sysman Posted March 26, 2006

Could anyone help rework the existing LAN rules so that Internet access works over VPN?

allow ip from 192.168.1.0/24 to any via rl1
allow ip from any to 192.168.1.0/24 via rl1
allow ip from 192.168.2.0/29 to any via ed0
allow ip from any to 192.168.2.0/29 via ed0
fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any dst-port 80 via rl0
divert 8668 ip from 192.168.1.0/24 to not 192.168.1.0/24 via rl0
divert 8668 ip from any to me via rl0
allow tcp from me 1025-65535 to any dst-port 20 via rl0
allow tcp from any 20 to me dst-port 1025-65535 via rl0
allow tcp from me 1025-65535 to any dst-port 21 via rl0
allow tcp from any 21 to me dst-port 1025-65535 via rl0
allow tcp from 192.168.1.0/24 1025-65535 to any dst-port 20 via rl0
allow tcp from any 20 to 192.168.1.0/24 dst-port 1025-65535 via rl0
allow tcp from 192.168.1.0/24 1025-65535 to any dst-port 21 via rl0
allow tcp from any 21 to 192.168.1.0/24 dst-port 1025-65535 via rl0
allow tcp from me 25 to any via rl0
allow tcp from 192.168.1.0/24 25 to any via rl0
allow tcp from any to 192.168.1.0/24 dst-port 25 via rl0 established
allow udp from me 1025-65535 to any dst-port 53 via rl0
allow udp from any 53 to me dst-port 1025-65535 via rl0
allow udp from any 53 to 192.168.1.0/24 dst-port 1025-65535 via rl0
allow tcp from me 1025-65535 to any dst-port 80 via rl0
allow tcp from any 80 to me dst-port 1025-65535 via rl0 established
allow tcp from me 110 to any via rl0
allow tcp from 192.168.1.0/24 110 to any via rl0
allow tcp from any to 192.168.1.0/24 dst-port 110 via rl0
allow tcp from me 443 to any via rl0
allow tcp from 192.168.1.0/24 443 to any via rl0
allow tcp from any to 192.168.1.0/24 dst-port 443 via rl0 established
allow tcp from me 5190 to any out via rl0
allow tcp from any to 192.168.1.0/24 dst-port 5190 via rl0 established
allow tcp from 172.16.0.50 to any
allow tcp from me 1025-65535 to any via rl0
allow tcp from any to 192.168.1.0/24 dst-port 1025-65535 via rl0

The VPN is used together with the UTM billing system, so rules of the form `add RULE_ID allow tcp from UIP/UBITS to any` are created automatically.

rl0 - external, the one facing the Internet, say 212.122.109.53
rl1 - internal, the one facing the LAN, 192.168.1.1; this is where the VPN is needed
ed0 - another LAN that does not need the VPN, 192.168.2.1
VPN network 172.16.0.2-254, server 172.16.0.1, interfaces tun*

Thanks in advance!
sysman Posted March 26, 2006 (Author)

Here is the picture so far...

router# ipfw show
00005 28064 2534404 allow ip from any to any via lo0
00006 0 0 deny ip from any to 127.0.0.0/8
00007 121 10533 allow gre from any to me
00020 3 252 allow icmp from any to me icmptypes 0,3,4,11,12 in
00025 0 0 allow icmp from any to 192.168.119.0/24 icmptypes 0,3,4,11,12 in recv lnc0
00030 16 1260 allow icmp from me to any icmptypes 3,8,12 out
00200 9644 2152224 allow ip from 192.168.119.0/24 to any via lnc1
00201 0 0 allow ip from any to 192.168.119.0/24 via lnc1
00300 0 0 fwd 127.0.0.1,3128 tcp from 192.168.119.0/24 to any dst-port 80 via lnc0
00301 0 0 divert 8668 ip from 192.168.119.0/24 to not 192.168.119.0/24 via lnc0
00302 113 7622 divert 8668 ip from any to 0.0.0.0 via lnc0
05005 0 0 allow tcp from 172.16.0.16 to any
65535 354 29119 deny ip from any to any
router# ifconfig
lnc0: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 0.0.0.0 netmask 0xfffffff0 broadcast 0.0.0.0
        ether 00:0c:29:e9:28:bf
lnc1: flags=108843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.119.120 netmask 0xffffff00 broadcast 192.168.119.255
        ether 00:0c:29:e9:28:c9
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1496
        inet 172.16.0.1 --> 172.16.0.16 netmask 0xffffffff
        Opened by PID 2865
router# tcpdump -i tun0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type NULL (BSD loopback), capture size 96 bytes
22:27:55.939448 IP 172.16.0.16.1135 > 192.168.119.120.domain: 18734+ A? www.yandex.ru. (31)
22:27:56.930252 IP 172.16.0.16.1135 > 192.168.119.120.domain: 18734+ A? www.yandex.ru. (31)
sysman Posted March 27, 2006 (Author)

This doesn't work either :(

router# ipfw show
00001 0 0 allow gre from any to me in recv lnc0
00002 0 0 allow gre from me to any out xmit lnc0
00003 0 0 allow tcp from any to me dst-port 1723 setup in recv lnc0
00005 69410 5877426 allow ip from any to any via lo0
00020 4 308 allow icmp from any to me icmptypes 0,3,4,11,12 in
00025 0 0 allow icmp from any to 192.168.1.0/24,172.16.0.0/24 icmptypes 0,3,4,11,12 in recv lnc0
00030 16 1260 allow icmp from me to any icmptypes 3,8,12 out
00050 1956 201689 allow ip from 192.168.119.0/24 to any via lnc1
00051 0 0 allow ip from any to 192.168.119.0/24 via lnc1
00100 0 0 divert 8668 ip from 192.168.1.0/24,172.16.0.0/24 to any via lnc0
00101 4 192 divert 8668 ip from any to me via lnc0
00200 0 0 allow tcp from any to any established
00250 0 0 allow tcp from 192.168.1.0/24 to any dst-port 80 setup in recv lnc1
00300 0 0 allow tcp from any to 172.16.0.0/24 via lnc0
00350 0 0 allow tcp from me to any dst-port 80 setup out xmit lnc0
05005 0 0 allow tcp from 172.16.0.16 to any
65535 1034 84240 deny ip from any to any
router#

Can anyone tell me where it's wrong?
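A useful way to debug a first-match rule set like this is to replay a packet through the listing and see which rule it hits. The script below is an added example, not code from the thread or from ipfw itself: a small ipfw-syntax matcher that understands only the keywords appearing in the listings above. The "me" address set is taken from the ifconfig output in the previous post, the DNS packet is modelled on the tcpdump line captured on tun0 there, the other two packets are constructed client traffic, and 212.122.109.53 is the sample external address from the first post. The rule set it replays is the `ipfw show` listing from the last post.

```python
"""Minimal ipfw first-match simulator (added example; supports only the keywords
used on this page: allow/deny/divert/fwd, from/to, ports, dst-port/src-port,
via/in/out/recv/xmit, established/setup, icmptypes, not, me, any, comma lists)."""
import ipaddress

# Addresses that the keyword "me" stands for: the router's own interface
# addresses as printed by ifconfig in the thread (assumption: unchanged since).
ME = {"127.0.0.1", "192.168.119.120", "172.16.0.1"}

ACTIONS_WITH_ARG = {"divert", "fwd", "tee", "skipto", "pipe", "queue"}
OPTION_KEYWORDS = {"via", "recv", "xmit", "in", "out", "dst-port", "src-port",
                   "established", "setup", "icmptypes"}
OPTIONS_WITH_ARG = {"via", "recv", "xmit", "dst-port", "src-port", "icmptypes"}


def _parse_endpoint(tokens):
    """['not', '10.0.0.0/8', '1025-65535'] -> (negate, address spec, port spec or None)."""
    tokens = list(tokens)
    negate = tokens[0] == "not"
    if negate:
        tokens.pop(0)
    addr = tokens.pop(0)
    port = tokens.pop(0) if tokens else None
    return negate, addr, port


def parse_rule(line):
    """Parse one line of `ipfw show` output: number, pkt count, byte count, rule body."""
    tok = line.split()
    num = int(tok[0])
    tok = tok[3:]                                   # drop the two counters
    action = tok.pop(0)
    if action in ACTIONS_WITH_ARG:                  # e.g. "divert 8668", "fwd 127.0.0.1,3128"
        action += " " + tok.pop(0)
    proto = tok.pop(0)
    assert tok.pop(0) == "from", line
    i = tok.index("to")
    src, tok = _parse_endpoint(tok[:i]), tok[i + 1:]
    j = next((k for k, t in enumerate(tok) if t in OPTION_KEYWORDS), len(tok))
    dst, tok = _parse_endpoint(tok[:j]), tok[j:]
    opts = {}
    while tok:
        key = tok.pop(0)
        opts[key] = tok.pop(0) if key in OPTIONS_WITH_ARG else True
    return {"num": num, "action": action, "proto": proto, "src": src, "dst": dst, "opts": opts}


def _port_ok(spec, port):
    """spec is None (no port constraint), '20', '1025-65535' or a comma list."""
    if spec is None:
        return True
    if port is None:                                # rule wants a port, packet has none (icmp/gre)
        return False
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _addr_ok(endpoint, addr, me=ME):
    negate, spec, _ = endpoint
    if spec == "any":
        hit = True
    elif spec == "me":
        hit = addr in me
    else:
        ip = ipaddress.ip_address(addr)
        hit = any(ip in ipaddress.ip_network(n, strict=False) for n in spec.split(","))
    return hit != negate


def matches(rule, pkt):
    """pkt: proto, src, sport, dst, dport, dir ('in'/'out'), iface, tcpflags, icmptype."""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if not _addr_ok(rule["src"], pkt["src"]) or not _addr_ok(rule["dst"], pkt["dst"]):
        return False
    o = rule["opts"]
    if not (_port_ok(rule["src"][2], pkt.get("sport")) and _port_ok(rule["dst"][2], pkt.get("dport"))
            and _port_ok(o.get("src-port"), pkt.get("sport")) and _port_ok(o.get("dst-port"), pkt.get("dport"))):
        return False
    if "via" in o and o["via"] != pkt["iface"]:     # via = either direction on that interface
        return False
    # Simplification: recv/xmit are treated as direction-qualified interface matches.
    if "recv" in o and not (pkt["dir"] == "in" and o["recv"] == pkt["iface"]):
        return False
    if "xmit" in o and not (pkt["dir"] == "out" and o["xmit"] == pkt["iface"]):
        return False
    if ("in" in o and pkt["dir"] != "in") or ("out" in o and pkt["dir"] != "out"):
        return False
    flags = pkt.get("tcpflags", set())
    if "established" in o and not (pkt["proto"] == "tcp" and flags & {"ack", "rst"}):
        return False
    if "setup" in o and not (pkt["proto"] == "tcp" and "syn" in flags and "ack" not in flags):
        return False
    if "icmptypes" in o and str(pkt.get("icmptype")) not in o["icmptypes"].split(","):
        return False
    return True


def first_match(rules, pkt):
    """(rule number, action) of the first hit.  A real divert re-injects the packet after
    that rule once natd is done; this simulator only reports the first hit."""
    for r in rules:
        if matches(r, pkt):
            return r["num"], r["action"]
    return 65535, "deny"


# The `ipfw show` listing from the last post.
IPFW_SHOW = """\
00001 0 0 allow gre from any to me in recv lnc0
00002 0 0 allow gre from me to any out xmit lnc0
00003 0 0 allow tcp from any to me dst-port 1723 setup in recv lnc0
00005 69410 5877426 allow ip from any to any via lo0
00020 4 308 allow icmp from any to me icmptypes 0,3,4,11,12 in
00025 0 0 allow icmp from any to 192.168.1.0/24,172.16.0.0/24 icmptypes 0,3,4,11,12 in recv lnc0
00030 16 1260 allow icmp from me to any icmptypes 3,8,12 out
00050 1956 201689 allow ip from 192.168.119.0/24 to any via lnc1
00051 0 0 allow ip from any to 192.168.119.0/24 via lnc1
00100 0 0 divert 8668 ip from 192.168.1.0/24,172.16.0.0/24 to any via lnc0
00101 4 192 divert 8668 ip from any to me via lnc0
00200 0 0 allow tcp from any to any established
00250 0 0 allow tcp from 192.168.1.0/24 to any dst-port 80 setup in recv lnc1
00300 0 0 allow tcp from any to 172.16.0.0/24 via lnc0
00350 0 0 allow tcp from me to any dst-port 80 setup out xmit lnc0
05005 0 0 allow tcp from 172.16.0.16 to any
65535 1034 84240 deny ip from any to any
"""
RULES = [parse_rule(l) for l in IPFW_SHOW.splitlines()]

# Constructed packets: the DNS query seen by tcpdump on tun0, a TCP SYN from the
# same VPN client, and a TCP SYN from a LAN host on lnc1.
DNS_FROM_VPN = dict(proto="udp", src="172.16.0.16", sport=1135,
                    dst="192.168.119.120", dport=53, dir="in", iface="tun0")
HTTP_FROM_VPN = dict(proto="tcp", src="172.16.0.16", sport=1200, dst="212.122.109.53",
                     dport=80, dir="in", iface="tun0", tcpflags={"syn"})
HTTP_FROM_LAN = dict(proto="tcp", src="192.168.119.50", sport=1300, dst="212.122.109.53",
                     dport=80, dir="in", iface="lnc1", tcpflags={"syn"})

if __name__ == "__main__":
    for name, pkt in [("DNS from VPN client", DNS_FROM_VPN),
                      ("HTTP SYN from VPN client", HTTP_FROM_VPN),
                      ("HTTP SYN from LAN", HTTP_FROM_LAN)]:
        print(f"{name}: first match = {first_match(RULES, pkt)}")
```

Replaying the captured DNS query shows why the VPN client gets no answer: it is UDP arriving on tun0, and every allow rule in the listing is either bound to lo0, lnc0 or lnc1 with `via`/`recv`/`xmit`, or is TCP-only (rule 05005 covers only `tcp from 172.16.0.16`), so the packet falls through to the default `65535 deny`. The same client's TCP SYN is accepted by 05005, which is consistent with the zero packet counters on the interface-bound rules. The simulator is a first-hit reporter only; it does not model what natd re-injects after a `divert`.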