FreeBSD, NetBSD, OpenBSD, DragonFly, etc.
Marduk » 19.01.2008 17:54
Hello,
I need to hand out private ("grey") IP addresses to VPN clients from a pool and perform NAT. poptop is installed on FreeBSD 6.2, with the following configs:
/etc/ppp/ppp.conf:
Code:
pptp:
set timeout 0
set log command phase chat connect lcp ipcp
set dial
set login
enable mssfixup
set ifaddr 66.X.Y.Z 10.0.0.2-10.0.0.254 255.255.255.0
set server /tmp/loop "" 0177
enable chap
enable mschapv2
disable pap
enable proxy
nat enable yes
nat log yes
#nat same_ports yes
#nat unregistered_only yes
accept dns
set dns 192.168.0.1 192.168.0.2
set nbns 192.168.0.1
set device !/etc/ppp/secure
/usr/local/etc/pptpd.conf:
Code:
option pptp
noipparam
localip 66.X.Y.Z
remoteip 10.0.0.2-254
pidfile /var/run/pptpd.pid
nobsdcomp
proxyarp
+chapms-v2
mppe-40
mppe-128
mppe-stateless
Result: the Windows VPN client connects to the server without any problems, but NAT does not work; tcpdump shows packets leaving for the outside world with the "grey" addresses. What could the problem be?
Cross-posted on bsdportal.ru.
Marduk » 19.01.2008 20:22
Log:
Code:
Jan 19 10:20:29 spare ppp[9630]: Phase: Using interface: tun0
Jan 19 10:20:29 spare ppp[9630]: Phase: deflink: Created in closed state
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: set dial
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: set login
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: enable mssfixup
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: set ifaddr 66.X.Y.Z 10.0.0.2-10.0.0.254 255.255.255.0
Jan 19 10:20:29 spare ppp[9630]: IPCP: Selected IP address 10.0.0.22
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: set server /tmp/loop ******** 0177
Jan 19 10:20:29 spare ppp[9630]: Phase: Listening at local socket /tmp/loop.
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: enable chap
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: enable mschapv2
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: disable pap
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: enable proxy
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: nat enable yes
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: nat log yes
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: accept dns
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: set dns 192.168.0.1 192.168.0.2
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: set nbns 192.168.0.1
Jan 19 10:20:29 spare ppp[9630]: Command: pptp: set device !/etc/ppp/secure
Jan 19 10:20:29 spare ppp[9630]: Phase: PPP Started (direct mode).
Jan 19 10:20:29 spare ppp[9630]: Phase: bundle: Establish
Jan 19 10:20:29 spare ppp[9630]: Phase: deflink: closed -> opening
Jan 19 10:20:29 spare ppp[9630]: Phase: deflink: Connected!
Jan 19 10:20:29 spare ppp[9630]: Phase: deflink: opening -> carrier
Jan 19 10:20:29 spare ppp[9630]: Phase: deflink: carrier -> lcp
Jan 19 10:20:29 spare ppp[9630]: LCP: FSM: Using "deflink" as a transport
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: State change Initial --> Closed
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: State change Closed --> Stopped
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: RecvConfigReq(0) state = Stopped
Jan 19 10:20:29 spare ppp[9630]: LCP: MRU[4] 1400
Jan 19 10:20:29 spare ppp[9630]: LCP: MAGICNUM[6] 0x65f71212
Jan 19 10:20:29 spare ppp[9630]: LCP: PROTOCOMP[2]
Jan 19 10:20:29 spare ppp[9630]: LCP: ACFCOMP[2]
Jan 19 10:20:29 spare ppp[9630]: LCP: CALLBACK[3] CBCP
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: SendConfigReq(1) state = Stopped
Jan 19 10:20:29 spare ppp[9630]: LCP: ACFCOMP[2]
Jan 19 10:20:29 spare ppp[9630]: LCP: PROTOCOMP[2]
Jan 19 10:20:29 spare ppp[9630]: LCP: ACCMAP[6] 0x00000000
Jan 19 10:20:29 spare ppp[9630]: LCP: MRU[4] 1500
Jan 19 10:20:29 spare ppp[9630]: LCP: MAGICNUM[6] 0x3618edf0
Jan 19 10:20:29 spare ppp[9630]: LCP: AUTHPROTO[5] 0xc223 (CHAP 0x05)
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: SendConfigRej(0) state = Stopped
Jan 19 10:20:29 spare ppp[9630]: LCP: CALLBACK[3] CBCP
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: LayerStart
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: State change Stopped --> Req-Sent
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: RecvConfigAck(1) state = Req-Sent
Jan 19 10:20:29 spare ppp[9630]: LCP: ACFCOMP[2]
Jan 19 10:20:29 spare ppp[9630]: LCP: PROTOCOMP[2]
Jan 19 10:20:29 spare ppp[9630]: LCP: ACCMAP[6] 0x00000000
Jan 19 10:20:29 spare ppp[9630]: LCP: MRU[4] 1500
Jan 19 10:20:29 spare ppp[9630]: LCP: MAGICNUM[6] 0x3618edf0
Jan 19 10:20:29 spare ppp[9630]: LCP: AUTHPROTO[5] 0xc223 (CHAP 0x05)
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: State change Req-Sent --> Ack-Rcvd
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: RecvConfigReq(1) state = Ack-Rcvd
Jan 19 10:20:29 spare ppp[9630]: LCP: MRU[4] 1400
Jan 19 10:20:29 spare ppp[9630]: LCP: MAGICNUM[6] 0x65f71212
Jan 19 10:20:29 spare ppp[9630]: LCP: PROTOCOMP[2]
Jan 19 10:20:29 spare ppp[9630]: LCP: ACFCOMP[2]
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: SendConfigAck(1) state = Ack-Rcvd
Jan 19 10:20:29 spare ppp[9630]: LCP: MRU[4] 1400
Jan 19 10:20:29 spare ppp[9630]: LCP: MAGICNUM[6] 0x65f71212
Jan 19 10:20:29 spare ppp[9630]: LCP: PROTOCOMP[2]
Jan 19 10:20:29 spare ppp[9630]: LCP: ACFCOMP[2]
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: State change Ack-Rcvd --> Opened
Jan 19 10:20:29 spare ppp[9630]: LCP: deflink: LayerUp
Jan 19 10:20:29 spare ppp[9630]: Phase: bundle: Authenticate
Jan 19 10:20:29 spare ppp[9630]: Phase: deflink: his = none, mine = CHAP 0x05
Jan 19 10:20:29 spare ppp[9630]: Phase: Chap Output: CHALLENGE
Jan 19 10:20:30 spare ppp[9630]: LCP: deflink: RecvIdent(2) state = Opened
Jan 19 10:20:30 spare ppp[9630]: LCP: MAGICNUM 65f71212
Jan 19 10:20:30 spare ppp[9630]: LCP: TEXT MSRA
Jan 19 10:20:30 spare ppp[9630]: LCP: deflink: RecvIdent(3) state = Opened
Jan 19 10:20:30 spare ppp[9630]: LCP: MAGICNUM 65f71212
Jan 19 10:20:30 spare ppp[9630]: LCP: TEXT MSRAS-
Jan 19 10:20:33 spare ppp[9630]: Phase: Chap Output: CHALLENGE
Jan 19 10:20:33 spare ppp[9630]: Phase: Chap Input: RESPONSE (16 bytes from andrew)
Jan 19 10:20:33 spare ppp[9630]: Phase: Chap Output: SUCCESS
Jan 19 10:20:33 spare ppp[9630]: Phase: deflink: lcp -> open
Jan 19 10:20:33 spare ppp[9630]: Phase: bundle: Network
Jan 19 10:20:33 spare ppp[9630]: IPCP: FSM: Using "deflink" as a transport
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: State change Initial --> Closed
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: LayerStart.
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: SendConfigReq(1) state = Closed
Jan 19 10:20:33 spare ppp[9630]: IPCP: IPADDR[6] 66.X.Y.Z
Jan 19 10:20:33 spare ppp[9630]: IPCP: COMPPROTO[6] 16 VJ slots with slot compression
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: State change Closed --> Req-Sent
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: RecvConfigReq(5) state = Req-Sent
Jan 19 10:20:33 spare ppp[9630]: IPCP: IPADDR[6] 0.0.0.0
Jan 19 10:20:33 spare ppp[9630]: IPCP: 0.0.0.0: Address invalid or already in use
Jan 19 10:20:33 spare ppp[9630]: IPCP: PRIDNS[6] 0.0.0.0
Jan 19 10:20:33 spare ppp[9630]: IPCP: PRINBNS[6] 0.0.0.0
Jan 19 10:20:33 spare ppp[9630]: IPCP: SECDNS[6] 0.0.0.0
Jan 19 10:20:33 spare ppp[9630]: IPCP: SECNBNS[6] 0.0.0.0
Jan 19 10:20:33 spare ppp[9630]: IPCP: NBNS REQ - rejected - nbns not set
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: SendConfigRej(5) state = Req-Sent
Jan 19 10:20:33 spare ppp[9630]: IPCP: SECNBNS[6] 0.0.0.0
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: RecvConfigRej(1) state = Req-Sent
Jan 19 10:20:33 spare ppp[9630]: IPCP: COMPPROTO[6] 16 VJ slots with slot compression
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: SendConfigReq(2) state = Req-Sent
Jan 19 10:20:33 spare ppp[9630]: IPCP: IPADDR[6] 66.X.Y.Z
Jan 19 10:20:33 spare ppp[9630]: LCP: deflink: RecvProtocolRej(6) state = Opened
Jan 19 10:20:33 spare ppp[9630]: LCP: deflink: -- Protocol 0x8057 (Internet Protocol V6 Control Protocol) was rejected!
Jan 19 10:20:33 spare ppp[9630]: Phase: deflink: IPV6CP protocol reject closes IPV6CP !
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: RecvConfigReq(8) state = Req-Sent
Jan 19 10:20:33 spare ppp[9630]: IPCP: IPADDR[6] 0.0.0.0
Jan 19 10:20:33 spare ppp[9630]: IPCP: 0.0.0.0: Address invalid or already in use
Jan 19 10:20:33 spare ppp[9630]: IPCP: PRIDNS[6] 0.0.0.0
Jan 19 10:20:33 spare ppp[9630]: IPCP: PRINBNS[6] 0.0.0.0
Jan 19 10:20:33 spare ppp[9630]: IPCP: SECDNS[6] 0.0.0.0
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: SendConfigNak(8) state = Req-Sent
Jan 19 10:20:33 spare ppp[9630]: IPCP: IPADDR[6] 10.0.0.22
Jan 19 10:20:33 spare ppp[9630]: IPCP: PRIDNS[6] 192.168.0.1
Jan 19 10:20:33 spare ppp[9630]: IPCP: PRINBNS[6] 192.168.0.1
Jan 19 10:20:33 spare ppp[9630]: IPCP: SECDNS[6] 192.168.0.2
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: RecvConfigAck(2) state = Req-Sent
Jan 19 10:20:33 spare ppp[9630]: IPCP: IPADDR[6] 66.X.Y.Z
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: State change Req-Sent --> Ack-Rcvd
Jan 19 10:20:33 spare ppp[9630]: LCP: deflink: RecvProtocolRej(9) state = Opened
Jan 19 10:20:33 spare ppp[9630]: LCP: deflink: -- Protocol 0x8057 (Internet Protocol V6 Control Protocol) was rejected!
Jan 19 10:20:33 spare ppp[9630]: Phase: deflink: IPV6CP protocol reject closes IPV6CP !
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: RecvConfigReq(10) state = Ack-Rcvd
Jan 19 10:20:33 spare ppp[9630]: IPCP: IPADDR[6] 10.0.0.22
Jan 19 10:20:33 spare ppp[9630]: IPCP: PRIDNS[6] 192.168.0.1
Jan 19 10:20:33 spare ppp[9630]: IPCP: PRINBNS[6] 192.168.0.1
Jan 19 10:20:33 spare ppp[9630]: IPCP: SECDNS[6] 192.168.0.2
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: SendConfigAck(10) state = Ack-Rcvd
Jan 19 10:20:33 spare ppp[9630]: IPCP: IPADDR[6] 10.0.0.22
Jan 19 10:20:33 spare ppp[9630]: IPCP: PRIDNS[6] 192.168.0.1
Jan 19 10:20:33 spare ppp[9630]: IPCP: PRINBNS[6] 192.168.0.1
Jan 19 10:20:33 spare ppp[9630]: IPCP: SECDNS[6] 192.168.0.2
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: State change Ack-Rcvd --> Opened
Jan 19 10:20:33 spare ppp[9630]: IPCP: deflink: LayerUp.
Jan 19 10:20:33 spare ppp[9630]: IPCP: myaddr 66.X.Y.Z hisaddr = 10.0.0.22
unax » 20.01.2008 20:48
Is the firewall not enabled at all?
Marduk » 20.01.2008 20:53
unax wrote: 20.01.2008 20:48
Is the firewall not enabled at all?
It's not enabled, since the Handbook says that user-level PPP can do NAT by itself:
http://www.freebsd.org/doc/ru_RU.KOI8-R/bo...ok/userppp.html
PPP is able to use its built-in NAT without translating packets in the kernel. This feature can be enabled with the following line in /etc/ppp/ppp.conf:
nat enable yes
Anyway, I've had a few ideas; I'll check them and report back...
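The built-in NAT of ppp(8) translates traffic that ppp itself sends out over the PPP link, so packets from a client on tun0 that the kernel forwards out a separate Ethernet interface leave untranslated, which matches the tcpdump symptom in the first post. The following script, added here and not code from the thread, checks a capture taken on the server's external interface (`tcpdump -n` format) and reports packets whose source is still an RFC 1918 "grey" address; the capture lines and the public address 198.51.100.7 (standing in for 66.X.Y.Z) are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed tcpdump -n output as captured on the VPN server's external
# (non-tun) interface. 198.51.100.7 stands in for the server's public address
# 66.X.Y.Z (an assumption); 203.0.113.x are remote hosts. Two packets still
# carry the client's pool address 10.0.0.22 as source: that is the leak.
SAMPLE_TCPDUMP = """\
10:21:02.114371 IP 10.0.0.22.49231 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
10:21:02.201940 IP 198.51.100.7.51112 > 203.0.113.5.80: Flags [S], seq 2, win 65535, length 0
10:21:03.004821 IP 10.0.0.22 > 203.0.113.9: ICMP echo request, id 1, seq 1, length 64
10:21:03.117260 IP 198.51.100.7.54021 > 203.0.113.2.53: 1234+ A? example.com. (29)
10:21:04.558012 IP 203.0.113.5.80 > 198.51.100.7.51112: Flags [S.], seq 3, ack 3, length 0
"""

# RFC 1918 ranges ("grey" addresses), checked explicitly instead of
# ipaddress.is_private, which would also flag the documentation prefixes above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump prints "IP <src> > <dst>:"; for TCP/UDP the port follows the last
# dot of the address, for ICMP there is no port. IPv6 ("IP6") lines are skipped.
_LINE_RE = re.compile(r"\bIP (\S+) > (\S+?):")


def split_host_port(token):
    """Split a tcpdump 'a.b.c.d.port' token into (ip, port); port is None when absent."""
    head, _, tail = token.rpartition(".")
    if tail.isdigit() and head.count(".") == 3:
        return head, int(tail)
    return token, None


def find_rfc1918_sources(capture_text):
    """Return {source_ip: packet_count} for packets that left the external
    interface with an untranslated RFC 1918 source address."""
    leaks = Counter()
    for line in capture_text.splitlines():
        m = _LINE_RE.search(line)
        if not m:
            continue
        src_ip, _port = split_host_port(m.group(1))
        try:
            addr = ipaddress.ip_address(src_ip)
        except ValueError:  # unresolved names or malformed tokens are ignored
            continue
        if any(addr in net for net in RFC1918):
            leaks[str(addr)] += 1
    return dict(leaks)
```

Running `find_rfc1918_sources(SAMPLE_TCPDUMP)` on the constructed capture reports 10.0.0.22 twice; an empty result on a real capture means every forwarded client packet was translated.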