
Topics - tuaris

Feature Requests / Multiple Phase 2 Entries for IPSec Tunnels
« on: March 22, 2021, 06:51:54 PM »
In case the title isn't self-explanatory, this allows you to use IPsec with multiple subnets.  The diagram below explains this.

Without another phase 2 entry, hosts and are unable to communicate with each other, unless there was a way to tell t1n1wall to route traffic from to over the existing IPSec tunnel (which there isn't, and static routes don't work).

Additionally, some have suggested creating a 3rd IPSec tunnel using the same keys and endpoints, but with different subnets.  That doesn't work either; it results in only one of the two tunnels working.

The correct solution is to create a second phase 2 entry for the existing IPSec tunnel.

Feature Requests / Support creating generic tunnel interface (GIF)
« on: January 17, 2021, 02:26:45 PM »
This is a feature request to support creating a generic tunnel interface:

A use case example is with https://tunnelbroker.net.  The tunnel would be created as follows on a FreeBSD system

Code:
# create the gif(4) interface
ifconfig gif0 create
# outer (IPv4) tunnel endpoints: the firewall's WAN address and the remote tunnel server
ifconfig gif0 tunnel $IPv4_address_of_Firewall $IPv4_address_of_remote_tunnel_server
# inner (IPv6) addresses assigned by the tunnel broker
ifconfig gif0 inet6 $assigned_IPV6_client_address $assigned_IPV6_endpoint_address prefixlen $given_prefixlen
# send all IPv6 traffic through the tunnel
route -n add -inet6 default $assigned_IPV6_endpoint_address
ifconfig gif0 up

The GUI/form to create this interface would probably be a new tab under Interfaces with a page name like interfaces_gif.php.  The form would prompt for the variables above:

Code:
$IPv4_address_of_Firewall = get_ip_of_wan_inet();
$IPv4_address_of_remote_tunnel_server = "x.x.x.x";
$assigned_IPV6_client_address = "x:x:x:x::x";
$assigned_IPV6_endpoint_address = "x:x:x:x::x";
$given_prefixlen = 128;

Afterwards a new interface should be present on the firewall, and the firewall has IPv6 connectivity.  The part I'm unsure how to do (since I haven't experimented with dual stack yet) is how to configure the firewall to use dual stack to 1) provide clients with IPv6 addresses, and 2) route IPv6 client packets over the GRE tunnel.
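As an added example (not code from the post or from t1n1wall), the POSIX shell function below renders the persistent rc.conf(5) form of the tunnel the post sets up by hand with ifconfig/route, after validating the inputs; the variable names mirror the post's placeholders and the address values are constructed documentation-prefix samples.

```shell
#!/bin/sh
# Added example: render rc.conf lines for a gif(4) tunnel to an IPv6 tunnel
# broker, with basic input validation. Not part of the forum post.

is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

is_ipv6() {
    # loose check: only hex digits and colons, and at least one colon
    case $1 in
        *:*) printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f:]+$' ;;
        *) return 1 ;;
    esac
}

# gif_rc_conf LOCAL_IPV4 REMOTE_IPV4 CLIENT_IPV6 ENDPOINT_IPV6 PREFIXLEN
# Prints the rc.conf fragment on success; prints a reason to stderr and
# returns 1 when an input is malformed.
gif_rc_conf() {
    IPv4_address_of_Firewall=$1
    IPv4_address_of_remote_tunnel_server=$2
    assigned_IPV6_client_address=$3
    assigned_IPV6_endpoint_address=$4
    given_prefixlen=$5
    is_ipv4 "$IPv4_address_of_Firewall" || { echo "bad local IPv4: $1" >&2; return 1; }
    is_ipv4 "$IPv4_address_of_remote_tunnel_server" || { echo "bad remote IPv4: $2" >&2; return 1; }
    is_ipv6 "$assigned_IPV6_client_address" || { echo "bad client IPv6: $3" >&2; return 1; }
    is_ipv6 "$assigned_IPV6_endpoint_address" || { echo "bad endpoint IPv6: $4" >&2; return 1; }
    case $given_prefixlen in
        ''|*[!0-9]*) echo "bad prefixlen: $5" >&2; return 1 ;;
    esac
    [ "$given_prefixlen" -ge 1 ] && [ "$given_prefixlen" -le 128 ] || { echo "prefixlen out of range: $5" >&2; return 1; }
    # same four steps as the ifconfig/route sequence, in rc.conf(5) form
    cat <<EOF
gif_interfaces="gif0"
gifconfig_gif0="$IPv4_address_of_Firewall $IPv4_address_of_remote_tunnel_server"
ifconfig_gif0_ipv6="inet6 $assigned_IPV6_client_address $assigned_IPV6_endpoint_address prefixlen $given_prefixlen"
ipv6_defaultrouter="$assigned_IPV6_endpoint_address"
EOF
}

# constructed sample values (documentation prefixes, not a real tunnel)
gif_rc_conf 192.0.2.5 203.0.113.1 2001:db8:1::2 2001:db8:1::1 128
```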

VPN / Firewall Rules for PPTP VPN clients
« on: October 19, 2019, 10:06:19 AM »
I already have the default rule in place to allow PPTP clients to access hosts on the remote network (LAN).  No issue when a PPTP VPN client makes an outbound connection to a host on the LAN.

The hosts on the LAN are unable to make outbound connections to (or ping) any of the VPN clients.  Additionally, VPN clients are unable to communicate with each other.
What additional firewall rules do I need to add?

This is what my LAN rules currently are:

Firewall/NAT / NAT Port Forwarding Ranges Not Working Correctly
« on: August 01, 2019, 08:05:02 AM »
Looks like (at least on build 156) when setting up a Firewall: NAT forwarding rule using a range of ports, only the first port is used as the destination. 

For example, I want to create a new rule to forward ports 5269 to 5271 to the internal client

- In the "External port range" field I put in 5269 in the first box and 5271 in the second.
- In the "NAT IP" field I put
- In the "Local port" field I enter 5269.
- I click save and the corresponding Firewall rules to allow the traffic on this port range are created correctly.

The expected result is that the end port will be calculated automatically so any traffic going to port 5270 will be redirected to
The actual result is that traffic destined for port 5270 is being redirected to

This can be demonstrated with netcat:

On: start up two netcat processes
Code:
# nc -l 5270
# nc -l 5269

On an external client make the connection (X.X.X.X is the public IP of the t1n1wall):
Code:
nc X.X.X.X 5270

In the t1n1wall log, note the destination port:
Code:
Aug  1 02:57:32 <local0.info> stargate pfmon[86]: 02:57:31.881624 em0 @50 pass X.X.X.X,13376 ->,5269 PR tcp len 20 40 -S in match

On the external client, send some data
Code:
nc X.X.X.X 5270

The data is received on the netcat process listening on port 5269:
Code:
# nc -l 5270
# nc -l 5269
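As an added example (not from the post), a small POSIX shell check that computes the local port a range forward should map to and compares it with the destination port in an ipmon-style log line like the one quoted above; the sample log line and its IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: verify that a NAT port-range forward translated an inbound
# port to the expected local port. Not part of the forum post.

# expected_local_port EXT_START LOCAL_START DPORT
# The local port should be offset from LOCAL_START by the same amount DPORT
# is offset from EXT_START (the behaviour the post expects from the range).
expected_local_port() {
    echo $(( $3 - $1 + $2 ))
}

# logged_dest_port LOGLINE
# Extracts the translated destination port from a line of the form
#   "... pass A.B.C.D,13376 -> E.F.G.H,5269 PR tcp ..."
logged_dest_port() {
    printf '%s\n' "$1" | sed -n 's/.*-> *[^,]*,\([0-9][0-9]*\) PR .*/\1/p'
}

# check_nat_mapping EXT_START EXT_END LOCAL_START DPORT LOGLINE
# Prints "ok ..." and returns 0 when the log shows the expected port;
# prints the discrepancy and returns 1 otherwise (also for an out-of-range DPORT).
check_nat_mapping() {
    ext_start=$1; ext_end=$2; local_start=$3; dport=$4; line=$5
    if [ "$dport" -lt "$ext_start" ] || [ "$dport" -gt "$ext_end" ]; then
        echo "port $dport is outside the forwarded range $ext_start-$ext_end"
        return 1
    fi
    want=$(expected_local_port "$ext_start" "$local_start" "$dport")
    got=$(logged_dest_port "$line")
    if [ "$got" = "$want" ]; then
        echo "ok: external $dport -> local $got"
        return 0
    fi
    echo "MISMATCH: external $dport -> local ${got:-?} (expected $want)"
    return 1
}

# Constructed sample line in the shape the post quotes (IPs are placeholders):
# a connection to external port 5270 that the firewall sent to local port 5269.
SAMPLE_LOG='Aug  1 02:57:32 <local0.info> stargate pfmon[86]: 02:57:31.881624 em0 @50 pass 198.51.100.7,13376 -> 192.0.2.10,5269 PR tcp len 20 40 -S in match'

check_nat_mapping 5269 5271 5269 5270 "$SAMPLE_LOG" || echo "(this is the behaviour the post reports)"
```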

This is with the 2.11.1b165 image for AMD64.  I've tried it with different SD cards, both were new.  It looks like this problem: https://sourceforge.net/p/t1n1wall/bugs/13/

Code:
cpu_reset: Stopping other CPUs
PCEngines apu2
coreboot build 20160307
-2064 MB DRAM

SeaBIOS (version ?-20160307_153453-michael-desktop64)
Found mainboard PC Engines PCEngines apu2
multiboot: eax=0, ebx=0
boot order:
1: /[email protected]/[email protected]/usb-*@1
2: /[email protected]/[email protected]/usb-*@2
3: /[email protected]/[email protected]/usb-*@3
4: /[email protected]/[email protected]/usb-*@4
5: /[email protected]/*@14,7
6: /[email protected]/*@11/[email protected]/[email protected]
7: /[email protected]/*@11/[email protected]/[email protected]
8: /[email protected]/pxe.rom
9: pxen0
10: scon1
Found 19 PCI devices (max PCI bus is 02)
Copying SMBIOS entry point from 0x77fb7000 to 0x000f3110
Copying ACPI RSDP from 0x77fb8000 to 0x000f30e0
Copying MPTABLE from 0x77fdc000/77fdc010 to 0x000f2f30
Copying PIR from 0x77fdd000 to 0x000f2f00
Using pmtimer, ioport 0x818
Scan for VGA option rom
Running option rom at c000:0003

Google, Inc.
Serial Graphics Adapter 08/22/15
SGABIOS $Id: sgabios.S 8 2010-04-22 00:03:40Z nlaredo $ ([email protected]) Sat Aug 22 09:25:30 UTC 2015
Term: 80x24
IO4 0
Turning on vga text mode console
SeaBIOS (version ?-20160307_153453-michael-desktop64)
XHCI init on dev 00:10.0: regs @ 0xfeb22000, 4 ports, 32 slots, 32 byte contexts
XHCI    extcap 0x1 @ feb22500
XHCI    protocol USB  3.00, 2 ports (offset 1), def 0
XHCI    protocol USB  2.00, 2 ports (offset 3), def 10
XHCI    extcap 0xa @ feb22540
Found 2 serial ports
ATA controller 1 at 3010/3020/0 (irq 0 dev 88)
EHCI init on dev 00:13.0 (regs=0xfeb25420)
ATA controller 2 at 3018/3024/0 (irq 0 dev 88)
Searching bootorder for: /[email protected]/*@14,7
Searching bootorder for: /[email protected]/memtest
Searching bootorder for: /[email protected]/setup
Found sdcard at 0xfeb25500: SD card SL08G 7580MiB
XHCI no devices found
Initialized USB HUB (0 ports used)
All threads complete.
Scan for option roms
PCengines Press F10 key now for boot menu:
Select boot device:

1. SD card SL08G 7580MiB
2. Payload [memtest]
3. Payload [setup]

Searching bootorder for: HALT
drive 0x000f2e90: PCHS=0/0/0 translation=lba LCHS=966/255/63 s=15523840
Space available for UMB: c1000-ef000, f0000-f2e90
Returned 262144 bytes of ZoneHigh
e820 map has 6 items:
  0: 0000000000000000 - 000000000009f800 = 1 RAM
  1: 000000000009f800 - 00000000000a0000 = 2 RESERVED
  2: 00000000000f0000 - 0000000000100000 = 2 RESERVED
  3: 0000000000100000 - 0000000077fae000 = 1 RAM
  4: 0000000077fae000 - 0000000078000000 = 2 RESERVED
  5: 00000000f8000000 - 00000000fc000000 = 2 RESERVED
enter handle_19:
Booting from Hard Disk...
Booting from 0000:7c00
/kernel text=0xb779a8 data=0xe6090+0x310568 -
/mfsroot size=0x1c12000
Copyright (c) 1992-2018 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 11.2-RELEASE-p11 #349641: Tue Jul 16 22:56:32 IST 2019


Code:
md0: Preloaded image </mfsroot> 29433856 bytes at 0xffffffff8136dfa0
usbus0: 480Mbps High Speed USB v2.0
ugen0.1: <AMD EHCI root HUB> at usbus0
uhub0: <AMD EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus0
g_access(944): provider md0a has error 6 set
g_access(944): provider md0a has error 6 set
g_access(944): provider md0a has error 6 set
uhub0: 2 ports with 2 removable, self powered
ugen0.2: <vendor 0x0438 product 0x7900> at usbus0
uhub1 on uhub0
uhub1: <vendor 0x0438 product 0x7900, class 9/0, rev 2.00/0.18, addr 2> on usbus0
uhub1: 4 ports with 4 removable, self powered
SMP: AP CPU #1 Launched!
SMP: AP CPU #3 Launched!
SMP: AP CPU #2 Launched!
Timecounter "TSC" frequency 998149877 Hz quality 1000
Trying to mount root from ufs:/dev/md0 []...
random: unblocking device.
kern.coredump: 1 -> 0
net.enc.in.ipsec_filter_mask: 1 -> 2
Configuration device not found; trying again in 5 seconds (2 attempt(s) left)...
Configuration device not found; trying again in 5 seconds (1 attempt(s) left)...

****************************Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `bufdaemon' to stop... done
Syncing disksting (max 60 se, vnodes remainconds) for system process `syncer' toing... 0  stop... 0 done
All buffers synced.
Uptime: 34s
uhub1: detached

The operating system has halted.
Please press any key to reboot.

General Questions / Setting up for Local Development
« on: June 08, 2019, 07:45:50 PM »
Is there documentation on how to set up your local environment for development?  I've recently become more interested in t1n1wall after having tried OPNSense for a year after migrating from m0n0wall.

I'd like to try to see if I can upgrade the PHP version to 7.3 and maybe integrate two missing pieces that would make this an ideal firewall appliance.  Those two pieces being the DHCP service patch I submitted and https://www.freshports.org/net/miniupnpd/.

VPN / PPTP VPN Not Accepting Connections and L2TP Breaks Site-to-Site
« on: June 06, 2019, 07:45:13 PM »
I'm migrating from M0n0wall; I manually rebuilt my config page by page to sort of start "fresh".  PPTP was working fine in m0n0wall.

For t1n1wall, enabling the PPTP VPN appears to work according to the logs:

Code:
Jun  6 14:38:17 <daemon.info> stargate mpd: Multi-link PPP daemon for FreeBSD
Jun  6 14:38:17 <daemon.info> stargate mpd:
Jun  6 14:38:17 <daemon.info> stargate mpd: process 1605 started, version 5.8 ([email protected] 00:31 10-Sep-2018)
Jun  6 14:38:17 <daemon.info> stargate mpd: PPTP: waiting for connection on 1723

But attempting to connect from a client just times out.  Nothing is logged on the t1n1wall side.

So then I attempt L2TP/IPsec (since you have that option).  It works very nicely, except that when it's enabled, my site-to-site IPSec tunnels break with:

Code:
ERROR: phase2 negotiation failed due to time up waiting for phase1
INFO: request for establishing IPsec-SA was queued due to no phase1 found

Turning off L2TP re-enabled my site-to-site tunnels.

I've been a long time m0n0wall user and have tried the 'modern' alternative 'sense's.  They have their use and place, (one more than the other  ;D ). 

I do miss the leanness and simplicity offered by m0n0wall and think both t1n1wall and smallwall are good continuations.  However, you would do better to combine your efforts and have a single project.  I would be glad to sponsor some development of features I'd like to see (while keeping it lightweight).

Really, the only additions I'm looking for are to bring over some additional configuration fields/options for the DHCP server for reservations, and to have the phase 2 components of IPsec separated out from the phase 1 so that a phase 1 can have multiple phase 2's.
