 From:  "Austin Montford" <AMontfor at gwm dot sc dot edu>
 To:  "Andrew Armstrong" <andrew at chattanooga dot net>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: Radius Problem
 Date:  Tue, 17 Oct 2006 10:52:37 -0400
When you say RADIUS works internally, does it use 1812? As in your
LAN-side Captive Portal setup, does the RADIUS server IP you put in use
1812 successfully to verify the RADIUS server is answering? Maybe I'm
missing something, but as far as your m0n0wall setup goes, it looks like
mine. :-)

>>> Andrew Armstrong <andrew at chattanooga dot net> 10/16/2006 4:37 PM >>>
I am having problems with a firewall rule that applies to a RADIUS
server on the LAN side of my m0n0wall. I have the following aliases
set up.

www    172.29.1.176
mail    172.29.1.177
auth    172.29.1.178

I have a static WAN IP setup as x.x.2.176 and proxy ARP entries for
x.x.2.177 and x.x.2.178. All three public IPs are available and
working. The 3 aliases above relate to these 3 public IPs.

I have 1:1 NAT setup to map

x.x.2.177 -> 172.29.1.177
x.x.2.178 -> 172.29.1.178

as well as Inbound NAT rules for port forwards for the primary WAN IP 
x.x.2.176.

I have added the following firewall rules:

Proto    Src    Sport    Dst    Dport
-------------------------------------------
TCP    *    *    www    21(FTP)
TCP    *    *    www    80(HTTP)
TCP    *    *    www    443(HTTPS)
TCP    *    *    mail    25(SMTP)
TCP    *    *    mail    110(POP3)
TCP    *    *    mail    80(HTTP)
TCP    *    *    mail    443(HTTPS)
TCP    *    *    LAN net    5805(VNC)
TCP    *    *    auth    22(SSH)
TCP    *    *    auth    80(HTTP)
TCP    *    *    auth    443(HTTPS)
UDP    *    *    auth    1645-1646
UDP    *    *    auth    1812-1813

All of these rules work fine except the last one. The last 2 rules are
exactly the same configuration on everything other than the port range,
but for some reason the RADIUS on 1812-1813 does not work. The clients
on the WAN side will authenticate on port 1645-1646 but not the main
ports of 1812-1813.

I have tested the radius server on the LAN side and everything checks 
out ok. It is configured to listen on both sets of ports on all 
available IP's and I have verified this with radtest from the CLI and 
ntradping from another server on the LAN. Both are fine.

I have sniffed the traffic on the WAN side and the RADIUS client is
sending the info. As I stated before, if I use the 1645 ports it works.
If I use the 1812 ports it does not work.

I have broken this down to something the m0n0wall is doing, but for the
life of me I cannot find anything that could be doing this. It seems
that if one set of RADIUS ports works the other set should also work.

Here is my full m0n0wall config:

############################################################
##### BEGIN STATUS.PHP DUMP
############################################################
System uptime

  8:23PM  up  3:05, 0 users, load averages: 0.00, 0.00, 0.00

Interfaces

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
     options=40<POLLING>
     inet 172.29.1.1 netmask 0xffffff00 broadcast 172.29.1.255
     ether 00:00:e8:5b:5e:17
     media: Ethernet autoselect (100baseTX)
     status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
     options=1<RXCSUM>
     inet x.x.2.176 netmask 0xffffff00 broadcast x.x.2.255
     ether 00:01:02:30:22:b2
     media: Ethernet autoselect (100baseTX <full-duplex>)
     status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
     inet 127.0.0.1 netmask 0xff000000

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            x.x.2.1            UGSc        4    13310    xl0
x.x.2/24           link#2             UC          1        0    xl0
x.x.2.1            00:04:23:08:43:be  UHLW        4        3    xl0    1200
127.0.0.1          127.0.0.1          UH          0        0    lo0
172.29.1/24        link#1             UC          3        0    rl0
172.29.1.176       00:01:03:2f:6b:e4  UHLW        1    13525    rl0    1130
172.29.1.177       00:0a:e6:2a:1e:6b  UHLW        0     6040    rl0    1003
172.29.1.178       00:0e:0c:84:7c:c8  UHLW        1     8730    rl0     366

ipfw show

ipfw: getsockopt(IP_FW_GET): Protocol not available

ipnat -lv

List of active MAP/Redirect filters:
bimap xl0 172.29.1.177/32 -> x.x.2.177/32
bimap xl0 172.29.1.178/32 -> x.x.2.178/32
map xl0 172.29.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map xl0 172.29.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map xl0 172.29.1.0/24 -> 0.0.0.0/32
rdr xl0 0.0.0.0/0 port 21 -> 172.29.1.176 port 21 tcp
rdr xl0 0.0.0.0/0 port 80 -> 172.29.1.176 port 80 tcp
rdr xl0 0.0.0.0/0 port 5805 -> 172.29.1.176 port 5805 tcp
rdr xl0 0.0.0.0/0 port 9000- 9100 -> 172.29.1.176 port 9000 tcp

List of active sessions:
BIMAP 172.29.1.178    1026  <- -> x.x.2.178    1026  [204.16.208.75 45434]
     age 1095 use 0 sumd 0x689c/0x689c pr 17 bkt 104/1089 flags 2 drop 0/0
     ifp xl0 bytes 444 pkts 1
BIMAP 172.29.1.177    1026  <- -> x.x.2.177    1026  [204.16.208.75 45434]
     age 1095 use 0 sumd 0x689c/0x689c pr 17 bkt 98/1083 flags 2 drop 0/0
     ifp xl0 bytes 444 pkts 1
BIMAP 172.29.1.177    1026  <- -> x.x.2.177    1026  [65.164.168.27 15380]
     age 1086 use 0 sumd 0x689c/0x689c pr 17 bkt 1231/169 flags 2 drop 0/0
     ifp xl0 bytes 1066 pkts 1
BIMAP 172.29.1.178    1026  <- -> x.x.2.178    1026  [65.99.21.136 5689]
     age 1086 use 0 sumd 0x689c/0x689c pr 17 bkt 930/1915 flags 2 drop 0/0
     ifp xl0 bytes 1066 pkts 1
BIMAP 172.29.1.177    110   <- -> x.x.2.177    110   [x.x.6.178 3122]
     age 330 use 0 sumd 0x689c/0x689c pr 6 bkt 1229/167 flags 1 drop 0/0
     ifp xl0 bytes 23756 pkts 67
BIMAP 172.29.1.178    15164 <- -> x.x.2.178    15164 [74.241.113.131 50847]
     age 270 use 0 sumd 0x689c/0x689c pr 6 bkt 997/1982 flags 1 drop 0/0
     ifp xl0 bytes 144 pkts 3
BIMAP 172.29.1.177    25    <- -> x.x.2.177    25    [66.226.44.60 5268]
     age 290 use 0 sumd 0x689c/0x689c pr 6 bkt 838/1823 flags 1 drop 0/0
     ifp xl0 bytes 22214 pkts 52
BIMAP 172.29.1.177    110   <- -> x.x.2.177    110   [x.x.6.178 3115]
     age 208 use 0 sumd 0x689c/0x689c pr 6 bkt 1484/422 flags 1 drop 0/0
     ifp xl0 bytes 1978 pkts 24
BIMAP 172.29.1.178    10000 <- -> x.x.2.178    10000 [69.56.214.58 38077]
     age 148 use 0 sumd 0x689c/0x689c pr 6 bkt 434/1419 flags 1 drop 0/0
     ifp xl0 bytes 60 pkts 1
BIMAP 172.29.1.177    10000 <- -> x.x.2.177    10000 [69.56.214.58 38076]
     age 148 use 0 sumd 0x689c/0x689c pr 6 bkt 172/1157 flags 1 drop 0/0
     ifp xl0 bytes 60 pkts 1
BIMAP 172.29.1.177    110   <- -> x.x.2.177    110   [x.x.6.178 3114]
     age 86 use 0 sumd 0x689c/0x689c pr 6 bkt 1228/166 flags 1 drop 0/0
     ifp xl0 bytes 1978 pkts 24
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [x.x.4.147 1052]
     age 199 use 0 sumd 0x689c/0x689c pr 6 bkt 1950/888 flags 1 drop 0/0
     ifp xl0 bytes 45963 pkts 68
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [x.x.4.147 1051]
     age 198 use 0 sumd 0x689c/0x689c pr 6 bkt 1694/632 flags 1 drop 0/0
     ifp xl0 bytes 46767 pkts 72
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [x.x.4.147 1050]
     age 199 use 0 sumd 0x689c/0x689c pr 6 bkt 1438/376 flags 1 drop 0/0
     ifp xl0 bytes 101535 pkts 136
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [x.x.4.147 1049]
     age 198 use 0 sumd 0x689c/0x689c pr 6 bkt 1182/120 flags 1 drop 0/0
     ifp xl0 bytes 99249 pkts 125
BIMAP 172.29.1.178    1026  <- -> x.x.2.178    1026  [24.157.202.217 19940]
     age 703 use 0 sumd 0x689c/0x689c pr 17 bkt 1194/132 flags 2 drop 0/0
     ifp xl0 bytes 1081 pkts 1
BIMAP 172.29.1.177    1026  <- -> x.x.2.177    1026  [24.50.9.43 31817]
     age 703 use 0 sumd 0x689c/0x689c pr 17 bkt 612/1597 flags 2 drop 0/0
     ifp xl0 bytes 1081 pkts 1
BIMAP 172.29.1.177    1026  <- -> x.x.2.177    1026  [24.240.35.68 10452]
     age 650 use 0 sumd 0x689c/0x689c pr 17 bkt 188/1173 flags 2 drop 0/0
     ifp xl0 bytes 1058 pkts 1
BIMAP 172.29.1.178    1026  <- -> x.x.2.178    1026  [24.147.130.236 2230]
     age 650 use 0 sumd 0x689c/0x689c pr 17 bkt 1870/808 flags 2 drop 0/0
     ifp xl0 bytes 1058 pkts 1
MAP 172.29.1.176    1128  <- -> x.x.2.176    45496 [192.175.48.1 53]
     age 476 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 0/1168 flags 2 drop 0/0
     ifp xl0 bytes 185 pkts 2
MAP 172.29.1.176    1122  <- -> x.x.2.176    45490 [65.182.99.55 53]
     age 475 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 855/2023 flags 2 drop 0/0
     ifp xl0 bytes 173 pkts 2
MAP 172.29.1.176    1119  <- -> x.x.2.176    45487 [65.182.99.55 53]
     age 474 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 87/1255 flags 2 drop 0/0
     ifp xl0 bytes 161 pkts 2
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [208.35.159.6 4385]
     age 339 use 0 sumd 0x689c/0x689c pr 6 bkt 1262/200 flags 1 drop 0/0
     ifp xl0 bytes 2460 pkts 11
RDR 172.29.1.176    80    <- -> x.x.2.176    80    [208.35.159.6 3532]
     age 339 use 0 sumd 0x689c/0x689c pr 6 bkt 0/985 flags 1 drop 0/0
     ifp xl0 bytes 4079 pkts 15
BIMAP 172.29.1.178    22    <- -> x.x.2.178    22    [x.x.1.252 2833]
     age 16171 use 0 sumd 0x689c/0x689c pr 6 bkt 1167/105 flags 1 drop 0/0
     ifp xl0 bytes 584779 pkts 5271

List of active host mappings:
172.29.1.176 -> 0.0.0.0 (use = 3 hv = 144)

ipfstat -v

opts 0x40 name /dev/ipl
  IPv6 packets:        in 0 out 0
  input packets:        blocked 2430 passed 62213 nomatch 0 counted 0 short 0
 output packets:        blocked 220 passed 67737 nomatch 0 counted 0 short 0
  input packets logged:    blocked 2430 passed 0
 output packets logged:    blocked 0 passed 0
  packets logged:    input 0 output 0
  log failures:        input 0 output 0
fragment state(in):    kept 0    lost 0    not fragmented 0
fragment state(out):    kept 0    lost 0    not fragmented 0
packet state(in):    kept 1102    lost 0
packet state(out):    kept 27    lost 220
ICMP replies:    0    TCP RSTs sent:    0
Invalid source(in):    0
Result cache hits(in):    318    (out):    0
IN Pullups succeeded:    0    failed:    0
OUT Pullups succeeded:    0    failed:    0
Fastroute successes:    0    failures:    0
TCP cksum fails(in):    0    (out):    0
Packet log flags set: (0)
     none

ipfstat -nio

@1 pass out quick on lo0 from any to any
@2 pass out quick on rl0 proto udp from 172.29.1.1/32 port = 67 to any port = 68
@3 pass out quick on xl0 proto udp from any port = 68 to any port = 67
@4 pass out quick on rl0 from any to any keep state
@5 pass out quick on xl0 from any to any keep state
@6 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on rl0 proto udp from any port = 68 to 172.29.1.1/32 port = 67
@6 block in log quick on xl0 from 172.29.1.0/24 to any
@7 block in log quick on xl0 proto udp from any port = 67 to 172.29.1.0/24 port = 68
@8 pass in quick on xl0 proto udp from any port = 67 to any port = 68
@9 block in log quick on rl0 from !172.29.1.0/24 to any
@10 block in log quick on xl0 from 10.0.0.0/8 to any
@11 block in log quick on xl0 from 127.0.0.0/8 to any
@12 block in log quick on xl0 from 172.16.0.0/12 to any
@13 block in log quick on xl0 from 192.168.0.0/16 to any
@14 skip 1 in proto tcp from any to any flags S/FSRA
@15 block in log quick proto tcp from any to any
@16 block in log quick on rl0 from any to any head 100
@1 pass in quick from 172.29.1.0/24 to 172.29.1.1/32 keep state group 100
@2 pass in quick from 172.29.1.0/24 to any keep state group 100
@17 block in log quick on xl0 from any to any head 200
@1 pass in quick proto icmp from x.x.2.1/32 to x.x.2.176/32 keep state group 200
@2 pass in quick proto tcp from x.x.1.0/24 to x.x.2.176/32 port = 8080 keep state group 200
@3 pass in quick proto tcp from x.x.25.56/29 to x.x.2.176/32 port = 8080 keep state group 200
@4 pass in quick proto tcp from any to 172.29.1.176/32 port = 80 keep state group 200
@5 pass in quick proto tcp from any to 172.29.1.177/32 port = 25 keep state group 200
@6 pass in quick proto tcp from any to 172.29.1.177/32 port = 110 keep state group 200
@7 pass in quick proto tcp from any to 172.29.1.177/32 port = 80 keep state group 200
@8 pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 5805 keep state group 200
@9 pass in quick proto tcp from x.x.6.178/32 to 172.29.1.0/24 port = 5805 keep state group 200
@10 pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 5805 keep state group 200
@11 pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 14147 keep state group 200
@12 pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 14147 keep state group 200
@13 pass in quick proto tcp from any to 172.29.1.176/32 port = 21 keep state group 200
@14 pass in quick proto tcp from any to 172.29.1.176/32 port 8999 >< 9101 keep state group 200
@15 pass in quick proto tcp from any to 172.29.1.178/32 port = 22 keep state group 200
@16 pass in quick proto tcp from any to 172.29.1.178/32 port = 80 keep state group 200
@17 pass in quick proto tcp from any to 172.29.1.178/32 port = 443 keep state group 200
@18 pass in quick proto icmp from x.x.1.0/24 to 172.29.1.178/32 keep state group 200
@19 pass in quick proto icmp from x.x.2.1/32 to 172.29.1.178/32 keep state group 200
@20 pass in quick proto udp from any to 172.29.1.178/32 port 1644 >< 1647 keep state group 200
@21 pass in quick proto udp from any to 172.29.1.178/32 port 1811 >< 1814 keep state group 200
@18 block in log quick from any to any

unparsed ipnat rules

bimap xl0 172.29.1.177/32 -> x.x.2.177/32
bimap xl0 172.29.1.178/32 -> x.x.2.178/32
map xl0 172.29.1.0/24  -> 0/32 proxy port ftp ftp/tcp
map xl0 172.29.1.0/24  -> 0/32 portmap tcp/udp auto
map xl0 172.29.1.0/24  -> 0/32
rdr xl0 0/0 port 21 -> 172.29.1.176 port 21 tcp
rdr xl0 0/0 port 80 -> 172.29.1.176 port 80 tcp
rdr xl0 0/0 port 5805 -> 172.29.1.176 port 5805 tcp
rdr xl0 0/0 port 9000-9100 -> 172.29.1.176 port 9000 tcp

unparsed ipfilter rules

# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on rl0 proto udp from any port = 68 to 172.29.1.1 port = 67
pass out quick on rl0 proto udp from 172.29.1.1 port = 67 to any port = 68

# WAN spoof check
block in log quick on xl0 from 172.29.1.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on xl0 proto udp from any port = 68 to any port = 67
block in log quick on xl0 proto udp from any port = 67 to 172.29.1.0/24 port = 68
pass in quick on xl0 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on rl0 from ! 172.29.1.0/24 to any

# block anything from private networks on WAN interface
block in log quick on xl0 from 10.0.0.0/8 to any
block in log quick on xl0 from 127.0.0.0/8 to any
block in log quick on xl0 from 172.16.0.0/12 to any
block in log quick on xl0 from 192.168.0.0/16 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on rl0 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on rl0 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on xl0 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on xl0 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 172.29.1.0/24 to 172.29.1.1 keep state group 100

# User-defined rules follow
pass in quick proto icmp from x.x.2.1 to x.x.2.176 keep state group 200
pass in quick proto tcp from x.x.1.0/24 to x.x.2.176 port = 8080 keep state group 200
pass in quick proto tcp from x.x.25.56/29 to x.x.2.176 port = 8080 keep state group 200
pass in quick proto tcp from any to 172.29.1.176 port = 80 keep state group 200
pass in quick proto tcp from any to 172.29.1.177 port = 25 keep state group 200
pass in quick proto tcp from any to 172.29.1.177 port = 110 keep state group 200
pass in quick proto tcp from any to 172.29.1.177 port = 80 keep state group 200
pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 5805 keep state group 200
pass in quick proto tcp from x.x.6.178 to 172.29.1.0/24 port = 5805 keep state group 200
pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 5805 keep state group 200
pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 14147 keep state group 200
pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 14147 keep state group 200
pass in quick proto tcp from any to 172.29.1.176 port = 21 keep state group 200
pass in quick proto tcp from any to 172.29.1.176 port 8999 >< 9101 keep state group 200
pass in quick proto tcp from any to 172.29.1.178 port = 22 keep state group 200
pass in quick proto tcp from any to 172.29.1.178 port = 80 keep state group 200
pass in quick proto tcp from any to 172.29.1.178 port = 443 keep state group 200
pass in quick proto icmp from x.x.1.0/24 to 172.29.1.178 keep state group 200
pass in quick proto icmp from x.x.2.1 to 172.29.1.178 keep state group 200
pass in quick proto udp from any to 172.29.1.178 port 1644 >< 1647 keep state group 200
pass in quick proto udp from any to 172.29.1.178 port 1811 >< 1814 keep state group 200
pass in quick from 172.29.1.0/24 to any keep state group 100

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

unparsed ipfw rules

add 50000 set 4 pass all from 172.29.1.1 to any
add 50001 set 4 pass all from any to 172.29.1.1


-- 
Andrew Armstrong
Chattanooga Online
andrew at chattanooga dot net 
423-267-8867 Ext. 303
fax: 423-648-2808
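The radtest/ntradping check described in the thread can be made repeatable from either side of the firewall with a small RADIUS client. The script below is an added example written for this page; it is not code from the thread, from m0n0wall, or from any RADIUS server. It builds an RFC 2865 Access-Request (User-Name, User-Password obfuscated with MD5(secret + Request Authenticator), NAS-IP-Address), sends the identical request to udp/1645 and udp/1812 of one server, and counts a reply as valid only if its Response Authenticator verifies under the shared secret, so a stray or spoofed UDP datagram is not mistaken for an Access-Accept. The server address, shared secret, user name, password and NAS IP are placeholders supplied on the command line; the function names (`probe`, `build_access_request`, `verify_response`) are this example's own.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 1, 2, 4
# The two authentication ports from the thread: the IANA-assigned port (RFC 2865) and the older one.
PORT_SETS = {"assigned": 1812, "legacy": 1645}

def _attr(attr_type, value):
    """Type-Length-Value; Length counts the two header octets (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 5.2: zero-pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16  # empty -> one block
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def decrypt_user_password(encrypted, secret, authenticator):
    # Inverse of the above; the chaining value is the previous ciphertext block.
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        out += bytes(a ^ b for a, b in zip(encrypted[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, username, password, nas_ip, ident=1, authenticator=None):
    """Return (packet, request_authenticator); the authenticator must be unpredictable."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def parse_attributes(body):
    """Split the attribute area into {type: value}, rejecting truncated TLVs."""
    attrs = {}
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    return attrs

def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # What a server sends back; included so verify_response can be exercised offline.
    auth = response_authenticator(code, ident, attrs, request_authenticator, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_authenticator, secret, expected_ident):
    """Return the reply Code after checking Length, Identifier and Response Authenticator."""
    if len(packet) < 20:
        raise ValueError("reply shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_ident:
        raise ValueError("length or identifier mismatch")
    want = response_authenticator(code, ident, packet[20:], request_authenticator, secret)
    if not hmac.compare_digest(want, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong shared secret or spoofed reply)")
    return code

def probe(server, secret, username, password, nas_ip, timeout=3.0):
    """Send the same Access-Request to each port set and report which one answers validly."""
    results = {}
    for name, port in PORT_SETS.items():
        ident = port & 0xFF  # distinct Identifier per port so replies cannot be confused
        packet, req_auth = build_access_request(secret, username, password, nas_ip, ident)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(packet, (server, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                results[name] = f"udp/{port}: no reply (filtered on the path or no listener)"
                continue
        try:
            code = verify_response(data, req_auth, secret, ident)
            results[name] = f"udp/{port}: code {code}, authenticator OK"
        except ValueError as exc:
            results[name] = f"udp/{port}: reply discarded: {exc}"
    return results

if __name__ == "__main__":
    import sys  # usage: radius_probe.py SERVER SECRET USER PASSWORD NAS_IP
    for line in probe(sys.argv[1], sys.argv[2].encode(), *sys.argv[3:6]).values():
        print(line)
```

Run it once from the LAN against 172.29.1.178 and once from a WAN host against the public x.x.2.178 address. Both port sets answering from the LAN while only one answers from the WAN isolates the problem to the path between the two (rules, NAT or the provider), which is the split the thread is trying to make. A plain Access-Request carries no secret-dependent field the server can check up front, so a wrong shared secret usually shows up as a reply whose Response Authenticator fails to verify rather than as a timeout; a wrong user password comes back as an Access-Reject (code 3) that does verify.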