.0/24,
208.64.200.0/24, 208.64.201.0/24, 208.64.202.0/24, 208.64.203.0/24,
208.78.164.0/22, 2001:df0:22f::/48, 2001:df0:26c::/48,
2001:df5:d400::/48, 2001:df5:d401::/48, 2620:f9::/48, 2620:f9:1::/48,
2620:f9:2::/48, 2620:f9:4::/48, 2620:f9:5::/48, 2620:f9:6::/48,
2620:f9:7::/48, 2620:f9:8::/48, 2a01:bc80::/48, 2a01:bc80:1::/48,
2a01:bc80:2::/48, 2a01:bc80:3::/48, 2a01:bc80:4::/48, 2a01:bc80:5::/48,
2a01:bc80:6::/48, 2a01:bc80:7::/48, 2a01:bc80:8::/48 }

steamtcpports = " { 80, 443, 27015, 27016, 27017, 27018, 27019, 27020,
27021, 27022, 27023, 27024, 27025, 27026, 27027, 27028, 27029, 27030,
27036, 27037 } "

steamudpports = " { 27000, 27001, 27002, 27003, 27004, 27004, 27005,
27006, 27007, 27008, 27009, 27010, 27011, 27012, 27013, 27014, 27015,
27016, 27017, 27018, 27019, 27020, 27021, 27022, 27023, 27024, 27025,
27026, 27027, 27028, 27029, 27030, 27031, 27032, 27033, 27034, 27035,
27036, 4380, 3478, 4379, 4380 } "

pass in quick on $internal proto tcp from $steamclients to <steamblocks> port $steamtcpports
pass in quick on $internal proto udp from $steamclients to <steamblocks> port $steamudpports


###########
# printer #
###########
block in quick on $internal from $printer


######################
# untrusted wireless #
######################
block in on $internal from $wireless
pass in on $internal proto { tcp, udp } from $wireless to { 192.168.1.1,
8.8.8.8, 208.67.222.222 } port 53
pass in on $internal proto tcp from $wireless to any port { 443, 80, 9001 }
block in on $internal proto { tcp, udp } from $wireless to 192.168.0.0/16

######################
#     DHCP Pool      #
######################
block in on $internal from $dhcppool
pass in quick on $internal proto { tcp, udp } from $dhcppool to {
192.168.1.1, 8.8.8.8, 208.67.222.222 } port 53
pass in on $internal proto tcp from $dhcppool to any port { 443, 80, 9001 }
# cable modem
block in quick on $internal proto tcp from $dhcppool to 192.168.100.1

## Chicken Coop ###
block in on $internal from $chickencoop
pass in quick on $internal proto tcp from $chickencoop to any port 21
pass in quick on $internal proto { tcp, udp } from $chickencoop to any port 123
pass in quick on $internal proto { tcp, udp } from $chickencoop to any port 53

#
---------------------------------

I am connecting successfully to the npppd server with a DD-WRT router.
When I connect to the router, a traceroute to the outside, say 8.8.8.8,
ends at the OpenBSD router.


-----------------
#  more /etc/host

hostname.em0   hostname.em1   hostname.em2   hostname.em3   hosts
------------------

When I do a tcpdump I see hosts trying to get out but nothing going back in.

13:54:36.965879 10.0.0.103.21953 > 208.67.222.222.53: 28396+ A? secure.informaction.com. (41) (DF)
13:54:36.965910 10.0.0.103.21953 > 8.8.8.8.53: 28396+ A? secure.informaction.com. (41) (DF)
13:54:36.966261 10.0.0.103.30174 > 208.67.222.222.53: 62104+ AAAA? secure.informaction.com. (41) (DF)
13:54:36.966289 10.0.0.103.30174 > 8.8.8.8.53: 62104+ AAAA? secure.informaction.com. (41) (DF)
13:54:37.121965 10.0.0.103 > 8.8.8.8: icmp: echo request (DF)


Thanks in advance for any help
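Editor's note on the posted configuration, added here and not part of the original message: the only NAT rule in the posted pf.conf is `pass out on em0 inet from em1:network to any nat-to (em0)`, which translates sources in em1's subnet (192.168.1.0/24) and nothing else. The npppd clients are assigned addresses from 10.0.0.0/24 and are reached via tun0 (the `10.0.0.103 ... tun0` route above), so their packets leave em0 with an untranslated private source address and no reply can be routed back, which is consistent with the tcpdump showing requests but no replies. In addition, the `vpn_if` macro names `pppx` while npppd.conf binds all three tunnels to `tun0`, so the `$vpn_if` rules never match anything. The fragment below is an added example, not the poster's pf.conf; the interface names and the 10.0.0.0/24 pool are taken from the post, the macro names are assumed.

```pf
# Added example (not the poster's pf.conf). Interface names and the
# 10.0.0.0/24 pool come from the post; the macro names are assumptions.
ext_if  = "em0"
int_if  = "em1"
vpn_if  = "tun0"          # npppd.conf binds L2TP/PPTP/PPPoE to tun0, not pppx
vpn_net = "10.0.0.0/24"   # the npppd ipcp pool-address range

set skip on lo
block return
pass

# As posted: only em1's subnet is translated, so 10.0.0.x sources leave
# em0 unchanged and the upstream has no route back to them.
#pass out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Translate the LAN and the VPN pool alike. ($ext_if) in parentheses is
# re-read at run time, so a new cable-modem lease needs no ruleset reload.
match out on $ext_if inet from { $int_if:network, $vpn_net } to any nat-to ($ext_if)

# Traffic arriving from the tunnel interface (state is kept by default).
pass in quick on $vpn_if inet from $vpn_net
pass out quick on $ext_if
```

To confirm the change: `pfctl -nf /etc/pf.conf` checks the syntax, `pfctl -f /etc/pf.conf` loads it, and `pfctl -sr` should then list the `nat-to` rule. While the client pings 8.8.8.8, `tcpdump -ni em0 host 8.8.8.8` should show the echo request leaving with em0's address as the source rather than 10.0.0.103, and `pfctl -ss | grep 10.0.0.103` should show the translated state.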

