

Topics - tuaris

1
VPN / Firewall Rules for PPTP VPN clients
« on: October 19, 2019, 10:06:19 AM »
I already have the default rule in place to allow PPTP clients to access hosts on the remote network (LAN).  No issue when a PPTP VPN client makes an outbound connection to a host on the LAN.
The hosts on the LAN are unable to make outbound connections to (or ping) any of the VPN clients.  Additionally, VPN clients are unable to communicate with each other.
What additional firewall rules do I need to add?

This is what my LAN rules currently are:


2
Firewall/NAT / NAT Port Forwarding Ranges Not Working Correctly
« on: August 01, 2019, 08:05:02 AM »
Looks like (at least on build 156) when setting up a Firewall: NAT forwarding rule using a range of ports, only the first port is used as the destination. 

For example I want to create a new rule to forward ports 5269 to 5271 to the internal client 192.168.0.2

- In the "External port range" field I put in 5269 in the first box and 5271 in the second.
- In the "NAT IP" field I put 192.168.0.2
- In the "Local port" field I enter 5269.
- I click save and the corresponding Firewall rules to allow the traffic on this port range are created correctly.

The expected result is that the end port will be calculated automatically so any traffic going to port 5270 will be redirected to 192.168.0.2:5270.
The actual result is traffic destined for port 5270 is being redirected to 192.168.0.2:5269

This can be demonstrated with netcat

On: 192.168.0.2 start up two netcat processes
```
# nc -l 5270
```
```
# nc -l 5269
```

On an external client make the connection (X.X.X.X is the public IP of the t1n1wall):
```
nc X.X.X.X 5270
```

In the t1n1wall log, note the destination port
```
Aug  1 02:57:32 <local0.info> stargate pfmon[86]: 02:57:31.881624 em0 @50 pass X.X.X.X,13376 -> 192.168.0.2,5269 PR tcp len 20 40 -S in match
```

On the external client, send some data
```
nc X.X.X.X 5270
Test
```

The data is received on the netcat process listening on port 5269:
```
# nc -l 5270
```
```
# nc -l 5269
Test
```

3
This is with the 2.11.1b165 image for AMD64.  I've tried it with different SD cards, both were new.  It looks like this problem: https://sourceforge.net/p/t1n1wall/bugs/13/

```
cpu_reset: Stopping other CPUs
PCEngines apu2
coreboot build 20160307
-2064 MB DRAM

SeaBIOS (version ?-20160307_153453-michael-desktop64)
Found mainboard PC Engines PCEngines apu2
multiboot: eax=0, ebx=0
boot order:
1: /[email protected]/[email protected]/usb-*@1
2: /[email protected]/[email protected]/usb-*@2
3: /[email protected]/[email protected]/usb-*@3
4: /[email protected]/[email protected]/usb-*@4
5: /[email protected]/*@14,7
6: /[email protected]/*@11/[email protected]/[email protected]
7: /[email protected]/*@11/[email protected]/[email protected]
8: /[email protected]/pxe.rom
9: pxen0
10: scon1
11:
Found 19 PCI devices (max PCI bus is 02)
Copying SMBIOS entry point from 0x77fb7000 to 0x000f3110
Copying ACPI RSDP from 0x77fb8000 to 0x000f30e0
Copying MPTABLE from 0x77fdc000/77fdc010 to 0x000f2f30
Copying PIR from 0x77fdd000 to 0x000f2f00
Using pmtimer, ioport 0x818
Scan for VGA option rom
Running option rom at c000:0003

Google, Inc.
Serial Graphics Adapter 08/22/15
SGABIOS $Id: sgabios.S 8 2010-04-22 00:03:40Z nlaredo $ ([email protected]) Sat Aug 22 09:25:30 UTC 2015
Term: 80x24
IO4 0
Turning on vga text mode console
SeaBIOS (version ?-20160307_153453-michael-desktop64)
XHCI init on dev 00:10.0: regs @ 0xfeb22000, 4 ports, 32 slots, 32 byte contexts
XHCI    extcap 0x1 @ feb22500
XHCI    protocol USB  3.00, 2 ports (offset 1), def 0
XHCI    protocol USB  2.00, 2 ports (offset 3), def 10
XHCI    extcap 0xa @ feb22540
Found 2 serial ports
ATA controller 1 at 3010/3020/0 (irq 0 dev 88)
EHCI init on dev 00:13.0 (regs=0xfeb25420)
ATA controller 2 at 3018/3024/0 (irq 0 dev 88)
Searching bootorder for: /[email protected]/*@14,7
Searching bootorder for: /[email protected]/memtest
Searching bootorder for: /[email protected]/setup
Found sdcard at 0xfeb25500: SD card SL08G 7580MiB
XHCI no devices found
Initialized USB HUB (0 ports used)
All threads complete.
Scan for option roms
PCengines Press F10 key now for boot menu:
Select boot device:

1. SD card SL08G 7580MiB
2. Payload [memtest]
3. Payload [setup]

Searching bootorder for: HALT
drive 0x000f2e90: PCHS=0/0/0 translation=lba LCHS=966/255/63 s=15523840
Space available for UMB: c1000-ef000, f0000-f2e90
Returned 262144 bytes of ZoneHigh
e820 map has 6 items:
  0: 0000000000000000 - 000000000009f800 = 1 RAM
  1: 000000000009f800 - 00000000000a0000 = 2 RESERVED
  2: 00000000000f0000 - 0000000000100000 = 2 RESERVED
  3: 0000000000100000 - 0000000077fae000 = 1 RAM
  4: 0000000077fae000 - 0000000078000000 = 2 RESERVED
  5: 00000000f8000000 - 00000000fc000000 = 2 RESERVED
enter handle_19:
  NULL
Booting from Hard Disk...
Booting from 0000:7c00
/kernel text=0xb779a8 data=0xe6090+0x310568 -
/mfsroot size=0x1c12000
Copyright (c) 1992-2018 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 11.2-RELEASE-p11 #349641: Tue Jul 16 22:56:32 IST 2019
```

