# Getting in from outside my network



## Dave Quinn (Jan 18, 2016)

Quite new to this whole thing, but:

I have two FreeBSD machines running. The current production machine is reachable from anywhere; the new one isn't reachable from anywhere but within, and can reach out to the internet (but needs to be reachable from outside the network).

I'm sure I'm not providing enough information but by all means please let me know what else I need to provide.

The production (IP xx.yy.zz.220) is running:

- named
- sendmail

The new (IP xx.yy.zz.221) is running:

- named
- sendmail
- routed
- ppp

Thanks,

Dave

`ifconfig` on old:

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
  ether 00:22:64:16:39:aa
  inet xx.yy.zz.220 netmask 0xfffffff8 broadcast xx.yy.zz.223
  inet6 fe80::222:64ff:fe16:39aa%em0 prefixlen 64 scopeid 0x1
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
  media: Ethernet autoselect (1000baseT <full-duplex>)
  status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```

`ifconfig` on new:

```
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
hn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=31b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,TSO6>
  ether 00:15:5d:c7:d1:00
  inet xx.yy.zz.221 netmask 0xfffffff8 broadcast xx.yy.zz.223
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1448
  options=80000<LINKSTATE>
  inet 192.168.1.129 --> 192.168.1.1 netmask 0xffffff00
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  Opened by PID 673
```


----------



## SirDice (Jan 18, 2016)

Both machines appear to be connected directly to the internet (that's assuming xx.yy.zz.220 and xx.yy.zz.221 are the same subnet and your external internet addresses). So if you can access one but not the other I'd take a closer look at any firewalls that might be between these hosts and the internet.


----------



## Dave Quinn (Jan 19, 2016)

Thanks for responding so quickly. I am not aware of any firewalls on either machine.

I am seeing incoming traffic attempts on port 25 on the new machine, just no answers. Please also note that this one is configured to be connected to a VPN, where the other is not.


```
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
  options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
  inet6 ::1 prefixlen 128
  inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
  inet 127.0.0.1 netmask 0xff000000
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
hn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
  options=31b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,TSO6>
  ether 00:15:5d:c7:d1:00
  inet xx.yy.zz.221 netmask 0xfffffff8 broadcast xx.yy.zz.223
  nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1448
  options=80000<LINKSTATE>
  inet 192.168.1.129 --> 192.168.1.1 netmask 0xffffff00
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  Opened by PID 673


# tcpdump -q -i tun0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 65535 bytes
10:07:14.719868 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:15.726369 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:17.727191 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:20.730528 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:21.734250 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:24.743285 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:27.754465 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:29.758132 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:32.794821 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:35.803220 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
10:07:38.808698 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0
```


----------



## SirDice (Jan 19, 2016)

Those look like outgoing connections, not incoming. But perhaps the connections are _incoming_ on hn0 and due to your routing table the response is sent out via tun0.

In any case, are the Internet connections supposed to come in on the tunnel or on the physical interface?


----------



## Dave Quinn (Jan 19, 2016)

I thought it looked like outbound traffic after I posted it. My guess is that the problem is that it is coming in on the physical interface but going back out on the tunnel. Looks like that suspicion is true; is it something in my ppp settings (most are just copied from googled sources)?


```
# tcpdump -q -i hn0 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on hn0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:56:54.006842 IP www4.checktls.com.44879 > newmachine.mydomain.com.smtp: tcp 0
11:56:55.007763 IP www4.checktls.com.44879 > newmachine.mydomain.com.smtp: tcp 0
11:56:57.011945 IP www4.checktls.com.44879 > newmachine.mydomain.com.smtp: tcp 0
11:57:01.019700 IP www4.checktls.com.44879 > newmachine.mydomain.com.smtp: tcp 0
```

Here are my relevant ppp.conf settings:


```
ROUTER:
 set authname DaveQ
 set authkey *******
 set timeout 0
 set ifaddr 192.168.1.1/0 192.168.1.2/0 255.255.255.0
 add 0 0 HISADDR
 alias enable yes
 disable ipv6cp
```
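The two captures above show the same SMTP handshake from two sides: the client's SYNs arrive on hn0, the server's replies leave on tun0. The following script is an added example, not code from the thread; it parses `tcpdump -q` records like the ones posted (the sample lines are constructed from them, the host names are the thread's) and flags any remote host whose inbound and outbound packets were seen on different interfaces.

```python
import re
from collections import defaultdict

# Lines in the shape of the thread's `tcpdump -q ... port 25` output, keyed by
# the interface each capture was taken on (constructed from the posted output).
CAPTURES = {
    "tun0": [
        "10:07:14.719868 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0",
        "10:07:15.726369 IP newmachine.mydomain.com.smtp > www4.checktls.com.38364: tcp  0",
    ],
    "hn0": [
        "11:56:54.006842 IP www4.checktls.com.44879 > newmachine.mydomain.com.smtp: tcp 0",
        "11:56:55.007763 IP www4.checktls.com.44879 > newmachine.mydomain.com.smtp: tcp 0",
    ],
}

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ")  # timestamp IP src.port > dst.port:

def parse_line(line):
    """Split a tcpdump -q record into (src_host, src_port, dst_host, dst_port).
    tcpdump joins host and port with a dot, so the port is the last component;
    header lines ("listening on ...") do not match and yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = m.group(1).rsplit(".", 1)
    dst_host, dst_port = m.group(2).rsplit(".", 1)
    return src_host, src_port, dst_host, dst_port

def classify(local_host, captures):
    """For each (remote host, local port) pair, record the interfaces that carried
    packets towards local_host ("in") and away from it ("out"). The remote
    ephemeral port is ignored: the two captures are separate connections."""
    seen = defaultdict(lambda: {"in": set(), "out": set()})
    for ifname, lines in captures.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed is None:
                continue
            src_host, src_port, dst_host, dst_port = parsed
            if dst_host == local_host:
                seen[(src_host, dst_port)]["in"].add(ifname)
            elif src_host == local_host:
                seen[(dst_host, src_port)]["out"].add(ifname)
    return dict(seen)

def asymmetric_flows(local_host, captures):
    """Pairs whose inbound and outbound packets used different interfaces."""
    return sorted(key for key, d in classify(local_host, captures).items()
                  if d["in"] and d["out"] and d["in"] != d["out"])
```

Run against the thread's captures it reports `www4.checktls.com` on port `smtp` as asymmetric: in on hn0, out on tun0, which is exactly why the remote side never sees a SYN-ACK and keeps retransmitting.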


----------



## SirDice (Jan 19, 2016)

It really depends on what the VPN is supposed to do. At the moment it's routing all outgoing traffic through it. Maybe it's only for specific traffic?


----------



## Dave Quinn (Jan 19, 2016)

We were hoping to handle only SAMBA traffic through the VPN.


----------



## SirDice (Jan 20, 2016)

Do you have control over the server the VPN connects to? If you have, the easiest is to configure it not to send a default gateway but a specific route for that particular network. At the moment your VPN client receives a route that tells the client to route all traffic through the VPN.
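To make the routing point concrete, here is an added example (not from the thread) that models the forwarding table in the two situations: with `add 0 0 HISADDR` the tunnel holds the default route, so a reply to an SMTP client that arrived on hn0 leaves on tun0; with only the Samba network routed over the tunnel, the reply goes back out hn0. The addresses are constructed stand-ins for the masked xx.yy.zz values, and the Samba network is hypothetical.

```python
import ipaddress

# Constructed stand-ins for the thread's masked addresses (RFC 5737 ranges).
LOCAL_SUBNET = "203.0.113.216/29"   # hn0's /29, netmask 0xfffffff8
SMTP_CLIENT = "198.51.100.7"        # an external host, like www4.checktls.com
SAMBA_NET = "10.20.30.0/24"         # hypothetical network reached over the VPN

# What `add 0 0 HISADDR` in ppp.conf installs: a default route over tun0.
ROUTES_DEFAULT_VIA_VPN = [
    (LOCAL_SUBNET, "hn0"),
    ("0.0.0.0/0", "tun0"),
]

# Only the network that needs the VPN goes over tun0 (in ppp.conf that is an
# `add <network>/<prefix> HISADDR` line in place of `add 0 0 HISADDR`, see
# ppp(8)); the default route stays on the physical interface.
ROUTES_SPLIT = [
    (LOCAL_SUBNET, "hn0"),
    (SAMBA_NET, "tun0"),
    ("0.0.0.0/0", "hn0"),
]

def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs, the way the kernel
    forwarding table chooses; 0.0.0.0/0 matches everything with length 0."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None

def reply_is_asymmetric(routes, inbound_if, client):
    """True when the SYN-ACK to `client` would leave on a different interface
    than the one its SYN arrived on, which is the situation in the thread."""
    return lookup(routes, client) != inbound_if

def main():
    tables = (("add 0 0 HISADDR", ROUTES_DEFAULT_VIA_VPN), ("samba route only", ROUTES_SPLIT))
    for name, routes in tables:
        print(f"{name:18} reply to {SMTP_CLIENT} leaves on {lookup(routes, SMTP_CLIENT)}, "
              f"samba host 10.20.30.5 via {lookup(routes, '10.20.30.5')}")

if __name__ == "__main__":
    main()
```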


----------

