mpd5 + pf + nat = не более 1 коннекта входящего vpn

[SniZ]

Добрый день всем!

Есть небольшая проблема, стоит шлюз в инет, на нём поставлен mpd5 в качестве сервера pptp, а так же pptp клиента к филлиалу и pppoe клиента ко второму инету

Есть проблема такого плана: когда подключаются люди из вне, к этому серверу через vpn, работает только один клиент что подключился. И не более. То есть когда подключаешься со второго к примеру компа, отваливается первый клиент что подключился.
Проблема, такого плана, как будто не пропускает более 1 vpn коннекта, знаете, как на линухе, без модуля mod_pptp.

Подскажите куда копать...

Вот конфиги:

Код: Выделить всё

[root@gate /]# uname -v
FreeBSD 6.2-RELEASE #1: Mon Jan 14 11:30:50 EET 2008

Код: Выделить всё

[root@gate /]# cat /etc/pf.conf
# macros
int_if = "rl1"
ext_if = "rl0"

int_net = "192.168.10.0/24"
ext_addr = "XXX.XXX.XXX.XXX"
ftp_server = "192.168.100.47"

tcp_services = "{ pop3, smtp, http, https, ftp , ssh }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return

rdr on $ext_if proto tcp from any to $ext_addr port ftp tag TRAF_FTP ->XXX.XXX.XXX.XXX port 8021

nat on $ext_if from any to 192.168.254.254 -> 192.168.254.1
nat on $ext_if from {192.168.10/24, 192.168.100/24, 192.168.11/24} to any -> $ext_addr
nat on ng0 from any to any -> YYY.YYY.YYY.YYY
nat on ng1 from any to any -> (ng1)

rdr on ng0 proto tcp from any to YYY.YYY.YYY.YYY port 22 -> 192.168.10.3 port 22
rdr on ng0 proto tcp from any to YYY.YYY.YYY.YYY port 33892 -> 192.168.10.205 port 3389
rdr on ng0 proto tcp from any to YYY.YYY.YYY.YYY port 45684 -> 192.168.10.205 port 80

pass quick on lo0 all
pass quick on vlan0 all
block drop in quick on $ext_if from any to !$ext_addr

pass in on $int_if from $int_net to 192.168.10.1 keep state

pass in quick on $int_if route-to (vlan0 192.168.100.2) inet proto tcp from any to $ext_addr port {19322, 35322, 35323, 250, 995, 993, 251, 996, 994, 80, 443, 33897, 25, 110, 5222, 5223, 5269, 5280} keep state

pass in quick on {$int_if,$ext_if,tun,vlan0} route-to (vlan0 192.168.100.2) inet proto tcp from any to $ext_addr port {43306, 33895, 19322, 35322,35323, 250, 995, 993, 251, 996, 994, 80, 443, 33897, 25, 110, 5222, 5223, 5269, 5280, 143, 21} keep state

pass in quick on $ext_if route-to (vlan0 192.168.100.2) inet proto {udp,tcp}  from any to any port 53 keep state

pass in quick on vlan0 route-to (vlan0 192.168.100.2) inet proto tcp from any to $ext_addr port {6666,8081,25,80,21} keep state

pass out on $ext_if proto tcp from any to any port 22 keep state queue ext_high
pass out on $ext_if proto tcp all keep state flags S/SA queue (ext_low, ext_high)
pass in on $ext_if proto tcp from any to $ext_addr keep state queue ext_low

pass out on $int_if inet

pass in on $int_if route-to (ng0 YYY.YYY.YYY.XXX) from { 192.168.100.20} to !192.168.0.0/16
pass in on $ext_if reply-to ($ext_if YYY.YYY.YYY.YYY) proto tcp tagged TRAF_FTP flags S/SA keep state
pass out on $ext_if proto tcp from $ext_addr to any flags S/SA user proxy keep state
pass in on $ext_if proto tcp from any to $ext_addr flags S/SA user proxy keep state
pass out on vlan0 proto tcp from 192.168.100.1 to any flags S/SA user proxy keep state
pass in on vlan0 proto tcp from any to 192.168.100.1 flags S/SA user proxy keep state

Код: Выделить всё

[root@gate /]# cat /usr/local/etc/mpd5/mpd.conf
startup:
        # configure mpd users
        set user admin pass admin

        # configure the console
        set console self 127.0.0.1 5005
        set console open

        # configure the web server
        set web self 0.0.0.0 5006
        set web open

default:
        load pptp_server
        load anitex
        load pptp_bai_client


anitex:
        create bundle static anitex
#        set iface route default
#        set iface up-script "/usr/local/etc/mpd5/mpd.script"
#        set iface down-script "/usr/local/etc/mpd5/mpd.script"
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
#        set iface enable tcpmssfix

        create link static L1_anitex pppoe
        set link action bundle anitex
        set auth authname user
        set auth password pass
        set link max-redial 0
        set link mtu 1460
        set link keep-alive 10 60
        set pppoe iface vr0
        set pppoe service ""
        open

pptp_server:
#
# Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
#
# Suppose you have a private Office LAN numbered 192.168.1.0/24 and the
# machine running mpd is at 192.168.1.1, and also has an externally visible
# IP address of 1.2.3.4.
#
# We want to allow a client to connect to 1.2.3.4 from out on the Internet
# via PPTP.  We will assign that client the address 192.168.1.50 and proxy-ARP
# for that address, so the virtual PPP link will be numbered 192.168.1.1 local
# and 192.168.1.50 remote.  From the client machine's perspective, it will
# appear as if it is actually on the 192.168.1.0/24 network, even though in
# reality it is somewhere far away out on the Internet.
#
# Our DNS server is at 192.168.1.3 and our NBNS (WINS server) is at 192.168.1.4.
# If you don't have an NBNS server, leave that line out.
#

