pppoe, can't ping tun0 from dmz machine

Rocco Caputo rcaputo at pobox.com
Tue Jul 29 18:03:10 PDT 2003


I've acquired DSL.  I didn't like the modem's NAT and PPPoE, so I
switched it to bridged Ethernet and am using ppp(8) for that.  I'm using
ipfw2 for QOS things (pipes and queues).  I'm using ipf for firewalling
and ftp proxying.

Almost everything works well, except (so far) active FTP and pinging the
tun0 interface.

tcpdump shows ICMP echo requests and responses, but ping does not see
them.  Opening ipf (pass in all, pass out all) "fixes" ping.

ipnat's active ftp proxy sees the PORT request and punches a hole
through the firewall, but incoming packets don't arrive.  Opening ipf
"fixes" this, too.

Other incoming connections seem to work fine.  DNS works fine.  TCP
works fine.

I've read the handbook, the howtos, searched the list archives, usenet,
and the web.  Nothing solved it.

So.  What have I overlooked?  Where have I gone wrong?  Would you like
to see my cling-film collection?  How about an extensive (but perhaps
not exhaustive) excerpt from my system configuration?  Ok, it is
included.

-- 
Rocco Caputo - rcaputo at pobox.com - http://poe.perl.org/

=== ppp.conf

default:
  ident user-ppp VERSION (built COMPILATIONDATE)
  set log      CBCP CCP Chat Connect Command IPCP tun Phase Warning

papchap:
  add default     HISADDR
  disable         ipv6cp
  disable         vjcomp
  enable          iface-alias
  enable          lqr
  enable          tcpmssfixup
  nat enable      yes
  nat log         yes
  nat same_ports  yes
  set authkey     *****
  set authname    *****
  set cd          5
  set crtscts     off
  set device      PPPoE:dc0
  set dia
  set ifaddr      68.213.211.142/0 192.168.36.176/0
  set login
  set mru         1492
  set mtu         1492
  set redial      1 0
  set server      /var/run/tun0 "" 0177
  set speed       sync
  set timeout     0

=== netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.36.176     UGSc       80  1377475   tun0
10                 link#2             UC          4        0    rl0
10.0.0.7           link#2             UHLW        0        8    rl0
10.0.0.18          00:e0:18:0b:ac:22  UHLW        1   115334    rl0    303
10.0.0.25          00:e0:18:30:68:32  UHLW        0   292874    lo0
10.0.0.100         00:e0:18:30:65:f6  UHLW        1   111019    rl0    163
127.0.0.1          127.0.0.1          UH          6   196295    lo0
192.168.1          link#1             UC          2        0    dc0
192.168.1.25       00:04:5a:59:8e:92  UHLW        0   142112    lo0
192.168.1.254      00:60:0f:31:c7:86  UHLW        0    75153    dc0    865
192.168.36.176     68.213.211.142     UH         76    71059   tun0

=== ipfstat -i

block in quick on tun0 from 0.0.0.0/8 to any
block in quick on tun0 from 127.0.0.0/8 to any
block in quick on tun0 from 169.254.0.0/16 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 192.0.2.0/24 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 224.0.0.0/4 to any
block in quick on tun0 from 240.0.0.0/4 to any
pass in quick on lo0 from any to any
pass in quick on rl0 from any to any
pass in quick on dc0 from any to any
pass in quick on tun0 proto tcp from any to any port = 80 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 113 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 433 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 6881 >< 6999 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port = 11512 flags S/FSRPAU keep state keep frags
pass in quick on tun0 proto tcp from any to any port 32000 >< 32100 flags S/FSRPAU keep state keep frags
block in quick from any to any

=== ipfstat -o

block out quick on tun0 from 0.0.0.0/8 to any
block out quick on tun0 from 127.0.0.0/8 to any
block out quick on tun0 from 169.254.0.0/16 to any
block out quick on tun0 from 172.16.0.0/12 to any
block out quick on tun0 from 192.0.2.0/24 to any
block out quick on tun0 from 192.168.0.0/16 to any
block out quick on tun0 from 224.0.0.0/4 to any
block out quick on tun0 from 240.0.0.0/4 to any
pass out quick on lo0 from any to any
pass out quick on rl0 from any to any
pass out quick on dc0 from any to any
pass out quick on tun0 proto icmp from any to any keep state
pass out quick on tun0 proto tcp from any to any flags S/FSRPAU keep state keep frags
pass out quick on tun0 proto udp from any to any keep state keep frags
block out quick from any to any

=== ipnat -l

List of active MAP/Redirect filters:
map tun0 68.213.211.142/32 -> 68.213.211.142/32 proxy port ftp ftp/tcp

List of active sessions:
(none)

=== various rc.conf bits

ifconfig_dc0="inet 192.168.1.25 netmask 255.255.255.0"
network_interfaces="lo0 rl0 dc0 tun0"

firewall_enable="YES"
firewall_logging="YES"
firewall_type="/etc/rc.firewall.custom"
firewall_flags="-p /usr/bin/cpp"

ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"

ipnat_enable="YES"

ppp_enable="yes"
ppp_mode="ddial"
ppp_nat="yes"
ppp_profile="papchap"

=== ipfw show

01110 queue 18 icmp from any to any in via tun0
01110 queue 18 ip from any to any in via tun0 iptos lowdelay,throughput
01120 queue 18 tcp from any to any in via tun0 tcpflags ack
01120 queue 18 tcp from any to any in via tun0 tcpflags ack
01300 queue 14 ip from any to any in via tun0 iptos lowdelay
01310 queue 14 tcp from any 6666-6669 to any in via tun0
01320 queue 14 tcp from any 80 to any in via tun0
01400 queue 11 tcp from any 119 to any in via tun0
01410 queue 11 tcp from any 5999 to any in via tun0
01420 queue 11 tcp from any to any in via tun0 iplen 1500
01430 queue 11 tcp from any 6881-6889 to any in via tun0
01440 queue 11 tcp from any to any dst-port 6881-6889 in via tun0
01900 queue 12 ip from any to any in via tun0
02100 queue 28 icmp from any to any out via tun0
02110 queue 28 ip from any to any out via tun0 iptos lowdelay,throughput
02120 queue 28 tcp from any to any out via tun0 tcpflags ack
02130 queue 28 tcp from any to any out via tun0 setup
02300 queue 24 ip from any to any out via tun0 iptos lowdelay
02310 queue 24 tcp from any to any dst-port 6666-6669 out via tun0
02400 queue 21 tcp from any 80 to any out via tun0
02410 queue 21 tcp from any 443 to any out via tun0
02420 queue 21 tcp from any 11512 to any out via tun0
02430 queue 21 tcp from any to any dst-port 119 out via tun0
02440 queue 21 tcp from any to any dst-port 5999 out via tun0
02450 queue 21 tcp from any to any out via tun0 iplen 1500
02460 queue 21 tcp from any 6881-6889 to any out via tun0
02470 queue 21 tcp from any to any dst-port 6881-6889 out via tun0
02900 queue 22 ip from any to any out via tun0
60000 allow ip from any to any via lo0
60010 allow ip from any to any via rl0
60020 allow ip from any to any via dc0
60030 allow ip from any to any via tun0
60040 allow ip from any to any
65535 deny ip from any to any

=== ipfw queue show

00010: 368.000 Kbit/s    0 ms  36 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00011: 736.000 Kbit/s    0 ms  73 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00012:   1.472 Mbit/s    0 ms  147 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00020:  64.000 Kbit/s    0 ms  6144 B 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00021: 128.000 Kbit/s    0 ms  12 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
00022: 256.000 Kbit/s    0 ms  25 KB 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

=== end
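As an added illustration that is not part of the post, here is a small model of how ipf walks the inbound ruleset shown under `ipfstat -i`. It reproduces ipf's ordering semantics (rules are scanned top to bottom; a matching `quick` rule ends the scan, otherwise the last matching rule decides) and, as a labelled simplification, matches only direction, interface, protocol, source network and destination port. The state table ipf consults before the rules, ipnat, the `flags S/FSRPAU` checks and the ipfw queues that also sit in this packet path are deliberately left out, and the test packets (203.0.113.0/24 addresses) are constructed for the example.

```python
"""Model of ipf rule evaluation applied to the inbound ruleset from the post.

Added illustration, not code from the post or from IPFilter.  Simplifications
(assumptions): only direction, interface, protocol, source network and
destination port are matched; the state table, ipnat, TCP flags and the
ipfw queues are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    quick: bool
    iface: Optional[str] = None      # None: any interface
    proto: Optional[str] = None      # None: any protocol
    src: Optional[str] = None        # CIDR source; None: any
    dports: Optional[Tuple[int, int]] = None  # inclusive range; None: any
    text: str = ""                   # rule as written, for reporting


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dport: int = 0


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dports is not None and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rule that decides pkt's fate: first matching 'quick' rule, else the
    last matching non-quick rule; None if nothing matched."""
    decision = None
    for rule in rules:
        if matches(rule, pkt):
            decision = rule
            if rule.quick:
                break
    return decision


def tun0_tcp(lo: int, hi: int, text: str) -> Rule:
    return Rule("pass", "in", True, iface="tun0", proto="tcp", dports=(lo, hi), text=text)


BOGONS = ["0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
          "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4"]

# The 'ipfstat -i' listing from the post, in its original order.
INBOUND: List[Rule] = (
    [Rule("block", "in", True, iface="tun0", src=net,
          text=f"block in quick on tun0 from {net} to any") for net in BOGONS]
    + [Rule("pass", "in", True, iface=ifn, text=f"pass in quick on {ifn} from any to any")
       for ifn in ("lo0", "rl0", "dc0")]
    + [tun0_tcp(80, 80, "pass in quick on tun0 proto tcp ... port = 80"),
       tun0_tcp(113, 113, "pass in quick on tun0 proto tcp ... port = 113"),
       tun0_tcp(433, 433, "pass in quick on tun0 proto tcp ... port = 433"),
       # ipf's '><' is an exclusive range: 6881 >< 6999 covers 6882..6998
       tun0_tcp(6882, 6998, "pass in quick on tun0 proto tcp ... port 6881 >< 6999"),
       tun0_tcp(11512, 11512, "pass in quick on tun0 proto tcp ... port = 11512"),
       tun0_tcp(32001, 32099, "pass in quick on tun0 proto tcp ... port 32000 >< 32100"),
       Rule("block", "in", True, text="block in quick from any to any")]
)


def decide(pkt: Packet) -> str:
    """Action the rule scan takes for pkt: 'pass', 'block' or 'no match'."""
    rule = evaluate(INBOUND, pkt)
    return rule.action if rule else "no match"


# Constructed sample packets; 203.0.113.0/24 is documentation space, not from the post.
SAMPLES = {
    "icmp echo in on tun0": Packet("in", "tun0", "icmp", "203.0.113.5"),
    "tcp to port 80 in on tun0": Packet("in", "tun0", "tcp", "203.0.113.5", 80),
    "tcp to port 6881 in on tun0": Packet("in", "tun0", "tcp", "203.0.113.5", 6881),
    "icmp in on rl0 from dmz": Packet("in", "rl0", "icmp", "10.0.0.7"),
    "tcp from rfc1918 src in on tun0": Packet("in", "tun0", "tcp", "192.168.5.5", 80),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        rule = evaluate(INBOUND, pkt)
        print(f"{label:34s} -> {rule.action:5s} by: {rule.text}")
```

Running it shows two things worth knowing when reading this ruleset: unsolicited ICMP arriving on tun0 reaches the final `block in quick from any to any`, because the inbound set has no ICMP pass rule for tun0 and only a state entry created by the outbound `pass out quick on tun0 proto icmp ... keep state` would let a reply through; and `port 6881 >< 6999` does not match port 6881 itself, since ipf's `><` is an exclusive range. The model does not say which rule dropped the packets in the post; on the live system `ipfstat -hnio` lists the rules with numbers and hit counts, which is the quickest way to see which rule a dropped packet actually hit.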