Yes, on the internal LAN using the NTRadping utility I am able to
successfully test RADIUS on ports 1812 and 1645. From the WAN side I am
only able to get a successful test on the 1645 port.

Andrew Armstrong
Chattanooga Online
andrew at chattanooga dot net
423-267-8867 Ext. 303
fax: 423-648-2808

Austin Montford wrote:
> When you say radius works internally does it use 1812? Like as in your
> LAN side Captive Portal setup, does the radius server ip you put in use
> 1812 successfully to verify the radius server is answering? Maybe I'm
> missing something but as far as your m0n0wall setup goes, it looks like
> mine. :-)
>
> >>> Andrew Armstrong <andrew at chattanooga dot net> 10/16/2006 4:37 PM >>>
> I am having problems with a firewall rule that applies to a radius
> server on the LAN side of my m0n0wall. I have the following aliases
> set up.
>
>   www   172.29.1.176
>   mail  172.29.1.177
>   auth  172.29.1.178
>
> I have a static WAN IP set up as x.x.2.176 and proxy ARP entries for
> x.x.2.177 and x.x.2.178. All three public IPs are available and
> working. The 3 aliases above relate to these 3 public IPs.
>
> I have 1:1 NAT set up to map
>
>   x.x.2.177 -> 172.29.1.177
>   x.x.2.178 -> 172.29.1.178
>
> as well as Inbound NAT rules for port forwards for the primary WAN IP
> x.x.2.176.
>
> I have added the following firewall rules:
>
>   Proto  Src  Sport  Dst      Dport
>   -------------------------------------------
>   TCP    *    *      www      21 (FTP)
>   TCP    *    *      www      80 (HTTP)
>   TCP    *    *      www      443 (HTTPS)
>   TCP    *    *      mail     25 (SMTP)
>   TCP    *    *      mail     110 (POP3)
>   TCP    *    *      mail     80 (HTTP)
>   TCP    *    *      mail     443 (HTTPS)
>   TCP    *    *      LAN net  5805 (VNC)
>   TCP    *    *      auth     22 (SSH)
>   TCP    *    *      auth     80 (HTTP)
>   TCP    *    *      auth     443 (HTTPS)
>   UDP    *    *      auth     1645-1646
>   UDP    *    *      auth     1812-1813
>
> All of these rules work fine except the last one. The last 2 rules are
> exactly the same configuration on everything other than the port range,
> but for some reason the radius on 1812-1813 does not work. The clients
> on the WAN side will authenticate on port 1645-1646 but not the main
> ports of 1812-1813.
>
> I have tested the radius server on the LAN side and everything checks
> out ok. It is configured to listen on both sets of ports on all
> available IPs and I have verified this with radtest from the CLI and
> ntradping from another server on the LAN. Both are fine.
>
> I have sniffed the traffic on the WAN side and the radius client is
> sending the info. As I stated before, if I use the 1645 ports it works.
> If I use the 1812 ports it does not work.
>
> I have broken this down to something the m0n0wall is doing but for the
> life of me I cannot find anything that could be doing this. It seems
> that if one set of radius ports works the other set should also work.
>
> Here is my full m0n0wall config:
>
> ############################################################
> ##### BEGIN STATUS.PHP DUMP
> ############################################################
>
> System uptime
>
> 8:23PM up 3:05, 0 users, load averages: 0.00, 0.00, 0.00
>
> Interfaces
>
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=40<POLLING>
>         inet 172.29.1.1 netmask 0xffffff00 broadcast 172.29.1.255
>         ether 00:00:e8:5b:5e:17
>         media: Ethernet autoselect (100baseTX)
>         status: active
> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=1<RXCSUM>
>         inet x.x.2.176 netmask 0xffffff00 broadcast x.x.2.255
>         ether 00:01:02:30:22:b2
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
>
> Routing tables
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            x.x.2.1            UGSc        4    13310    xl0
> x.x.2/24           link#2             UC          1        0    xl0
> x.x.2.1            00:04:23:08:43:be  UHLW        4        3    xl0   1200
> 127.0.0.1          127.0.0.1          UH          0        0    lo0
> 172.29.1/24        link#1             UC          3        0    rl0
> 172.29.1.176       00:01:03:2f:6b:e4  UHLW        1    13525    rl0   1130
> 172.29.1.177       00:0a:e6:2a:1e:6b  UHLW        0     6040    rl0   1003
> 172.29.1.178       00:0e:0c:84:7c:c8  UHLW        1     8730    rl0    366
>
> ipfw show
>
> ipfw: getsockopt(IP_FW_GET): Protocol not available
>
> ipnat -lv
>
> List of active MAP/Redirect filters:
> bimap xl0 172.29.1.177/32 -> x.x.2.177/32
> bimap xl0 172.29.1.178/32 -> x.x.2.178/32
> map xl0 172.29.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
> map xl0 172.29.1.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
> map xl0 172.29.1.0/24 -> 0.0.0.0/32
> rdr xl0 0.0.0.0/0 port 21 -> 172.29.1.176 port 21 tcp
> rdr xl0 0.0.0.0/0 port 80 -> 172.29.1.176 port 80 tcp
> rdr xl0 0.0.0.0/0 port 5805 -> 172.29.1.176 port 5805 tcp
> rdr xl0 0.0.0.0/0 port 9000-9100 -> 172.29.1.176 port 9000 tcp
>
> List of active sessions:
> BIMAP 172.29.1.178 1026 <- -> x.x.2.178 1026 [204.16.208.75 45434]
>         age 1095 use 0 sumd 0x689c/0x689c pr 17 bkt 104/1089 flags 2 drop 0/0
>         ifp xl0 bytes 444 pkts 1
> BIMAP 172.29.1.177 1026 <- -> x.x.2.177 1026 [204.16.208.75 45434]
>         age 1095 use 0 sumd 0x689c/0x689c pr 17 bkt 98/1083 flags 2 drop 0/0
>         ifp xl0 bytes 444 pkts 1
> BIMAP 172.29.1.177 1026 <- -> x.x.2.177 1026 [65.164.168.27 15380]
>         age 1086 use 0 sumd 0x689c/0x689c pr 17 bkt 1231/169 flags 2 drop 0/0
>         ifp xl0 bytes 1066 pkts 1
> BIMAP 172.29.1.178 1026 <- -> x.x.2.178 1026 [65.99.21.136 5689]
>         age 1086 use 0 sumd 0x689c/0x689c pr 17 bkt 930/1915 flags 2 drop 0/0
>         ifp xl0 bytes 1066 pkts 1
> BIMAP 172.29.1.177 110 <- -> x.x.2.177 110 [x.x.6.178 3122]
>         age 330 use 0 sumd 0x689c/0x689c pr 6 bkt 1229/167 flags 1 drop 0/0
>         ifp xl0 bytes 23756 pkts 67
> BIMAP 172.29.1.178 15164 <- -> x.x.2.178 15164 [74.241.113.131 50847]
>         age 270 use 0 sumd 0x689c/0x689c pr 6 bkt 997/1982 flags 1 drop 0/0
>         ifp xl0 bytes 144 pkts 3
> BIMAP 172.29.1.177 25 <- -> x.x.2.177 25 [66.226.44.60 5268]
>         age 290 use 0 sumd 0x689c/0x689c pr 6 bkt 838/1823 flags 1 drop 0/0
>         ifp xl0 bytes 22214 pkts 52
> BIMAP 172.29.1.177 110 <- -> x.x.2.177 110 [x.x.6.178 3115]
>         age 208 use 0 sumd 0x689c/0x689c pr 6 bkt 1484/422 flags 1 drop 0/0
>         ifp xl0 bytes 1978 pkts 24
> BIMAP 172.29.1.178 10000 <- -> x.x.2.178 10000 [69.56.214.58 38077]
>         age 148 use 0 sumd 0x689c/0x689c pr 6 bkt 434/1419 flags 1 drop 0/0
>         ifp xl0 bytes 60 pkts 1
> BIMAP 172.29.1.177 10000 <- -> x.x.2.177 10000 [69.56.214.58 38076]
>         age 148 use 0 sumd 0x689c/0x689c pr 6 bkt 172/1157 flags 1 drop 0/0
>         ifp xl0 bytes 60 pkts 1
> BIMAP 172.29.1.177 110 <- -> x.x.2.177 110 [x.x.6.178 3114]
>         age 86 use 0 sumd 0x689c/0x689c pr 6 bkt 1228/166 flags 1 drop 0/0
>         ifp xl0 bytes 1978 pkts 24
> RDR 172.29.1.176 80 <- -> x.x.2.176 80 [x.x.4.147 1052]
>         age 199 use 0 sumd 0x689c/0x689c pr 6 bkt 1950/888 flags 1 drop 0/0
>         ifp xl0 bytes 45963 pkts 68
> RDR 172.29.1.176 80 <- -> x.x.2.176 80 [x.x.4.147 1051]
>         age 198 use 0 sumd 0x689c/0x689c pr 6 bkt 1694/632 flags 1 drop 0/0
>         ifp xl0 bytes 46767 pkts 72
> RDR 172.29.1.176 80 <- -> x.x.2.176 80 [x.x.4.147 1050]
>         age 199 use 0 sumd 0x689c/0x689c pr 6 bkt 1438/376 flags 1 drop 0/0
>         ifp xl0 bytes 101535 pkts 136
> RDR 172.29.1.176 80 <- -> x.x.2.176 80 [x.x.4.147 1049]
>         age 198 use 0 sumd 0x689c/0x689c pr 6 bkt 1182/120 flags 1 drop 0/0
>         ifp xl0 bytes 99249 pkts 125
> BIMAP 172.29.1.178 1026 <- -> x.x.2.178 1026 [24.157.202.217 19940]
>         age 703 use 0 sumd 0x689c/0x689c pr 17 bkt 1194/132 flags 2 drop 0/0
>         ifp xl0 bytes 1081 pkts 1
> BIMAP 172.29.1.177 1026 <- -> x.x.2.177 1026 [24.50.9.43 31817]
>         age 703 use 0 sumd 0x689c/0x689c pr 17 bkt 612/1597 flags 2 drop 0/0
>         ifp xl0 bytes 1081 pkts 1
> BIMAP 172.29.1.177 1026 <- -> x.x.2.177 1026 [24.240.35.68 10452]
>         age 650 use 0 sumd 0x689c/0x689c pr 17 bkt 188/1173 flags 2 drop 0/0
>         ifp xl0 bytes 1058 pkts 1
> BIMAP 172.29.1.178 1026 <- -> x.x.2.178 1026 [24.147.130.236 2230]
>         age 650 use 0 sumd 0x689c/0x689c pr 17 bkt 1870/808 flags 2 drop 0/0
>         ifp xl0 bytes 1058 pkts 1
> MAP 172.29.1.176 1128 <- -> x.x.2.176 45496 [192.175.48.1 53]
>         age 476 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 0/1168 flags 2 drop 0/0
>         ifp xl0 bytes 185 pkts 2
> MAP 172.29.1.176 1122 <- -> x.x.2.176 45490 [65.182.99.55 53]
>         age 475 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 855/2023 flags 2 drop 0/0
>         ifp xl0 bytes 173 pkts 2
> MAP 172.29.1.176 1119 <- -> x.x.2.176 45487 [65.182.99.55 53]
>         age 474 use 0 sumd 0x44b4/0x44b4 pr 17 bkt 87/1255 flags 2 drop 0/0
>         ifp xl0 bytes 161 pkts 2
> RDR 172.29.1.176 80 <- -> x.x.2.176 80 [208.35.159.6 4385]
>         age 339 use 0 sumd 0x689c/0x689c pr 6 bkt 1262/200 flags 1 drop 0/0
>         ifp xl0 bytes 2460 pkts 11
> RDR 172.29.1.176 80 <- -> x.x.2.176 80 [208.35.159.6 3532]
>         age 339 use 0 sumd 0x689c/0x689c pr 6 bkt 0/985 flags 1 drop 0/0
>         ifp xl0 bytes 4079 pkts 15
> BIMAP 172.29.1.178 22 <- -> x.x.2.178 22 [x.x.1.252 2833]
>         age 16171 use 0 sumd 0x689c/0x689c pr 6 bkt 1167/105 flags 1 drop 0/0
>         ifp xl0 bytes 584779 pkts 5271
>
> List of active host mappings:
> 172.29.1.176 -> 0.0.0.0 (use = 3 hv = 144)
>
> ipfstat -v
>
> opts 0x40 name /dev/ipl
> IPv6 packets: in 0 out 0
> input packets: blocked 2430 passed 62213 nomatch 0 counted 0 short 0
> output packets: blocked 220 passed 67737 nomatch 0 counted 0 short 0
> input packets logged: blocked 2430 passed 0
> output packets logged: blocked 0 passed 0
> packets logged: input 0 output 0
> log failures: input 0 output 0
> fragment state(in): kept 0 lost 0 not fragmented 0
> fragment state(out): kept 0 lost 0 not fragmented 0
> packet state(in): kept 1102 lost 0
> packet state(out): kept 27 lost 220
> ICMP replies: 0 TCP RSTs sent: 0
> Invalid source(in): 0
> Result cache hits(in): 318 (out): 0
> IN Pullups succeeded: 0 failed: 0
> OUT Pullups succeeded: 0 failed: 0
> Fastroute successes: 0 failures: 0
> TCP cksum fails(in): 0 (out): 0
> Packet log flags set: (0)
>         none
>
> ipfstat -nio
>
> @1 pass out quick on lo0 from any to any
> @2 pass out quick on rl0 proto udp from 172.29.1.1/32 port = 67 to any port = 68
> @3 pass out quick on xl0 proto udp from any port = 68 to any port = 67
> @4 pass out quick on rl0 from any to any keep state
> @5 pass out quick on xl0 from any to any keep state
> @6 block out log quick from any to any
> @1 pass in quick on lo0 from any to any
> @2 block in log quick from any to any with short
> @3 block in log quick from any to any with ipopt
> @4 pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
> @5 pass in quick on rl0 proto udp from any port = 68 to 172.29.1.1/32 port = 67
> @6 block in log quick on xl0 from 172.29.1.0/24 to any
> @7 block in log quick on xl0 proto udp from any port = 67 to 172.29.1.0/24 port = 68
> @8 pass in quick on xl0 proto udp from any port = 67 to any port = 68
> @9 block in log quick on rl0 from !172.29.1.0/24 to any
> @10 block in log quick on xl0 from 10.0.0.0/8 to any
> @11 block in log quick on xl0 from 127.0.0.0/8 to any
> @12 block in log quick on xl0 from 172.16.0.0/12 to any
> @13 block in log quick on xl0 from 192.168.0.0/16 to any
> @14 skip 1 in proto tcp from any to any flags S/FSRA
> @15 block in log quick proto tcp from any to any
> @16 block in log quick on rl0 from any to any head 100
> @1 pass in quick from 172.29.1.0/24 to 172.29.1.1/32 keep state group 100
> @2 pass in quick from 172.29.1.0/24 to any keep state group 100
> @17 block in log quick on xl0 from any to any head 200
> @1 pass in quick proto icmp from x.x.2.1/32 to x.x.2.176/32 keep state group 200
> @2 pass in quick proto tcp from x.x.1.0/24 to x.x.2.176/32 port = 8080 keep state group 200
> @3 pass in quick proto tcp from x.x.25.56/29 to x.x.2.176/32 port = 8080 keep state group 200
> @4 pass in quick proto tcp from any to 172.29.1.176/32 port = 80 keep state group 200
> @5 pass in quick proto tcp from any to 172.29.1.177/32 port = 25 keep state group 200
> @6 pass in quick proto tcp from any to 172.29.1.177/32 port = 110 keep state group 200
> @7 pass in quick proto tcp from any to 172.29.1.177/32 port = 80 keep state group 200
> @8 pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 5805 keep state group 200
> @9 pass in quick proto tcp from x.x.6.178/32 to 172.29.1.0/24 port = 5805 keep state group 200
> @10 pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 5805 keep state group 200
> @11 pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 14147 keep state group 200
> @12 pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 14147 keep state group 200
> @13 pass in quick proto tcp from any to 172.29.1.176/32 port = 21 keep state group 200
> @14 pass in quick proto tcp from any to 172.29.1.176/32 port 8999 >< 9101 keep state group 200
> @15 pass in quick proto tcp from any to 172.29.1.178/32 port = 22 keep state group 200
> @16 pass in quick proto tcp from any to 172.29.1.178/32 port = 80 keep state group 200
> @17 pass in quick proto tcp from any to 172.29.1.178/32 port = 443 keep state group 200
> @18 pass in quick proto icmp from x.x.1.0/24 to 172.29.1.178/32 keep state group 200
> @19 pass in quick proto icmp from x.x.2.1/32 to 172.29.1.178/32 keep state group 200
> @20 pass in quick proto udp from any to 172.29.1.178/32 port 1644 >< 1647 keep state group 200
> @21 pass in quick proto udp from any to 172.29.1.178/32 port 1811 >< 1814 keep state group 200
> @18 block in log quick from any to any
>
> unparsed ipnat rules
>
> bimap xl0 172.29.1.177/32 -> x.x.2.177/32
> bimap xl0 172.29.1.178/32 -> x.x.2.178/32
> map xl0 172.29.1.0/24 -> 0/32 proxy port ftp ftp/tcp
> map xl0 172.29.1.0/24 -> 0/32 portmap tcp/udp auto
> map xl0 172.29.1.0/24 -> 0/32
> rdr xl0 0/0 port 21 -> 172.29.1.176 port 21 tcp
> rdr xl0 0/0 port 80 -> 172.29.1.176 port 80 tcp
> rdr xl0 0/0 port 5805 -> 172.29.1.176 port 5805 tcp
> rdr xl0 0/0 port 9000-9100 -> 172.29.1.176 port 9000 tcp
>
> unparsed ipfilter rules
>
> # loopback
> pass in quick on lo0 all
> pass out quick on lo0 all
>
> # block short packets
> block in log quick all with short
>
> # block IP options
> block in log quick all with ipopts
>
> # allow access to DHCP server on LAN
> pass in quick on rl0 proto udp from any port = 68 to 255.255.255.255 port = 67
> pass in quick on rl0 proto udp from any port = 68 to 172.29.1.1 port = 67
> pass out quick on rl0 proto udp from 172.29.1.1 port = 67 to any port = 68
>
> # WAN spoof check
> block in log quick on xl0 from 172.29.1.0/24 to any
>
> # allow our DHCP client out to the WAN
> # XXX - should be more restrictive
> # (not possible at the moment - need 'me' like in ipfw)
> pass out quick on xl0 proto udp from any port = 68 to any port = 67
> block in log quick on xl0 proto udp from any port = 67 to 172.29.1.0/24 port = 68
> pass in quick on xl0 proto udp from any port = 67 to any port = 68
>
> # LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
> block in log quick on rl0 from ! 172.29.1.0/24 to any
>
> # block anything from private networks on WAN interface
> block in log quick on xl0 from 10.0.0.0/8 to any
> block in log quick on xl0 from 127.0.0.0/8 to any
> block in log quick on xl0 from 172.16.0.0/12 to any
> block in log quick on xl0 from 192.168.0.0/16 to any
>
> # Block TCP packets that do not mark the start of a connection
> skip 1 in proto tcp all flags S/SAFR
> block in log quick proto tcp all
>
> #---------------------------------------------------------------------------
> # group head 100 - LAN interface
> #---------------------------------------------------------------------------
> block in log quick on rl0 all head 100
>
> # let out anything from the firewall host itself and decrypted IPsec traffic
> pass out quick on rl0 all keep state
>
> #---------------------------------------------------------------------------
> # group head 200 - WAN interface
> #---------------------------------------------------------------------------
> block in log quick on xl0 all head 200
>
> # let out anything from the firewall host itself and decrypted IPsec traffic
> pass out quick on xl0 all keep state
>
> # make sure the user cannot lock himself out of the webGUI
> pass in quick from 172.29.1.0/24 to 172.29.1.1 keep state group 100
>
> # User-defined rules follow
> pass in quick proto icmp from x.x.2.1 to x.x.2.176 keep state group 200
> pass in quick proto tcp from x.x.1.0/24 to x.x.2.176 port = 8080 keep state group 200
> pass in quick proto tcp from x.x.25.56/29 to x.x.2.176 port = 8080 keep state group 200
> pass in quick proto tcp from any to 172.29.1.176 port = 80 keep state group 200
> pass in quick proto tcp from any to 172.29.1.177 port = 25 keep state group 200
> pass in quick proto tcp from any to 172.29.1.177 port = 110 keep state group 200
> pass in quick proto tcp from any to 172.29.1.177 port = 80 keep state group 200
> pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 5805 keep state group 200
> pass in quick proto tcp from x.x.6.178 to 172.29.1.0/24 port = 5805 keep state group 200
> pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 5805 keep state group 200
> pass in quick proto tcp from x.x.1.0/24 to 172.29.1.0/24 port = 14147 keep state group 200
> pass in quick proto tcp from x.x.25.56/29 to 172.29.1.0/24 port = 14147 keep state group 200
> pass in quick proto tcp from any to 172.29.1.176 port = 21 keep state group 200
> pass in quick proto tcp from any to 172.29.1.176 port 8999 >< 9101 keep state group 200
> pass in quick proto tcp from any to 172.29.1.178 port = 22 keep state group 200
> pass in quick proto tcp from any to 172.29.1.178 port = 80 keep state group 200
> pass in quick proto tcp from any to 172.29.1.178 port = 443 keep state group 200
> pass in quick proto icmp from x.x.1.0/24 to 172.29.1.178 keep state group 200
> pass in quick proto icmp from x.x.2.1 to 172.29.1.178 keep state group 200
> pass in quick proto udp from any to 172.29.1.178 port 1644 >< 1647 keep state group 200
> pass in quick proto udp from any to 172.29.1.178 port 1811 >< 1814 keep state group 200
> pass in quick from 172.29.1.0/24 to any keep state group 100
>
> #---------------------------------------------------------------------------
> # default rules (just to be sure)
> #---------------------------------------------------------------------------
> block in log quick all
> block out log quick all
>
> unparsed ipfw rules
>
> add 50000 set 4 pass all from 172.29.1.1 to any
> add 50001 set 4 pass all from any to 172.29.1.1
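To turn the "works on 1645, not on 1812" observation into a repeatable check that can be run from any host on the WAN side, the following is an added example (written for this thread; it is not code from the post above, from m0n0wall, or from any RADIUS server). It builds a real RFC 2865 Access-Request, sends the same request to both authentication ports, and validates the reply's Response Authenticator against the shared secret, so an Access-Reject still proves the packet reached the server and the answer came back through the 1:1 NAT, "no reply" means the request or the answer was dropped in transit, and a reply with a bad authenticator means something other than the expected server answered. The server address (192.0.2.178 standing in for the x.x.2.178 above), user name, password and shared secret are placeholders to be replaced.

```python
"""Minimal RADIUS Access-Request prober (RFC 2865) for comparing the
1645/1646 and 1812/1813 port conventions through a NAT/firewall.

Added example for this thread, not code from the original post or from any
RADIUS implementation. SERVER, user, password and SECRET are placeholders."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}

# Assumed values for the example only; replace with your own.
SERVER = "192.0.2.178"       # stands in for the public 1:1 NAT address of "auth"
PORTS = (1645, 1812)         # authentication port in both conventions
SECRET = b"example-secret"   # shared secret the server has for this client


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR 16-byte password blocks with an MD5 keystream
    seeded by secret + Request Authenticator, chained by the previous
    ciphertext block. An empty password still yields one 16-byte block."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return out


def attribute(attr_type, value):
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, user, password, secret,
                         nas_ip="0.0.0.0", authenticator=None):
    """Return (packet, request_authenticator) for an Access-Request with
    User-Name(1), User-Password(2), NAS-IP-Address(4) and NAS-Port(5)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(1, user)
             + attribute(2, hide_password(password, secret, authenticator))
             + attribute(4, socket.inet_aton(nas_ip))
             + attribute(5, struct.pack("!I", 0)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What the server side sends back: same Identifier, and a Response
    Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(data, request_authenticator, secret):
    """Validate a reply against the request it answers. Returns
    (code, identifier), or None if the reply is malformed or was not
    produced with the shared secret."""
    if len(data) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        return None
    data = data[:length]
    expected = hashlib.md5(data[:4] + request_authenticator + data[20:] + secret).digest()
    if expected != data[4:20]:
        return None
    return code, identifier


def probe(server, ports, user, password, secret, timeout=3.0):
    """Send one Access-Request per port and classify the outcome."""
    results = {}
    for identifier, port in enumerate(ports):
        packet, req_auth = build_access_request(identifier, user, password, secret)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, port))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            # Nothing came back: dropped in transit, or nothing listening.
            results[port] = "no reply"
            continue
        finally:
            sock.close()
        parsed = verify_response(data, req_auth, secret)
        if parsed is None:
            results[port] = "reply with bad Response Authenticator (wrong secret?)"
        else:
            results[port] = CODE_NAMES.get(parsed[0], "code %d" % parsed[0])
    return results


if __name__ == "__main__":
    for port, outcome in probe(SERVER, PORTS, b"testuser", b"testpass", SECRET).items():
        print("udp/%d: %s" % (port, outcome))
```

Run it from a WAN-side host with the real public address and the secret configured for that host on the RADIUS server; the server's own log will then show whether the 1812 request ever arrived, which separates a drop on the way in from a drop on the way back.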