# Define dynamic IP address pool.
        set ippool add pool1 192.168.11.10 192.168.11.254

# Create clonable bundle template named B
        create bundle template B
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
        set ipcp ranges 192.168.11.1/32 ippool pool1
        set ipcp dns 192.168.100.10
        set ipcp nbns 192.168.100.13
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless

# Create clonable link template named L
        create link template L pptp
# Set bundle template to use
        set link action bundle B
# Multilink adds some overhead, but gives full 1500 MTU.
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
# We can use use RADIUS authentication/accounting by including
# another config section with label 'radius'.
        load radius
        set link keep-alive 10 60
# We reducing link mtu to avoid GRE packet fragmentation.
        set link mtu 1460
# Configure PPTP
        set pptp self 0.0.0.0
# Allow to accept calls
        set link enable incoming

radius:
# You can use radius.conf(5), its useful, because you can share the
# same config with userland-ppp and other apps.
        set radius config /etc/radius.conf
# or specify the server directly here
        set radius server ldap.dmz gatepwd 1812 1813
        set radius retries 3
        set radius timeout 3
# send the given IP in the RAD_NAS_IP_ADDRESS attribute to the server.
        set radius me 192.168.10.1
# send accounting updates every 5 minutes
        set auth acct-update 300
# enable RADIUS, and fallback to mpd.secret, if RADIUS auth failed
        set auth enable radius-auth
# enable RADIUS accounting
        set auth enable radius-acct
# protect our requests with the message-authenticator
        set radius enable message-authentic


pptp_bai_client:

        create bundle static bai
#       set iface route default
        set iface route 10.1.1.0/24
        set iface enable proxy-arp tcpmssfix
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        set bundle yes compression
        set bundle no encryption
        set ccp yes mppc
        set mppc yes compress e40 e56 e128 stateless

        create link static L2_bai pptp
    set link accept chap
    set link accept chap-msv2
    set link yes multilink
    set link yes magicnum check-magic shortseq acfcomp protocomp
    set bundle yes compression
    set bundle no encryption
    set ccp yes mppc
    set mppc yes compress e40 e56 e128 stateless
        set link no eap
        set link action bundle bai
        set auth authname "user"
        set auth password "pass"
        set pptp peer mega-vpn.server
        set link max-redial 0
        set link mtu 1460

        set link keep-alive 60 180
        set pptp disable windowing
        set pptp enable always-ack
        set pptp enable delayed-ack
        open

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[hroft]

А IP клиентам разные выдает ?

[SniZ]

вроде ж как да....

Код: Выделить всё

set ippool add pool1 192.168.11.10 192.168.11.254

[hroft]

а реально на клиенте отслеживали ?

[SniZ]

угу. разные даёт адреса....

[SniZ]

только что проверил, убедился что работает из локалки...
тупо подключался к внутреннему адресу сервера. с разных машин. работает...
а вот если через инет - то фиг...
подключение у сервера и клиентов - прямое.

Код: Выделить всё

ng2: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 576
        inet 192.168.11.1 --> 192.168.11.10 netmask 0xffffffff
ng3: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> mtu 576
        inet 192.168.11.1 --> 192.168.11.11 netmask 0xffffffff

Код: Выделить всё

[root@gate /]# tcpdump -n -i ng2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng2, link-type NULL (BSD loopback), capture size 96 bytes
16:10:11.678798 IP 192.168.11.10 > 192.168.11.1: ICMP echo request, id 1, seq 395, length 40
16:10:11.678814 IP 192.168.11.1 > 192.168.11.10: ICMP echo reply, id 1, seq 395, length 40
16:10:12.678858 IP 192.168.11.10 > 192.168.11.1: ICMP echo request, id 1, seq 396, length 40
16:10:12.678873 IP 192.168.11.1 > 192.168.11.10: ICMP echo reply, id 1, seq 396, length 40

[root@gate /]# tcpdump -n -i ng3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng3, link-type NULL (BSD loopback), capture size 96 bytes
16:10:39.622025 IP 192.168.11.11 > 192.168.11.1: ICMP echo request, id 768, seq 51456, length 40
16:10:39.622041 IP 192.168.11.1 > 192.168.11.11: ICMP echo reply, id 768, seq 51456, length 40
16:10:40.622029 IP 192.168.11.11 > 192.168.11.1: ICMP echo request, id 768, seq 51712, length 40
16:10:40.622047 IP 192.168.11.1 > 192.168.11.11: ICMP echo reply, id 768, seq 51712, length 40

[schizoid]

у вас gre внутри gre
можно только 1 gre внутри другого.

[SniZ]

у вас gre внутри gre
можно только 1 gre внутри другого.

хм, где у меня gre внутри gre?

модем в режиме бриджа. прямой инет собсно..