Frickin Question



  • I was hoping to get a little more detail about the Frickin package.  I don't think I understand what its function is.
    Thanks  :D



  • A protocol like GRE doesn't use ports like TCP or UDP and therefore is not easily nattable. If 2 clients for example behind the same pfSense try to tunnel in to the same public IP PPTP-Server there is no way to divide their sessions so usually only one of them can be connected to the same endpoint at the same time. Frickin does some inspections on the traffic and is able to divide the sessions again so multiple PPTP clients behind the same NAT can connect to the same PPTP-Server simultaneously.
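
What the post above describes, as an added example (not part of the original thread and not Frickin's code): PPTP's enhanced GRE header (RFC 2637) carries a 16-bit Call ID, which a PPTP-aware NAT can use in place of a port to tell apart sessions to the same server. The names, addresses and call IDs are constructed, and learning the call ID from the TCP 1723 control channel is assumed rather than implemented.

```python
import struct

PPTP_GRE_PROTO = 0x880B          # protocol type of PPTP's enhanced GRE (RFC 2637)
K_BIT, S_BIT, A_BIT, VER_MASK = 0x2000, 0x1000, 0x0080, 0x0007

def parse_pptp_gre(pkt: bytes) -> dict:
    """Parse the enhanced GRE header that follows the IP header."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != PPTP_GRE_PROTO or (flags & VER_MASK) != 1 or not (flags & K_BIT):
        raise ValueError("not a PPTP enhanced GRE packet")
    offset, fields = 8, {}
    for name, bit in (("seq", S_BIT), ("ack", A_BIT)):   # optional 32-bit fields
        if flags & bit:
            if len(pkt) < offset + 4:
                raise ValueError("truncated optional field")
            fields[name] = struct.unpack_from("!I", pkt, offset)[0]
            offset += 4
    if len(pkt) - offset < payload_len:
        raise ValueError("payload shorter than declared length")
    return {"call_id": call_id, "payload": pkt[offset:offset + payload_len], **fields}

class PptpNatTable:
    """Maps (server IP, client call ID) to the internal client that owns the session."""
    def __init__(self):
        self.sessions = {}

    def learn(self, server_ip, call_id, client_ip):
        # Assumption: call_id was read from the client's TCP 1723 control channel.
        if self.sessions.setdefault((server_ip, call_id), client_ip) != client_ip:
            raise ValueError("call ID collision: the helper must rewrite one client's ID")

    def route_inbound(self, server_ip, gre: bytes):
        # GRE from the server carries the client's call ID; no port exists to match on.
        return self.sessions.get((server_ip, parse_pptp_gre(gre)["call_id"]))

def build_gre(call_id, seq, payload=b"\x00" * 4):         # constructed sample packet
    flags = K_BIT | S_BIT | 1
    return struct.pack("!HHHHI", flags, PPTP_GRE_PROTO, len(payload), call_id, seq) + payload

SERVER = "203.0.113.10"                                   # constructed (documentation range)

def demo():
    nat = PptpNatTable()
    nat.learn(SERVER, 0x4001, "192.168.1.20")
    nat.learn(SERVER, 0x4002, "192.168.1.21")
    # Two LAN clients, one server: the call ID alone selects the internal host.
    return [nat.route_inbound(SERVER, build_gre(cid, 1)) for cid in (0x4001, 0x4002, 0x4003)]
```

A plain NAT state keyed only on the server address would send all three packets to whichever client connected last; the unknown call ID here returns `None` instead.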



  • @hoba:

    A protocol like GRE doesn't use ports like TCP or UDP and therefore is not easily nattable. If 2 clients for example behind the same pfSense try to tunnel in to the same public IP PPTP-Server there is no way to divide their sessions so usually only one of them can be connected to the same endpoint at the same time. Frickin does some inspections on the traffic and is able to divide the sessions again so multiple PPTP clients behind the same NAT can connect to the same PPTP-Server simultaneously.

    Does this mean frickin is working again?
    The frickin bug tracker says that it has a problem with FreeBSD 6.2.



  • No, it currently does NOT work.



  • You didn't ask about the state, only about what it is intended to do initially  ;D



  • Doh!  I was starting to get excited  :P



  • Does anybody know whether it's being developed? How's the progress? :)

    It'd still be nice if I could tell my customers that they can do multiple PPTP again ;)



  • Situation has not changed.



  • Which situation? It's not being developed? No progress?



  • Actually it might start working when you disable SCRUB at system>advanced. We'll have to test this. The package will autodisable SCRUB now when it's installed and show a note about that. Everybody feel free to test and report back. Please make sure you are on the latest available snapshot and reinstall the package before testing.



  • Well, I'm not actually using pfSense, I'm using just PF on FreeBSD-6.2. Rules for Frickin in my pf.conf:

    rdr on $int_if proto tcp from $int_if:network to any port 1723 -> 127.0.0.1
    rdr on $int_if proto gre from $int_if:network to any -> 127.0.0.1
    pass out on $ext_if proto gre all keep state
    

    I disabled scrub, but still no luck with outgoing PPTP connection. Still stuck on "Verifying username and password…".

    What about the argument (http://forum.pfsense.org/index.php/topic,2507.msg14707.html#msg14707) that there should be 2 IPs in use on LAN? Was this for previous versions of Frickin?



  • I was reading up about this proxy and it looks like you might need:
    pass in on $ext_if proto gre all keep state
    This was an interesting rule, because typically you can 'pass things out' from an interface; it's the 'pass things in' to an interface that gets blocked.

    I'll see if I can get some time for this, this week.
    I know in OpenBSD you have to make some changes to the stack, because by default the stack does not pass GRE traffic.

    @atrox:

    Well, I'm not actually using pfSense, I'm using just PF on FreeBSD-6.2. Rules for Frickin in my pf.conf:

    rdr on $int_if proto tcp from $int_if:network to any port 1723 -> 127.0.0.1
    rdr on $int_if proto gre from $int_if:network to any -> 127.0.0.1
    pass out on $ext_if proto gre all keep state
    

    I disabled scrub, but still no luck with outgoing PPTP connection. Still stuck on "Verifying username and password…".

    What about the argument (http://forum.pfsense.org/index.php/topic,2507.msg14707.html#msg14707) that there should be 2 IPs in use on LAN? Was this for previous versions of Frickin?



  • Just committed a change to this.  Please try 10+ minutes from when this message is posted (reinstall package).



  • @sullrich:

    Just committed a change to this.  Please try 10+ minutes from when this message is posted (reinstall package).

    I was looking at this for a while:

    I see this:

    pfctl -s all | grep gre

    rdr on xl0 inet proto gre all -> 127.0.0.1

    pfctl -s all | grep 1723

    pfctl -s all | grep pptp

    rdr on xl0 inet proto tcp from any to any port = pptp -> 127.0.0.1

    pfctl -s all | grep scrub

    scrub all random-id fragment reassemble

    I didn't expect to see scrub.
    I did expect to see these rules and nats or a reference to them:
    $rules .= "rdr on $iface proto tcp from any to any port = 1723 -> 127.0.0.1\n";
    $rules .= "rdr on $iface inet proto gre all -> 127.0.0.1\n";
    }
    break;
    case 'filter':
    $ext_if = get_real_wan_interface();
    $rules .= "pass out on $ext_if proto gre from any to any keep state\n";
    $rules .= "pass in on $ext_if proto gre from any to any keep state\n";

    Frickin looks to be running:

    ps -aux | grep frickin

    nobody  89069  0.0  1.3  2448  1600  ??  S    12:13AM  0:00.03 /usr/local/bin/frickin -c /usr/local/etc/frickin.conf
    root    89721  0.0  0.2  372  192  p0  R+  12:18AM  0:00.00 grep frickin



  • Looks like I forgot to MFC a few items.  Please try a snapshot about 2 hours from now.



  • I was looking at this again, I found that "scrub" stays on after installing frickin.
    As well, I was reading a note from the project source:

    http://sourceforge.net/tracker/?group_id=120375&atid=686811

    Not working FreeBSD 6.2 - Raw sockets issue.
    When trying to send data using the raw socket the operation fails with
    "Operation not permitted".
    Data sent back to the client must be sent using raw sockets in order to
    spoof the source (server) ip-address, without this the client will reject
    the packet(s).

    @sullrich:

    Looks like I forgot to MFC a few items.  Please try a snapshot about 2 hours from now.



  • Once again this has come up :)

    What I have tried in the meantime is that I installed Frickin 2.0 beta2 onto my FreeBSD-6.2. I also enabled scrub only for udp and tcp, but well.. still stuck on "Verifying username and password..".

    @sullrich:

    Looks like I forgot to MFC a few items.  Please try a snapshot about 2 hours from now.

    I didn't quite get which snapshot one should try - Frickin or pfSense or …?

    And I'm quite confused about the PF and PPTP issue. Some people seem to claim that it's possible to use PPTP through PF, but all the guidelines end up somewhere.. Is there any hope to get it working with PF or should I just go back to IPFW (which to my mind had no such problems)?

