[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: God, do I hate to ask another FTP question. *** SOLUTION ***

All,

	Once again thanks for the help, As I indicated last night I have solved 
the problem. I will explain the problem again and its solution below


THE ORIGINAL PROBLEM:

	here is the network diagram

	192.168.35.2<----->192.168.35.3/24.27.15.12<--- Interrnet 
--->24.242.137.194/192.168.30.2<--->192.168.30.17
	Linux			BSD Gate				BSD Gate			HP/UX

Node 1
Linux 192.168.35.2
Nick-gw 192.168.35.100/24.27.15.12

Node 2
HPUX 192.168.30.17
Lenny-gw 192.168.30.2/24.242.137.194

After upgrading to 3.0 and creating new pf.conf and nat.conf files. We 
verified that we could telnet, cvs, and such. So the VPN works

However neither of the backend nodes (192.168.X.0/24) could FTP to Internet 
boxes. They could ftp to other node's backends (i.e. FTP from 192.168.35.2 
to 192.168.30.17)

I fixed this by adding the proper ftp-proxy entries as per the man page. 
Voila, now we could FTP to the Internet again.

Problem was that this broke the backend node connection for FTP. 
(Again,  FTP from 192.168.35.2 to 192.168.30.17)

The reason was that now FTP traffic, instead of being directed through 
ipsec was always proxied out to the outside interface and sent out on the wire.
since it wasn't sent through the VPN pipe, 192.168.0.0/16 traffic had 
nowhere to go. Of course this is what we wanted for Internet traffic in 
general.

THE SOLUTION:

It almost seems trivial now (doesn't it always)

by changing the entry in nat.conf from

	rdr on de1 from any to any port 21 -> 127.0.0.1 port 8081

to

	rdr on de1 from any to !192.168.0.0/16 port 21 -> 127.0.0.1 port 8081

This allows 192.168.0.0/16 to travel along through the VPN and all other to 
be proxyed


The interesting thing about the solution is that if I do a "pfctl -sn" I get

	@rdr on de1 from any to 192.168.0.0/16 port 21 -> 127.0.0.1 port 8081


instead of

	@rdr on de1 from any to !4
192.168.0.0/16 port 21 -> 127.0.0.1 port 8081

Notice the "!" in the second one.

SYNOPSIS:

	#1 A comment should be added to the ipsec man (or somewhere appropriate 
that someone setting a VPN would notice it)

	#2 A minor change to the pfctl code should be made so that "pfctl -sn" 
indicates the "!" correctly.

	#3 I better get this solution implemented system wide before someone 
notices it doesn't currently work
--
Vides Credendo!
Nick Gray
Senior Network Engineer
Bruzenak inc.
nagray@bruzenak.com