Re: 3.0 current, pf and browsing
Daniel,
I'll try to answer your questions:
The firewall sends the packets back out of the internal interface using
routing table entries. A traceroute from a private side client shows
packets for the corporate networks arriving at the internal interface of
the II400. They do not reach the II400 via the external interface as they
would not reach the VPN interface and would be dropped. I'll verify this
for you with tcpdump when I get back into work Tuesday.
I don't see foreign machine shares in Network Neighbourhood, i.e. browsing
another domain. Sometimes I can't see the machines in the other domain!
If I turn off pf all is normal.
ping, dig work normally. I believe that telnet also works, I'll try. I
would notice if the packets went un-encrypted as they would not get
through the corporate firewall. I will try to get some more info when I
get back in Tuesday. Your last statement is correct: the firewall never
sees any IPsec packets; all encryption/decryption is handled by the II400.
I've had this test machine up for about a week, it's to replace a
2.9-stable box running ipf which (sorry) works without a hitch!
Thanks for your help it's really appreciated, I'll get all the other info
you asked for when I return to work Tuesday.
Best regards, John.
John Gould - Systems Engineer
Power Innovations Limited
Tel: +44 1234 223002 email: johng@powinv.co.uk
On Fri, 22 Feb 2002, Daniel Hartmeier wrote:
> On Fri, Feb 22, 2002 at 04:01:24PM +0000, John Gould wrote:
>
> > I'll try to make this a little clearer. The firewall box is
> > not doing NAT on the packets that are going to the corporate network, they
> > arrive at the OpenBSD box on the internal NIC and are sent back out on the
> > internal network to the Nortel II400 box. The firewall in this case is
> > just used to re-direct the packets to the II400 and across the VPN to the
> > Contivity in the USA. Something is happening to the packets that are going
> > into and being sent back out of this interface. I'll try and draw the
> > configuration for you. I'm using 3.0-release.
>
> I have never done anything similar, it's quite interesting that it works
> at all :)
>
> How do you achieve that the firewall sends packets back out through the
> internal interface when they arrive through the same interface? With a
> routing table entry, or pf rdr? Are you sure they actually go back out
> through the internal interface, and don't reach the II400 through the
> external interface? Can you verify that with tcpdump?
>
> Can you define 'browsing directories'? I assume you mean SMB shares. You
> can 'mount' them, but not ls? Can you try smbclient from a local
> workstation, try to connect and ls? Or do you mean you don't see foreign
> machine's shares in 'Network neighbourhood' or similar?
>
> Can you try to reach machines of your VPN peer network with ICMP (ping),
> TCP (telnet) and UDP (dig or nc -u)? Do those packets pass correctly, as
> you described, from the firewall to the II400, encrypted over the
> internet to the peer? Would you notice if they'd go unencrypted of the
> internet (like the peer blocks non-encrypted packets)?
>
> I doubt your setup will forward broadcasts to the VPN peer network, does
> 'browsing directories' require broadcasts to work?
>
> What nat.conf and pf.conf do you have on the firewall? If you add 'log'
> to all blocking rules, do you see any relevant packets blocked in
> /var/pflog?
>
> The firewall never sees an IPsec packet, right? Everything is plain
> packets before it goes through the II400 and after it comes in from
> there? Or do the workstations encrypt some packets, too?
>
> More questions than answers, but this is a rather unusual and complex
> setup for me :)
>
> Daniel
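Daniel's suggestion of adding 'log' to every blocking rule and then reading /var/pflog is the quickest way to tell whether pf is dropping the hairpinned traffic or the NetBIOS broadcasts that domain browsing relies on. The following is an added example, not code from either message in this thread: a small POSIX shell script that writes an illustrative pf.conf fragment with logging block rules and then summarises blocked packets from tcpdump-style pflog text. The interface names (fxp0 external, fxp1 internal), the address ranges (192.168.1.0/24 private LAN, 10.0.0.0/8 corporate networks) and the sample log lines are all constructed for the example, and the rule syntax is illustrative and should be checked against the pf.conf(5) of the release in use.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed layout:
#   fxp0 = external interface, fxp1 = internal interface
#   192.168.1.0/24 = private LAN, 10.0.0.0/8 = corporate networks (via II400)

# write_logging_pfconf FILE
# Write an illustrative pf.conf fragment in which every block rule logs,
# so that each drop appears in /var/pflog. Syntax is illustrative only;
# verify against pf.conf(5) for the release actually deployed.
write_logging_pfconf() {
    cat > "$1" <<'EOF'
# default deny, logged on both directions so nothing is dropped silently
block in  log all
block out log all
# private LAN to corporate networks: arrives on fxp1, leaves again on fxp1
# towards the II400 (routing-table hairpin), so both directions must pass
pass in  on fxp1 from 192.168.1.0/24 to 10.0.0.0/8
pass out on fxp1 from 192.168.1.0/24 to 10.0.0.0/8
pass in  on fxp1 from 10.0.0.0/8 to 192.168.1.0/24
pass out on fxp1 from 10.0.0.0/8 to 192.168.1.0/24
EOF
}

# Constructed sample of 'tcpdump -n -e -r /var/pflog' output (hypothetical
# traffic, not a real capture). Line 2 is a NetBIOS name-service broadcast,
# the kind of packet Network Neighbourhood browsing depends on.
SAMPLE_PFLOG='rule 2/0(match): block in on fxp1: 192.168.1.5.1035 > 10.1.1.2.139: S 1:1(0) win 8192
rule 2/0(match): block in on fxp1: 192.168.1.5.137 > 192.168.1.255.137: udp 50
rule 0/0(match): block out on fxp1: 10.1.1.2.139 > 192.168.1.5.1035: S 2:2(0) ack 1 win 8192
rule 2/0(match): block in on fxp0: 203.0.113.9.4444 > 198.51.100.2.22: S 3:3(0) win 512'

# blocked_to_net LOGTEXT NETPREFIX
# Print "rule N/0(match): DIR IFACE SRC > DST" for every blocked packet
# whose destination address starts with NETPREFIX (e.g. "10."), one per line.
blocked_to_net() {
    printf '%s\n' "$1" | awk -v pfx="$2" '
        /\(match\): block / {
            # fields: rule N/0(match): block DIR on IFACE: SRC.PORT > DST.PORT: ...
            dir = $4; iface = $6; sub(":$", "", iface)
            src = $7; dst = $9; sub(":$", "", dst)
            if (index(dst, pfx) == 1)
                print $1, $2, dir, iface, src, ">", dst
        }'
}

# count_blocked LOGTEXT NETPREFIX: number of blocked packets towards NETPREFIX.
count_blocked() {
    blocked_to_net "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: show drops towards the corporate networks and towards the
# local broadcast/LAN range, which is where browsing problems would show up.
if [ "${1:-}" = "--demo" ]; then
    write_logging_pfconf /tmp/pf.conf.example
    echo "blocked towards 10.0.0.0/8:"
    blocked_to_net "$SAMPLE_PFLOG" "10."
    echo "blocked towards 192.168.x:"
    blocked_to_net "$SAMPLE_PFLOG" "192.168."
fi
```

On a live box the same functions take real input via `blocked_to_net "$(tcpdump -n -e -r /var/pflog)" "10."`; a hit on the internal interface in the "out" direction for traffic towards the corporate range is the hairpin case Daniel asks about, and a hit for UDP port 137/138 towards the LAN broadcast address is the browsing case.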