I am having problems with a firewall rule that applies to a RADIUS
server on the LAN side of my m0n0wall. I have the following aliases set up.
www 172.29.1.176
mail 172.29.1.177
auth 172.29.1.178
I have a static WAN IP set up as x.x.2.176 and proxy ARP entries for
x.x.2.177 and x.x.2.178. All three public IPs are available and
working. The 3 aliases above relate to these 3 public IPs.
I have 1:1 NAT setup to map
x.x.2.177 -> 172.29.1.177
x.x.2.178 -> 172.29.1.178
as well as Inbound NAT rules for port forwards for the primary WAN IP
x.x.2.176.
I have added the following firewall rules:
Proto Src Sport Dst Dport
-------------------------------------------
TCP * * www 21(FTP)
TCP * * www 80(HTTP)
TCP * * www 443(HTTPS)
TCP * * mail 25(SMTP)
TCP * * mail 110(POP3)
TCP * * mail 80(HTTP)
TCP * * mail 443(HTTPS)
TCP * * LAN net 5805(VNC)
TCP * * auth 22(SSH)
TCP * * auth 80(HTTP)
TCP * * auth 443(HTTPS)
UDP * * auth 1645-1646
UDP * * auth 1812-1813
All of these rules work fine except the last one. The last 2 rules are
exactly the same configuration on everything other than the port range,
but for some reason the RADIUS on 1812-1813 does not work. The clients
on the WAN side will authenticate on ports 1645-1646 but not the main
ports of 1812-1813.
I have tested the RADIUS server on the LAN side and everything checks
out ok. It is configured to listen on both sets of ports on all
available IPs and I have verified this with radtest from the CLI and
ntradping from another server on the LAN. Both are fine.
I have sniffed the traffic on the WAN side and the RADIUS client is
sending the info. As I stated before, if I use the 1645 ports it works.
If I use the 1812 ports it does not work.
I have broken this down to something the m0n0wall is doing but for the
life of me I cannot find anything that could be doing this. It seems
that if one set of radius ports works the other set should also work.
Here is my full m0n0wall config:
############################################################
##### BEGIN STATUS.PHP DUMP
############################################################
System uptime
8:23PM up 3:05, 0 users, load averages: 0.00, 0.00, 0.00
Interfaces
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=40<POLLING>
inet 172.29.1.1 netmask 0xffffff00 broadcast 172.29.1.255
ether 00:00:e8:5b:5e:17
media: Ethernet autoselect (100baseTX)
status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1<RXCSUM>
inet x.x.2.176 netmask 0xffffff00 broadcast x.x.2.255
ether 00:01:02:30:22:b2
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
Routing tables
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default x.x.2.1 UGSc 4 13310 xl0
x.x.2/24 link#2 UC 1 0 xl0
x.x.2.1 00:04:23:08:43:be UHLW 4 3 xl0 1200
127.0.0.1 127.0.0.1 UH 0 0 lo0
172.29.1/24 link#1 UC 3 0 rl0
172.29.1.176 00:01:03:2f:6b:e4 UHLW 1 13525 rl0 1130
172.29.1.177 00:0a:e6:2a:1e:6b UHLW 0 6040 rl0 1003
172.29.1.178 00:0e:0c:84:7c:c8 UHLW 1 8730 rl0 366
ipfw show
ipfw: getsockopt(IP_FW_GET): Protocol not available
ipnat -lv
List of active MAP/Redirect filters:
bimap xl0 172.29.1.177/32 -> x.x.2.177/32
bimap xl0 172.29.1.178/32 -> x.x.2.178/32
map xl0 172.29.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map xl0 172.29.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map xl0 172.29.1.0/24 -> 0.0.0.0/32
rdr xl0 0.0.0.0/0 port 21 -> 172.29.1.176 port 21 tcp
rdr xl0 0.0.0.0/0 port 80 -> 172.29.1.176 port 80 tcp
rdr xl0 0.0.0.0/0 port 5805 -> 172.29.1.176 port 5805 tcp
rdr xl0 0.0.0.0/0 port 9000- 9100 -> 172.29.1.176 port 9000 tcp
List of active sessions:
BIMAP 172.29.1.178 1026 <- -> x.x.2.178 1026 [204.16.208.75 45434]
age 1095 use 0 sumd 0x689c/0x689c pr 17 bkt 104/1089 flags 2 drop 0/0
ifp xl0 bytes 444 pkts 1
BIMAP 172.29.1.177 1026 <- -> x.x.2.177 1026 [204.16.208.75 45434]
age 1095 use 0 sumd 0x689c/0x689c pr 17 bkt 98/1083 flags 2 drop 0/0
ifp xl0 bytes 444 pkts 1
BIMAP 172.29.1.177 1026 <- -> x.x.2.177 1026 [65.164.168.27 15380]
age 1086 use 0 sumd 0x689c/0x689c pr 17 bkt 1231/169 flags 2 drop 0/0
ifp xl0 bytes 1066 pkts 1
BIMAP 172.29.1.178 1026 <- -> x.x.2.178 1026 [65.99.21.136 5689]
age 1086 use 0 sumd 0x689c/0x689c pr 17 bkt 930/1915 flags 2 drop 0/0
ifp xl0 bytes 1066 pkts 1
BIMAP 172.29.1.177 110 <- -> x.x.2.177 110 [x.x.6.178 3122]
age 330 use 0 sumd 0x689c/0x689c pr 6 bkt 1229/167 flags 1 drop 0/0
ifp xl0 bytes 23756 pkts 67
BIMAP 172.29.1.178 15164 <- -> x.x.2.178 15164 [74.241.113.131 50847]
age 270 use 0 sumd 0x689c/0x689c pr 6 bkt 997/1982 flags 1 drop 0/0
ifp xl0 bytes 144 pkts 3
BIMAP 172.29.1.177 25 <- -> x.x.2.177 25 [66.226.44.60 5268]
age 290 use 0 sumd 0x689c/0x689c pr 6 bkt 838/1823 flags 1 drop 0/0
ifp xl0 bytes 22214 pkts 52
BIMAP 172.29.1.177 110 <- -> x.x.2.177 110 [x.x.6.178 3115]
age 208 use 0 sumd 0x689c/0x689c pr 6 bkt 1484/422 flags 1 drop 0/0
ifp xl0 bytes 1978 pkts 24
BIMAP 172.29.1.178 10000 <- -> x.x.2.178 10000 [69.56.214.58 38077]
age 148 use 0 sumd 0x689c/0x689c pr 6 bkt 434/1419 flags 1 drop 0/0
ifp xl0 bytes 60 pkts 1
BIMAP 172.29.1.177 10000 <- -> x.x.2.177 10000 [69.56.214.58 38076]
age 148 use 0 sumd 0x689c/0x689c pr 6 bkt 172/1157 flags 1 drop 0/0
ifp xl0 bytes 60 pkts 1
BIMAP 172.29.1.177 110 <- -> x.x.2.177 110 [x.x.6.178 3114]
age 86 use 0 sumd 0x689c/0x689c pr 6 bkt 1228/166 flags 1 drop 0/0
ifp xl0 bytes 1978 pkts 24
RDR 172.29.1.176 80 <- -> x.x.2.176 80 [x.x.4.147 1052]
age 199 use 0 sumd 0x689c/0x689c pr 6 bkt 1950/888 flags 1 drop 0/0
ifp xl0 bytes 45963 pkts 68
RDR 172.29.1.176 80 <- -> x.x.2.176 80 [x.x.4.147 1051]
age 198 use 0 sumd 0x689c/0x689c pr 6 bkt 1694/632 flags 1 drop 0/0
ifp xl0 bytes 46767 pkts 72
RDR 172.29.1.176 80 <- -> x.x.2.176 80 [x.x.4.147 1050]
age 199 use 0 sumd 0x689c/0x689c pr 6 bkt 1438/376 flags 1 drop 0/0
ifp xl0 bytes 101535 pkts 136
RDR 172.29.1.176 80 <- -> x.x.2.176 80 [x.x.4.147 1049]
age 198 use 0 sumd 0x689c/0x689c pr 6 bkt 1182/120 flags 1 drop 0/0
ifp xl0 bytes 99249 pkts 125
BIMAP 172.29.1.178 1026 <- -> x.x.2.178 1026 [24.157.202.217 19940]
age 703 use 0 sumd 0x689c/0x689c pr 17 bkt 1194/132 flags 2 drop 0/0
ifp xl0 bytes 1081 pkts 1
BIMAP 172.29.1.177 1026 <- -> x.x.2.177 1026 [24.50.9.43 31817]
age 703 use 0 sumd 0x689c/0x689c pr 17 bkt 612/1597 flags 2 drop 0/0
ifp xl0 bytes 1081 pkts 1
BIMAP 172.29.1.177 1026 <- -> x.x.2.177 1026 [24.240.35.68 10452]
age 650 use 0 sumd 0x689c/0x689c pr 17 bkt 188/1173 flags 2 drop 0/0
ifp xl0 bytes 1058 pkts 1
BIMAP 172.29.1.178 1026 <- -> x.x.2.178 1026 [24.147.130.236 2230]
age 650 use 0 sumd 0x689c/0x689c pr 17 bkt 1870/808 flags 2 drop 0/0
ifp xl0 bytes 1058 pkts 1
MAP 172.29.1.176 1128 <- -> x.x.2.176 45496 [192.175.48.1 53]
age 476 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 0/1168 flags 2 drop 0/0
ifp xl0 bytes 185 pkts 2
MAP 172.29.1.176 1122 <- -> x.x.2.176 45490 [65.182.99.55 53]
age 475 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 855/2023 flags 2 drop 0/0
ifp xl0 bytes 173 pkts 2
MAP 172.29.1.176 1119 <- -> x.x.2.176 45487 [65.182.99.55 53]
age 474 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 87/1255 flags 2 drop 0/0
ifp xl0 bytes 161 pkts 2
RDR 172.29.1.176 80 <- -> x.x.2.176 80 [208.35.159.6 4385]
age 339 use 0 sumd 0x689c/0x689c pr 6 bkt 1262/200 flags 1 drop 0/0
ifp xl0 bytes 2460 pkts 11
RDR 172.29.1.176 80 <- -> x.x.2.176 80 [208.35.159.6 3532]
age 339 use 0 sumd 0x689c/0x689c pr 6 bkt 0/985 flags 1 drop 0/0
ifp xl0 bytes 4079 pkts 15
BIMAP 172.29.1.178 22 <- -> x.x.2.178 22 [x.x.1.252 2833]
age 16171 use 0 sumd 0x689c/0x689c pr 6 bkt 1167/105 flags 1 drop 0/0
ifp xl0 bytes 584779 pkts 5271
List of active host mappings:
172.29.1.176 -> 0.0.0.0 (use = 3 hv = 144)
ipfstat -v
opts 0x40 name /dev/ipl
IPv6 packets: in 0 out 0
input packets: blocked 2430 passed 62213 nomatch 0 counted 0
short 0
output packets: blocked 220 passed 67737 nomatch 0 counted 0 short 0
input packets logged: blocked 2430 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 1102 lost 0
packet state(out): kept 27 lost 220
ICMP replies: 0 TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 318 (out): 0
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
none
ipfstat -nio
@1 pass out quick on lo0 from any to any
@2 pass out quick on rl0 proto udp from 172.29.1.1/32 port = 67 to any
port = 68
@3 pass out quick on xl0 proto udp from any port = 68 to any port = 67
@4 pass out quick on rl0 from any to any keep state
@5 pass out quick on xl0 from any to any keep state
@6 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on rl0 proto udp from any port = 68 to
255.255.255.255/32 port = 67
@5 pass in quick on rl0 proto udp from any port = 68 to 172.29.1.1/32
port = 67
@6 block in log quick on xl0 from 172.29.1.0/24 to any
@7 block in log quick on xl0 proto udp from any port = 67 to
172.29.1.0/24 port = 68
@8 pass in quick on xl0 proto udp from any port = 67 to any port = 68
@9 block in log quick on rl0 from !172.29.1.0/24 to any
@10 block in log quick on xl0 from 10.0.0.0/8 to any
@11 block in log quick on xl0 from 127.0.0.0/8 to any
@12 block in log quick on xl0 from 172.16.0.0/12 to any
@13 block in log quick on xl0 from 192.168.0.0/16 to any
@14 skip 1 in proto tcp from any to any flags S/FSRA
@15 block in log quick proto tcp from any to any
@16 block in log quick on rl0 from any to any head 100
@1 pass in quick from 172.29.1.0/24 to 172.29.1.1/32 keep state group 100
@2 pass in quick from 172.29.1.0/24 to any keep state group 100
@17 block in log quick on xl0 from any to any head 200
@1 pass in quick proto icmp from x.x.2.1/32 to x.x.2.176/32 keep state
group 200
@2 pass in quick proto tcp from x.x.1.0/24 to x.x.2.176/32 port = 8080
keep state group 200
@3 pass in quick proto tcp from x.x.25.56/29 to x.x.2.176/32 port = 8080
keep state group 200
@4 pass in quick proto tcp from any to 172.29.1.176/32 port = 80 keep
state group 200
@5 pass in quick proto tcp from any to 172.29.1.177/32 port = 25 keep
state group 200
@6 pass in quick proto tcp from any to 172.29.1.177/32 port = 110 keep
state group 200
@7 pass in quick proto tcp from any to 172.29.1.177/32 port = 80 keep
state group 200
@8 pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 5805
keep state group 200
@9 pass in quick proto tcp from x.x.6.178/32 to 172.29.1.0/24 port =
5805 keep state group 200
@10 pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port =
5805 keep state group 200
@11 pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port =
14147 keep state group 200
@12 pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port =
14147 keep state group 200
@13 pass in quick proto tcp from any to 172.29.1.176/32 port = 21 keep
state group 200
@14 pass in quick proto tcp from any to 172.29.1.176/32 port 8999 ><
9101 keep state group 200
@15 pass in quick proto tcp from any to 172.29.1.178/32 port = 22 keep
state group 200
@16 pass in quick proto tcp from any to 172.29.1.178/32 port = 80 keep
state group 200
@17 pass in quick proto tcp from any to 172.29.1.178/32 port = 443 keep
state group 200
@18 pass in quick proto icmp from x.x.1.0/24 to 172.29.1.178/32 keep
state group 200
@19 pass in quick proto icmp from x.x.2.1/32 to 172.29.1.178/32 keep
state group 200
@20 pass in quick proto udp from any to 172.29.1.178/32 port 1644 ><
1647 keep state group 200
@21 pass in quick proto udp from any to 172.29.1.178/32 port 1811 ><
1814 keep state group 200
@18 block in log quick from any to any
unparsed ipnat rules
bimap xl0 172.29.1.177/32 -> x.x.2.177/32
bimap xl0 172.29.1.178/32 -> x.x.2.178/32
map xl0 172.29.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map xl0 172.29.1.0/24 -> 0/32 portmap tcp/udp auto
map xl0 172.29.1.0/24 -> 0/32
rdr xl0 0/0 port 21 -> 172.29.1.176 port 21 tcp
rdr xl0 0/0 port 80 -> 172.29.1.176 port 80 tcp
rdr xl0 0/0 port 5805 -> 172.29.1.176 port 5805 tcp
rdr xl0 0/0 port 9000-9100 -> 172.29.1.176 port 9000 tcp
unparsed ipfilter rules
# loopback
pass in quick on lo0 all
pass out quick on lo0 all
# block short packets
block in log quick all with short
# block IP options
block in log quick all with ipopts
# allow access to DHCP server on LAN
pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255
port = 67
pass in quick on rl0 proto udp from any port = 68 to 172.29.1.1 port = 67
pass out quick on rl0 proto udp from 172.29.1.1 port = 67 to any port = 68
# WAN spoof check
block in log quick on xl0 from 172.29.1.0/24 to any
# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on xl0 proto udp from any port = 68 to any port = 67
block in log quick on xl0 proto udp from any port = 67 to 172.29.1.0/24
port = 68
pass in quick on xl0 proto udp from any port = 67 to any port = 68
# LAN/OPT spoof check (needs to be after DHCP because of broadcast
addresses)
block in log quick on rl0 from ! 172.29.1.0/24 to any
# block anything from private networks on WAN interface
block in log quick on xl0 from 10.0.0.0/8 to any
block in log quick on xl0 from 127.0.0.0/8 to any
block in log quick on xl0 from 172.16.0.0/12 to any
block in log quick on xl0 from 192.168.0.0/16 to any
# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all
#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on rl0 all head 100
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on rl0 all keep state
#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on xl0 all head 200
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on xl0 all keep state
# make sure the user cannot lock himself out of the webGUI
pass in quick from 172.29.1.0/24 to 172.29.1.1 keep state group 100
# User-defined rules follow
pass in quick proto icmp from x.x.2.1 to x.x.2.176 keep state group 200
pass in quick proto tcp from x.x.1.0/24 to x.x.2.176 port = 8080 keep
state group 200
pass in quick proto tcp from x.x.25.56/29 to x.x.2.176 port = 8080 keep
state group 200
pass in quick proto tcp from any to 172.29.1.176 port = 80 keep state
group 200
pass in quick proto tcp from any to 172.29.1.177 port = 25 keep state
group 200
pass in quick proto tcp from any to 172.29.1.177 port = 110 keep state
group 200
pass in quick proto tcp from any to 172.29.1.177 port = 80 keep state
group 200
pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 5805
keep state group 200
pass in quick proto tcp from x.x.6.178 to 172.29.1.0/24 port = 5805 keep
state group 200
pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 5805
keep state group 200
pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 14147
keep state group 200
pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 14147
keep state group 200
pass in quick proto tcp from any to 172.29.1.176 port = 21 keep state
group 200
pass in quick proto tcp from any to 172.29.1.176 port 8999 >< 9101 keep
state group 200
pass in quick proto tcp from any to 172.29.1.178 port = 22 keep state
group 200
pass in quick proto tcp from any to 172.29.1.178 port = 80 keep state
group 200
pass in quick proto tcp from any to 172.29.1.178 port = 443 keep state
group 200
pass in quick proto icmp from x.x.1.0/24 to 172.29.1.178 keep state
group 200
pass in quick proto icmp from x.x.2.1 to 172.29.1.178 keep state group 200
pass in quick proto udp from any to 172.29.1.178 port 1644 >< 1647 keep
state group 200
pass in quick proto udp from any to 172.29.1.178 port 1811 >< 1814 keep
state group 200
pass in quick from 172.29.1.0/24 to any keep state group 100
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all
unparsed ipfw rules
add 50000 set 4 pass all from 172.29.1.1 to any
add 50001 set 4 pass all from any to 172.29.1.1
--
Andrew Armstrong
Chattanooga Online
andrew at chattanooga dot net
423-267-8867 Ext. 303
fax: 423-648-2808
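The two UDP rules above are written in ipfilter's `port A >< B` form, which is an exclusive range: `port 1811 >< 1814` matches only 1812 and 1813, exactly as `port 1644 >< 1647` matches only 1645 and 1646. The following is an added example (not m0n0wall or ipfilter code) that parses the subset of `ipfstat -nio` syntax used by the group-200 rules for the auth host and reports which rule a WAN-side packet would hit first. The rule lines are copied from the dump; the source address 203.0.113.5 and source port 45434 are constructed for the test, and `!`-negated addresses, `head`/`group` dispatch and `<>` ranges are deliberately not handled.

```python
"""Matcher for the ipfilter rule subset shown in an ipfstat -nio dump.

Added example, not m0n0wall/ipfilter code. Handles: pass/block, in,
optional log/quick, 'proto X', 'from A [port P]', 'to B [port P]',
'port = N' and 'port A >< B' (exclusive range), 'any', CIDR networks.
Rules are evaluated in order, first match wins (all rules are 'quick').
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed sample: the group-200 rules for 172.29.1.178 from the dump,
# followed by the trailing default block rule.
RULES_TEXT = """\
pass in quick proto tcp from any to 172.29.1.178/32 port = 22 keep state group 200
pass in quick proto tcp from any to 172.29.1.178/32 port = 80 keep state group 200
pass in quick proto tcp from any to 172.29.1.178/32 port = 443 keep state group 200
pass in quick proto udp from any to 172.29.1.178/32 port 1644 >< 1647 keep state group 200
pass in quick proto udp from any to 172.29.1.178/32 port 1811 >< 1814 keep state group 200
block in log quick from any to any
"""


@dataclass
class PortSpec:
    lo: int
    hi: int
    exclusive: bool  # True for 'A >< B' (strictly between), False for '= N'

    def matches(self, port: int) -> bool:
        return self.lo < port < self.hi if self.exclusive else port == self.lo


@dataclass
class Rule:
    action: str
    proto: Optional[str]
    src: Optional[ipaddress.IPv4Network]  # None means 'any'
    dst: Optional[ipaddress.IPv4Network]
    sport: Optional[PortSpec]
    dport: Optional[PortSpec]

    def matches(self, proto: str, src: str, dst: str, sport: int, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.sport is not None and not self.sport.matches(sport):
            return False
        if self.dport is not None and not self.dport.matches(dport):
            return False
        return True


def _parse_net(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    toks = line.split()
    action = toks[0]
    if action not in ("pass", "block"):
        raise ValueError("unsupported rule: " + line)
    proto = src = dst = sport = dport = None
    side = None
    i = 1
    while i < len(toks):
        t = toks[i]
        if t == "proto":
            proto, i = toks[i + 1], i + 2
        elif t in ("from", "to"):
            side = t
            net = _parse_net(toks[i + 1])
            if side == "from":
                src = net
            else:
                dst = net
            i += 2
        elif t == "port":
            if toks[i + 1] == "=":
                spec, i = PortSpec(int(toks[i + 2]), int(toks[i + 2]), False), i + 3
            elif toks[i + 2] == "><":
                spec, i = PortSpec(int(toks[i + 1]), int(toks[i + 3]), True), i + 4
            else:
                raise ValueError("unsupported port spec: " + line)
            if side == "from":
                sport = spec
            else:
                dport = spec
        else:
            i += 1  # in/log/quick/keep/state/group/<number>: no effect on matching
    return Rule(action, proto, src, dst, sport, dport)


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


RULES = parse_rules(RULES_TEXT)


def verdict(proto: str, dst: str, dport: int,
            src: str = "203.0.113.5", sport: int = 45434) -> Tuple[int, str]:
    """Return (rule number, action), 1-based like ipfstat's @N, for the first match."""
    for n, r in enumerate(RULES, 1):
        if r.matches(proto, src, dst, sport, dport):
            return n, r.action
    raise RuntimeError("no rule matched")  # unreachable: last rule blocks everything


if __name__ == "__main__":
    for port in (1645, 1646, 1811, 1812, 1813, 1814):
        print("udp/%d -> rule @%d %s" % ((port,) + verdict("udp", "172.29.1.178", port)))
```

Running it shows 1812 and 1813 landing on rule @5 (pass) just as 1645 and 1646 land on @4, while 1811 and 1814 fall through to the block rule; so, as far as the filter rules go, the two RADIUS port pairs are treated identically.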