
PF-NAT


PF-NAT

Artyom Viklenko
Hi, All!

PF-NAT in FreeBSD does not support multiple
instances of PPTP connections from the internal network.

Will it be improved at some time in the future?
What about using libalias in pf, or is it possible
to use ng_nat in pf?

Maybe I'm clueless... please point me in the right
direction. :)

--
           Sincerely yours,
                            Artyom Viklenko.
-------------------------------------------------------
[hidden email] | http://www.aws-net.org.ua/~artem
FreeBSD: The Power to Serve   -  http://www.freebsd.org


_______________________________________________
[hidden email] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[hidden email]"

Re: PF-NAT

Gilberto Villani Brito
Look at these options: http://www.openbsd.org/faq/pf/options.html in your pf.conf.

Gilberto

2006/11/30, Artyom Viklenko <[hidden email]>:

> Hi, All!
>
> PF-NAT in FreeBSD does not support multiple
> instances of PPTP connections from the internal network.
>
> Will it be improved at some time in the future?
> What about using libalias in pf, or is it possible
> to use ng_nat in pf?
>
> Maybe I'm clueless... please point me in the right
> direction. :)

Re: PF-NAT

Artyom Viklenko

<quote who="Gilberto Villani Brito">
> Look at these options: http://www.openbsd.org/faq/pf/options.html in your
> pf.conf.

Sorry, which option exactly do you mean?


Re: PF-NAT

Gilberto Villani Brito
Maybe this:

set limit option value
    Set various limits on pf's operation.
        * frags - maximum number of entries in the memory pool used
          for packet reassembly (scrub rules). Default is 5000.
        * src-nodes - maximum number of entries in the memory pool
          used for tracking source IP addresses (generated by the
          sticky-address and source-track options). Default is 10000.
        * states - maximum number of entries in the memory pool used
          for state table entries (filter rules that specify keep state).
          Default is 10000.

or this:

set timeout option value
    Set various timeouts (in seconds).
        * interval - seconds between purges of expired states and
          packet fragments. The default is 10.
        * frag - seconds before an unassembled fragment is expired.
          The default is 30.
        * src.track - seconds to keep a source tracking entry in
          memory after the last state expires. The default is 0 (zero).

Try changing these options.

Gilberto

2006/11/30, Artyom Viklenko <[hidden email]>:

>
> <quote who="Gilberto Villani Brito">
> > Look at these options: http://www.openbsd.org/faq/pf/options.html in your
> > pf.conf.
>
> Sorry, which option exactly do you mean?

Re: PF-NAT

Daniel Hartmeier
On Thu, Nov 30, 2006 at 02:03:57PM -0200, Gilberto Villani Brito wrote:

> Try changing these options.

None of those will help if you really want two concurrent PPTP
connections to the same external peer.

pf doesn't look into the payload of PPTP packets and hence can't decide
which internal peer to dispatch incoming replies from the one external
peer to (there are no port numbers helping there, like in TCP).

You can try a userland PPTP proxy, like

  http://freshmeat.net/projects/frickin/

There are no plans to integrate PPTP proxy support into pf. While
libalias_pptp and ng_nat look potentially helpful, you'd have to write
that patch yourself, or find a developer that is using PPTP (not me ;)

Daniel

Re: PF-NAT

Aristeu Gil Alves Jr-2
In reply to this post by Gilberto Villani Brito
There's no way to share various PPTP client connections to the same
PPTP server. pf nat can only handle one at a time, since there's no
dst and src port to make more than one nat state.

That's what I heard.
--
Aristeu Gil Alves Jr

Re: PF-NAT

Scott Ullrich
In reply to this post by Daniel Hartmeier
On 11/30/06, Daniel Hartmeier <[hidden email]> wrote:

> You can try a userland PPTP proxy, like
>
>   http://freshmeat.net/projects/frickin/
>
> There are no plans to integrate PPTP proxy support into pf. While
> libalias_pptp and ng_nat look potentially helpful, you'd have to write
> that patch yourself, or find a developer that is using PPTP (not me ;)

The author of Frickin just reported on the pfSense forums that a
majority of the issues with the proxy have been resolved in the
SVN/CVS version of Frickin. If you go this route you may want to use
the latest codebase.

Scott

Fwd: PF-NAT

Aristeu Gil Alves Jr-2
In reply to this post by Aristeu Gil Alves Jr-2
The solution I know is to make a vpn tunnel between the firewall and
the PPTP server and allow the clients use the vpn tunnel.

Re: PF-NAT

Sten Daniel Sørsdal
In reply to this post by Aristeu Gil Alves Jr-2
Aristeu Gil Alves Jr wrote:
> There's no way to share various PPTP client connections to the same
> PPTP server. pf nat can only handle one at a time, since there's no
> dst and src port to make more than one nat state.
>
> That's what I heard.

There is no src/dst port, but there is a Call ID in the modified GRE
header. Each session gets a unique value from which sessions can be
identified. Just about any cheap home firewall can do it these days; I
wonder why the open source community is reluctant to take advantage.

--
Sten Daniel Sørsdal

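Daniel's and Sten's posts describe the same protocol fact from two sides: the GRE packets that carry PPTP data have no port numbers, so a NAT state keyed on (protocol, external peer) cannot tell two sessions to the same server apart, but the enhanced GRE header of RFC 2637 carries a 16-bit Call ID in its Key field that does distinguish them. The Python below is an added illustration of that point; it is not pf code and not from anyone in this thread. It builds and parses enhanced GRE headers, then contrasts a state table keyed without the Call ID against one keyed with it. The addresses, Call IDs and the `build_enhanced_gre`, `parse_enhanced_gre`, `nat_table_*` and `dispatch_reply` helpers are all constructed for the example, and the Call IDs are simply taken as given: a real ALG would learn each client's Call ID from the TCP/1723 control channel, which this example does not model.

```python
"""Demultiplexing PPTP data traffic behind NAT by the enhanced-GRE Call ID.

Constructed example: not pf code and not from the mailing list thread.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B   # protocol type carried by PPTP's enhanced GRE (RFC 2637)
FLAG_K = 0x2000          # Key field (payload length + Call ID) present
FLAG_S = 0x1000          # sequence number present
FLAG_A = 0x0080          # acknowledgment number present
VERSION_MASK = 0x0007    # enhanced GRE is version 1


@dataclass(frozen=True)
class EnhancedGre:
    call_id: int
    payload_len: int
    seq: Optional[int]
    ack: Optional[int]
    payload: bytes


def build_enhanced_gre(call_id: int, payload: bytes,
                       seq: Optional[int] = None,
                       ack: Optional[int] = None) -> bytes:
    """Encode an RFC 2637 enhanced GRE packet; the Key field is mandatory there."""
    flags = FLAG_K | 1
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_enhanced_gre(buf: bytes) -> EnhancedGre:
    """Decode the header, rejecting anything that is not PPTP's enhanced GRE."""
    if len(buf) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", buf[:8])
    if (flags & VERSION_MASK) != 1 or not (flags & FLAG_K) or proto != GRE_PROTO_PPP:
        raise ValueError("not an enhanced GRE (PPTP) packet")
    off = 8
    seq = ack = None
    if flags & FLAG_S:
        if len(buf) < off + 4:
            raise ValueError("truncated sequence number")
        (seq,) = struct.unpack("!I", buf[off:off + 4])
        off += 4
    if flags & FLAG_A:
        if len(buf) < off + 4:
            raise ValueError("truncated acknowledgment number")
        (ack,) = struct.unpack("!I", buf[off:off + 4])
        off += 4
    payload = buf[off:]
    if len(payload) != payload_len:
        raise ValueError("payload length does not match Key field")
    return EnhancedGre(call_id, payload_len, seq, ack, payload)


# Constructed topology: two internal clients talking PPTP to one external server.
# Call IDs are taken as given; a real ALG learns them from the TCP/1723 control
# channel (Outgoing-Call-Request/Reply), which is not modelled here.
SERVER = "203.0.113.5"
SESSIONS: Tuple[Tuple[str, int], ...] = (("192.168.1.10", 0x0101),
                                         ("192.168.1.11", 0x0202))


def nat_table_without_callid(sessions) -> Dict[tuple, str]:
    """State keyed on (proto, external peer) only, which is all a port-less NAT
    can see without parsing GRE: the second session overwrites the first."""
    table: Dict[tuple, str] = {}
    for client, _call_id in sessions:
        table[(IPPROTO_GRE, SERVER)] = client
    return table


def nat_table_with_callid(sessions) -> Dict[tuple, str]:
    """State keyed on (proto, external peer, Call ID): one entry per session."""
    table: Dict[tuple, str] = {}
    for client, call_id in sessions:
        key = (IPPROTO_GRE, SERVER, call_id)
        if key in table:
            raise ValueError("Call ID collision; an ALG would rewrite one of them")
        table[key] = client
    return table


def dispatch_reply(table, src_ip: str, packet: bytes, use_call_id: bool) -> Optional[str]:
    """Pick the internal client an inbound GRE packet from src_ip belongs to."""
    gre = parse_enhanced_gre(packet)
    key = (IPPROTO_GRE, src_ip, gre.call_id) if use_call_id else (IPPROTO_GRE, src_ip)
    return table.get(key)


if __name__ == "__main__":
    # Constructed inbound PPP LCP frame the server sends to client .10's Call ID.
    reply = build_enhanced_gre(0x0101, b"\xff\x03\xc0\x21", seq=1)
    print("without Call ID ->", dispatch_reply(nat_table_without_callid(SESSIONS), SERVER, reply, False))
    print("with Call ID    ->", dispatch_reply(nat_table_with_callid(SESSIONS), SERVER, reply, True))
```

Run stand-alone, the first lookup hands client .10's reply to client .11, which is the "only one PPTP session per external peer" limitation the thread is about; the second lookup returns the right client because the Call ID is part of the key. The `ValueError` on a duplicate Call ID marks the remaining gap: two clients may pick the same Call ID, which is why a full ALG also rewrites Call IDs rather than only tracking them.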

Re: PF-NAT

Daniel Hartmeier
On Fri, Dec 01, 2006 at 12:25:13AM +0100, Sten Daniel Sørsdal wrote:

> Just about any cheap home firewall can do it these days, i
> wonder why the open source community is reluctant to take advantage.

The "if a $50 commercial box can do it, why can't pf?" argument pops up
every now and then, maybe the answer is not obvious and deserves an
explanation.

The vendor of the $50 commercial box is working on economical
principles. There is a certain cost of implementing the feature, they
have to dispatch one of their developers for a certain amount of hours
to implement it. Since they are selling a large number of boxes, the
cost increases the price of each individual box only slightly. Whether
the particular developer is interested in implementing the feature is
not relevant. He/she gets paid to do it.

In exchange, the vendor gains some advantage over the competition in the
market. Or, put the other way, if they wouldn't implement the feature,
they'd be at a disadvantage against the competition. So the cost of
implementation is compensated by increased sales and profit. The vendor
will do this calculation. You can be sure that if the expected increase
in profit isn't higher than the cost, the vendor will not implement the
feature, no matter how much the consumers demand it.

That's how a commercial vendor works. That has nothing to do with how
"the open source community" works. Open source is not a producer/consumer
model, where the open source developers are the producers and the users
the consumers, and the producers fight over market share to increase
financial profit.

The community works like this: if a feature is highly desired by a
significant portion of the population, eventually one of those people
will have the skills and time to implement it. He/she will then share
the result with everyone else. Conversely, if a feature isn't ever
implemented like that, you can conclude that it wasn't desired highly
enough by a significant enough portion of the population.

If you don't agree, prove me wrong, by implementing the feature ;)

Daniel