Please help me with NAT
-
The FTP helper is great precisely because both modes work with it; you need to make sure it is enabled on LAN and then tcpdump what happens on LAN and OPT1 during an FTP session. There are lots of possibilities. Usually the dump shows where the problem is.
I'm talking about the fact that PPTP doesn't try to get along with the helper...
-
Of course it doesn't - they live without getting in each other's way. I thought the question was about FTP, or did I miss something?
-
The question still stands, and it was about both pptp and ftp. :'(
-
1. VPN. If the PPTP server is not pfSense itself but some machine connected to the LAN, then on OPT1 there should be two NAT port-forwards: one for the GRE protocol and one for TCP port 1723. Correspondingly there should be two rules on OPT1.
2. FTP. You need to look with tcpdump at what is wrong on your side. Suppose that from client IP x.x.x.x you knock on OPT1 trying to reach the FTP server IP y.y.y.y on the LAN. Try the following from the console:
tcpdump -i <opt1_interface_name> -n -s0 host x.x.x.x
And at the same time in another console:
tcpdump -i <lan_interface_name> -n -s0 host x.x.x.x or host y.y.y.y
-
1. PPTP is pfSense itself.
2. I'll try. -
1. And what do the rules on OPT1 for GRE and 1723 look like?
-
1. There are no rules there at all, no NAT; on the WAN there is nothing either and PPTP works. Or do rules need to be written there?
-
1. I think so. Two rules on OPT1:
Allow protocol GRE from any IP to interface OPT1 IP
Allow protocol TCP port 1723 from any IP to interface OPT1 IP -
1. Done, opened the rules in RULES OPT1. It gets as far as the user and password check and then drops with a port-closed error; over WAN everything goes fine. Where to dig next?
-
Nowhere further to dig.
- tcpdump on OPT1 should show the problem
or - give me pfctl -sr | grep <opt1_interface_name>
-
2 EUGENE - I made the dumps, but frankly I only vaguely understand them, both from the interface where the connection goes through and from the one where it doesn't; what should I be looking for in them
where it goes through
tcpdump -i rl0 -vv | grep pptp
tcpdump: listening on rl0, link-type EN10MB (Ethernet), capture size 96 bytes
12:35:27.967724 IP (tos 0x20, ttl 101, id 625, offset 0, flags [DF], proto TCP (6), length 48) 193.201.231.34.30795 > 81.195.135.114.pptp: S, cksum 0x683f (correct), 2725853150:2725853150(0) win 16384 <mss 1300,nop,nop,sackOK>
12:35:27.967984 IP (tos 0x0, ttl 64, id 319, offset 0, flags [DF], proto TCP (6), length 48) 81.195.135.114.pptp > 193.201.231.34.30795: S, cksum 0x6b41 (correct), 536813346:536813346(0) ack 2725853151 win 65228 <mss 1300,sackOK,eol>
12:35:29.282942 IP (tos 0x20, ttl 101, id 626, offset 0, flags [DF], proto TCP (6), length 196) 193.201.231.34.30795 > 81.195.135.114.pptp: P 1:157(156) ack 1 win 16900: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp]
12:35:29.283159 IP (tos 0x0, ttl 64, id 57602, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9495 (correct), 1:1(0) ack 157 win 65535
12:35:29.284014 IP (tos 0x0, ttl 64, id 35158, offset 0, flags [DF], proto TCP (6), length 196) 81.195.135.114.pptp > 193.201.231.34.30795: P 1:157(156) ack 157 win 65535: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1:Successful channel establishment) ERR_CODE(0:None) FRAME_CAP(S) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(257) [|pptp]
12:35:30.072215 IP (tos 0x20, ttl 100, id 627, offset 0, flags [DF], proto TCP (6), length 208) 193.201.231.34.30795 > 81.195.135.114.pptp: P 157:325(168) ack 157 win 16744: pptp Length=168 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRQ CALL_ID(61247) CALL_SER_NUM(2935) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
12:35:30.072349 IP (tos 0x0, ttl 64, id 59172, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9351 (correct), 157:157(0) ack 325 win 65535
12:35:30.074248 IP (tos 0x0, ttl 64, id 57405, offset 0, flags [DF], proto TCP (6), length 72) 81.195.135.114.pptp > 193.201.231.34.30795: P, cksum 0x21da (correct), 157:189(32) ack 325 win 65535: pptp Length=32 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRP CALL_ID(12380) PEER_CALL_ID(61247) RESULT_CODE(1:Connected) ERR_CODE(0:None) CAUSE_CODE(0) CONN_SPEED(64000) RECV_WIN(16) PROC_DELAY(1) PHY_CHAN_ID(0)
12:35:30.907737 IP (tos 0x20, ttl 100, id 628, offset 0, flags [DF], proto TCP (6), length 64) 193.201.231.34.30795 > 81.195.135.114.pptp: P, cksum 0xcacc (correct), 325:349(24) ack 189 win 16712: pptp Length=24 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(12380) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
12:35:30.907876 IP (tos 0x0, ttl 64, id 60748, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9319 (correct), 189:189(0) ack 349 win 65535
12:35:32.363060 IP (tos 0x20, ttl 100, id 633, offset 0, flags [DF], proto TCP (6), length 64) 193.201.231.34.30795 > 81.195.135.114.pptp: P, cksum 0xcab4 (correct), 349:373(24) ack 189 win 16712: pptp Length=24 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(12380) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
12:35:32.363202 IP (tos 0x0, ttl 64, id 31283, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9301 (correct), 189:189(0) ack 373 win 65535
12:35:47.594406 IP (tos 0x20, ttl 100, id 711, offset 0, flags [DF], proto TCP (6), length 64) 193.201.231.34.30795 > 81.195.135.114.pptp: P, cksum 0xca9c (correct), 373:397(24) ack 189 win 16712: pptp Length=24 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(12380) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
12:35:47.594568 IP (tos 0x0, ttl 64, id 38925, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x92e9 (correct), 189:189(0) ack 397 win 65535
12:35:49.619933 IP (tos 0x0, ttl 64, id 11620, offset 0, flags [DF], proto TCP (6), length 56) 81.195.135.114.pptp > 193.201.231.34.30795: P, cksum 0x3945 (correct), 189:205(16) ack 397 win 65535: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRQ REASON(3:Stop-Local-Shutdown)
12:35:49.620062 IP (tos 0x0, ttl 64, id 15108, offset 0, flags [DF], proto TCP (6), length 188) 81.195.135.114.pptp > 193.201.231.34.30795: P 205:353(148) ack 397 win 65535: pptp Length=148 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=CDN CALL_ID(12380) RESULT_CODE(3:Admin Shutdown) ERR_CODE(0:None) CAUSE_CODE(0) [|pptp]
12:35:51.206539 IP (tos 0x0, ttl 64, id 30238, offset 0, flags [DF], proto TCP (6), length 204) 81.195.135.114.pptp > 193.201.231.34.30795: P 189:353(164) ack 397 win 65535: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRQ REASON(3:Stop-Local-Shutdown)
12:35:51.437511 IP (tos 0x20, ttl 100, id 719, offset 0, flags [DF], proto TCP (6), length 56) 193.201.231.34.30795 > 81.195.135.114.pptp: P, cksum 0xf9fb (correct), 397:413(16) ack 205 win 16696: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRP RESULT_CODE(1:OK) ERR_CODE(0:None)
12:35:51.437645 IP (tos 0x0, ttl 64, id 31245, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9235 (correct), 353:353(0) ack 413 win 65535
12:35:51.438392 IP (tos 0x0, ttl 64, id 31233, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: F, cksum 0x9234 (correct), 353:353(0) ack 413 win 65535
12:35:52.751589 IP (tos 0x20, ttl 100, id 726, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.30795 > 81.195.135.114.pptp: ., cksum 0x5191 (correct), 413:413(0) ack 353 win 16548
12:35:52.771997 IP (tos 0x20, ttl 100, id 727, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.30795 > 81.195.135.114.pptp: F, cksum 0x5190 (correct), 413:413(0) ack 353 win 16548
12:35:52.811899 IP (tos 0x20, ttl 100, id 728, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.30795 > 81.195.135.114.pptp: ., cksum 0x518f (correct), 414:414(0) ack 354 win 16548
12:35:56.429730 IP (tos 0x20, ttl 100, id 731, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.30795 > 81.195.135.114.pptp: F, cksum 0x518f (correct), 413:413(0) ack 354 win 16548
12:35:56.429855 IP (tos 0x0, ttl 64, id 15199, offset 0, flags [DF], proto TCP (6), length 40) 81.195.135.114.pptp > 193.201.231.34.30795: ., cksum 0x9234 (correct), 354:354(0) ack 414 win 65534
^C11135 packets captured
11175 packets received by filter
0 packets dropped by kernel
where it doesn't go through
tcpdump -i rl1 -vv | grep pptp
tcpdump: listening on rl1, link-type EN10MB (Ethernet), capture size 96 bytes
12:30:05.941170 IP (tos 0x20, ttl 101, id 610, offset 0, flags [DF], proto TCP (6), length 48) 193.201.231.34.50835 > 81.195.169.34.pptp: S, cksum 0x16d6 (correct), 4076914887:4076914887(0) win 16384 <mss 1300,nop,nop,sackOK>
12:30:05.941481 IP (tos 0x0, ttl 64, id 65022, offset 0, flags [DF], proto TCP (6), length 48) 81.195.169.34.pptp > 193.201.231.34.50835: S, cksum 0x51a6 (correct), 3574739520:3574739520(0) ack 4076914888 win 65228 <mss 1300,sackOK,eol>
12:30:07.660204 IP (tos 0x20, ttl 101, id 611, offset 0, flags [DF], proto TCP (6), length 196) 193.201.231.34.50835 > 81.195.169.34.pptp: P 1:157(156) ack 1 win 16900: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp]
12:30:07.660444 IP (tos 0x0, ttl 64, id 30967, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x7afa (correct), 1:1(0) ack 157 win 65535
12:30:07.661293 IP (tos 0x0, ttl 64, id 18083, offset 0, flags [DF], proto TCP (6), length 196) 81.195.169.34.pptp > 193.201.231.34.50835: P 1:157(156) ack 157 win 65535: pptp Length=156 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1:Successful channel establishment) ERR_CODE(0:None) FRAME_CAP(S) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(257) [|pptp]
12:30:08.512164 IP (tos 0x20, ttl 100, id 612, offset 0, flags [DF], proto TCP (6), length 208) 193.201.231.34.50835 > 81.195.169.34.pptp: P 157:325(168) ack 157 win 16744: pptp Length=168 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRQ CALL_ID(57281) CALL_SER_NUM(2934) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
12:30:08.512304 IP (tos 0x0, ttl 64, id 29657, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x79b6 (correct), 157:157(0) ack 325 win 65535
12:30:08.514217 IP (tos 0x0, ttl 64, id 6110, offset 0, flags [DF], proto TCP (6), length 72) 81.195.169.34.pptp > 193.201.231.34.50835: P, cksum 0x17be (correct), 157:189(32) ack 325 win 65535: pptp Length=32 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=OCRP CALL_ID(12379) PEER_CALL_ID(57281) RESULT_CODE(1:Connected) ERR_CODE(0:None) CAUSE_CODE(0) CONN_SPEED(64000) RECV_WIN(16) PROC_DELAY(1) PHY_CHAN_ID(0)
12:30:09.487822 IP (tos 0x20, ttl 100, id 613, offset 0, flags [DF], proto TCP (6), length 64) 193.201.231.34.50835 > 81.195.169.34.pptp: P, cksum 0xb132 (correct), 325:349(24) ack 189 win 16712: pptp Length=24 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=SLI PEER_CALL_ID(12379) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
12:30:09.487955 IP (tos 0x0, ttl 64, id 61384, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x797e (correct), 189:189(0) ack 349 win 65535
12:30:25.924914 IP (tos 0x0, ttl 64, id 24554, offset 0, flags [DF], proto TCP (6), length 56) 81.195.169.34.pptp > 193.201.231.34.50835: P, cksum 0x1fda (correct), 189:205(16) ack 349 win 65535: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRQ REASON(3:Stop-Local-Shutdown)
12:30:25.925056 IP (tos 0x0, ttl 64, id 55425, offset 0, flags [DF], proto TCP (6), length 188) 81.195.169.34.pptp > 193.201.231.34.50835: P 205:353(148) ack 349 win 65535: pptp Length=148 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=CDN CALL_ID(12379) RESULT_CODE(3:Admin Shutdown) ERR_CODE(0:None) CAUSE_CODE(0) [|pptp]
12:30:27.118941 IP (tos 0x20, ttl 100, id 620, offset 0, flags [DF], proto TCP (6), length 56) 193.201.231.34.50835 > 81.195.169.34.pptp: P, cksum 0xe090 (correct), 349:365(16) ack 205 win 16696: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRP RESULT_CODE(1:OK) ERR_CODE(0:None)
12:30:27.119105 IP (tos 0x0, ttl 64, id 25327, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x78ca (correct), 353:353(0) ack 365 win 65535
12:30:27.119678 IP (tos 0x0, ttl 64, id 51709, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: F, cksum 0x78c9 (correct), 353:353(0) ack 365 win 65535
12:30:27.159304 IP (tos 0x20, ttl 100, id 621, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.50835 > 81.195.169.34.pptp: ., cksum 0x3826 (correct), 365:365(0) ack 353 win 16548
12:30:27.895540 IP (tos 0x20, ttl 100, id 622, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.50835 > 81.195.169.34.pptp: F, cksum 0x3825 (correct), 365:365(0) ack 353 win 16548
12:30:27.915437 IP (tos 0x20, ttl 100, id 623, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.50835 > 81.195.169.34.pptp: ., cksum 0x3824 (correct), 366:366(0) ack 354 win 16548
12:30:31.542210 IP (tos 0x20, ttl 100, id 624, offset 0, flags [DF], proto TCP (6), length 40) 193.201.231.34.50835 > 81.195.169.34.pptp: F, cksum 0x3824 (correct), 365:365(0) ack 354 win 16548
12:30:31.542342 IP (tos 0x0, ttl 64, id 56252, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x78c9 (correct), 354:354(0) ack 366 win 65534
pfctl opt1
pfctl -sr | grep rl1
block drop in on ! rl1 inet from 81.195.169.0/24 to any
block drop in on rl1 inet6 from fe80::21c:c0ff:fe9d:fe25 to any
pass out quick on rl1 all flags S/SA keep state label "let out anything from firewall host itself"
pass out quick on rl1 proto icmp all keep state (tcp.closed 5) label "let out anything from firewall host itself"
pass out quick on rl1 all flags S/SA keep state (tcp.closed 5) label "let out anything from firewall host itself"
pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 81.195.169.34 port = ftp flags S/SA keep state label "USER_RULE: NAT "
pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 81.195.169.34 port = pptp flags S/SA keep state label "USER_RULE: NAT "
pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto gre from any to 81.195.169.34 keep state label "USER_RULE: NAT "
pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 81.195.169.34 port = ntp flags S/SA keep state label "USER_RULE: NAT "
pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto udp from any to 81.195.169.34 port = ntp keep state label "USER_RULE: NAT "
pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 192.168.0.240 port = smtp flags S/SA keep state label "USER_RULE: NAT "
pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 192.168.0.240 port = pop3 flags S/SA keep state label "USER_RULE: NAT "
pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 81.195.169.34 port = 3155 flags S/SA keep state label "USER_RULE"
pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 192.168.0.240 port = 8010 flags S/SA keep state label "USER_RULE: NAT "
block drop in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp all label "USER_RULE"
pass in quick on sis0 route-to { (rl0 81.195.135.113), (rl1 81.195.169.33) } round-robin inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE"
pass in quick on sis0 route-to { (rl0 81.195.135.113), (rl1 81.195.169.33) } round-robin inet proto tcp from any to any port = 8080 flags S/SA keep state label "USER_RULE"
pass in quick on sis0 route-to (rl1 81.195.169.33) inet proto tcp from any to any port = pop3 flags S/SA keep state label "USER_RULE"
pass in quick on rl1 inet proto tcp from any to 127.0.0.1 port = 8022 flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on rl1 inet proto tcp from any to 127.0.0.1 port = ftp flags S/SA keep state label "FTP PROXY: Allow traffic to localhost"
-
No, you did the tcpdump wrong. Somewhere between these packets GRE should be flowing.
12:30:09.487955 IP (tos 0x0, ttl 64, id 61384, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x797e (correct), 189:189(0) ack 349 win 65535
12:30:25.924914 IP (tos 0x0, ttl 64, id 24554, offset 0, flags [DF], proto TCP (6), length 56) 81.195.169.34.pptp > 193.201.231.34.50835: P, cksum 0x1fda (correct), 189:205(16) ack 349 win 65535: pptp Length=16 CTRL-MSG Magic-Cookie=1a2b3c4d CTRL_MSGTYPE=StopCCRQ REASON(3:Stop-Local-Shutdown)
12:30:31.542342 IP (tos 0x0, ttl 64, id 56252, offset 0, flags [DF], proto TCP (6), length 40) 81.195.169.34.pptp > 193.201.231.34.50835: ., cksum 0x78c9 (correct), 354:354(0) ack 366 win 65534
It should be done like this: tcpdump -i rl1 -n proto gre or port 1723
About the rules:
# pfctl -sr | grep rl1
pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto tcp from any to 81.195.169.34 port = pptp flags S/SA keep state label "USER_RULE: NAT "
pass in quick on rl1 reply-to (rl1 81.195.169.33) inet proto gre from any to 81.195.169.34 keep state label "USER_RULE: NAT "
Why NAT? Do you have port forwarding set up for this?
Please give me pfctl -sn -
Nope, there is no forwarding, I just copied a rule where there is forwarding.
Here is the correct dump:
tcpdump -i rl1 -n proto gre or port 1723
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on rl1, link-type EN10MB (Ethernet), capture size 96 bytes
18:23:59.369922 IP 193.201.231.34.31254 > 81.195.169.34.1723: S 3266589987:3266589987(0) win 16384 <mss 1300,nop,nop,sackOK>
18:23:59.370229 IP 81.195.169.34.1723 > 193.201.231.34.31254: S 3847147718:3847147718(0) ack 3266589988 win 65228 <mss 1300,sackOK,eol>
18:24:00.555148 IP 193.201.231.34.31254 > 81.195.169.34.1723: P 1:157(156) ack 1 win 16900: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(A) BEARER_CAP(A) MAX_CHAN(0) FIRM_REV(2600) [|pptp]
18:24:00.555356 IP 81.195.169.34.1723 > 193.201.231.34.31254: . ack 157 win 65535
18:24:00.556401 IP 81.195.169.34.1723 > 193.201.231.34.31254: P 1:157(156) ack 157 win 65535: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP(S) BEARER_CAP(DA) MAX_CHAN(0) FIRM_REV(257) [|pptp]
18:24:01.344081 IP 193.201.231.34.31254 > 81.195.169.34.1723: P 157:325(168) ack 157 win 16744: pptp CTRL_MSGTYPE=OCRQ CALL_ID(32065) CALL_SER_NUM(2975) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
18:24:01.344227 IP 81.195.169.34.1723 > 193.201.231.34.31254: . ack 325 win 65535
18:24:01.346125 IP 81.195.169.34.1723 > 193.201.231.34.31254: P 157:189(32) ack 325 win 65535: pptp CTRL_MSGTYPE=OCRP CALL_ID(12386) PEER_CALL_ID(32065) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(64000) RECV_WIN(16) PROC_DELAY(1) PHY_CHAN_ID(0)
18:24:02.120176 IP 193.201.231.34.31254 > 81.195.169.34.1723: P 325:349(24) ack 189 win 16712: pptp CTRL_MSGTYPE=SLI PEER_CALL_ID(12386) SEND_ACCM(0xffffffff) RECV_ACCM(0xffffffff)
18:24:02.120317 IP 81.195.169.34.1723 > 193.201.231.34.31254: . ack 349 win 65535
18:24:02.148245 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 0, length 37: LCP, Conf-Request (0x01), id 0, length 23
18:24:03.875148 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 1, length 37: LCP, Conf-Request (0x01), id 1, length 23
18:24:06.673100 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 2, length 37: LCP, Conf-Request (0x01), id 2, length 23
18:24:10.725883 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 3, length 37: LCP, Conf-Request (0x01), id 3, length 23
18:24:14.639127 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 4, length 37: LCP, Conf-Request (0x01), id 4, length 23
18:24:18.655816 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 5, length 37: LCP, Conf-Request (0x01), id 5, length 23
18:24:18.657439 IP 81.195.169.34.1723 > 193.201.231.34.31254: P 189:205(16) ack 349 win 65535: pptp CTRL_MSGTYPE=StopCCRQ REASON(3)
18:24:18.657583 IP 81.195.169.34.1723 > 193.201.231.34.31254: P 205:353(148) ack 349 win 65535: pptp CTRL_MSGTYPE=CDN CALL_ID(12386) RESULT_CODE(3) ERR_CODE(0) CAUSE_CODE(0) [|pptp]
18:24:19.850548 IP 193.201.231.34.31254 > 81.195.169.34.1723: P 349:365(16) ack 205 win 16696: pptp CTRL_MSGTYPE=StopCCRP RESULT_CODE(1) ERR_CODE(0)
18:24:19.850720 IP 81.195.169.34.1723 > 193.201.231.34.31254: . ack 365 win 65535
18:24:19.851299 IP 81.195.169.34.1723 > 193.201.231.34.31254: F 353:353(0) ack 365 win 65535
18:24:19.891394 IP 193.201.231.34.31254 > 81.195.169.34.1723: . ack 353 win 16548
18:24:20.627879 IP 193.201.231.34.31254 > 81.195.169.34.1723: F 365:365(0) ack 353 win 16548
18:24:20.647582 IP 193.201.231.34.31254 > 81.195.169.34.1723: . ack 354 win 16548
18:24:23.836003 IP 193.201.231.34.31254 > 81.195.169.34.1723: F 365:365(0) ack 354 win 16548
18:24:23.836160 IP 81.195.169.34.1723 > 193.201.231.34.31254: . ack 366 win 65534
-
18:24:02.148245 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 0, length 37: LCP, Conf-Request (0x01), id 0, length 23
18:24:03.875148 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 1, length 37: LCP, Conf-Request (0x01), id 1, length 23
18:24:06.673100 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 2, length 37: LCP, Conf-Request (0x01), id 2, length 23
18:24:10.725883 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 3, length 37: LCP, Conf-Request (0x01), id 3, length 23
18:24:14.639127 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 4, length 37: LCP, Conf-Request (0x01), id 4, length 23
18:24:18.655816 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 5, length 37: LCP, Conf-Request (0x01), id 5, length 23
This tells us that the server is not answering the GRE packets, which is sad. One thing is interesting: perhaps the server is trying to answer on the other interface, since we have two public interfaces and the load balancer sometimes behaves veeery strangely.
I would look at two tcpdumps taken simultaneously - on OPT1 and on WAN. -
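The diagnosis above (client GRE going one way only, then StopCCRQ/CDN from the server) can be checked mechanically instead of by eye. The script below is an added example, not code from this thread or from pfSense: it parses tcpdump's text output for the PPTP control channel (port 1723) and the GREv1 call packets, in both the `-n` form suggested above and the `-vv` form with the IP header in parentheses, and reports any GRE flow that never got GRE back on that interface. The embedded sample capture is constructed from a trimmed copy of the OPT1 dump posted above; the script name and the record layout are my own choices.

```python
"""Check a tcpdump text capture of a PPTP session for one-way GRE.

Added example, not code from the thread or from pfSense.  Pipe the output of
tcpdump -i <iface> -n -l proto gre or port 1723 into it on stdin, or run it
with no input to analyse the constructed sample below.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: a trimmed copy of the OPT1 capture posted in the thread
# (control channel on 1723, then the client's GREv1 LCP Conf-Requests).
SAMPLE_CAPTURE = """\
18:23:59.369922 IP 193.201.231.34.31254 > 81.195.169.34.1723: S 3266589987:3266589987(0) win 16384 <mss 1300,nop,nop,sackOK>
18:23:59.370229 IP 81.195.169.34.1723 > 193.201.231.34.31254: S 3847147718:3847147718(0) ack 3266589988 win 65228 <mss 1300,sackOK,eol>
18:24:01.344081 IP 193.201.231.34.31254 > 81.195.169.34.1723: P 157:325(168) ack 157 win 16744: pptp CTRL_MSGTYPE=OCRQ CALL_ID(32065) CALL_SER_NUM(2975) MIN_BPS(300) MAX_BPS(100000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(64) PROC_DELAY(0) PHONE_NO_LEN(0) [|pptp]
18:24:01.346125 IP 81.195.169.34.1723 > 193.201.231.34.31254: P 157:189(32) ack 325 win 65535: pptp CTRL_MSGTYPE=OCRP CALL_ID(12386) PEER_CALL_ID(32065) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(64000) RECV_WIN(16) PROC_DELAY(1) PHY_CHAN_ID(0)
18:24:02.148245 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 0, length 37: LCP, Conf-Request (0x01), id 0, length 23
18:24:03.875148 IP 193.201.231.34 > 81.195.169.34: GREv1, call 12386, seq 1, length 37: LCP, Conf-Request (0x01), id 1, length 23
18:24:18.657439 IP 81.195.169.34.1723 > 193.201.231.34.31254: P 189:205(16) ack 349 win 65535: pptp CTRL_MSGTYPE=StopCCRQ REASON(3)
18:24:18.657583 IP 81.195.169.34.1723 > 193.201.231.34.31254: P 205:353(148) ack 349 win 65535: pptp CTRL_MSGTYPE=CDN CALL_ID(12386) RESULT_CODE(3) ERR_CODE(0) CAUSE_CODE(0) [|pptp]
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# With -v/-vv tcpdump prints "IP (tos ..., length N) " before the addresses;
# the optional non-greedy group skips that header when it is present.
HDR = r"^(?P<ts>\S+) IP (?:\(.*?\) )?"
GRE_RE = re.compile(HDR + rf"(?P<src>{IP}) > (?P<dst>{IP}): GREv1, call (?P<call>\d+), seq (?P<seq>\d+)")
CTRL_RE = re.compile(HDR + rf"(?P<src>{IP})\.\w+ > (?P<dst>{IP})\.\w+: .*pptp .*CTRL_MSGTYPE=(?P<msg>\w+)")
# \b stops this from matching the CALL_ID inside PEER_CALL_ID(...).
CALL_ID_RE = re.compile(r"\bCALL_ID\((\d+)\)")


def parse_capture(text):
    """Turn tcpdump lines into records; lines that are neither PPTP control
    messages nor GREv1 packets (banner, bare TCP ACKs) are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = GRE_RE.match(line)
        if m:
            records.append({"kind": "gre", "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                            "call": int(m["call"]), "seq": int(m["seq"])})
            continue
        m = CTRL_RE.match(line)
        if m:
            c = CALL_ID_RE.search(line)
            records.append({"kind": "ctrl", "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                            "msg": m["msg"], "call": int(c.group(1)) if c else None})
    return records


def analyze(records):
    """Summarise the session: control messages seen, call ids announced by
    each side, GRE packet counts per direction, and GRE flows with no reply."""
    gre_flows = defaultdict(int)   # (src, dst, call id) -> packet count
    ctrl_msgs = []
    call_ids = {}                  # call id -> address of the peer that announced it
    for r in records:
        if r["kind"] == "gre":
            gre_flows[(r["src"], r["dst"], r["call"])] += 1
        else:
            ctrl_msgs.append(r["msg"])
            if r["msg"] in ("OCRQ", "OCRP") and r["call"] is not None:
                call_ids[r["call"]] = r["src"]
    one_way = []
    for (src, dst, call), n in gre_flows.items():
        # A working tunnel carries GRE both ways; the replies travel dst -> src
        # and carry the other peer's call id, so only the addresses are compared.
        if not any(s == dst and d == src for (s, d, _) in gre_flows):
            one_way.append({"src": src, "dst": dst, "call": call, "packets": n})
    return {"ctrl_msgs": ctrl_msgs, "call_ids": call_ids, "gre_flows": dict(gre_flows),
            "one_way_gre": one_way,
            "torn_down": any(m in ("StopCCRQ", "CDN") for m in ctrl_msgs)}


def verdict(report):
    """One-line reading of the report for the operator."""
    if not report["gre_flows"]:
        return "no GRE seen: control channel only (check that proto gre is passed on this interface)"
    if report["one_way_gre"]:
        f = report["one_way_gre"][0]
        return (f"GRE call {f['call']} from {f['src']} to {f['dst']} got no GRE back "
                f"({f['packets']} packets unanswered)")
    return "GRE flows in both directions"


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    report = analyze(parse_capture(text))
    print("control messages:", " ".join(report["ctrl_msgs"]) or "(none)")
    for (src, dst, call), n in sorted(report["gre_flows"].items()):
        print(f"GRE {src} -> {dst} call {call}: {n} packet(s)")
    print("verdict:", verdict(report))
```

Run it against a live capture with `tcpdump -i rl1 -n -l proto gre or port 1723 | python3 pptp_gre_check.py` (the `-l` makes tcpdump line-buffer its output). The verdict only says whether GRE came back on the interface that was captured, which is exactly the open question in the post above: if the server answers on the other public interface, the reply packets show up in that interface's capture and not in this one, so run one copy per interface and compare.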
FTP from outside doesn't work if the route to the client isn't the default one. Verified by personal headache on 1.2.
off-topic: somehow this router needs separate special tweaking far too often :( slowly looking for a less delicate router distro -
FTP from outside doesn't work if the route to the client isn't the default one. Verified by personal headache on 1.2.
off-topic: somehow this router needs separate special tweaking far too often :( slowly looking for a less delicate router distro - If you mean pfSense, it is not a router.
- If you find one, please share. Some delicacy would be nice in our harsh times -)