 From:  Andrew Armstrong <andrew at chattanooga dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Radius Problem
 Date:  Mon, 16 Oct 2006 16:37:31 -0400
I am having problems with a firewall rule that applies to a RADIUS 
server on the LAN side of my m0n0wall. I have the following aliases set up.

www    172.29.1.176
mail    172.29.1.177
auth    172.29.1.178

I have a static WAN IP set up as x.x.2.176 and proxy ARP entries for 
x.x.2.177 and x.x.2.178. All three public IPs are available and 
working. The 3 aliases above relate to these 3 public IPs.

I have 1:1 NAT set up to map

x.x.2.177 -> 172.29.1.177
x.x.2.178 -> 172.29.1.178

as well as Inbound NAT rules for port forwards for the primary WAN IP 
x.x.2.176.

I have added the following firewall rules:

Proto    Src    Sport    Dst    Dport
-------------------------------------------
TCP    *    *    www    21(FTP)
TCP    *    *    www    80(HTTP)
TCP    *    *    www    443(HTTPS)
TCP    *    *    mail    25(SMTP)
TCP    *    *    mail    110(POP3)
TCP    *    *    mail    80(HTTP)
TCP    *    *    mail    443(HTTPS)
TCP    *    *    LAN net    5805(VNC)
TCP    *    *    auth    22(SSH)
TCP    *    *    auth    80(HTTP)
TCP    *    *    auth    443(HTTPS)
UDP    *    *    auth    1645-1646
UDP    *    *    auth    1812-1813

All of these rules work fine except the last one. The last 2 rules are 
exactly the same configuration in everything other than the port range, 
but for some reason RADIUS on 1812-1813 does not work. The clients 
on the WAN side will authenticate on ports 1645-1646 but not on the main 
ports 1812-1813.

I have tested the RADIUS server on the LAN side and everything checks 
out OK. It is configured to listen on both sets of ports on all 
available IPs, and I have verified this with radtest from the CLI and 
NTRadPing from another server on the LAN. Both are fine.

I have sniffed the traffic on the WAN side and the RADIUS client is 
sending the info. As I stated before, if I use the 1645 ports it works. 
If I use the 1812 ports it does not work.

I have narrowed this down to something the m0n0wall is doing, but for the 
life of me I cannot find anything that could be doing this. It seems 
that if one set of RADIUS ports works, the other set should also work.

Here is my full m0n0wall config:

############################################################
##### BEGIN STATUS.PHP DUMP
############################################################
System uptime

  8:23PM  up  3:05, 0 users, load averages: 0.00, 0.00, 0.00

Interfaces

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
     options=40<POLLING>
     inet 172.29.1.1 netmask 0xffffff00 broadcast 172.29.1.255
     ether 00:00:e8:5b:5e:17
     media: Ethernet autoselect (100baseTX)
     status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
     options=1<RXCSUM>
     inet x.x.2.176 netmask 0xffffff00 broadcast x.x.2.255
     ether 00:01:02:30:22:b2
     media: Ethernet autoselect (100baseTX <full-duplex>)
     status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
     inet 127.0.0.1 netmask 0xff000000

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            x.x.2.1         UGSc        4    13310    xl0
x.x.2/24        link#2             UC          1        0    xl0
x.x.2.1         00:04:23:08:43:be  UHLW        4        3    xl0   1200
127.0.0.1          127.0.0.1          UH          0        0    lo0
172.29.1/24        link#1             UC          3        0    rl0
172.29.1.176       00:01:03:2f:6b:e4  UHLW        1    13525    rl0   1130
172.29.1.177       00:0a:e6:2a:1e:6b  UHLW        0     6040    rl0   1003
172.29.1.178       00:0e:0c:84:7c:c8  UHLW        1     8730    rl0    366

ipfw show

ipfw: getsockopt(IP_FW_GET): Protocol not available

ipnat -lv

List of active MAP/Redirect filters:
bimap xl0 172.29.1.177/32 -> x.x.2.177/32
bimap xl0 172.29.1.178/32 -> x.x.2.178/32
map xl0 172.29.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map xl0 172.29.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map xl0 172.29.1.0/24 -> 0.0.0.0/32
rdr xl0 0.0.0.0/0 port 21 -> 172.29.1.176 port 21 tcp
rdr xl0 0.0.0.0/0 port 80 -> 172.29.1.176 port 80 tcp
rdr xl0 0.0.0.0/0 port 5805 -> 172.29.1.176 port 5805 tcp
rdr xl0 0.0.0.0/0 port 9000- 9100 -> 172.29.1.176 port 9000 tcp

List of active sessions:
BIMAP 172.29.1.178    1026  <- -> x.x.2.178    1026  [204.16.208.75 45434]
     age 1095 use 0 sumd 0x689c/0x689c pr 17 bkt 104/1089 flags 2 drop 0/0
     ifp xl0 bytes 444 pkts 1
BIMAP 172.29.1.177    1026  <- -> x.x.2.177    1026  [204.16.208.75 45434]
     age 1095 use 0 sumd 0x689c/0x689c pr 17 bkt 98/1083 flags 2 drop 0/0
     ifp xl0 bytes 444 pkts 1
BIMAP 172.29.1.177    1026  <- -> x.x.2.177    1026  [65.164.168.27 15380]
     age 1086 use 0 sumd 0x689c/0x689c pr 17 bkt 1231/169 flags 2 drop 0/0
     ifp xl0 bytes 1066 pkts 1
BIMAP 172.29.1.178    1026  <- -> x.x.2.178    1026  [65.99.21.136 5689]
     age 1086 use 0 sumd 0x689c/0x689c pr 17 bkt 930/1915 flags 2 drop 0/0
     ifp xl0 bytes 1066 pkts 1
BIMAP 172.29.1.177    110   <- -> x.x.2.177    110   [x.x.6.178 3122]
     age 330 use 0 sumd 0x689c/0x689c pr 6 bkt 1229/167 flags 1 drop 0/0
     ifp xl0 bytes 23756 pkts 67
BIMAP 172.29.1.178    15164 <- -> x.x.2.178    15164 [74.241.113.131 50847]
     age 270 use 0 sumd 0x689c/0x689c pr 6 bkt 997/1982 flags 1 drop 0/0
     ifp xl0 bytes 144 pkts 3
BIMAP 172.29.1.177    25    <- -> x.x.2.177    25    [66.226.44.60 5268]
     age 290 use 0 sumd 0x689c/0x689c pr 6 bkt 838/1823 flags 1 drop 0/0
     ifp xl0 bytes 22214 pkts 52
BIMAP 172.29.1.177    110   <- -> x.x.2.177    110   [x.x.6.178 3115]
     age 208 use 0 sumd 0x689c/0x689c pr 6 bkt 1484/422 flags 1 drop 0/0
     ifp xl0 bytes 1978 pkts 24
BIMAP 172.29.1.178    10000 <- -> x.x.2.178    10000 [69.56.214.58 38077]
     age 148 use 0 sumd 0x689c/0x689c pr 6 bkt 434/1419 flags 1 drop 0/0
     ifp xl0 bytes 60 pkts 1
BIMAP 172.29.1.177    10000 <- -> x.x.2.177    10000 [69.56.214.58 38076]
     age 148 use 0 sumd 0x689c/0x689c pr 6 bkt 172/1157 flags 1 drop 0/0
     ifp xl0 bytes 60 pkts 1
BIMAP 172.29.1.177    110   <- -> x.x.2.177    110   [x.x.6.178 3114]
     age 86 use 0 sumd 0x689c/0x689c pr 6 bkt 1228/166 flags 1 drop 0/0
     ifp xl0 bytes 1978 pkts 24
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [x.x.4.147 1052]
     age 199 use 0 sumd 0x689c/0x689c pr 6 bkt 1950/888 flags 1 drop 0/0
     ifp xl0 bytes 45963 pkts 68
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [x.x.4.147 1051]
     age 198 use 0 sumd 0x689c/0x689c pr 6 bkt 1694/632 flags 1 drop 0/0
     ifp xl0 bytes 46767 pkts 72
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [x.x.4.147 1050]
     age 199 use 0 sumd 0x689c/0x689c pr 6 bkt 1438/376 flags 1 drop 0/0
     ifp xl0 bytes 101535 pkts 136
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [x.x.4.147 1049]
     age 198 use 0 sumd 0x689c/0x689c pr 6 bkt 1182/120 flags 1 drop 0/0
     ifp xl0 bytes 99249 pkts 125
BIMAP 172.29.1.178    1026  <- -> x.x.2.178    1026  [24.157.202.217 19940]
     age 703 use 0 sumd 0x689c/0x689c pr 17 bkt 1194/132 flags 2 drop 0/0
     ifp xl0 bytes 1081 pkts 1
BIMAP 172.29.1.177    1026  <- -> x.x.2.177    1026  [24.50.9.43 31817]
     age 703 use 0 sumd 0x689c/0x689c pr 17 bkt 612/1597 flags 2 drop 0/0
     ifp xl0 bytes 1081 pkts 1
BIMAP 172.29.1.177    1026  <- -> x.x.2.177    1026  [24.240.35.68 10452]
     age 650 use 0 sumd 0x689c/0x689c pr 17 bkt 188/1173 flags 2 drop 0/0
     ifp xl0 bytes 1058 pkts 1
BIMAP 172.29.1.178    1026  <- -> x.x.2.178    1026  [24.147.130.236 2230]
     age 650 use 0 sumd 0x689c/0x689c pr 17 bkt 1870/808 flags 2 drop 0/0
     ifp xl0 bytes 1058 pkts 1
MAP 172.29.1.176    1128  <- -> x.x.2.176    45496 [192.175.48.1 53]
     age 476 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 0/1168 flags 2 drop 0/0
     ifp xl0 bytes 185 pkts 2
MAP 172.29.1.176    1122  <- -> x.x.2.176    45490 [65.182.99.55 53]
     age 475 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 855/2023 flags 2 drop 0/0
     ifp xl0 bytes 173 pkts 2
MAP 172.29.1.176    1119  <- -> x.x.2.176    45487 [65.182.99.55 53]
     age 474 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 87/1255 flags 2 drop 0/0
     ifp xl0 bytes 161 pkts 2
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [208.35.159.6 4385]
     age 339 use 0 sumd 0x689c/0x689c pr 6 bkt 1262/200 flags 1 drop 0/0
     ifp xl0 bytes 2460 pkts 11
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [208.35.159.6 3532]
     age 339 use 0 sumd 0x689c/0x689c pr 6 bkt 0/985 flags 1 drop 0/0
     ifp xl0 bytes 4079 pkts 15
BIMAP 172.29.1.178    22    <- -> x.x.2.178    22    [x.x.1.252 2833]
     age 16171 use 0 sumd 0x689c/0x689c pr 6 bkt 1167/105 flags 1 drop 0/0
     ifp xl0 bytes 584779 pkts 5271

List of active host mappings:
172.29.1.176 -> 0.0.0.0 (use = 3 hv = 144)

ipfstat -v

opts 0x40 name /dev/ipl
  IPv6 packets:        in 0 out 0
  input packets:        blocked 2430 passed 62213 nomatch 0 counted 0 short 0
output packets:        blocked 220 passed 67737 nomatch 0 counted 0 short 0
  input packets logged:    blocked 2430 passed 0
output packets logged:    blocked 0 passed 0
  packets logged:    input 0 output 0
  log failures:        input 0 output 0
fragment state(in):    kept 0    lost 0    not fragmented 0
fragment state(out):    kept 0    lost 0    not fragmented 0
packet state(in):    kept 1102    lost 0
packet state(out):    kept 27    lost 220
ICMP replies:    0    TCP RSTs sent:    0
Invalid source(in):    0
Result cache hits(in):    318    (out):    0
IN Pullups succeeded:    0    failed:    0
OUT Pullups succeeded:    0    failed:    0
Fastroute successes:    0    failures:    0
TCP cksum fails(in):    0    (out):    0
Packet log flags set: (0)
     none

ipfstat -nio

@1 pass out quick on lo0 from any to any
@2 pass out quick on rl0 proto udp from 172.29.1.1/32 port = 67 to any port = 68
@3 pass out quick on xl0 proto udp from any port = 68 to any port = 67
@4 pass out quick on rl0 from any to any keep state
@5 pass out quick on xl0 from any to any keep state
@6 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on rl0 proto udp from any port = 68 to 172.29.1.1/32 port = 67
@6 block in log quick on xl0 from 172.29.1.0/24 to any
@7 block in log quick on xl0 proto udp from any port = 67 to 172.29.1.0/24 port = 68
@8 pass in quick on xl0 proto udp from any port = 67 to any port = 68
@9 block in log quick on rl0 from !172.29.1.0/24 to any
@10 block in log quick on xl0 from 10.0.0.0/8 to any
@11 block in log quick on xl0 from 127.0.0.0/8 to any
@12 block in log quick on xl0 from 172.16.0.0/12 to any
@13 block in log quick on xl0 from 192.168.0.0/16 to any
@14 skip 1 in proto tcp from any to any flags S/FSRA
@15 block in log quick proto tcp from any to any
@16 block in log quick on rl0 from any to any head 100
@1 pass in quick from 172.29.1.0/24 to 172.29.1.1/32 keep state group 100
@2 pass in quick from 172.29.1.0/24 to any keep state group 100
@17 block in log quick on xl0 from any to any head 200
@1 pass in quick proto icmp from x.x.2.1/32 to x.x.2.176/32 keep state group 200
@2 pass in quick proto tcp from x.x.1.0/24 to x.x.2.176/32 port = 8080 keep state group 200
@3 pass in quick proto tcp from x.x.25.56/29 to x.x.2.176/32 port = 8080 keep state group 200
@4 pass in quick proto tcp from any to 172.29.1.176/32 port = 80 keep state group 200
@5 pass in quick proto tcp from any to 172.29.1.177/32 port = 25 keep state group 200
@6 pass in quick proto tcp from any to 172.29.1.177/32 port = 110 keep state group 200
@7 pass in quick proto tcp from any to 172.29.1.177/32 port = 80 keep state group 200
@8 pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 5805 keep state group 200
@9 pass in quick proto tcp from x.x.6.178/32 to 172.29.1.0/24 port = 5805 keep state group 200
@10 pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 5805 keep state group 200
@11 pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 14147 keep state group 200
@12 pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 14147 keep state group 200
@13 pass in quick proto tcp from any to 172.29.1.176/32 port = 21 keep state group 200
@14 pass in quick proto tcp from any to 172.29.1.176/32 port 8999 >< 9101 keep state group 200
@15 pass in quick proto tcp from any to 172.29.1.178/32 port = 22 keep state group 200
@16 pass in quick proto tcp from any to 172.29.1.178/32 port = 80 keep state group 200
@17 pass in quick proto tcp from any to 172.29.1.178/32 port = 443 keep state group 200
@18 pass in quick proto icmp from x.x.1.0/24 to 172.29.1.178/32 keep state group 200
@19 pass in quick proto icmp from x.x.2.1/32 to 172.29.1.178/32 keep state group 200
@20 pass in quick proto udp from any to 172.29.1.178/32 port 1644 >< 1647 keep state group 200
@21 pass in quick proto udp from any to 172.29.1.178/32 port 1811 >< 1814 keep state group 200
@18 block in log quick from any to any

unparsed ipnat rules

bimap xl0 172.29.1.177/32 -> x.x.2.177/32
bimap xl0 172.29.1.178/32 -> x.x.2.178/32
map xl0 172.29.1.0/24  -> 0/32 proxy port ftp ftp/tcp
map xl0 172.29.1.0/24  -> 0/32 portmap tcp/udp auto
map xl0 172.29.1.0/24  -> 0/32
rdr xl0 0/0 port 21 -> 172.29.1.176 port 21 tcp
rdr xl0 0/0 port 80 -> 172.29.1.176 port 80 tcp
rdr xl0 0/0 port 5805 -> 172.29.1.176 port 5805 tcp
rdr xl0 0/0 port 9000-9100 -> 172.29.1.176 port 9000 tcp

unparsed ipfilter rules

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on rl0 proto udp from any port = 68 to 172.29.1.1 port = 67
pass out quick on rl0 proto udp from 172.29.1.1 port = 67 to any port = 68

# WAN spoof check
block in log quick on xl0 from 172.29.1.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on xl0 proto udp from any port = 68 to any port = 67
block in log quick on xl0 proto udp from any port = 67 to 172.29.1.0/24 port = 68
pass in quick on xl0 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on rl0 from ! 172.29.1.0/24 to any

# block anything from private networks on WAN interface
block in log quick on xl0 from 10.0.0.0/8 to any
block in log quick on xl0 from 127.0.0.0/8 to any
block in log quick on xl0 from 172.16.0.0/12 to any
block in log quick on xl0 from 192.168.0.0/16 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on rl0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on rl0 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on xl0 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on xl0 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 172.29.1.0/24 to 172.29.1.1 keep state group 100

# User-defined rules follow
pass in quick proto icmp from x.x.2.1 to x.x.2.176 keep state group 200
pass in quick proto tcp from x.x.1.0/24 to x.x.2.176 port = 8080 keep state group 200
pass in quick proto tcp from x.x.25.56/29 to x.x.2.176 port = 8080 keep state group 200
pass in quick proto tcp from any to 172.29.1.176 port = 80 keep state group 200
pass in quick proto tcp from any to 172.29.1.177 port = 25 keep state group 200
pass in quick proto tcp from any to 172.29.1.177 port = 110 keep state group 200
pass in quick proto tcp from any to 172.29.1.177 port = 80 keep state group 200
pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 5805 keep state group 200
pass in quick proto tcp from x.x.6.178 to 172.29.1.0/24 port = 5805 keep state group 200
pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 5805 keep state group 200
pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 14147 keep state group 200
pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 14147 keep state group 200
pass in quick proto tcp from any to 172.29.1.176 port = 21 keep state group 200
pass in quick proto tcp from any to 172.29.1.176 port 8999 >< 9101 keep state group 200
pass in quick proto tcp from any to 172.29.1.178 port = 22 keep state group 200
pass in quick proto tcp from any to 172.29.1.178 port = 80 keep state group 200
pass in quick proto tcp from any to 172.29.1.178 port = 443 keep state group 200
pass in quick proto icmp from x.x.1.0/24 to 172.29.1.178 keep state group 200
pass in quick proto icmp from x.x.2.1 to 172.29.1.178 keep state group 200
pass in quick proto udp from any to 172.29.1.178 port 1644 >< 1647 keep state group 200
pass in quick proto udp from any to 172.29.1.178 port 1811 >< 1814 keep state group 200
pass in quick from 172.29.1.0/24 to any keep state group 100

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

unparsed ipfw rules

add 50000 set 4 pass all from 172.29.1.1 to any
add 50001 set 4 pass all from any to 172.29.1.1


-- 
Andrew Armstrong
Chattanooga Online
andrew at chattanooga dot net
423-267-8867 Ext. 303
fax: 423-648-2808
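As an added illustration (not from the post or from m0n0wall itself), a small checker that parses ipfilter rule lines of the kind shown in the "ipfstat -nio" output above and reports which rule a packet would first hit under ipfilter's first-match "quick" semantics, including the exclusive "a >< b" port range that m0n0wall generates for "1812-1813". It uses a constructed subset of the group-200 rules whose addresses are fully visible in the post (the x.x.* rules are omitted), and the source IP 203.0.113.7 is a made-up example.

```python
import ipaddress
import re

# Constructed subset of the group-200 "ipfstat -nio" rules quoted in the post.
RULES_TEXT = """
@4 pass in quick proto tcp from any to 172.29.1.176/32 port = 80 keep state group 200
@15 pass in quick proto tcp from any to 172.29.1.178/32 port = 22 keep state group 200
@17 pass in quick proto tcp from any to 172.29.1.178/32 port = 443 keep state group 200
@20 pass in quick proto udp from any to 172.29.1.178/32 port 1644 >< 1647 keep state group 200
@21 pass in quick proto udp from any to 172.29.1.178/32 port 1811 >< 1814 keep state group 200
"""

RULE_RE = re.compile(
    r"@(?P<num>\d+) (?P<action>pass|block) in quick(?: proto (?P<proto>\w+))? "
    r"from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port (?:= (?P<eq>\d+)|(?P<lo>\d+) >< (?P<hi>\d+)))?"
)


def _net(tok):
    # "any" matches every address; anything else is a CIDR or host
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised rule: " + line)
        if m["eq"] is not None:
            ports = (int(m["eq"]), int(m["eq"]))
        elif m["lo"] is not None:
            # ipfilter's "a >< b" is exclusive on both ends: a < port < b,
            # so "1811 >< 1814" admits exactly 1812 and 1813.
            ports = (int(m["lo"]) + 1, int(m["hi"]) - 1)
        else:
            ports = None  # no port clause, e.g. icmp rules
        rules.append({"num": "@" + m["num"], "action": m["action"], "proto": m["proto"],
                      "src": _net(m["src"]), "dst": _net(m["dst"]), "ports": ports})
    return rules


def first_match(rules, proto, src, dst, dport):
    """Return the number of the first (quick) rule matching the packet, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if r["ports"] is not None and not (r["ports"][0] <= dport <= r["ports"][1]):
            continue
        return r["num"]
    return None  # falls through to the group's "block in log quick" default


RULES = parse_rules(RULES_TEXT)
```

Running first_match over the post's own rule set shows UDP 1812 and 1813 to 172.29.1.178 hit @21 just as 1645 hits @20, so if the packets are still dropped the next place to look is the ipfstat block log and NAT state rather than the rule text.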