Hi All: I have been trying to create an npppd connection across my property - about 100M - for one of my friends who lives here. He wants less security than I like behind my firewall. I have not been able to get OpenBSD to route his connection out of the network. Here are my settings.
----
# uname -a
OpenBSD bernie.mesh.local 6.0 GENERIC.MP#2319 amd64
-------------
# $OpenBSD: npppd.conf,v 1.2 2014/03/22 04:32:39 yasuoka Exp $
# sample npppd configuration file.  see npppd.conf(5)

tunnel L2TP protocol l2tp
tunnel PPTP protocol pptp
tunnel PPPOE protocol pppoe {
	listen on interface em1
}

ipcp IPCP {
	pool-address 10.0.0.2-10.0.0.254
	dns-servers 208.67.222.222 8.8.8.8
}

interface tun0 address 10.0.0.1 ipcp IPCP

authentication LOCAL type local {
	users-file "/etc/npppd/npppd-users"
}

bind tunnel from L2TP authenticated by LOCAL to tun0
bind tunnel from PPTP authenticated by LOCAL to tun0
bind tunnel from PPPOE authenticated by LOCAL to tun0
---------------
-------------------
# more /etc/npppd/npppd
npppd-users   npppd.conf    npppd.conf.OLD

# more /etc/npppd/npppd-users
# $OpenBSD: npppd-users,v 1.1 2012/09/20 12:51:43 yasuoka Exp $
# sample npppd-users file.  see npppd-users(5)
#taro:\
#	:password=taro's password:\
#	:framed-ip-address=10.0.0.101:
#hana:\
#	:password=hana's password:\
#	:framed-ip-address=10.0.0.102:
kevin:\
	:password=XXXXXX:\
	:framed-ip-address=10.0.0.103:
laura:\
	:password=testvpn:\
	:framed-ip-address=10.0.0.104:
#
-------------------
# npppctl session all
Ppp Id = 33
	Ppp Id                  : 33
	Username                : kevin
	Realm Name              : LOCAL
	Concentrated Interface  : tun0
	Assigned IPv4 Address   : 10.0.0.103
	Tunnel Protocol         : PPPoE
	Tunnel From             : 74:44:01:7a:13:e7
	Start Time              : 2016/11/03 12:53:59
	Elapsed Time            : 3149 sec (52 minutes)
	Input Bytes             : 69314 (67.7 KB)
	Input Packets           : 1986
	Input Errors            : 1056 (34.7%)
	Output Bytes            : 13021 (12.7 KB)
	Output Packets          : 1100
	Output Errors           : 0 (0.0%)
#
--------------
# route show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            c-73-114-67-1.hsd1 UGS      432 27284883     -     8 em0
BASE-ADDRESS.MCAST localhost          URS        0      205 32768     8 lo0
10.0.0.128/26      localhost          UGB        0        0 32768    56 lo0
10.0.0.64/26       localhost          UGB        0        0 32768    56 lo0
10.0.0.192/27      localhost          UGB        0        0 32768    56 lo0
10.0.0.32/27       localhost          UGB        0       14 32768    56 lo0
10.0.0.8/29        localhost          UGB        0        1 32768    56 lo0
10.0.0.4/30        localhost          UGB        0       20 32768    56 lo0
10.0.0.2/31        localhost          UGB        0        0 32768    56 lo0
10.0.0.1           tun0               UHl        1       45     -     1 tun0
10.0.0.1/32        10.0.0.1           UC         0        0     -     4 tun0
10.0.0.1           localhost          UGH        0        0 32768    56 lo0
10.0.0.16/28       localhost          UGB        0        0 32768    56 lo0
10.0.0.103         10.0.0.1           UGH        0       55  1492    56 tun0
10.0.0.224/28      localhost          UGB        0        0 32768    56 lo0
10.0.0.240/29      localhost          UGB        0        0 32768    56 lo0
10.0.0.248/30      localhost          UGB        0        0 32768    56 lo0
10.0.0.252/31      localhost          UGB        0        0 32768    56 lo0
10.0.0.254/32      localhost          UGB        0        0 32768    56 lo0
73.114.67/24       c-73-114-67-57.hsd UC         1        0     -     4 em0
c-73-114-67-1.hsd1 00:5f:86:93:c4:22  UHLc       1      225     -     4 em0
c-73-114-67-57.hsd 00:00:24:d2:16:e0  UHLl       0   396542     -     1 em0
73.114.67.255      c-73-114-67-57.hsd UHb        0        0     -     1 em0
loopback           localhost          UGRS       0        0 32768     8 lo0
localhost          localhost          UHl       15       15 32768     1 lo0
192.168.1/24       apache             UC         6      749     -     4 em1
apache             00:00:24:d2:16:e1  UHLl       0   137387     -     1 em1
192.168.1.15       40:8d:5c:18:94:22  UHLc       0  2505472     -     4 em1
192.168.1.22       40:8d:5c:83:01:16  UHLc       1  4272213     -     4 em1
192.168.1.29       d0:50:99:7c:c7:95  UHLc       3  4213308     -     4 em1
192.168.1.51       90:6e:bb:03:3e:ff  UHLc       0   466079     -     4 em1
192.168.1.56       10:1f:74:5e:8b:67  UHLc       0     1173     -     4 em1
192.168.1.126      4c:cc:6a:09:fd:14  UHLc       0  4434626     -     4 em1
192.168.1.255      apache             UHb        0     6472     -     1 em1
192.168.2/24       192.168.2.1        C          0        0     -     4 em2
192.168.2.1        00:00:24:d2:16:e2  UHLl       0        0     -     1 em2
192.168.2.255      192.168.2.1        Hb         0        0     -     1 em2
192.168.3/24       192.168.3.1        C          0        0     -     4 em3
192.168.3.1        00:00:24:d2:16:e3  UHLl       0        0     -     1 em3
192.168.3.255      192.168.3.1        Hb         0        0     -     1 em3

Internet6:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
::/96              localhost          UGRS       0        0 32768     8 lo0
::/104             localhost          UGRS       0        0 32768     8 lo0
localhost          localhost          UHl       14       14 32768     1 lo0
::127.0.0.0/104    localhost          UGRS       0        0 32768     8 lo0
::224.0.0.0/100    localhost          UGRS       0        0 32768     8 lo0
::255.0.0.0/104    localhost          UGRS       0        0 32768     8 lo0
::ffff:0.0.0.0/96  localhost          UGRS       0        0 32768     8 lo0
2002::/24          localhost          UGRS       0        0 32768     8 lo0
2002:7f00::/24     localhost          UGRS       0        0 32768     8 lo0
2002:e000::/20     localhost          UGRS       0        0 32768     8 lo0
2002:ff00::/24     localhost          UGRS       0        0 32768     8 lo0
fe80::/10          localhost          UGRS       0        0 32768     8 lo0
fec0::/10          localhost          UGRS       0        0 32768     8 lo0
fe80::1%lo0        fe80::1%lo0        UHl        0        0 32768     1 lo0
ff01::/16          localhost          UGRS       0        0 32768     8 lo0
ff01::%lo0/32      localhost          Um         0        1 32768     4 lo0
ff02::/16          localhost          UGRS       0        0 32768     8 lo0
ff02::%lo0/32      localhost          Um         0        1 32768     4 lo0
#
----------------
-------------------------------------
#	$OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# NAT Rule to translate from internal to External NET
pass out on em0 inet from em1:network to any nat-to (em0)

internal = em1
external = em0
vpn_if = "pppx"
vpn_net = "10.0.0.0/24"

#queue std on $internal bandwidth 1000M
#queue inbound parent std bandwidth 800M default
#queue inbound_a parent std bandwidth 8000K
queue std on $internal bandwidth 1000M
queue inbound_a parent std bandwidth 8M
queue inbound_b parent std bandwidth 10M
#queue d_default parent std bandwidth 800M default

#queue std1 on $external bandwidth 1000M
#queue outbound parent std1 bandwidth 800M default
#queue outbound_a parent std1 bandwidth 8000K
queue std on $external bandwidth 1000M
queue outbound_a parent std bandwidth 8M
queue outbound_b parent std bandwidth 10M
queue d_default parent std bandwidth 800M default

dhcppool = "{ 192.168.1.225, 192.168.1.226, 192.168.1.227, 192.168.1.228, 192.168.1.229, 192.168.1.230, 192.168.1.231, 192.168.1.232, 192.168.1.233, 192.168.1.234, 192.168.1.235, 192.168.1.236, 192.168.1.237, 192.168.1.238, 192.168.1.239, 192.168.1.240, 192.168.1.241, 192.168.1.242, 192.168.1.243, 192.168.1.244, 192.168.1.245, 192.168.1.246, 192.168.1.247, 192.168.1.248, 192.168.1.249, 192.169.1.250 }"
wireless = 192.168.1.130
pop = 192.168.1.126
chickencoop = 192.168.1.26
kevinnet = " {192.168.100/24} "
marinanet = "192.168.1.0/24"
marina = 192.168.1.29
laura = 192.168.1.22
erica = 192.168.1.15
# HP5E8B67 printer
printer = 192.168.1.56

pass quick proto { esp, ah } from any to any
pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep state
pass on enc0 from any to any keep state (if-bound)
pass on tun0 from any to any keep state (if-bound)
pass out on tun0 from any to any keep state (if-bound)
pass out on tun0 from any to any keep state

# allow all traffic in the VPN network
pass quick on $vpn_if from $vpn_net
# allow all traffic out to the VPN network
pass quick on $vpn_if to $vpn_net

block in on $internal
pass in on $internal from { 192.168.1.129 }
pass in quick on $internal from { 192.168.1.32, 192.168.1.29, 192.168.1.126, 192.168.1.129, 192.168.1.22, 192.168.1.15, 192.168.1.51, 192.168.1.1 }

# Kevin
pass in quick on $internal from 10.0.0.103/32 to any
pass out quick on $internal from any to 10.0.0.103/32
pass in quick on $external from any to 10.0.0.103/32
pass out quick on $external from 10.0.0.103/32 to any
pass in quick on $internal from 192.168.1.127 to any
pass out quick on $internal from any to 192.168.1.127

######### P@P #######
#pass in on $internal from $pop
#pass out quick on $internal from any to $pop queue inbound_a
#pass out quick on $external from $pop to any queue outbound_a
block in quick on $internal proto { tcp, udp } from $pop to any port {6881, 6882, 6883, 6884, 6885, 6886, 6887, 6888, 6889}
block in quick on $internal proto { tcp, udp } from $pop to any port 60000:65535

######## Marina ###########
pass in quick on $internal proto tcp from $marina to any port 22
#pass in quick on $internal from $marina to any
#pass out quick on $internal from any to $marina set queue inbound_a
#pass in quick on $external from any to $marina
#pass out quick on $external from $marina to any set queue outbound_a

###################
## Steam Clients ##
###################
# Start removing bits from steamclients; obviously the chickencoop does not need this
# steamclients = "{ 192.168.1.0/24, 192.168.100.0/24 }"
table <steamblocks> const { 45.121.184.0/23, 45.121.186.0/23, 103.10.124.0/24, 103.10.125.0/24,
	103.28.54.0/23, 143.137.146.0/24, 146.66.152.0/23, 146.66.154.0/24, 146.66.155.0/24,
	146.66.156.0/23, 146.66.158.0/23, 153.254.86.0/24, 155.133.233.0/24, 155.133.234.0/24,
	155.133.239.0/24, 155.133.240.0/23, 155.133.242.0/23, 155.133.244.0/24, 155.133.245.0/24,
	155.133.246.0/23, 155.133.248.0/24, 155.133.249.0/24, 155.133.252.0/24, 155.133.253.0/24,
	162.254.192.0/24, 162.254.193.0/24, 162.254.194.0/23, 162.254.196.0/24, 162.254.197.0/24,
	162.254.198.0/24, 162.254.199.0/24, 185.25.180.0/23, 185.25.182.0/24, 185.25.183.0/24,
	190.217.33.0/24, 192.69.96.0/22, 205.185.194.0/24, 205.196.6.0/24, 208.64.200.0/24,
	208.64.201.0/24, 208.64.202.0/24, 208.64.203.0/24, 208.78.164.0/22,
	2001:df0:22f::/48, 2001:df0:26c::/48, 2001:df5:d400::/48, 2001:df5:d401::/48,
	2620:f9::/48, 2620:f9:1::/48, 2620:f9:2::/48, 2620:f9:4::/48, 2620:f9:5::/48,
	2620:f9:6::/48, 2620:f9:7::/48, 2620:f9:8::/48,
	2a01:bc80::/48, 2a01:bc80:1::/48, 2a01:bc80:2::/48, 2a01:bc80:3::/48, 2a01:bc80:4::/48,
	2a01:bc80:5::/48, 2a01:bc80:6::/48, 2a01:bc80:7::/48, 2a01:bc80:8::/48 }
steamtcpports = " { 80, 443, 27015, 27016, 27017, 27018, 27019, 27020, 27021, 27022, 27023, 27024, 27025, 27026, 27027, 27028, 27029, 27030, 27036, 27037 } "
steamudpports = " { 27000, 27001, 27002, 27003, 27004, 27004, 27005, 27006, 27007, 27008, 27009, 27010, 27011, 27012, 27013, 27014, 27015, 27016, 27017, 27018, 27019, 27020, 27021, 27022, 27023, 27024, 27025, 27026, 27027, 27028, 27029, 27030, 27031, 27032, 27033, 27034, 27035, 27036, 4380, 3478, 4379, 4380 } "
pass in quick on $internal proto tcp from $steamclients to <steamblocks> port $steamtcpports
pass in quick on $internal proto udp from $steamclients to <steamblocks> port $steamudpports

###########
# printer #
###########
block in quick on $internal from $printer

######################
# untrusted wireless #
######################
block in on $internal from $wireless
pass in on $internal proto { tcp, udp } from $wireless to { 192.168.1.1, 8.8.8.8, 208.67.222.222 } port 53
pass in on $internal proto tcp from $wireless to any port { 443, 80, 9001 }
block in on $internal proto { tcp, udp } from $wireless to 192.168.0.0/16

######################
#     DHCP Pool      #
######################
block in on $internal from $dhcppool
pass in quick on $internal proto { tcp, udp } from $dhcppool to { 192.168.1.1, 8.8.8.8, 208.67.222.222 } port 53
pass in on $internal proto tcp from $dhcppool to any port { 443, 80, 9001 }
# cable modem
block in quick on $internal proto tcp from $dhcppool to 192.168.100.1

## Chicken Coop ###
block in on $internal from $chickencoop
pass in quick on $internal proto tcp from $chickencoop to any port 21
pass in quick on $internal proto { tcp, udp } from $chickencoop to any port 123
pass in quick on $internal proto { tcp, udp } from $chickencoop to any port 53
#
---------------------------------

I am connecting successfully to the npppd server with a DD-WRT router. When I connect to the router, a traceroute to the outside, say 8.8.8.8, ends at the OpenBSD router.

-----------------
# more /etc/host
hostname.em0   hostname.em1   hostname.em2   hostname.em3   hosts
------------------

When I do a tcpdump I see hosts trying to get out but nothing coming back in.

13:54:36.965879 10.0.0.103.21953 > 208.67.222.222.53: 28396+ A? secure.informaction.com. (41) (DF)
13:54:36.965910 10.0.0.103.21953 > 8.8.8.8.53: 28396+ A? secure.informaction.com. (41) (DF)
13:54:36.966261 10.0.0.103.30174 > 208.67.222.222.53: 62104+ AAAA? secure.informaction.com. (41) (DF)
13:54:36.966289 10.0.0.103.30174 > 8.8.8.8.53: 62104+ AAAA? secure.informaction.com. (41) (DF)
13:54:37.121965 10.0.0.103 > 8.8.8.8: icmp: echo request (DF)

Thanks in advance for any help
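Editor's note, not part of the original post. The tcpdump at the end of the message is the diagnosis. The only translation rule in the posted pf.conf is `pass out on em0 inet from em1:network to any nat-to (em0)`, and `em1:network` is 192.168.1.0/24, so packets from the npppd pool 10.0.0.0/24 leave em0 with their private source address untouched: the `pass out quick on $external from 10.0.0.103/32 to any` rule lets them out, and replies addressed to an RFC 1918 host never come back, which is exactly the one-way traffic in the capture. The companion `pass in quick on $external from any to 10.0.0.103/32` never sees a packet for the same reason. The return route itself is fine (`10.0.0.103 10.0.0.1 UGH ... tun0` in `route show`). Three smaller things worth checking in the posted file: `vpn_if = "pppx"` matches no interface, because npppd.conf binds the tunnels to tun0 and `npppctl session all` confirms `Concentrated Interface : tun0`, so the two `$vpn_if` rules never fire; the Steam rules reference `$steamclients` while its definition is commented out, and pfctl rejects a file that uses an undefined macro, so `pfctl -nf /etc/pf.conf` should be run to confirm that the ruleset shown is the one actually loaded; and `192.169.1.250` in `dhcppool` looks like a typo for 192.168.1.250. On the security side, the file also opens L2TP (udp/1701) and IKE to the world and npppd.conf defines a PPTP tunnel; PPTP's MS-CHAPv2 authentication is cryptographically broken, so if the friend is only ever connecting over PPPoE on em1, the L2TP and PPTP tunnel definitions and the `egress` pass rule can be dropped. The fragment below is an added example written for this page, not the poster's configuration; it reuses the interface and network names from the post and assumes nothing else about the rest of the ruleset.

```pf
# Added example: minimal pf.conf changes to route the npppd pool out em0.
# Interface and network names are taken from the original post; the rest
# of the poster's ruleset (queues, per-host rules) is assumed to stay as is.
internal = em1
external = em0
vpn_if   = tun0            # what npppd.conf binds the tunnels to, not pppx
vpn_net  = "10.0.0.0/24"   # npppd ipcp pool-address range

set skip on lo

block return
pass

# Translate both the LAN and the VPN pool on the way out.  A nat-to rule
# only rewrites packets whose source matches it; the original rule matched
# em1:network (192.168.1.0/24) alone, so 10.0.0.0/24 left em0 untranslated
# and the replies had nowhere to go.
match out on $external inet from { $internal:network, $vpn_net } nat-to ($external)

# Admit the VPN clients on the tunnel interface; the replies come back
# through the state created by the outgoing packet, no inbound rule on
# $external for 10.0.0.103 is needed (or reachable from the Internet).
pass in on $vpn_if inet from $vpn_net

# Verify after loading:
#   pfctl -nf /etc/pf.conf            parse check, must print nothing
#   pfctl -f  /etc/pf.conf
#   pfctl -ss | grep 10.0.0.103       state entries now show the em0 address
#   tcpdump -ni em0 host 8.8.8.8      outgoing source is the em0 address,
#                                     and echo replies come back
```

The `match ... nat-to` form is the idiomatic one on OpenBSD since 4.7: it sets the translation on every matching packet and leaves the pass/block decision to the later rules, so the existing per-host `pass out quick on $external` rules keep working without each needing its own `nat-to`.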