From i.m@vikulin.in.ua  Sun May 18 15:39:17 2008
Return-Path: <i.m@vikulin.in.ua>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 88A34106566C
	for <freebsd-gnats-submit@freebsd.org>; Sun, 18 May 2008 15:39:17 +0000 (UTC)
	(envelope-from i.m@vikulin.in.ua)
Received: from pl1.cyfra.ua (pl1.cyfra.ua [62.80.178.142])
	by mx1.freebsd.org (Postfix) with ESMTP id 9C7638FC1E
	for <freebsd-gnats-submit@freebsd.org>; Sun, 18 May 2008 15:39:16 +0000 (UTC)
	(envelope-from i.m@vikulin.in.ua)
Received: (qmail 26081 invoked by uid 33); 18 May 2008 18:12:26 +0300
Received: from 192.168.0.90 (192.168.0.90 [192.168.0.90]) by
	webmail.vikulin.in.ua (Horde MIME library) with HTTP; Sun, 18 May 2008
	18:12:26 +0300
Message-Id: <20080518181226.8g6u2fdc4goocg0c@webmail.vikulin.in.ua>
Date: Sun, 18 May 2008 18:12:26 +0300
From: i.m@vikulin.in.ua
To: freebsd-gnats-submit@FreeBSD.org
Cc: nobody@FreeBSD.org
Subject: Port mapping does not work

>Number:         123796
>Category:       kern
>Synopsis:       [ipfilter] FreeBSD 6.1+VPN+ipnat+ipf: port mapping does not work
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    cy
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 18 15:40:03 UTC 2008
>Closed-Date:    
>Last-Modified:  Wed Jul 03 05:20:21 UTC 2013
>Originator:     
>Release:        
>Organization:
>Environment:
>Description:

 [bugmaster note: this is a followup to closed conf/102429].

 Hello!
 
 I have had problems mapping ports 21 and 80.
 There is a FreeBSD router for the 192.168.0.x LAN.
 The WAN interface has IP address 192.168.25.135.
 The LAN interface IP is 192.168.0.1.
 For provider access I'm using a VPN from 192.168.25.135 to
 192.168.25.1 (provider's VPN server). NAT works via ipnat with ipf.
 
 Summary of the problem:
 Port mapping does not work for the mapped ports 21 and 80 to local IP
 address 192.168.0.5.
 
 Router's interfaces:
 VPN virtual interface tun0: 195.39.x.x
 
 ifconfig shows this:
 __________________________________________________________________________________________________________________
 
 rl0: 192.168.0.1/24 active
 rl1: 192.168.25.135/24 active
 tun0:195.39.x.x->10.100.101.1
 ping works to any Internet address.
 
 rc.conf and the other conf files are shown below:
 __________________________________________________________________________________________________________________
 
 hostname=FreeBS.
 nisdomainname="NO"
 dhclient_program="/sbin/dhclient"
 dhclient_flags=""
 background_dhclient="NO"
 firewall_enable="NO"
 firewall_script="/etc/rc.firewall"
 firewall_type="/etc/firewall.conf"
 firewall_quiet="NO"
 firewall_logging="NO"
 firewall_flags=""
 ip_portrange_first="NO"
 ip_portrange_last="NO"
 ike_enable="NO"
 ike_program="/usr/local/sbin/isakmpd"
 ike_flags=""
 ipsec_enable="NO"
 ipsec_file="/etc/ipsec.conf"
 natd_program="/sbin/natd"
 natd_enable="NO"
 #natd_interface="rl1"
 #natd_flags="-redirect_port tcp 192.168.0.5:21 21"
 #natd_flags="-a 192.168.25.1"
 #natd_flags="-f /etc/natd.conf"
 ipfilter_enable="YES"
 ipfilter_program="/sbin/ipf"
 ipfilter_rules="/etc/ipf.rules"
 
 ipfilter_flags=""
 ipnat_enable="YES"
 ipnat_program="/sbin/ipnat"
 ipnat_rules="/etc/ipnat.rules"
 ipnat_flags=""
 ipmon_enable="YES"
 ipmon_program="/sbin/ipmon"
 ipmon_flags="-Ds"
 ipfs_enable="YES"
 
 ipfs_program="/sbin/ipfs"
 ipfs_flags=""
 pf_enable="NO"
 pf_rules="/etc/pf.conf"
 pf_program="/sbin/pfctl"
 pf_flags=""
 pflog_enable="NO"
 pflog_logfile="/var/log/pflog"
 pflog_program="/sbin/pflogd"
 pflog_flags=""
 pfsync_enable="NO"
 pfsync_syncdev=""
 pfsync_ifconfig=""
 tcp_extensions="YES"
 log_in_vain="0"
 tcp_keepalive="YES"
 
 tcp_drop_synfin="NO"
 
 icmp_drop_redirect="YES"
 icmp_log_redirect="YES"
 network_interfaces="rl0 rl1 tun0 ng0"
 cloned_interfaces=""
 sppp_interfaces=""
 gif_interfaces="NO"
 
 ppp_enable="NO"
 ppp_program="/usr/sbin/ppp"
 ppp_mode="auto"
 
 ppp_nat="YES"
 ppp_profile="papchap"
 ppp_user="root"
 hostapd_enable="NO"
 syslogd_enable="YES"
 syslogd_program="/usr/sbin/syslogd"
 syslogd_flags="-s"
 inetd_enable="NO"
 inetd_program="/usr/sbin/inetd"
 inetd_flags="-wW -C 60"
 #
 # named.  It may be possible to run named in a sandbox, man security for
 # details.
 #
 named_enable="NO"
 named_program="/usr/sbin/named"
 #named_flags=""
 named_pidfile="/var/run/named/pid"
 named_uid="bind"
 named_chrootdir="/var/named"
 named_chroot_autoupdate="YES"
 
 named_symlink_enable="YES"
 
 defaultrouter=192.168.25.1
 static_routes=""
 natm_static_routes=""
 gateway_enable="YES"
 router_enable="NO"
 router="/sbin/routed"
 router_flags="-q"
 mrouted_enable="NO"
 mrouted_flags=""
 ipxgateway_enable="NO"
 ipxrouted_enable="NO"
 ipxrouted_flags=""
 arpproxy_all="NO"
 forward_sourceroute="NO"
 accept_sourceroute="NO"
 
 ### Miscellaneous network options: ###
 icmp_bmcastecho="NO"
 if [ -z "${source_rc_confs_defined}" ]; then
 	source_rc_confs_defined=yes
 	source_rc_confs () {
 		local i sourced_files
 		for i in ${rc_conf_files}; do
 			case ${sourced_files} in
 			*:$i:*)
 				;;
 			*)
 				sourced_files="${sourced_files}:$i:"
 				if [ -r $i ]; then
 					. $i
 				fi
 				;;
 			esac
 		done
 	}
 fi
 ifconfig_rl0="inet 192.168.0.1 netmask 0xffffff00"
 ifconfig_rl1="inet 192.168.25.135 netmask 0xffffff00"
 ifconfig_lo0="inet 127.0.0.1"
 __________________________________________________________________________________________________________________
 ppp.conf
 __________________________________________________________________________________________________________________
 
 vpn:
   dns enable
   nat enable yes
   set authname nikolay
   set authkey 911
   set timeout 0
   set ifaddr 0 0
   add default HISADDR
 __________________________________________________________________________________________________________________
 ipnat.rules
 __________________________________________________________________________________________________________________
 
 rdr tun0 195.39.253.24/32 port 21 -> 192.168.0.5 port 21
 rdr tun0 195.39.253.24/32 port 80 -> 192.168.0.5 port 80
 map tun0 192.168.0.0/24 -> 195.39.253.24/32 proxy port ftp ftp/tcp
 map tun0 192.168.0.0/24 -> 195.39.253.24/32 portmap tcp/udp 10000:60000
 map tun0 192.168.0.0/24 -> 195.39.253.24/32
 __________________________________________________________________________________________________________________
 ipf.rules
 __________________________________________________________________________________________________________________
 
 pass in all
 pass out all
 __________________________________________________________________________________________________________________
 For a connection from the ftp server (192.168.0.5) to port 21,
 tcpdump on rl0 gives the following:
 __________________________________________________________________________________________________________________
 
 08:38:19 3528202 arp who-has 192.168.0.1 tell 192.168.0.5
 352829 arp replay 192.168.0.1 is-at 00:02:44:66:05:a1 (oi Unknown)
 352925 IP 192.168.0.5.4332 > 195.39.253.24.ftp: S 2706215230:2706215230 (0) win 65535 <msss 1460,nop, nop, sack Ok>
 352969 IP 195.39.x.x.ftp: > 192.168.0.5.4332: R 0:0(0) ack 2706215231 win 0
 813373 IP 192.168.0.5.4332 > 195.39.x.x.ftp : S 2706215230:2706215230 (0) win 65535 <mss 1460, nop, nop,sackOk>
 813400 IP 195.39.x.x.ftp > 192.168.0.5.4332 : R 0:0(0) ack 1 win 0
 316291 IP 192.168.0.5.4332 > 195.39.x.x.ftp : S 2706215230:2706215230 (0) win 65535 <mss 1460, nop, nop, sackOk>
 316324 IP 195.39.x.x.ftp > 192.168.0.5.4332 : R 0:0(0) ack 1 win 0
 __________________________________________________________________________________________________________________
 
 The same happens for port 80.
 > Fix:
 Unknown.
 > Release-Note:
 > Audit-Trail:
 State-Changed-From-To: open->feedback
 State-Changed-By: gavin
 State-Changed-When: Wed Jun 13 22:25:18 UTC 2007
 State-Changed-Why:
 
 To submitter:  Please, if possible, submit your problem report
 in English.  If not possible, you will probably have more luck
 with one of the FreeBSD mailing lists in your own language, see
 http://www.freebsd.org/community/mailinglists.html
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=102429
 State-Changed-From-To: feedback->closed
 State-Changed-By: gavin
 State-Changed-When: Mon Jul 16 13:11:35 UTC 2007
 State-Changed-Why:
 Feedback timeout (1 month).  To submitter:  If this still a problem,
 please try to summarise your problem in English, or ask on a mailing
 list in your native language.  Thanks!
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=102429
 > Unformatted:
 
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-net 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sun May 18 22:45:21 UTC 2008 
Responsible-Changed-Why:  
Rescue this PR from the 'pending' category. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123796 
Responsible-Changed-From-To: freebsd-net->cy 
Responsible-Changed-By: cy 
Responsible-Changed-When: Wed Jul 3 05:20:07 UTC 2013 
Responsible-Changed-Why:  
Mine. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=123796 
>Unformatted:
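The capture in this PR was taken on rl0 and shows the LAN host 192.168.0.5 itself connecting to the public address 195.39.253.24, while both rdr rules are bound to tun0. The following is an added example, not code from the PR or from IPFilter: a simplified model of rdr matching (assumed here to require the packet's ingress interface, protocol, destination address and port to match) run over the PR's own rules, with one packet constructed from the capture and one constructed as if it had arrived from the Internet on tun0 (203.0.113.7 is a made-up source).

```python
# Added example (not from the PR): simplified model of IPFilter "rdr" matching.
# Assumption: an rdr rule rewrites only packets that arrive on the named
# interface with the rule's protocol, destination address and port.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rdr:
    iface: str
    dst: str     # destination address; the PR's rules use /32
    dport: int
    to: str
    tport: int
    proto: str = "tcp"   # rdr defaults to tcp when no protocol is given

def parse_rdr(line: str) -> Rdr:
    # e.g. "rdr tun0 195.39.253.24/32 port 21 -> 192.168.0.5 port 21"
    t = line.split()
    if t[0] != "rdr" or t[3] != "port" or t[5] != "->" or t[7] != "port":
        raise ValueError("unsupported rdr syntax: " + line)
    proto = t[9].split("/")[-1] if len(t) > 9 else "tcp"
    return Rdr(t[1], t[2].split("/")[0], int(t[4]), t[6], int(t[8]), proto)

def apply_rdr(rules, pkt):
    """Return (new_dst, new_dport) if some rdr rule rewrites pkt, else None."""
    for r in rules:
        if (r.iface == pkt.iface and r.proto == pkt.proto
                and r.dst == pkt.dst and r.dport == pkt.dport):
            return (r.to, r.tport)
    return None

RULES = [parse_rdr(l) for l in (
    "rdr tun0 195.39.253.24/32 port 21 -> 192.168.0.5 port 21",
    "rdr tun0 195.39.253.24/32 port 80 -> 192.168.0.5 port 80",
)]

# Constructed from the PR's tcpdump: the SYN from the LAN host enters on rl0.
LAN_TEST = Packet("rl0", "tcp", "192.168.0.5", 4332, "195.39.253.24", 21)
# Constructed: the same connection arriving from the Internet enters on tun0.
FROM_WAN = Packet("tun0", "tcp", "203.0.113.7", 4332, "195.39.253.24", 21)

if __name__ == "__main__":
    print(apply_rdr(RULES, LAN_TEST))   # None: no rdr is bound to rl0
    print(apply_rdr(RULES, FROM_WAN))   # ('192.168.0.5', 21)
```

Under this model the packet from the capture matches no rdr rule because it enters on rl0, so a test run from inside the LAN does not exercise the tun0 redirects at all; a capture on tun0 of a connection from outside is what would show whether the redirect itself works.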
