 
 From:  Andrew Armstrong <andrew at chattanooga dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Radius Problem
 Date:  Wed, 18 Oct 2006 09:26:30 -0400
Yes, on the internal LAN, using the NTRadping utility, I am able to 
successfully test Radius on ports 1812 and 1645. From the WAN side I am 
only able to get a successful test on the 1645 port.

Andrew Armstrong
Chattanooga Online
andrew at chattanooga dot net
423-267-8867 Ext. 303
fax: 423-648-2808

Austin Montford wrote:
> When you say radius works internally does it use 1812?  Like as in your
> LAN side Captive Portal setup, does the radius server ip you put in use
> 1812 successfully to verify the radius server is answering?  Maybe I'm
> missing something but as far as your m0n0wall setup goes, it looks like
> mine. :-)  
> 
>>>> Andrew Armstrong <andrew at chattanooga dot net> 10/16/2006 4:37 PM >>>
> I am having problems with a firewall rule that applies to a radius 
> server on the LAN side of my m0n0wall. I have the following aliases
> setup.
> 
> www    172.29.1.176
> mail    172.29.1.177
> auth    172.29.1.178
> 
> I have a static WAN IP setup as x.x.2.176 and proxy arp entries for 
> x.x.2.177 and x.x.2.178. All three public IP's are available and 
> working. The 3 aliases above relate to these 3 public IP's.
> 
> I have 1:1 NAT setup to map
> 
> x.x.2.177 -> 172.29.1.177
> x.x.2.178 -> 172.29.1.178
> 
> as well as Inbound NAT rules for port forwards for the primary WAN IP 
> x.x.2.176.
> 
> I have added the following firewall rules:
> 
> Proto    Src    Sport    Dst    Dport
> -------------------------------------------
> TCP    *    *    www    21(FTP)
> TCP    *    *    www    80(HTTP)
> TCP    *    *    www    443(HTTPS)
> TCP    *    *    mail    25(SMTP)
> TCP    *    *    mail    110(POP3)
> TCP    *    *    mail    80(HTTP)
> TCP    *    *    mail    443(HTTPS)
> TCP    *    *    LAN net    5805(VNC)
> TCP    *    *    auth    22(SSH)
> TCP    *    *    auth    80(HTTP)
> TCP    *    *    auth    443(HTTPS)
> UDP    *    *    auth    1645-1646
> UDP    *    *    auth    1812-1813
> 
> All of these rules work fine except the last one. The last 2 rules are
> exactly the same configuration on everything other than the port range
> but for some reason the radius on 1812-1813 does not work. The clients
> on the WAN side will authenticate on port 1645-1646 but not the main 
> ports of 1812-1813.
> 
> I have tested the radius server on the LAN side and everything checks 
> out ok. It is configured to listen on both sets of ports on all 
> available IP's and I have verified this with radtest from the CLI and 
> ntradping from another server on the LAN. Both are fine.
> 
> I have sniffed the traffic on the WAN side and the radius client is 
> sending the info. As I stated before, if I use the 1645 ports it works.
> If I use the 1812 ports it does not work.
> 
> I have broken this down to something the m0n0wall is doing but for the
> life of me I cannot find anything that could be doing this. It seems 
> that if one set of radius ports works the other set should also work.
> 
> Here is my full m0n0wall config:
> 
> ############################################################
> ##### BEGIN STATUS.PHP DUMP
> ############################################################
> System uptime
> 
>   8:23PM  up  3:05, 0 users, load averages: 0.00, 0.00, 0.00
> 
> Interfaces
> 
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>      options=40<POLLING>
>      inet 172.29.1.1 netmask 0xffffff00 broadcast 172.29.1.255
>      ether 00:00:e8:5b:5e:17
>      media: Ethernet autoselect (100baseTX)
>      status: active
> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>      options=1<RXCSUM>
>      inet x.x.2.176 netmask 0xffffff00 broadcast x.x.2.255
>      ether 00:01:02:30:22:b2
>      media: Ethernet autoselect (100baseTX <full-duplex>)
>      status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>      inet 127.0.0.1 netmask 0xff000000
> 
> Routing tables
> 
> Routing tables
> 
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            x.x.2.1         UGSc        4    13310    xl0
> x.x.2/24        link#2             UC          1        0    xl0
> x.x.2.1         00:04:23:08:43:be  UHLW        4        3    xl0   1200
> 127.0.0.1          127.0.0.1          UH          0        0    lo0
> 172.29.1/24        link#1             UC          3        0    rl0
> 172.29.1.176       00:01:03:2f:6b:e4  UHLW        1    13525    rl0   1130
> 172.29.1.177       00:0a:e6:2a:1e:6b  UHLW        0     6040    rl0   1003
> 172.29.1.178       00:0e:0c:84:7c:c8  UHLW        1     8730    rl0    366
> 
> ipfw show
> 
> ipfw: getsockopt(IP_FW_GET): Protocol not available
> 
> ipnat -lv
> 
> List of active MAP/Redirect filters:
> bimap xl0 172.29.1.177/32 -> x.x.2.177/32
> bimap xl0 172.29.1.178/32 -> x.x.2.178/32
> map xl0 172.29.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map xl0 172.29.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
> map xl0 172.29.1.0/24 -> 0.0.0.0/32
> rdr xl0 0.0.0.0/0 port 21 -> 172.29.1.176 port 21 tcp
> rdr xl0 0.0.0.0/0 port 80 -> 172.29.1.176 port 80 tcp
> rdr xl0 0.0.0.0/0 port 5805 -> 172.29.1.176 port 5805 tcp
> rdr xl0 0.0.0.0/0 port 9000- 9100 -> 172.29.1.176 port 9000 tcp
> 
> List of active sessions:
> 
> List of active host mappings:
> 172.29.1.176 -> 0.0.0.0 (use = 3 hv = 144)
> 
> ipfstat -v
> 
> opts 0x40 name /dev/ipl
>   IPv6 packets:        in 0 out 0
>   input packets:        blocked 2430 passed 62213 nomatch 0 counted 0 short 0
>   output packets:        blocked 220 passed 67737 nomatch 0 counted 0 short 0
>   input packets logged:    blocked 2430 passed 0
> output packets logged:    blocked 0 passed 0
>   packets logged:    input 0 output 0
>   log failures:        input 0 output 0
> fragment state(in):    kept 0    lost 0    not fragmented 0
> fragment state(out):    kept 0    lost 0    not fragmented 0
> packet state(in):    kept 1102    lost 0
> packet state(out):    kept 27    lost 220
> ICMP replies:    0    TCP RSTs sent:    0
> Invalid source(in):    0
> Result cache hits(in):    318    (out):    0
> IN Pullups succeeded:    0    failed:    0
> OUT Pullups succeeded:    0    failed:    0
> Fastroute successes:    0    failures:    0
> TCP cksum fails(in):    0    (out):    0
> Packet log flags set: (0)
>      none
> 
> ipfstat -nio
> 
> @1 pass out quick on lo0 from any to any
> @2 pass out quick on rl0 proto udp from 172.29.1.1/32 port = 67 to any port = 68
> @3 pass out quick on xl0 proto udp from any port = 68 to any port = 67
> @4 pass out quick on rl0 from any to any keep state
> @5 pass out quick on xl0 from any to any keep state
> @6 block out log quick from any to any
> @1 pass in quick on lo0 from any to any
> @2 block in log quick from any to any with short
> @3 block in log quick from any to any with ipopt
> @4 pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
> @5 pass in quick on rl0 proto udp from any port = 68 to 172.29.1.1/32 port = 67
> @6 block in log quick on xl0 from 172.29.1.0/24 to any
> @7 block in log quick on xl0 proto udp from any port = 67 to 172.29.1.0/24 port = 68
> @8 pass in quick on xl0 proto udp from any port = 67 to any port = 68
> @9 block in log quick on rl0 from !172.29.1.0/24 to any
> @10 block in log quick on xl0 from 10.0.0.0/8 to any
> @11 block in log quick on xl0 from 127.0.0.0/8 to any
> @12 block in log quick on xl0 from 172.16.0.0/12 to any
> @13 block in log quick on xl0 from 192.168.0.0/16 to any
> @14 skip 1 in proto tcp from any to any flags S/FSRA
> @15 block in log quick proto tcp from any to any
> @16 block in log quick on rl0 from any to any head 100
> @1 pass in quick from 172.29.1.0/24 to 172.29.1.1/32 keep state group 100
> @2 pass in quick from 172.29.1.0/24 to any keep state group 100
> @17 block in log quick on xl0 from any to any head 200
> @1 pass in quick proto icmp from x.x.2.1/32 to x.x.2.176/32 keep state group 200
> @2 pass in quick proto tcp from x.x.1.0/24 to x.x.2.176/32 port = 8080 keep state group 200
> @3 pass in quick proto tcp from x.x.25.56/29 to x.x.2.176/32 port = 8080 keep state group 200
> @4 pass in quick proto tcp from any to 172.29.1.176/32 port = 80 keep state group 200
> @5 pass in quick proto tcp from any to 172.29.1.177/32 port = 25 keep state group 200
> @6 pass in quick proto tcp from any to 172.29.1.177/32 port = 110 keep state group 200
> @7 pass in quick proto tcp from any to 172.29.1.177/32 port = 80 keep state group 200
> @8 pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 5805 keep state group 200
> @9 pass in quick proto tcp from x.x.6.178/32 to 172.29.1.0/24 port = 5805 keep state group 200
> @10 pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 5805 keep state group 200
> @11 pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 14147 keep state group 200
> @12 pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 14147 keep state group 200
> @13 pass in quick proto tcp from any to 172.29.1.176/32 port = 21 keep state group 200
> @14 pass in quick proto tcp from any to 172.29.1.176/32 port 8999 >< 9101 keep state group 200
> @15 pass in quick proto tcp from any to 172.29.1.178/32 port = 22 keep state group 200
> @16 pass in quick proto tcp from any to 172.29.1.178/32 port = 80 keep state group 200
> @17 pass in quick proto tcp from any to 172.29.1.178/32 port = 443 keep state group 200
> @18 pass in quick proto icmp from x.x.1.0/24 to 172.29.1.178/32 keep state group 200
> @19 pass in quick proto icmp from x.x.2.1/32 to 172.29.1.178/32 keep state group 200
> @20 pass in quick proto udp from any to 172.29.1.178/32 port 1644 >< 1647 keep state group 200
> @21 pass in quick proto udp from any to 172.29.1.178/32 port 1811 >< 1814 keep state group 200
> @18 block in log quick from any to any
> 
> unparsed ipnat rules
> 
> bimap xl0 172.29.1.177/32 -> x.x.2.177/32
> bimap xl0 172.29.1.178/32 -> x.x.2.178/32
> map xl0 172.29.1.0/24  -> 0/32 proxy port ftp ftp/tcp
> map xl0 172.29.1.0/24  -> 0/32 portmap tcp/udp auto
> map xl0 172.29.1.0/24  -> 0/32
> rdr xl0 0/0 port 21 -> 172.29.1.176 port 21 tcp
> rdr xl0 0/0 port 80 -> 172.29.1.176 port 80 tcp
> rdr xl0 0/0 port 5805 -> 172.29.1.176 port 5805 tcp
> rdr xl0 0/0 port 9000-9100 -> 172.29.1.176 port 9000 tcp
> 
> unparsed ipfilter rules
> 
> # loopback
> pass in quick on lo0 all
> pass out quick on lo0 all
> 
> # block short packets
> block in log quick all with short
> 
> # block IP options
> block in log quick all with ipopts
> 
> # allow access to DHCP server on LAN
> pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255 port = 67
> pass in quick on rl0 proto udp from any port = 68 to 172.29.1.1 port = 67
> pass out quick on rl0 proto udp from 172.29.1.1 port = 67 to any port = 68
> 
> # WAN spoof check
> block in log quick on xl0 from 172.29.1.0/24 to any
> 
> # allow our DHCP client out to the WAN
> # XXX - should be more restrictive
> # (not possible at the moment - need 'me' like in ipfw)
> pass out quick on xl0 proto udp from any port = 68 to any port = 67
> block in log quick on xl0 proto udp from any port = 67 to 172.29.1.0/24 port = 68
> pass in quick on xl0 proto udp from any port = 67 to any port = 68
> 
> # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
> block in log quick on rl0 from ! 172.29.1.0/24 to any
> 
> # block anything from private networks on WAN interface
> block in log quick on xl0 from 10.0.0.0/8 to any
> block in log quick on xl0 from 127.0.0.0/8 to any
> block in log quick on xl0 from 172.16.0.0/12 to any
> block in log quick on xl0 from 192.168.0.0/16 to any
> 
> # Block TCP packets that do not mark the start of a connection
> skip 1 in proto tcp all flags S/SAFR
> block in log quick proto tcp all
> 
> #---------------------------------------------------------------------------
> # group head 100 - LAN interface
> #---------------------------------------------------------------------------
> block in log quick on rl0 all head 100
> 
> # let out anything from the firewall host itself and decrypted IPsec traffic
> pass out quick on rl0 all keep state
> 
> #---------------------------------------------------------------------------
> # group head 200 - WAN interface
> #---------------------------------------------------------------------------
> block in log quick on xl0 all head 200
> 
> # let out anything from the firewall host itself and decrypted IPsec traffic
> pass out quick on xl0 all keep state
> 
> # make sure the user cannot lock himself out of the webGUI
> pass in quick from 172.29.1.0/24 to 172.29.1.1 keep state group 100
> 
> # User-defined rules follow
> pass in quick proto icmp from x.x.2.1 to x.x.2.176 keep state group 200
> pass in quick proto tcp from x.x.1.0/24 to x.x.2.176 port = 8080 keep state group 200
> pass in quick proto tcp from x.x.25.56/29 to x.x.2.176 port = 8080 keep state group 200
> pass in quick proto tcp from any to 172.29.1.176 port = 80 keep state group 200
> pass in quick proto tcp from any to 172.29.1.177 port = 25 keep state group 200
> pass in quick proto tcp from any to 172.29.1.177 port = 110 keep state group 200
> pass in quick proto tcp from any to 172.29.1.177 port = 80 keep state group 200
> pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 5805 keep state group 200
> pass in quick proto tcp from x.x.6.178 to 172.29.1.0/24 port = 5805 keep state group 200
> pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 5805 keep state group 200
> pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 14147 keep state group 200
> pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 14147 keep state group 200
> pass in quick proto tcp from any to 172.29.1.176 port = 21 keep state group 200
> pass in quick proto tcp from any to 172.29.1.176 port 8999 >< 9101 keep state group 200
> pass in quick proto tcp from any to 172.29.1.178 port = 22 keep state group 200
> pass in quick proto tcp from any to 172.29.1.178 port = 80 keep state group 200
> pass in quick proto tcp from any to 172.29.1.178 port = 443 keep state group 200
> pass in quick proto icmp from x.x.1.0/24 to 172.29.1.178 keep state group 200
> pass in quick proto icmp from x.x.2.1 to 172.29.1.178 keep state group 200
> pass in quick proto udp from any to 172.29.1.178 port 1644 >< 1647 keep state group 200
> pass in quick proto udp from any to 172.29.1.178 port 1811 >< 1814 keep state group 200
> pass in quick from 172.29.1.0/24 to any keep state group 100
> 
> #---------------------------------------------------------------------------
> # default rules (just to be sure)
> #---------------------------------------------------------------------------
> block in log quick all
> block out log quick all
> 
> unparsed ipfw rules
> 
> add 50000 set 4 pass all from 172.29.1.1 to any
> add 50001 set 4 pass all from any to 172.29.1.1
> 
>
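One way to check whether the quoted ruleset itself treats 1645 and 1812 differently, as an added example that is not part of this thread: a small Python simulator that parses the posted bimap and group-200 ipfilter rules (including the exclusive `a >< b` port range syntax) and runs a WAN-side UDP datagram through NAT and first-match filtering. The masked public x.x.2.x addresses are replaced by the documentation prefix 203.0.113.0/24 and the client address 198.51.100.7 is constructed; both are assumptions, not values from the post.

```python
import ipaddress
import re

# Constructed subset of the posted 'ipnat -lv' and 'ipfstat -nio' output.
# The masked public x.x.2.x addresses are stood in for by the RFC 5737
# documentation prefix 203.0.113.0/24 (an assumption, not from the post).
IPNAT_RULES = "bimap xl0 172.29.1.178/32 -> 203.0.113.178/32"
IPF_RULES = """\
@15 pass in quick proto tcp from any to 172.29.1.178/32 port = 22 keep state group 200
@20 pass in quick proto udp from any to 172.29.1.178/32 port 1644 >< 1647 keep state group 200
@21 pass in quick proto udp from any to 172.29.1.178/32 port 1811 >< 1814 keep state group 200
@18 block in log quick from any to any"""

RULE_RE = re.compile(
    r"@(?P<num>\d+) (?P<action>pass|block) in (?:log )?quick "
    r"(?:proto (?P<proto>\w+) )?from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port (?:= (?P<eq>\d+)|(?P<lo>\d+) >< (?P<hi>\d+)))?")

def parse_bimap(text):
    """Map public -> private address from 'bimap <if> priv/32 -> pub/32' lines."""
    pairs = re.findall(r"bimap \S+ (\S+)/32 -> (\S+)/32", text)
    return {pub: priv for priv, pub in pairs}

def parse_rules(text):
    """Parse ipfstat-style rule lines; an unrecognised line is an error, not ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised rule: " + line)
        rules.append(m.groupdict())
    return rules

def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def _port_ok(rule, dport):
    if rule["eq"] is not None:
        return dport == int(rule["eq"])
    if rule["lo"] is not None:
        # ipfilter 'port a >< b' is exclusive at both ends: a < port < b.
        return int(rule["lo"]) < dport < int(rule["hi"])
    return True          # rule has no port clause

def decide(rules, nat, proto, src, dst_public, dport):
    """Bimap rewrites the WAN destination before filtering; first 'quick' match decides."""
    dst = nat.get(dst_public, dst_public)
    for r in rules:
        if r["proto"] not in (None, proto):
            continue
        if _addr_ok(r["src"], src) and _addr_ok(r["dst"], dst) and _port_ok(r, dport):
            return r["action"] + "@" + r["num"]
    return "nomatch"

def radius_verdicts(src="198.51.100.7"):
    """Verdict for a UDP datagram from a constructed WAN client to each RADIUS port."""
    nat, rules = parse_bimap(IPNAT_RULES), parse_rules(IPF_RULES)
    return {p: decide(rules, nat, "udp", src, "203.0.113.178", p)
            for p in (1645, 1646, 1812, 1813, 1814)}
```

Every port inside both exclusive ranges comes out as pass, and 1814 is blocked only because `1811 >< 1814` excludes its endpoints, so the compiled filter on its own does not explain why 1812 fails while 1645 works.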