Openvpn, problem with Inbound Nat on Opt interface

From:	"a.gatta" <a dot gatta at tiscali dot it>
To:	m0n0wall at lists dot m0n0 dot ch
Subject:	Openvpn, problem with Inbound Nat on Opt interface
Date:	Thu, 23 Mar 2006 19:11:20 +0100

Hi there,
I'am in trouble with inbound nat on opt interface ( point-to-point link 
used by openvpn ).

Following the network diag :



Wan
   |
M0n0 with ovpnclnt ---- Opt 1----- ovpn server ----- Local Network 
(192.168.x.x/24) 
   |
Lan

I was able to "outbound nat" connection coming from my Lan to the Local 
Network behind the ovpn server.

Now I am tryng to access to my Lan from this Local Network with doing 
"inbound nat" on m0n0.

It seems that m0n0 is not doing nat on Opt 1 for inbound connections 
and, worste thing, seems like that any connection in the outbound 
direction is dropped by the clinup rule ( any any drop ).

Attach you will find the xml config file and the output from 
"status.php" (file: monoinfo.txt)

Thank in advance...I am going insane ! :-)

Andrea

config-m0n0wall[1].local-20060323093502.xml (8.2 KB, text/xml)

Interfaces

sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=40<POLLING>
	inet 23.250.58.114 netmask 0xfffff800 broadcast 23.250.63.255
	ether 00:0d:b9:01:12:0c
	media: Ethernet autoselect (10baseT/UTP)
	status: active
sis1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=40<POLLING>
	inet 192.168.30.2 netmask 0xffffff00 broadcast 192.168.30.255
	ether 00:0d:b9:01:12:0d
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
sis2: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=40<POLLING>
	ether 00:0d:b9:01:12:0e
	media: Ethernet autoselect (none)
	status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 10.20.0.6 --> 10.20.0.5 netmask 0xffffffff
	Opened by PID 80

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            23.250.56.1        UGSc        4   149501   sis0
10.20.0.1/32       10.20.0.5          UGSc        0        3   tun1
10.20.0.5          10.20.0.6          UH          9     3192   tun1
23.250.56/21       link#1             UC          4        0   sis0
23.250.56.1        00:0c:86:8f:60:70  UHLW        4        0   sis0   1187
23.250.56.154      00:0c:86:8f:60:70  UHLW        0        1   sis0    680
23.250.57.245      00:0c:86:8f:60:70  UHLW        0        1   sis0   1055
23.250.58.112      00:03:6f:03:f0:78  UHLW        1        2   sis0   1181
23.250.58.114      127.0.0.1          UGHS        0        0    lo0
127.0.0.1          127.0.0.1          UH          2       36    lo0
172.16.1/24        10.20.0.5          UGSc        0        0   tun1
192.168.0          10.20.0.5          UGSc        0        0   tun1
192.168.10         10.20.0.5          UGSc        0        0   tun1
192.168.30         link#2             UC          1        0   sis1
192.168.30.3       00:50:ba:6b:40:fc  UHLW        4   107894   sis1    899
192.168.44         10.20.0.5          UGSc        0     1363   tun1
192.168.45         10.20.0.5          UGSc        0        0   tun1
192.168.116        10.20.0.5          UGSc        0        0   tun1
192.168.250        10.20.0.5          UGSc        0        0   tun1
 

ipnat -lv
List of active MAP/Redirect filters:
map sis0 192.168.30.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sis0 192.168.30.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map sis0 192.168.30.0/24 -> 0.0.0.0/32
map tun1 192.168.30.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map tun1 192.168.30.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map tun1 192.168.30.0/24 -> 0.0.0.0/32
rdr tun1 0.0.0.0/0 port 3389 -> 192.168.30.3 port 3389 tcp
rdr sis0 0.0.0.0/0 port 4662- 4672 -> 192.168.30.3 port 4662 tcp/udp


unparsed ipnat rules 
map sis0 192.168.30.0/24  -> 0/32 proxy port ftp ftp/tcp
map sis0 192.168.30.0/24  -> 0/32 portmap tcp/udp auto
map sis0 192.168.30.0/24  -> 0/32
map tun1 192.168.30.0/24  -> 0/32 proxy port ftp ftp/tcp
map tun1 192.168.30.0/24  -> 0/32 portmap tcp/udp auto
map tun1 192.168.30.0/24  -> 0/32
rdr tun1 0/0 port 3389 -> 192.168.30.3 port 3389 tcp
rdr sis0 0/0 port 4662-4672 -> 192.168.30.3 port 4662 tcp/udp
 
unparsed ipfilter rules 
# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on sis1 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on sis1 proto udp from any port = 68 to 192.168.30.2 port = 67
pass out quick on sis1 proto udp from 192.168.30.2 port = 67 to any port = 68

# WAN spoof check
block in log quick on sis0 from 192.168.30.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on sis0 proto udp from any port = 68 to any port = 67
block in log quick on sis0 proto udp from any port = 67 to 192.168.30.0/24 port = 68
pass in quick on sis0 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on sis1 from ! 192.168.30.0/24 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on sis1 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on sis1 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on sis0 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on sis0 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.30.0/24 to 192.168.30.2 keep state group 100

# User-defined rules follow
pass in quick proto tcp/udp from any to 192.168.30.3 port 4661 >< 4673 keep state group 200 
pass in quick from 192.168.30.0/24 to any keep state group 100 
	
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all