Ivan_83, Posted March 18, 2009 (edited)

MPD5.2: PPPoE client + PPTP server
FreeBSD 7.1-STABLE
PF as firewall + NAT
PPPoE to the provider.

A PPTP client connects from outside and the server stops responding completely: the local console, ssh, and even the ACPI button only produces messages that it cannot switch to another state.
Nothing about the outside client is written to the mpd log.
However, everything that goes from the LAN through NAT to the Internet, and everything forwarded inwards, keeps working.
If the VPN connection is made from the LAN, everything is fine.
Pings to the server go through, and through the server too.
When PPPoE is brought up via ppp (tun interface), everything works fine.
How do I fix this???

mpd.conf

### MPD configuration file ###

startup:
        set console close
        set web close

default:
        load pppoe_client
        load pptp_srv

pptp_srv:
        create bundle template BndPPTPSrv
        set bundle fsm-timeout 2
        set bundle no bw-manage
        set bundle disable round-robin
        set bundle enable ipcp
        set bundle disable ipv6cp
        set bundle enable compression
        set bundle enable encryption
        set ecp disable dese-bis dese-old
        set ccp yes deflate mppc
        set mppc yes compress
        set mppc no e40 e56
        set mppc yes e128
        set mppc yes stateless
        set mppc disable policy
        set ippool add PlPPTPSrv 172.16.0.128 172.16.0.200
        set ipcp ranges 172.16.0.254/32 ippool PlPPTPSrv
        set ipcp dns 172.16.0.254
        set ipcp nbns 0.0.0.0
        set iface mtu 1460
        set iface idle 0
        set iface session 0
        set iface disable on-demand
        set iface enable proxy-arp
        set iface enable tcpmssfix
        set iface disable tee
        set iface disable nat
        set iface disable netflow-in netflow-out
        set iface disable ipacct

        create link template LnkPPTPSrv pptp
        set link action bundle BndPPTPSrv
        set link latency 0
        set link mtu 1460
        set link mru 1460
        set link mrru 1500
        set link keep-alive 10 60
        set link max-redial -1
        set link max-children 256
        set link no pap eap
        set link disable chap chap-md5 chap-msv1
        set link enable chap-msv2
        set link enable incoming
        set link disable multilink
        set link yes shortseq
        set link yes acfcomp protocomp
        set link yes magicnum check-magic
        set link disable passive
        set link disable callback
        set link disable no-orig-auth
        set link disable keep-ms-domain
        set link disable time-remain
        set link disable peer-as-calling
        set link disable report-mac
        set eap no md5 radius-proxy
        set auth enable internal
        set pptp self 0.0.0.0
        set pptp disable outcall
        set pptp enable delayed-ack
        set pptp disable always-ack
        set pptp disable windowing

pppoe_client:
        create bundle static BndPPPoECli
        set iface route default
        set iface up-script "/usr/local/etc/mpd5/mpd.script"
        set iface down-script "/usr/local/etc/mpd5/mpd.script"
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0

        create link static LnkPPPoECli pppoe
        set link action bundle BndPPPoECli
        set link mtu 1492
        set link keep-alive 10 60
        set link max-redial 0
        set auth authname 123
        set auth password 123
        set pppoe iface xl1
        set pppoe service ""
        open

firewall# ifconfig
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        ether 00:04:79:67:77:33
        inet 172.16.0.254 netmask 0xffffff00 broadcast 172.16.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        ether 00:03:99:8a:46:a6
        inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
pflog0: flags=0<> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
        inet 92.124.46.253 --> 213.228.116.147 netmask 0xffffffff

sysctl.conf

kern.sync_on_panic=1
net.inet.ip.intr_queue_maxlen=200
net.inet.icmp.drop_redirect=1
net.inet.icmp.log_redirect=1
net.isr.direct=1
net.graph.maxdgram=128000
net.graph.recvspace=128000

loader.conf

kern.ipc.nmbclusters=16384
kern.ipc.maxsockets=16384
net.graph.maxalloc=2048
kern.maxusers=512
kern.ipc.maxpipekva=32000000

Kernel

cpu             I686_CPU
ident           RIM

options         SCHED_ULE               # ULE scheduler
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         UFS_GJOURNAL            # Enable gjournal-based UFS journaling
options         MD_ROOT                 # MD is a potential root device
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_PART_GPT           # GUID Partition Tables.
options         GEOM_LABEL              # Provides labelization
options         COMPAT_43TTY            # BSD 4.3 TTY compat [KEEP THIS!]
#options        COMPAT_FREEBSD4         # Compatible with FreeBSD4
#options        COMPAT_FREEBSD5         # Compatible with FreeBSD5
#options        COMPAT_FREEBSD6         # Compatible with FreeBSD6
#options        SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
options         STOP_NMI                # Stop CPUS using NMI instead of IPI
options         AUDIT                   # Security event auditing
options         DEVICE_POLLING
options         HZ=1000

# CPU frequency control
#device         cpufreq

# Bus support.
device          eisa
device          pci
device          agp                     # support several AGP chipsets

# ATA and ATAPI devices
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
options         ATA_STATIC_ID           # Static device numbering

# SCSI peripherals
device          scbus                   # SCSI bus (required for SCSI)
device          da                      # Direct Access (disks)
device          cd                      # CD

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          kbdmux                  # keyboard multiplexer

device          vga                     # VGA video card driver

# syscons is the default console driver, resembling an SCO console
device          sc

# PCI Ethernet NICs.
device          em                      # Intel PRO/1000 Gigabit Ethernet Family

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          xl                      # 3Com 3c90x (``Boomerang'', ``Cyclone'')

# Pseudo devices.
device          loop                    # Network loopback
device          random                  # Entropy device
device          ether                   # Ethernet support
device          pty                     # Pseudo-ttys (telnet etc)

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf                     # Berkeley packet filter

device          pf
device          pflog

options         ALTQ
options         ALTQ_CBQ                # Class Bases Queuing (CBQ)
options         ALTQ_RED                # Random Early Detection (RED)
options         ALTQ_RIO                # RED In/Out
options         ALTQ_HFSC               # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ               # Priority Queuing (PRIQ)
options         ALTQ_NOPCC              # Required for SMP build

options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_SOCKET
options         NETGRAPH_TEE
options         NETGRAPH_BPF
options         NETGRAPH_IFACE
options         NETGRAPH_KSOCKET
options         NETGRAPH_PPP
options         NETGRAPH_PPPOE
options         NETGRAPH_PPTPGRE
options         NETGRAPH_MPPC_ENCRYPTION
options         NETGRAPH_MPPC_COMPRESSION
options         NETGRAPH_L2TP
options         NETGRAPH_TCPMSS
options         NETGRAPH_VJC
options         NETGRAPH_ONE2MANY
options         NETGRAPH_RFC1490
options         NETGRAPH_TTY
options         NETGRAPH_UI
options         NETGRAPH_CISCO
options         NETGRAPH_ECHO
options         NETGRAPH_FRAME_RELAY
options         NETGRAPH_HOLE
options         NETGRAPH_LMI
options         NETGRAPH_ASYNC

Edited March 18, 2009 by Ivan_83
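For reference, the pf.conf that the layout in the post calls for: PPPoE uplink on ng0 and LAN on xl0 as in the ifconfig output, PPTP address pool as in mpd.conf. This is an added example, not the poster's firewall (the post never shows pf.conf), and it does not claim to explain the hang; the interface group name "ng" and the decision to trust the LAN are assumptions. One caveat to keep in mind when copying the posted mpd.conf: the server accepts only chap-msv2 with 128-bit MPPE, and both MS-CHAPv2 and MPPE have well-known cryptographic weaknesses, so rules like these control who can reach the PPTP service, not how strong the tunnel is.

```pf
# Added example pf.conf for the layout in the post (PPPoE uplink on ng0, LAN on
# xl0, mpd5 PPTP server handing out 172.16.0.128-200). This is not the poster's
# firewall; the post never shows pf.conf. It only lets PPTP reach mpd5 and says
# nothing about the hang the poster describes.
ext_if = "ng0"     # PPPoE bundle interface (from the post's ifconfig output)
lan_if = "xl0"     # LAN side, 172.16.0.254/24 (from the post's ifconfig output)

# The mpd.conf pool 172.16.0.128-172.16.0.200 is not a single prefix and pf
# tables take prefixes only, so it is split exactly: 128-191, 192-199, 200.
table <pptp_clients> const { 172.16.0.128/26, 172.16.0.192/29, 172.16.0.200/32 }

set skip on lo0
scrub in all

# NAT the LAN and the VPN clients out over the PPPoE link. ($ext_if) in
# parentheses tracks the address mpd5 negotiates on every reconnect.
nat on $ext_if from $lan_if:network to any -> ($ext_if)
nat on $ext_if from <pptp_clients> to any -> ($ext_if)

# Uplink: allow outbound; inbound allow only the PPTP control channel (TCP/1723)
# and the GRE tunnel that carries the PPP frames; block everything else.
# Without the GRE rule the TCP handshake to 1723 succeeds but no PPP session
# ever comes up. All rules are "quick", so order is what matters here.
pass out quick on $ext_if keep state
pass in quick on $ext_if proto tcp from any to ($ext_if) port 1723 flags S/SA keep state
pass in quick on $ext_if proto gre from any to ($ext_if) keep state
block in log quick on $ext_if

# LAN is trusted in this example.
pass quick on $lan_if

# mpd5 creates a new ngN interface for every connected PPTP client. FreeBSD
# places each ngN interface in the interface group "ng" (assumed here), so this
# one rule covers them all. It must stay below the ng0 rules, which have already
# matched quick; otherwise it would also open the uplink.
pass quick on ng
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t pptp_clients -T show` confirms the table expands to exactly the mpd5 pool.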