Netgate Discussion Forum

    Frickin Question

      DWAyotte

      I was hoping to get a little more detail about the Frickin package. I don't think I understand what its function is.
      Thanks :D

        hoba

        A protocol like GRE doesn't use ports like TCP or UDP and therefore is not easily nattable. If 2 clients for example behind the same pfSense try to tunnel in to the same public IP PPTP-Server there is no way to divide their sessions so usually only one of them can be connected to the same endpoint at the same time. Frickin does some inspections on the traffic and is able to divide the sessions again so multiple PPTP clients behind the same NAT can connect to the same PPTP-Server simultaneously.

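Added example, not part of the original post and not Frickin's code: PPTP's enhanced GRE header (RFC 2637) carries a 16-bit Call ID in place of ports, and a NAT or proxy can key its session table on that field, rewriting it when two clients pick the same value. How Frickin itself divides sessions is not shown in this thread; the names `CallIdNat`, `outbound_call` and `inbound_gre` are hypothetical, and the packets come from a constructed helper.

```python
import struct

GRE_PROTO_PPP = 0x880B                       # protocol type of PPTP's enhanced GRE
K_BIT, S_BIT, A_BIT, VER_MASK = 0x2000, 0x1000, 0x0080, 0x0007

def build_pptp_gre(call_id, payload, seq=0):
    """Constructed sample packet: enhanced GRE header (K and S set, version 1)."""
    return struct.pack("!HHHHI", K_BIT | S_BIT | 1, GRE_PROTO_PPP,
                       len(payload), call_id, seq) + payload

def parse_call_id(pkt):
    """Return the Call ID of an enhanced GRE packet, rejecting anything else."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if (flags & VER_MASK) != 1 or not (flags & K_BIT) or proto != GRE_PROTO_PPP:
        raise ValueError("not PPTP enhanced GRE")
    hdr_len = 8 + (4 if flags & S_BIT else 0) + (4 if flags & A_BIT else 0)
    if len(pkt) < hdr_len + payload_len:
        raise ValueError("payload shorter than header claims")
    return call_id

class CallIdNat:
    """Per-server table mapping an on-the-wire Call ID to the internal client."""
    def __init__(self):
        self.by_wire = {}    # (server, wire_call_id) -> (client, client_call_id)
        self.by_client = {}  # (server, client, client_call_id) -> wire_call_id

    def outbound_call(self, client, server, client_call_id):
        """Client announced client_call_id on TCP 1723; return the ID to send on."""
        key = (server, client, client_call_id)
        if key not in self.by_client:
            wire = client_call_id
            for _ in range(0x10000):          # probe for a free ID, like a NAT port
                if (server, wire) not in self.by_wire:
                    break
                wire = (wire + 1) & 0xFFFF
            else:
                raise RuntimeError("no free Call ID for this server")
            self.by_wire[(server, wire)] = (client, client_call_id)
            self.by_client[key] = wire
        return self.by_client[key]

    def inbound_gre(self, server, pkt):
        """Return (client, packet with the client's own Call ID restored) or None."""
        entry = self.by_wire.get((server, parse_call_id(pkt)))
        if entry is None:
            return None                       # unknown session: drop, do not guess
        return entry[0], pkt[:6] + struct.pack("!H", entry[1]) + pkt[8:]
```

Without the Call ID rewrite, two clients that both announce the same Call ID to one server are indistinguishable on the return path, which is the single-session limit the post describes.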
          techatdd

          @hoba:

          A protocol like GRE doesn't use ports like TCP or UDP and therefore is not easily nattable. If 2 clients for example behind the same pfSense try to tunnel in to the same public IP PPTP-Server there is no way to divide their sessions so usually only one of them can be connected to the same endpoint at the same time. Frickin does some inspections on the traffic and is able to divide the sessions again so multiple PPTP clients behind the same NAT can connect to the same PPTP-Server simultaneously.

          Does this mean frickin is working again?
          The frickin bug tracker says that it has a problem with FreeBSD 6.2.

            sullrich

            No, it currently does NOT work.

              hoba

              You didn't ask about the state, only about what it is intended to do initially  ;D

                DWAyotte

                Doh!  I was starting to get excited  :P

                  atrox

                  Does anybody know whether it's being developed? How's the progress? :)

                  It'd still be nice if I could tell my customers that they can do multiple PPTP again ;)

                    sullrich

                    Situation has not changed.

                      atrox

                      Which situation? It's not being developed? No progress?

                        hoba

                        Actually it might start working when you disable SCRUB at system>advanced. We'll have to test this. The package will autodisable SCRUB now when it's installed and show a note about that. Everybody feel free to test and report back. Please make sure you are on the latest available snapshot and reinstall the package before testing.

                          atrox

                          Well, I'm not actually using pfSense, I'm using just PF on FreeBSD-6.2. Rules for Frickin in my pf.conf:

                          rdr on $int_if proto tcp from $int_if:network to any port 1723 -> 127.0.0.1
                          rdr on $int_if proto gre from $int_if:network to any -> 127.0.0.1
                          pass out on $ext_if proto gre all keep state
                          

                          I disabled scrub, but still no luck with outgoing PPTP connection. Still stuck on "Verifying username and password…".

                          What about the argument (http://forum.pfsense.org/index.php/topic,2507.msg14707.html#msg14707) that there should be 2 IPs in use on LAN? Was this for previous versions of Frickin?

                            newmember

                            I was reading up about this proxy and it looks like you might need:
                            pass in on $ext_if proto gre all keep state
                            This was an interesting rule, because typically you can 'pass things out' from an interface; it's the 'pass things in' to an interface that gets blocked.

                            I'll see if I can get some time for this, this week.
                            I know in OpenBSD you have to have some changes to the stack, because by default the stack does not pass GRE traffic.

                            @atrox:

                            Well, I'm not actually using pfSense, I'm using just PF on FreeBSD-6.2. Rules for Frickin in my pf.conf:

                            rdr on $int_if proto tcp from $int_if:network to any port 1723 -> 127.0.0.1
                            rdr on $int_if proto gre from $int_if:network to any -> 127.0.0.1
                            pass out on $ext_if proto gre all keep state
                            

                            I disabled scrub, but still no luck with outgoing PPTP connection. Still stuck on "Verifying username and password…".

                            What about the argument (http://forum.pfsense.org/index.php/topic,2507.msg14707.html#msg14707) that there should be 2 IPs in use on LAN? Was this for previous versions of Frickin?

                              sullrich

                              Just committed a change to this. Please try 10+ minutes from when this message is posted (reinstall package).

                                newmember

                                @sullrich:

                                Just committed a change to this. Please try 10+ minutes from when this message is posted (reinstall package).

                                I was looking at this for a while:

                                I see this:

                                pfctl -s all | grep gre

                                rdr on xl0 inet proto gre all -> 127.0.0.1

                                pfctl -s all | grep 1723

                                pfctl -s all | grep pptp

                                rdr on xl0 inet proto tcp from any to any port = pptp -> 127.0.0.1

                                pfctl -s all | grep scrub

                                scrub all random-id fragment reassemble

                                I didn't expect to see scrub.
                                I did expect to see these rules and nats or a reference to them:
                                $rules .= "rdr on $iface proto tcp from any to any port = 1723 -> 127.0.0.1\n";
                                $rules .= "rdr on $iface inet proto gre all -> 127.0.0.1\n";
                                }
                                break;
                                case 'filter':
                                $ext_if = get_real_wan_interface();
                                $rules .= "pass out on $ext_if proto gre from any to any keep state\n";
                                $rules .= "pass in on $ext_if proto gre from any to any keep state\n";

                                Frickin looks to be running:

                                ps -aux | grep frickin

                                nobody  89069  0.0  1.3  2448  1600  ??  S    12:13AM  0:00.03 /usr/local/bin/frickin -c /usr/local/etc/frickin.conf
                                root    89721  0.0  0.2  372  192  p0  R+  12:18AM  0:00.00 grep frickin

                                  sullrich

                                  Looks like I forgot to MFC a few items.  Please try a snapshot about 2 hours from now.

                                    newmember

                                    I was looking at this again, I found that "scrub" stays on after installing frickin.
                                    As well, I was reading a note from the project source:

                                    http://sourceforge.net/tracker/?group_id=120375&atid=686811

                                    Not working FreeBSD 6.2 - Raw sockets issue.
                                    When trying to send data using the raw socket the operation fails with
                                    "Operation not permitted".
                                    Data sent back to the client must be sent using raw sockets in order to
                                    spoof the source (server) ip-address, without this the client will reject
                                    the packet(s).

                                    @sullrich:

                                    Looks like I forgot to MFC a few items.  Please try a snapshot about 2 hours from now.

                                      atrox

                                      Once again this has come up :)

                                      What I have tried in the meantime is that I installed Frickin 2.0 beta2 onto my FreeBSD-6.2. I also enabled scrub only for UDP and TCP, but well.. still stuck on "Verifying username and password..".

                                      Looks like I forgot to MFC a few items.  Please try a snapshot about 2 hours from now.

                                      I didn't quite get which snapshot one should try - Frickin or pfSense or …?

                                      And I'm quite confused about the PF and PPTP issue. Some people seem to claim that it's possible to use PPTP through PF, but all the guidelines end up somewhere.. Is there any hope to get it working with PF or should I just go back to IPFW (which to my mind had no such problems)?

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.