misc/69954: PF Nat with a PPP connection uses wrong addresses
Lawrence Farr
l.farr at epcdirect.co.uk
Tue Aug 3 08:40:20 PDT 2004
>Number: 69954
>Category: misc
>Synopsis: PF Nat with a PPP connection uses wrong addresses
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Aug 03 15:40:19 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Lawrence Farr
>Release: -CURRENT
>Organization:
EPC Direct
>Environment:
FreeBSD mollie.epcdirect.co.uk 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Fri Jul 23 01:48:06 BST 2004 root at buildhost.int.epcdirect.co.uk:/usr/obj/usr/src/sys/ROUTER i386
>Description:
When using PF's NAT with a PPP dialup, the wrong outgoing address is used by NAT in a round robin form.
PF rule
nat on $ext_if from $internal_net to any -> ($ext_if)
(Where $ext_if=tun0)
PPP config line:
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.255 0.0.0.0
Becomes
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff
And when connected:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 213.122.204.66 --> 213.120.208.171 netmask 0xffffffff
A tcpdump of a successful connection shows:
21:40:53.176154 IP 213.122.204.66.61726 > 195.10.242.32.110: . ack 82 win 17296
21:40:53.176325 IP 213.122.204.66.61726 > 195.10.242.32.110: F 7:7(0) ack 82 win 17296
But the next connection shows:
21:40:58.187545 IP 10.0.0.1.62059 > 195.10.242.32.110: S 2862758557:2862758557(0) win 16384 <mss 1460,nop,nop,sackOK>
21:41:01.174007 IP 10.0.0.1.62059 > 195.10.242.32.110: S 2862758557:2862758557(0) win 16384 <mss 1460,nop,nop,sackOK>
Note the source address has become the original address for the PPP connection.
>How-To-Repeat:
Connect with the ppp config line as shown above and the pf rule and try sequential connections through the NAT router.
>Fix:
Set NAT to use a specific address rather than tun0
nat on $ext_if from $internal_net to any -> 213.122.204.66
and the problem stops. This is a problem if you get a dynamic IP address.
>Release-Note:
>Audit-Trail:
>Unformatted:
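A small check for the symptom described in this PR, added here as an illustration and not part of the report or of FreeBSD: it reads the negotiated local address from the `ifconfig tun0` output and flags any outbound packet in a tcpdump capture that leaves with a different source (the pre-negotiation 10.0.0.1 in the report). The sample texts are the lines quoted in the PR, embedded as constructed input; the function names are this example's own.

```python
import re
from ipaddress import ip_address

# Constructed sample input: ifconfig output after the PPP link came up (as quoted in the PR).
IFCONFIG_TUN0 = """tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet 213.122.204.66 --> 213.120.208.171 netmask 0xffffffff
"""

# Constructed sample input: the tcpdump lines from the PR, one good connection and one bad one.
TCPDUMP_LINES = """21:40:53.176154 IP 213.122.204.66.61726 > 195.10.242.32.110: . ack 82 win 17296
21:40:53.176325 IP 213.122.204.66.61726 > 195.10.242.32.110: F 7:7(0) ack 82 win 17296
21:40:58.187545 IP 10.0.0.1.62059 > 195.10.242.32.110: S 2862758557:2862758557(0) win 16384 <mss 1460,nop,nop,sackOK>
21:41:01.174007 IP 10.0.0.1.62059 > 195.10.242.32.110: S 2862758557:2862758557(0) win 16384 <mss 1460,nop,nop,sackOK>
"""

# "inet <local> --> <remote>" line of a point-to-point interface.
INET_RE = re.compile(r"^\s*inet (\S+) --> (\S+)", re.M)
# "<time> IP <src>.<sport> > <dst>.<dport>:" prefix of a tcpdump TCP line.
PKT_RE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def negotiated_address(ifconfig_text):
    """Return the local address ifconfig reports for the PPP link."""
    m = INET_RE.search(ifconfig_text)
    if not m:
        raise ValueError("no 'inet A --> B' line found")
    return m.group(1)


def find_mistranslated(tcpdump_text, local_addr):
    """Return (timestamp, source, 'dst:port', is_private) for every outbound packet
    whose source is not the negotiated address; is_private marks RFC 1918 sources,
    which on a PPP link means the placeholder address was used instead of the real one."""
    bad = []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport = m.groups()
        if src != local_addr:
            bad.append((ts, src, f"{dst}:{dport}", ip_address(src).is_private))
    return bad


if __name__ == "__main__":
    addr = negotiated_address(IFCONFIG_TUN0)
    for ts, src, dst, private in find_mistranslated(TCPDUMP_LINES, addr):
        print(f"{ts} src {src} -> {dst} (expected {addr}; rfc1918={private})")
```

Run it against a live `ifconfig tun0` and `tcpdump -n -i tun0` capture to confirm whether the `-> ($ext_if)` rule or a fixed-address rule is in effect.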