Есть небольшая проблема: стоит шлюз в инет, на нём поставлен mpd5 в качестве сервера pptp, а также pptp-клиента к филиалу и pppoe-клиента ко второму инету
Есть проблема такого плана: когда подключаются люди извне к этому серверу через vpn, работает только один клиент — тот, который подключился первым, и не более. То есть когда подключаешься, к примеру, со второго компа, отваливается первый клиент, который подключился.
Проблема такого плана, как будто не пропускает более одного vpn-коннекта — знаете, как на линухе без модуля mod_pptp.
Подскажите куда копать...
Вот конфиги:
[root@gate /]# uname -v
FreeBSD 6.2-RELEASE #1: Mon Jan 14 11:30:50 EET 2008
[root@gate /]# cat /etc/pf.conf
# macros
# Interface/address macros. The mpd5 tunnel interfaces (ng0, ng1) are
# referenced by literal name further down rather than through macros.
int_if = "rl1"
ext_if = "rl0"
int_net = "192.168.10.0/24"
ext_addr = "XXX.XXX.XXX.XXX"
ftp_server = "192.168.100.47"
# NOTE(review): $ftp_server, $tcp_services, $icmp_types and $priv_nets are
# defined but never used in the rules below - in particular no anti-spoofing
# filter on $priv_nets and no ICMP filter is actually in effect.
tcp_services = "{ pop3, smtp, http, https, ftp , ssh }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# options
# Blocked packets are answered with TCP RST / ICMP unreachable instead of
# being dropped silently.
set block-policy return
# NOTE(review): there is no default-deny ("block all") rule anywhere in this
# file. pf passes any packet that matches no rule, so everything not blocked
# explicitly is allowed: all traffic on ng0/ng1, and all non-TCP traffic on
# $ext_if addressed to $ext_addr (GRE for PPTP included). The pass rules below
# therefore mainly add state/queueing/policy routing; they do not restrict access.
#
# Translation rules (nat/rdr) - applied before the filter rules.
# Inbound FTP to the public address is redirected to port 8021 (the default
# listening port of ftp-proxy(8), presumably what runs there) and tagged so the
# reply-to rule near the end can match the session.
rdr on $ext_if proto tcp from any to $ext_addr port ftp tag TRAF_FTP ->XXX.XXX.XXX.XXX port 8021
# NOTE(review): NAT on the external interface for a private destination
# (192.168.254.254) - purpose not visible in this listing; confirm it is still needed.
nat on $ext_if from any to 192.168.254.254 -> 192.168.254.1
# Source-NAT the LAN, the 192.168.100/24 segment and the PPTP client pool
# (192.168.11/24 - see "set ippool add pool1" in mpd.conf) to the primary uplink.
nat on $ext_if from {192.168.10/24, 192.168.100/24, 192.168.11/24} to any -> $ext_addr
# Second uplink (fixed address YYY...) and branch tunnel (dynamic address).
# NOTE(review): ng0/ng1 are numbered by mpd5 in the order the static bundles are
# created in mpd.conf; a change there can silently swap which tunnel these rules
# apply to. Verify the mapping with ifconfig after an mpd restart.
nat on ng0 from any to any -> YYY.YYY.YYY.YYY
nat on ng1 from any to any -> (ng1)
# Port forwards on the ng0 uplink: ssh, RDP (3389) and HTTP to internal hosts.
# NOTE(review): all three accept connections from any source; RDP in particular
# is exposed to the whole Internet on 33892. Consider limiting the source
# addresses or reaching RDP only through the VPN.
rdr on ng0 proto tcp from any to YYY.YYY.YYY.YYY port 22 -> 192.168.10.3 port 22
rdr on ng0 proto tcp from any to YYY.YYY.YYY.YYY port 33892 -> 192.168.10.205 port 3389
rdr on ng0 proto tcp from any to YYY.YYY.YYY.YYY port 45684 -> 192.168.10.205 port 80
