OK, first off, sorry if this is old ground or posted to the wrong list. I've come across something a bit odd and I'd like someone who actually knows what he's doing (not me) to shed some light on what's going on.

I'm trying to connect a Windows XP SP2 (yes, I know) box to a Win2k Server using PPTP across two firewalls, i.e.

Logical layout
[Win XP] ---- IP/1723 GRE(47) ----> [Firewall 1] ----- Internet ---- [Firewall 2]------> [Win2k PPTP endpoint]

Subnets:
|---IP 10.190/16 ----| [FW] |--- IP 11.11/16 ---| [FW] |--- IP 12.12/16---|

IPs:

XP - 10.190.70.70
FW1 - 10.190.70.66 & 11.11.0.1
FW2 - 11.11.0.2 & 12.12.0.1
Win2k - 12.12.0.2

Win2k Static NAT'd as 11.11.0.10 on FW2 for GRE and IP/1723

Now, for my first test, Firewall 1 was a Linux 2.6.10 (Ubuntu 5.04) box and Firewall 2 was 3.7-current from last month.

Rules on the Linux box are (generalised):

Local LAN -> ANY using IP 1723 / GRE - accept

NAT Local LAN using any ---> WAN Interface

Rules on the OpenBSD box:

Any -> Win2k Server using IP 1723 / GRE - accept

NAT Any -> Win2k NAT Address [11.11.0.10] using GRE ------ as ------ Any -> Win2k Internal Address [12.12.0.2] using GRE
NAT Any -> Win2k NAT Address [11.11.0.10] using PPTP ------ as ------ Any -> Win2k Internal Address [12.12.0.2] using PPTP
NAT Win2k -> Any using Any ---- as ----- Win2k NAT'd Address [11.11.0.10] -> Any using Any

OK, hope that makes sense.

In this configuration everything works!

PFLOG on the OBSD box shows PPTP and GRE passing in through NAT and out, etc.

PFLOG on FW2:

Aug 19 13:04:47.751613 rule 12/(match) pass in on ste0: 11.11.0.1.57976 > 12.12.0.2.1723: S 3537467063:3537467063(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:04:47.751671 rule 14/(match) pass out on ste1: 11.11.0.1.57976 > 12.12.0.2.1723: S 3537467063:3537467063(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:04:47.764918 rule 13/(match) pass in on ste0: call 33767 seq 0 gre-ppp-payload (gre encap)
Aug 19 13:04:47.764952 rule 15/(match) pass out on ste1: call 33767 seq 0 gre-ppp-payload (gre encap)

No further log entries are generated, and the VPN is up and running.

Now, if I change FW1 to OBSD 3.7-current (i.e. the same as FW2) and create the equivalent rule base, I get the following on FW2 (yes, 2, not 1):

Aug 19 13:10:03.780470 rule 12/(match) pass in on ste0: 11.11.0.1.56938 > 12.12.0.2.1723: S 2521589832:2521589832(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:10:03.780529 rule 14/(match) pass out on ste1: 11.11.0.1.56938 > 12.12.0.2.1723: S 2521589832:2521589832(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:10:03.793545 rule 13/(match) pass in on ste0: call 33767 seq 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.793579 rule 15/(match) pass out on ste1: call 33767 seq 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.795089 rule 16/(match) block in on ste1: call 16384 seq 0 ack 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.795142 rule 16/(match) block in on ste1: call 16384 seq 1 gre-ppp-payload (gre encap)
Aug 19 13:10:05.794048 rule 16/(match) block in on ste1: call 16384 seq 2 ack 1 gre-ppp-payload (gre encap)
Aug 19 13:10:05.797300 rule 16/(match) block in on ste1: call 16384 seq 3 gre-ppp-payload (gre encap)
Aug 19 13:10:06.575114 rule 16/(match) block in on ste1: call 16384 seq 4 ack 2 gre-ppp-payload (gre encap)

As you can see, the new OBSD FW1 is allowing the same traffic out as the Linux box did; however, for some reason FW2 no longer correctly tracks the state of the GRE service, instead seeing it as a new connection and dropping the packets.

Just to confirm, the PF rules on FW2 were not changed; simply changing FW1 breaks FW2.

Has anyone any clue why this is happening?

Many thanks in advance.

Simon


PF Rules from FW1:


set optimization Normal

scrub in all fragment reassemble no-df
scrub out all random-id max-mss 1460

nat on xl1 proto {tcp udp icmp} from 10.190.0.0/16 to any -> 11.11.0.1

table <id43060240.1> { 10.190.70.66 , 11.11.0.1 }
table <id43060369.1> { 10.190.70.66 , 11.11.0.1 , 127.0.0.1 }
table <id430603B8.2> { 11.11.0.2 , 11.11.0.10 , 12.12.0.1 }

pass out quick on xl0 inet from <id43060240.1> to any keep state label "RULE 0 -- ACCEPT "
block in log quick on xl1 inet from <id43060240.1> to any label "RULE 0 -- DROP "
block in log quick on xl1 inet from 10.190.0.0/16 to any label "RULE 0 -- DROP "
pass out log quick on xl1 inet from <id43060240.1> to any keep state label "RULE 1 -- ACCEPT "
pass in quick on lo inet from <id43060369.1> to any keep state label "RULE 0 -- ACCEPT "
pass out quick on lo inet from <id43060369.1> to any keep state label "RULE 0 -- ACCEPT "
pass in log quick inet proto tcp from 10.190.0.0/16 to <id43060240.1> port 22 flags S/SA keep state label "RULE 0 -- ACCEPT "
pass in log quick inet proto tcp from 10.190.0.0/16 to <id430603B8.2> port 22 flags S/SA keep state label "RULE 0 -- ACCEPT "
pass out log quick inet proto tcp from 10.190.0.0/16 to <id430603B8.2> port 22 flags S/SA keep state label "RULE 0 -- ACCEPT "
block in quick inet from any to <id43060240.1> label "RULE 1 -- DROP "
pass in log quick inet proto 47 from 10.190.0.0/16 to 11.11.0.10 keep state label "RULE 3 -- ACCEPT "
pass out log quick inet proto 47 from 10.190.0.0/16 to 11.11.0.10 keep state label "RULE 3 -- ACCEPT "
pass in log quick inet proto tcp from 10.190.0.0/16 to 11.11.0.10 port 1723 flags S/SA keep state label "RULE 4 -- ACCEPT "
pass out log quick inet proto tcp from 10.190.0.0/16 to 11.11.0.10 port 1723 flags S/SA keep state label "RULE 4 -- ACCEPT "
block in quick inet from any to any label "RULE 5 -- DROP "
block out quick inet from any to any label "RULE 5 -- DROP "

PF Rules from FW2:


set optimization Normal

scrub in all fragment reassemble no-df
scrub out all random-id max-mss 1460

rdr on ste0 proto 47 from any to 11.11.0.10 -> 12.12.0.2

rdr on ste0 proto tcp from any to 11.11.0.10 port 1723 -> 12.12.0.2 port 1723

nat on ste0 proto {tcp udp icmp} from 12.12.0.2 to any -> 11.11.0.10
nat on ste0 proto {tcp udp icmp} from 12.12.0.0/16 to any -> 11.11.0.2

table <id43060275.1> { 127.0.0.1 , 11.11.0.2 , 11.11.0.10 , 12.12.0.1 }
table <id430602AB.1> { 11.11.0.2 , 11.11.0.10 , 12.12.0.1 }
table <id430601F9.1> { 10.190.70.66 , 11.11.0.1 }

pass in quick on lo inet from <id43060275.1> to any keep state label "RULE 0 -- ACCEPT "
pass out quick on lo inet from <id43060275.1> to any keep state label "RULE 0 -- ACCEPT "
block in log quick on ste0 inet from <id430602AB.1> to any label "RULE 0 -- DROP "
block in log quick on ste0 inet from 12.12.0.0/16 to any label "RULE 0 -- DROP "
pass out quick on ste0 inet from <id430602AB.1> to any keep state label "RULE 1 -- ACCEPT "
pass out quick on ste1 inet from <id430602AB.1> to any keep state label "RULE 0 -- ACCEPT "
pass in log quick inet proto tcp from <id430601F9.1> to <id430602AB.1> port 22 flags S/SA keep state label "RULE 0 -- ACCEPT "
block in log quick inet from any to <id430602AB.1> label "RULE 1 -- DROP "
pass in log quick inet proto tcp from any to 12.12.0.2 port 1723 flags S/SA keep state label "RULE 3 -- ACCEPT "
pass in log quick inet proto 47 from any to 12.12.0.2 keep state label "RULE 3 -- ACCEPT "
pass out log quick inet proto tcp from any to 12.12.0.2 port 1723 flags S/SA keep state label "RULE 3 -- ACCEPT "
pass out log quick inet proto 47 from any to 12.12.0.2 keep state label "RULE 3 -- ACCEPT "
block in log quick inet from any to any label "RULE 4 -- DROP "
block out log quick inet from any to any label "RULE 4 -- DROP "
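The FW2 pflog output above, parsed and grouped per GRE call id, as an added example. This is not code from the mail or from the poster's firewalls; it only assumes pflog lines in the tcpdump format quoted above (the sample input is the second log, copied line by line). It picks out GRE flows that were only ever blocked, which is the pattern a practitioner would want to spot when a PPTP data channel passes one way but its reply direction never matches a state:

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the FW2 pflog lines quoted in the mail, one record per line.
SAMPLE_LOG = """\
Aug 19 13:10:03.780470 rule 12/(match) pass in on ste0: 11.11.0.1.56938 > 12.12.0.2.1723: S 2521589832:2521589832(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:10:03.780529 rule 14/(match) pass out on ste1: 11.11.0.1.56938 > 12.12.0.2.1723: S 2521589832:2521589832(0) win 64512 <mss 1460,nop,nop,sackOK>
Aug 19 13:10:03.793545 rule 13/(match) pass in on ste0: call 33767 seq 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.793579 rule 15/(match) pass out on ste1: call 33767 seq 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.795089 rule 16/(match) block in on ste1: call 16384 seq 0 ack 0 gre-ppp-payload (gre encap)
Aug 19 13:10:03.795142 rule 16/(match) block in on ste1: call 16384 seq 1 gre-ppp-payload (gre encap)
Aug 19 13:10:05.794048 rule 16/(match) block in on ste1: call 16384 seq 2 ack 1 gre-ppp-payload (gre encap)
Aug 19 13:10:05.797300 rule 16/(match) block in on ste1: call 16384 seq 3 gre-ppp-payload (gre encap)
Aug 19 13:10:06.575114 rule 16/(match) block in on ste1: call 16384 seq 4 ack 2 gre-ppp-payload (gre encap)
"""

# Common prefix of a pflog record: timestamp, rule number, reason, action, direction, interface.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): (?P<rest>.*)$"
)
# GRE-encapsulated PPP (the PPTP data channel) as tcpdump prints it.
GRE_RE = re.compile(r"call (?P<call>\d+) seq (?P<seq>\d+)(?: ack (?P<ack>\d+))? gre-ppp-payload")
# TCP header summary: "src.sport > dst.dport:"
TCP_RE = re.compile(r"^(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")


@dataclass
class Entry:
    ts: str
    rule: int
    action: str                    # "pass" or "block"
    direction: str                 # "in" or "out"
    iface: str
    proto: str                     # "gre", "tcp" or "other"
    call_id: Optional[int] = None  # call id from the GRE key field (PPTP)
    seq: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None


def parse_line(line: str) -> Optional[Entry]:
    """Parse one pflog record; return None for lines that are not pflog records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    e = Entry(ts=m["ts"], rule=int(m["rule"]), action=m["action"],
              direction=m["dir"], iface=m["iface"], proto="other")
    g = GRE_RE.search(m["rest"])
    if g:
        e.proto, e.call_id, e.seq = "gre", int(g["call"]), int(g["seq"])
        return e
    t = TCP_RE.match(m["rest"])
    if t:
        e.proto, e.src, e.dst, e.dport = "tcp", t["src"], t["dst"], int(t["dport"])
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def gre_calls(entries: List[Entry]) -> Dict[int, Set[Tuple[str, str, str]]]:
    """Map each GRE call id to the set of (action, direction, iface) verdicts logged for it."""
    calls: Dict[int, Set[Tuple[str, str, str]]] = defaultdict(set)
    for e in entries:
        if e.proto == "gre":
            calls[e.call_id].add((e.action, e.direction, e.iface))
    return dict(calls)


def one_way_gre_calls(entries: List[Entry]) -> List[int]:
    """Call ids that were only ever blocked, i.e. GRE that never matched a pass rule or a state."""
    return sorted(c for c, verdicts in gre_calls(entries).items()
                  if all(action == "block" for action, _, _ in verdicts))


def report(entries: List[Entry]) -> List[str]:
    lines = []
    for call, verdicts in sorted(gre_calls(entries).items()):
        lines.append(f"GRE call {call}: " + ", ".join(f"{a} {d} {i}" for a, d, i in sorted(verdicts)))
    for call in one_way_gre_calls(entries):
        lines.append(f"  -> call {call} only ever blocked: no state matched this GRE direction")
    return lines


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

On the quoted log this reports call 33767 as passed in on ste0 and out on ste1, and call 16384 as blocked in on ste1 only. The two ids are the two directions of the same tunnel: the GRE key field of a PPTP data packet carries the receiving peer's call id, so the client's packets and the server's replies never share one id, and pairing them needs the IP addresses, which these GRE lines do not print. By the rule numbering in the log, rule 16 lines up with the final `block in log quick inet from any to any` on FW2, so the server's GRE is reaching the inside interface but finding no state to ride on. One difference that is visible in the two rulesets, and worth checking first, is that the Linux box NATed "any" while FW1's `nat on xl1 proto {tcp udp icmp}` leaves proto 47 untranslated, so the GRE from 10.190.70.70 arrives at FW2 with a different source address than the TCP 1723 control connection that was translated to 11.11.0.1; whether that is what FW2's state lookup trips over is not established by the mail.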
