# PF + MPD5 + IPSEC - something is broken



## ilemur (Oct 31, 2013)

FreeBSD 9.2-RELEASE + ipsec-tools-0.8.0_3 + mpd-5.7.

Somehow I have configured them to work, with some patches applied to the kernel that were posted somewhere around here in the how-to section for the broken nat_t. I can connect from the outside with Windows 7 and Android clients. All the local resources are accessible without a hitch. But I can't access the internet from those devices, and I want the server to act as an anonymizing host for me, securing communications.
So currently I have three versions:

1. The patches applied to the kernel have screwed something up and I should redownload the sources.
2. MPD5 and PF don't work together (somewhere I've seen information on this but..) and I should switch to IPFW.
3. It's just the configurations which are screwed up.

I would really appreciate help from your side, guys.

pf.conf

```
#################################     NETWORKS
ext_if="dc0"
int_if="msk0"
vpn_if="{ ng0, ng1 }"
nora="172.16.5.0/24"
icmp_types="{echoreq, unreach}"
# addresses mpd5 hands out to VPN clients
table <vpn> {  172.16.5.200, 172.16.5.201, 172.16.5.202 }
#################################     BASE
set block-policy drop
set loginterface $ext_if
#################################     NORMALIZATION
scrub in all
#################################     QUEUE
altq on $ext_if hfsc bandwidth 50Mb queue { ack, std, tor, srv, lan }
queue ack          bandwidth 25% priority 8 qlimit 500 hfsc (realtime 20%)
queue lan          bandwidth 25% priority 7 qlimit 500 hfsc (realtime 20%)
queue std          bandwidth 25% priority 6 qlimit 500 hfsc (realtime 20% default)
queue srv          bandwidth 14% priority 5 qlimit 500 hfsc (upperlimit 98%)
queue tor          bandwidth 11% priority 1 qlimit 500 hfsc (upperlimit 90%)
#################################     NAT
# everything not sourced by the box itself (LAN and VPN clients) is masqueraded behind the external address
nat on $ext_if from !self to any -> ($ext_if)
#################################     DEFAULT BLOCK
block log all
################################     FILTERING
set skip on lo0
# Traffic from gateway
pass out on $ext_if from ($ext_if) to any flags S/SA modulate state queue (std,ack)
# Traffic from LAN to INET
pass out quick on $ext_if from $nora to any queue (lan,ack)
# Traffic from VPN client addresses (see table <vpn>)
pass from <vpn> to any
#################################     PPTP
pass in on $ext_if inet proto { tcp udp } from any to (self) port {500 1701 1723 4500}
pass in on $ext_if inet proto esp
pass in on $ext_if inet proto gre
##################################     Transmission
pass out quick on $ext_if proto { tcp udp } all user transmission queue tor
#################################     Server ports { Web 80 SSL 443 ProxyTUN 563 icecast 8000}
# the posted file assigned this rule to a queue "web", which is not defined above; "srv" is the server queue
pass in on $ext_if proto tcp from any to ($ext_if) port { 80 443 563 8000 8001 } synproxy state queue (srv,ack)
#################################     ICMP
pass log inet proto icmp all icmp-type $icmp_types
#################################     ALLOW LOCAL TRAFFIC
pass quick on $int_if all
pass quick on $vpn_if all
```

rc.conf, just in case, has the following

```
gateway_enable="YES"
ip6addrctl_enable="NO"
ipv6_activate_all_interfaces="NO"
ipv6_gateway_enable="NO"
ifconfig_dc0="SYNCDHCP"
ifconfig_msk0="inet 172.16.5.3 netmask 255.255.255.0"

#       FIREWALL
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pfsync_enable="NO"
pfsync_syncdev=""
pfsync_ifconfig=""

#       IPSEC
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
```

and

`sysctl -a | grep forward`

```
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0
net.wlan.hwmp.replyforward: 1
```

Routing table on Windows 7 client

```
          0.0.0.0          0.0.0.0      10.4.25.254      10.4.25.200   4250
          0.0.0.0          0.0.0.0         On-link      172.16.5.200     26
     1.118.95.70  255.255.255.255      10.4.25.254      10.4.25.200   4251
        10.4.25.0    255.255.255.0         On-link       10.4.25.200   4506
      10.4.25.200  255.255.255.255         On-link       10.4.25.200   4506
      10.4.25.255  255.255.255.255         On-link       10.4.25.200   4506
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
     172.16.5.200  255.255.255.255         On-link      172.16.5.200    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link       10.4.25.200   4507
        224.0.0.0        240.0.0.0         On-link      172.16.5.200     26
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link       10.4.25.200   4506
  255.255.255.255  255.255.255.255         On-link      172.16.5.200    281
```

`tcpdump -i ng0` shows lots of packets coming into the server but none replied to.
`pfctl -ss` shows a lot of connections, but the ones from the VPN client are all in the state TIME_WAIT:TIME_WAIT:


```
all tcp $ext_if:52659 (172.16.5.200:53958) -> 137.55.50.130:33033       TIME_WAIT:TIME_WAIT
all tcp $ext_if:53096 (172.16.5.200:53959) -> WIN7IP     TIME_WAIT:TIME_WAIT
```

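As originally posted, the web-server rule in the pf.conf above assigns traffic to a queue named `web` that no `queue` line defines, and pfctl rejects a rule that names an undefined queue, so a ruleset like that is worth checking before suspecting nat_t. The following checker is an added example, not code from the thread or from pf: it reports every `$macro` and queue that a rule references without a matching definition, run here on a constructed excerpt of the posted config.

```python
import re

# Constructed excerpt of the pf.conf posted above (not the full file), with the
# rule that references queue "web", which no "queue" line in that file defines.
SAMPLE_PF_CONF = """\
ext_if="dc0"
vpn_if="{ ng0, ng1 }"
nora="172.16.5.0/24"
altq on $ext_if hfsc bandwidth 50Mb queue { ack, std, srv, lan }
queue ack bandwidth 25% priority 8 qlimit 500 hfsc (realtime 20%)
queue lan bandwidth 25% priority 7 qlimit 500 hfsc (realtime 20%)
queue std bandwidth 25% priority 6 qlimit 500 hfsc (realtime 20% default)
queue srv bandwidth 25% priority 5 qlimit 500 hfsc (upperlimit 98%)
pass out on $ext_if from ($ext_if) to any modulate state queue (std,ack)
pass out quick on $ext_if from $nora to any queue (lan,ack)
pass in on $ext_if proto tcp to ($ext_if) port { 80 443 } synproxy state queue (web,ack)
pass quick on $vpn_if all
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"')       # name="value"
QUEUE_DEF = re.compile(r'^\s*queue\s+(\w+)')                # queue <name> ...
ALTQ_CHILDREN = re.compile(r'^\s*altq\s+on\s.*\bqueue\s*\{([^}]*)\}')
RULE_QUEUE = re.compile(r'\bqueue\s*(?:\(([^)]*)\)|(\w+))\s*$')  # trailing queue x / queue (x,y)
MACRO_REF = re.compile(r'\$(\w+)')

def lint_pf_conf(text):
    """Return [(line_no, kind, name)] for each $macro or queue that a rule
    references but nothing in the file defines; kind is 'macro' or 'queue'."""
    macros, queues, refs = set(), set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()              # drop comments
        if not line:
            continue
        refs += [(no, "macro", n) for n in MACRO_REF.findall(line)]
        m = MACRO_DEF.match(line)
        if m:
            macros.add(m.group(1))
        m = QUEUE_DEF.match(line)
        if m:                                             # definition, not a reference
            queues.add(m.group(1))
            continue
        m = ALTQ_CHILDREN.match(line) or RULE_QUEUE.search(line)
        names = m.group(m.lastindex) if m else ""
        refs += [(no, "queue", n) for n in re.split(r"[\s,]+", names.strip()) if n]
    return [(no, kind, name) for no, kind, name in refs
            if name not in (macros if kind == "macro" else queues)]

if __name__ == "__main__":
    for no, kind, name in lint_pf_conf(SAMPLE_PF_CONF):
        print(f"line {no}: {kind} '{name}' is referenced but never defined")
```

On the excerpt it reports only the `web` queue on the web-server rule; feed it `/etc/pf.conf` to check a full ruleset the same way.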

----------



## ilemur (Nov 1, 2013)

As a quick update: I configured a PPTP server in mpd5, and everything is working as it should.

I have applied the patches from this site to ipsec and the kernel nat_t.
Without setting `sysctl net.inet.esp.esp_ignore_natt_cksum: 0 -> 1`
I am not able to connect via L2TP at all.
So there is something broken in nat_t completely.


----------



## Anonymous (Nov 1, 2013)

ilemur said:

> ...
> So there is something broken in nat_t completely.



"completely" sounds exaggerated to me. Sure, the NATT in FreeBSD has some problems, but without patching anything, any OS other than Windows can connect without a hitch over NATT.

It is known that the built-in L2TP/IPsec client of Windows has problems with all sorts of L2TP/IPsec servers, even with Windows 2008 servers behind NAT. For this reason, some people suggest using third-party clients when it comes to Windows.

That said, the patches and the canonical procedure for applying them to the FreeBSD kernel that I showed in the last message of my HOWTO definitely resolve the problems for Windows as well. And, yes, in my setup I can connect several Windows clients to the internet by way of my L2TP/IPsec VPN dial-in server.

The main difference that I can see between your setup and mine is the firewall: I use ipfw. I do not know anything about pf, and I cannot be of any help with that.


----------



## spag (Jan 24, 2014)

I have a quite similar problem after upgrading from FreeBSD 9.1 to 10.0. ng0 shows that packets go in one direction only. ICMP works fine. PF is not reporting any blockage. It looks like ng0 / nat_t is broken, but it could be some additional config that we are missing.


----------