#
# Filter rules.
pass quick on lo0 all
pass quick on vlan0 all
# Only packets addressed to our own public IP may enter via $ext_if; this is
# the only block rule in the file.
block drop in quick on $ext_if from any to !$ext_addr
pass in on $int_if from $int_net to 192.168.10.1 keep state
# Policy routing: selected TCP ports arriving for $ext_addr are handed to
# 192.168.100.2 over vlan0 (presumably a proxy/DMZ host - not visible here).
# NOTE(review): "tun" in the interface list of the second rule is a userland
# ppp(8)-style name; mpd5 bundles appear as ng* interfaces, so no VPN
# interface is actually covered by that rule.
pass in quick on $int_if route-to (vlan0 192.168.100.2) inet proto tcp from any to $ext_addr port {19322, 35322, 35323, 250, 995, 993, 251, 996, 994, 80, 443, 33897, 25, 110, 5222, 5223, 5269, 5280} keep state
pass in quick on {$int_if,$ext_if,tun,vlan0} route-to (vlan0 192.168.100.2) inet proto tcp from any to $ext_addr port {43306, 33895, 19322, 35322,35323, 250, 995, 993, 251, 996, 994, 80, 443, 33897, 25, 110, 5222, 5223, 5269, 5280, 143, 21} keep state
# NOTE(review): DNS from *any* source on the public interface is routed to
# 192.168.100.2. If that host answers recursive queries, this makes it an open
# resolver reachable from the Internet; narrow "from any" if that is not intended.
pass in quick on $ext_if route-to (vlan0 192.168.100.2) inet proto {udp,tcp} from any to any port 53 keep state
pass in quick on vlan0 route-to (vlan0 192.168.100.2) inet proto tcp from any to $ext_addr port {6666,8081,25,80,21} keep state
# Outbound TCP on the uplink with ALTQ queueing. NOTE(review): the altq/queue
# definitions for ext_low/ext_high are not part of this listing.
pass out on $ext_if proto tcp from any to any port 22 keep state queue ext_high
pass out on $ext_if proto tcp all keep state flags S/SA queue (ext_low, ext_high)
# NOTE(review): this passes every TCP port on the public address, including
# mpd's web console (port 5006 in mpd.conf, bound to 0.0.0.0 and protected only
# by the stock admin/admin credentials). Bind that console to 127.0.0.1 or add a
# "block in quick on $ext_if proto tcp from any to $ext_addr port 5006" rule.
pass in on $ext_if proto tcp from any to $ext_addr keep state queue ext_low
pass out on $int_if inet
# A single host is forced out through the ng0 uplink for non-RFC1918 destinations.
# NOTE(review): 192.168.100.20 is not inside $int_net, so this only matches if
# that segment is also reachable via $int_if - confirm.
pass in on $int_if route-to (ng0 YYY.YYY.YYY.XXX) from { 192.168.100.20} to !192.168.0.0/16
# Return path for the tagged FTP sessions redirected above.
pass in on $ext_if reply-to ($ext_if YYY.YYY.YYY.YYY) proto tcp tagged TRAF_FTP flags S/SA keep state
# Connections owned by the local user "proxy" (ftp-proxy's own sockets).
pass out on $ext_if proto tcp from $ext_addr to any flags S/SA user proxy keep state
pass in on $ext_if proto tcp from any to $ext_addr flags S/SA user proxy keep state
pass out on vlan0 proto tcp from 192.168.100.1 to any flags S/SA user proxy keep state
pass in on vlan0 proto tcp from any to 192.168.100.1 flags S/SA user proxy keep state
[root@gate /]# cat /usr/local/etc/mpd5/mpd.conf
startup:
# configure mpd users
# NOTE(review): this account guards both the console and the web interface
# below, and it still carries the stock example values - change the password.
# The file holds several plain-text secrets; keep it readable by root only.
set user admin pass admin
# configure the console
# Console is bound to loopback only, so it is reachable just from the box itself.
set console self 127.0.0.1 5005
set console open
# configure the web server
# NOTE(review): the web interface listens on every address (0.0.0.0). pf.conf
# passes all TCP to $ext_addr and has no filter rules on ng0/ng1 at all, so this
# interface is reachable from the Internet with admin/admin. Bind it to
# 127.0.0.1 like the console, or block port 5006 in pf.
set web self 0.0.0.0 5006
set web open
default:
# Load order: PPTP server, PPPoE uplink ("anitex"), PPTP client to the branch ("bai").
load pptp_server
load anitex
load pptp_bai_client
anitex:
# PPPoE client bundle for the second Internet uplink. A static bundle gets its
# interface at startup, so with this load order it presumably becomes ng0 - the
# name pf.conf's "nat on ng0 ... -> YYY.YYY.YYY.YYY" relies on. NOTE(review):
# pinning the name with "set iface name" would remove that ordering dependency;
# confirm the command is available in the mpd5 version in use.
create bundle static anitex
# set iface route default
# set iface up-script "/usr/local/etc/mpd5/mpd.script"
# set iface down-script "/usr/local/etc/mpd5/mpd.script"
# Accept whatever addresses the provider assigns to either end.
set ipcp ranges 0.0.0.0/0 0.0.0.0/0
# set iface enable tcpmssfix
create link static L1_anitex pppoe
set link action bundle anitex
# Provider credentials (shown as placeholders in this listing).
set auth authname user
set auth password pass
# 0 = redial without limit.
set link max-redial 0
set link mtu 1460
# LCP echo every 10 s; link declared dead after 60 s without a reply.
set link keep-alive 10 60
set pppoe iface vr0
set pppoe service ""
open
pptp_server:
