ppp + natd + forwarding udp

freebsd-isp at chef-ingenieur.de freebsd-isp at chef-ingenieur.de
Wed Sep 1 07:49:32 PDT 2004 

Hello,
I've a freebsd box on a DSL line, running ppp, ipfw and natd. This
works fine since about 1 year.
Now there shuld be a vpn build, but with cisco equipent. The cisco
is located behind the firewall, so I've to forward the udp packets.
But this doesn't work. My ipfw rules:

00100       1174    5341362 allow ip from any to any via lo0
00200          0          0 deny ip from any to 127.0.0.0/8
00300          0          0 deny ip from 127.0.0.0/8 to any
00400          0          0 deny log ip from 172.16.1.0/24 to any in via tun0
00500      15184    9946779 divert 8668 ip from any to any via tun0
00600          0          0 check-state
00700      12125    8358860 allow tcp from me to any keep-state
00701          0          0 allow log ip from 172.16.1.3 to any
00702          0          0 allow log ip from any to 172.16.1.3
00800      13988   11016613 allow ip from 172.16.1.0/24 to any keep-state
01100          0          0 allow log udp from any to 172.16.1.3 dst-port 500
01200          0          0 allow log udp from 172.16.1.3 to any dst-port 500
01300          0          0 allow log udp from any to 172.16.1.3 dst-port
4500
01400          0          0 allow log udp from 172.16.1.3 to any dst-port
4500
01500          2        120 reset log tcp from any to me dst-port 113 in
via tun0
01600        576      48970 allow udp from me to any dst-port 53 keep-state
01700          0          0 allow udp from 172.16.1.0/24 to any dst-port
53 keep-state
01800         12        912 allow udp from me to any dst-port 123 keep-state
01900          4        148 allow icmp from me to any
02000          0          0 allow icmp from 172.16.1.0/24 to any
02100          3         92 allow icmp from any to any in icmptypes
0,3,4,8,11,12
02200       1315     298371 deny log ip from any to any
65535          0          0 deny ip from any to any

in /etc/natd.conf I've

redirect_port udp 172.16.1.3:500 500
redirect_port udp 172.16.1.3:4500 4500

(the cisco is on 172.16.1.3 an has internet access)

natd runs with the flags "-dynamic -u -l -s -f /etc/natd.conf -n tun0"

rules 701+702 are for debugging

I see the packets on the internal interface, but not on the
tun0 interface (testet with tcpdump).

Any hints would be great - I'm really helpless at the moment.

Regards,
Thomas.

More information about the freebsd-isp mailing list