ADSL/router(VOIP) pf in private ip range

mailme mailme at roelsieg.nl
Tue Apr 11 18:59:39 UTC 2006


Old situation:
      to internet
          ^
          |
          |
  ADSL Router/Modem (bridged)
          ^
          |
          V
      ip ext from isp
  BSD router with pf+NAT
      ip 192.168.0.1
          ^
          |
          |
          V
      ip 192.168.0.4
        client PC

New situation:
      to internet
          ^
          |
          |
      ip ext from isp
  Davolink DV-201AMR (NAT) -----> to VOIP telephone
      ip 192.168.1.1
          ^
          |
          | (DMZ 192.168.1.7)
          V
      ip 192.168.1.7
  BSD router with pf
      ip 192.168.0.1
          ^
          |
          |
          V
      ip 192.168.0.4
        client PC

The preferred NAT settings on the router would be as shown above, with a demilitarized zone, so that BSD just takes care
of the security issues.

It is not possible to set the router to a bridged setting because:
-first, the web interface does not allow this and I found no way to telnet into the router for different settings
-second, I don't think this will work in combination with the VOIP (the Davolink should have the external IP from the ISP)

Furthermore, I have a packet filter installed on the BSD machine; the following rule set used to work in the old situation:

 # /etc/pf.conf

 # Macros
 EXT_IF="rl0"          # external interface (held the ISP address in the old situation)
 INT_IF="rl1"          # LAN interface, 192.168.0.1
 LOCAL_IF="lo0"
 LAN="192.168.0.0/24"
 # loopback and RFC 1918 ranges that must never arrive on or leave via $EXT_IF
 NO_ROUTE=" { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } "

 # Options
 set optimization normal
 set block-policy drop
 set require-order yes

 # Traffic Normalization
 scrub in all

 # Translation

 # General rdr to a port
 #rdr on $EXT_IF inet proto tcp from any to $EXT_IF port $RDR_PORT -> $DEST_IP port $DEST_PORT

 # Network Address Translation
 nat on $EXT_IF inet from $LAN to any -> $EXT_IF

 # Packet Filtering
 block in log all
 block out log all

 antispoof log quick for $LOCAL_IF inet
 pass in on $LOCAL_IF inet all keep state
 pass out on $LOCAL_IF inet all keep state

 # Caveat from pf.conf(5): antispoof for a non-loopback interface also blocks
 # packets whose source is that interface's own address, which catches local
 # traffic sent over lo0 to 192.168.0.1 unless it is passed quick before this point.
 antispoof log quick for $INT_IF inet
 pass in on $INT_IF inet all keep state
 pass out on $INT_IF inet all keep state

 antispoof log quick for $EXT_IF inet
 # bogon filter: drop private/loopback sources addressed to the external interface
 block in log quick on $EXT_IF inet from $NO_ROUTE to $EXT_IF
 # reject ident probes instead of letting them time out
 block return-rst in log quick on $EXT_IF inet proto tcp from any to $EXT_IF port 113
 pass in on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type 8 code 0 keep state
 pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 22 flags S/SA modulate state
 pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 80 flags S/SA modulate state
 pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 25 flags S/SA modulate state
 pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 443 flags S/SA modulate state

 # never leak packets for private destinations towards the uplink
 block out log quick on $EXT_IF inet from $EXT_IF to $NO_ROUTE
 pass out on $EXT_IF inet from $EXT_IF to any keep state

Now I think there is probably a problem in the NO_ROUTE statements, because the NO_ROUTE 192.168.0.0/16 section
includes the address range 192.168.1.0/24. But since the DMZ forwards all the incoming traffic to 192.168.1.7,
I don't know whether, if I make a statement allowing incoming traffic from 192.168.1.1, this in combination with
the DMZ just bypasses my packet filter. From the dump beneath I get the impression that the DMZ just forwards all traffic
to 192.168.1.7 without NAT (192.168.1.1), but I am not sure.

The strangest things happen at the moment:
-I can connect to the internet from my client PC with a browser, but MSN cannot make a connection
-I can receive and send mail from the mail server on the BSD machine, but with a subject only and no text

To get an impression of what happens, here is a dump of the incoming traffic on the BSD machine:

  pfTop: Up State 1-5/5, View: default, Order: none, Cache: 10000                                        09:47:17

  PR   DIR SRC                  DEST                         STATE                AGE       EXP     PKTS    BYTES
  tcp  In  192.168.0.4:1374     192.168.0.1:22      ESTABLISHED:ESTABLISHED  00:09:33  23:59:55     1141   102486
  tcp  In  192.168.0.4:1375     65.54.239.80:1863    FIN_WAIT_2:FIN_WAIT_2   00:00:25  00:01:06       13      934
  tcp  In  192.168.0.4:1376     207.46.2.124:1863   ESTABLISHED:ESTABLISHED  00:00:24  23:59:37       10      932
  tcp  In  192.168.0.4:1377     65.54.183.192:443   ESTABLISHED:ESTABLISHED  00:00:23  23:59:52       16     8903
  tcp  Out 192.168.0.4:1375     65.54.239.80:1863    FIN_WAIT_2:FIN_WAIT_2   00:00:25  00:01:06       13      934
  tcp  Out 192.168.0.4:1376     207.46.2.124:1863   ESTABLISHED:ESTABLISHED  00:00:24  23:59:37       10      932
  tcp  Out 192.168.0.4:1377     65.54.183.192:443    STABLISHED:ESTABLISHED  00:00:23  23:59:52       16     8903
  udp  In  192.168.0.4:1063     192.168.0.1:53         MULTIPLE:MULTIPLE     00:00:25  00:00:37        4      711
  udp  Out 192.168.1.7:11789    62.4.69.96:53          MULTIPLE:SINGLE       00:00:25  00:00:05        2      160
  udp  Out 192.168.1.7:11789    65.55.238.126:53       MULTIPLE:SINGLE       00:00:23  00:00:07        2      201
  udp  Out 192.168.1.7:11789    65.54.240.126:53       MULTIPLE:SINGLE       00:00:25  00:00:05        2      196
  udp  Out 192.168.1.7:11789    212.187.162.134:53     MULTIPLE:SINGLE       00:00:23  00:00:07        2      392
  udp  Out 192.168.1.7:11789    213.199.144.151:53     MULTIPLE:SINGLE       00:00:23  00:00:07       12      972

(PS: I don't know how the mailing list works, so please reply to mailme at roelsieg.nl)
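The NO_ROUTE overlap the post describes, shown as an added /etc/pf.conf fragment for the new situation. This is an example added here, not the poster's rule set and not Davolink or FreeBSD code. It assumes the link between the Davolink (192.168.1.1) and rl0 (192.168.1.7) is 192.168.1.0/24, as the diagram suggests, and the table name <noroute> is the example's own. It relies on pf tables accepting entries prefixed with ! to exclude a range, which lets the RFC 1918 bogon list stay intact while the uplink subnet is carved out of it.

```pf
# /etc/pf.conf fragment, added example for the new situation (not the original rule set)

EXT_IF="rl0"             # now 192.168.1.7, on the Davolink's LAN side
INT_IF="rl1"             # 192.168.0.1
LAN="192.168.0.0/24"

# Weak (old) setting: the bogon list covers 192.168.0.0/16, which now contains
# both the external interface and the Davolink at 192.168.1.1, so any packet the
# Davolink sends to 192.168.1.7 is dropped by the quick block rule below.
#NO_ROUTE=" { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } "

# Corrected setting: the same list as a table; the ! entry excludes the uplink
# subnet (assumed: 192.168.1.0/24) while the rest of 192.168.0.0/16 stays blocked.
table <noroute> const { 127.0.0.0/8, 192.168.0.0/16, !192.168.1.0/24, \
                        172.16.0.0/12, 10.0.0.0/8 }

scrub in all

# Masquerade the LAN behind whatever address rl0 currently holds; the Davolink
# then NATs a second time towards the ISP address.
nat on $EXT_IF inet from $LAN to any -> ($EXT_IF)

block in log all
block out log all

antispoof log quick for $EXT_IF inet
block in log quick on $EXT_IF inet from <noroute> to $EXT_IF
pass in on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type 8 code 0 keep state
pass in on $EXT_IF inet proto tcp from any to $EXT_IF port { 22, 25, 80, 443 } \
    flags S/SA modulate state

block out log quick on $EXT_IF inet from $EXT_IF to <noroute>
pass out on $EXT_IF inet from $EXT_IF to any keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f. Note that the reply packets for the NAT states in the pfTop dump carry public source addresses, so the old NO_ROUTE block rule never matched them; the overlap only affects packets the Davolink itself sends to 192.168.1.7, and those are what the table exclusion lets through to the later pass rules.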