#
# Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
#
# Suppose you have a private Office LAN numbered 192.168.1.0/24 and the
# machine running mpd is at 192.168.1.1, and also has an externally visible
# IP address of 1.2.3.4.
#
# We want to allow a client to connect to 1.2.3.4 from out on the Internet
# via PPTP. We will assign that client the address 192.168.1.50 and proxy-ARP
# for that address, so the virtual PPP link will be numbered 192.168.1.1 local
# and 192.168.1.50 remote. From the client machine's perspective, it will
# appear as if it is actually on the 192.168.1.0/24 network, even though in
# reality it is somewhere far away out on the Internet.
#
# Our DNS server is at 192.168.1.3 and our NBNS (WINS server) is at 192.168.1.4.
# If you don't have an NBNS server, leave that line out.
#
# NOTE(review): the example text above (192.168.1.x, 1.2.3.4) is the stock
# sample and does not describe this deployment; the live values are the ones
# below (pool in 192.168.11.x, DNS/NBNS in 192.168.100.x).
#
# Define dynamic IP address pool.
set ippool add pool1 192.168.11.10 192.168.11.254
# Create clonable bundle template named B
create bundle template B
# proxy-arp only has an effect if a local interface sits on the pool's network
# (192.168.11.0/24). pf.conf shows no such interface, so this may be a no-op
# here - the pool is routed/NATed instead (see "nat on $ext_if" in pf.conf).
set iface enable proxy-arp
# Drop the session after 1800 s without traffic.
set iface idle 1800
set iface enable tcpmssfix
set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
set ipcp ranges 192.168.11.1/32 ippool pool1
set ipcp dns 192.168.100.10
set ipcp nbns 192.168.100.13
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
set bundle enable compression
set ccp yes mppc
# NOTE(review): 40-bit MPPE (e40) offers negligible protection; unless a
# legacy client really needs it, disable it ("set mppc no e40") and keep 128-bit
# only. PPTP with MS-CHAP/MPPE is considered obsolete as a whole, so a
# migration path (IPsec or another VPN) is worth planning.
set mppc yes e40
set mppc yes e128
set mppc yes stateless
# Create clonable link template named L
create link template L pptp
# Set bundle template to use
set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
# NOTE(review): with multilink enabled mpd joins a new incoming link into an
# existing bundle when it takes the peer to be the same (matching authname /
# endpoint discriminator). If the "second client knocks the first one off"
# symptom shows up only when clients share a username, try
# "set link disable multilink" here first - confirm against the mpd docs.
set link enable multilink
set link yes acfcomp protocomp
# Never request PAP; require the peer to authenticate with CHAP (mpd's "chap"
# covers the MS-CHAP variants that MPPE key derivation relies on).
set link no pap chap
set link enable chap
# We can use use RADIUS authentication/accounting by including
# another config section with label 'radius'.
load radius
set link keep-alive 10 60
# We reducing link mtu to avoid GRE packet fragmentation.
set link mtu 1460
# Configure PPTP
# Listen for PPTP control connections on every local address (LAN and tunnels included).
set pptp self 0.0.0.0
# Allow to accept calls
set link enable incoming
radius:
# You can use radius.conf(5), its useful, because you can share the
# same config with userland-ppp and other apps.
set radius config /etc/radius.conf
# or specify the server directly here
# NOTE(review): this line carries the RADIUS shared secret in clear, and the
# config has been posted publicly; if that is the real secret, rotate it on
# the RADIUS server.
set radius server ldap.dmz gatepwd 1812 1813
set radius retries 3
set radius timeout 3
# send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.
set radius me 192.168.10.1
# send accounting updates every 5 minutes
set auth acct-update 300
# enable RADIUS, and fallback to mpd.secret, if RADIUS auth failed
set auth enable radius-auth
# enable RADIUS accounting
set auth enable radius-acct
# protect our requests with the message-authenticator
set radius enable message-authentic
pptp_bai_client:
# PPTP client bundle to the branch office; only 10.1.1.0/24 is routed into it.
create bundle static bai
# set iface route default
set iface route 10.1.1.0/24
set iface enable proxy-arp tcpmssfix
set ipcp ranges 0.0.0.0/0 0.0.0.0/0
# NOTE(review): "no encryption" here refers to the bundle-level ECP protocol;
# MPPE is negotiated separately through CCP/mppc on the next two lines. Whether
# the tunnel actually ends up encrypted therefore depends on what the peer
# agrees to - check the CCP state after the link comes up. e40/e56 are weak
# key sizes; prefer e128 only if the peer supports it.
# These four lines are repeated verbatim after "create link" below (harmless duplication).
set bundle yes compression
set bundle no encryption
set ccp yes mppc
set mppc yes compress e40 e56 e128 stateless
create link static L2_bai pptp
# Authenticate ourselves with CHAP / MS-CHAPv2 when the peer asks; never require it from the peer.
set link accept chap
set link accept chap-msv2
set link yes multilink
set link yes magicnum check-magic shortseq acfcomp protocomp
# Duplicate of the bundle settings above (see note there).
set bundle yes compression
set bundle no encryption
set ccp yes mppc
set mppc yes compress e40 e56 e128 stateless
set link no eap
set link action bundle bai
# Credentials for the branch peer (placeholders in this listing).
set auth authname "user"
set auth password "pass"
set pptp peer mega-vpn.server
# 0 = redial without limit.
set link max-redial 0
set link mtu 1460
# LCP echo every 60 s; link declared dead after 180 s without a reply.
set link keep-alive 60 180
# PPTP GRE acknowledgement tuning.
set pptp disable windowing
set pptp enable always-ack
set pptp enable delayed-ack
open