-snip-

```
md0: Preloaded image </mfsroot> 29433856 bytes at 0xffffffff8136dfa0
usbus0: 480Mbps High Speed USB v2.0
ugen0.1: <AMD EHCI root HUB> at usbus0
uhub0: <AMD EHCI root HUB, class 9/0, rev 2.00/1.00, addr 1> on usbus0
g_access(944): provider md0a has error 6 set
g_access(944): provider md0a has error 6 set
g_access(944): provider md0a has error 6 set
uhub0: 2 ports with 2 removable, self powered
ugen0.2: <vendor 0x0438 product 0x7900> at usbus0
uhub1 on uhub0
uhub1: <vendor 0x0438 product 0x7900, class 9/0, rev 2.00/0.18, addr 2> on usbus0
uhub1: 4 ports with 4 removable, self powered
SMP: AP CPU #1 Launched!
SMP: AP CPU #3 Launched!
SMP: AP CPU #2 Launched!
Timecounter "TSC" frequency 998149877 Hz quality 1000
Trying to mount root from ufs:/dev/md0 []...
random: unblocking device.
kern.coredump: 1 -> 0
net.enc.in.ipsec_filter_mask: 1 -> 2
Configuration device not found; trying again in 5 seconds (2 attempt(s) left)...
Configuration device not found; trying again in 5 seconds (1 attempt(s) left)...


****************************Waiting (max 60 seconds) for system process `vnlru' to stop... done
Waiting (max 60 seconds) for system process `bufdaemon' to stop... done
Wai
Syncing disksting (max 60 se, vnodes remainconds) for system process `syncer' toing... 0  stop... 0 done
All buffers synced.
Uptime: 34s
uhub1: detached

The operating system has halted.
Please press any key to reboot.
```

4
General Questions / Setting up for Local Development
« on: June 08, 2019, 07:45:50 PM »
Is there documentation on how to set up your local environment for development?  I've recently become more interested in t1n1wall after having tried OPNSense for a year after migrating from m0n0wall.

I'd like to try to see if I can upgrade the PHP version to 7.3 and maybe integrate two missing pieces that would make this an ideal firewall appliance.  Those two pieces being the DHCP service patch I submitted and https://www.freshports.org/net/miniupnpd/.

5
VPN / PPTP VPN Not Accepting Connections and L2TP Breaks Site-to-Site
« on: June 06, 2019, 07:45:13 PM »
I'm migrating from M0n0wall, I manually rebuilt my config page by page to sort of start "fresh".  PPTP was working fine in m0n0wall.

For t1n1wall, enabling the PPTP VPN appears to work according to the logs:

```
Jun  6 14:38:17 <daemon.info> stargate mpd: Multi-link PPP daemon for FreeBSD
Jun  6 14:38:17 <daemon.info> stargate mpd:
Jun  6 14:38:17 <daemon.info> stargate mpd: process 1605 started, version 5.8 ([email protected] 00:31 10-Sep-2018)
Jun  6 14:38:17 <daemon.info> stargate mpd: PPTP: waiting for connection on 0.0.0.0 1723
```

But attempting to connect from a client just times out.  Nothing is logged on the t1n1wall side.

So then I attempt L2TP/IPsec (since you have that option).  It works, very nicely except that when it's enabled, my site-to-site IPSec tunnels break with:

```
ERROR: phase2 negotiation failed due to time up waiting for phase1
INFO: request for establishing IPsec-SA was queued due to no phase1 found
```

Turning off L2TP re-enabled my site-to-site tunnels.

6
I've been a long-time m0n0wall user and have tried the 'modern' alternative 'sense's.  They have their use and place (one more than the other ;D).

I do miss the leanness and simplicity offered by m0n0wall and think both t1n1wall and smallwall are good continuations.  However, you would do better to combine your efforts and have a single project.  I would be glad to sponsor some development of features I'd like to see (while keeping it lightweight).

Really the only additions I'm looking for are to bring over some additional configuration fields/options for the DHCP server for reservations, and to have the phase 2 components of IPsec separated out from the phase 1 so that a phase 1 can have multiple phase 2s.
