forum.lissyara.su

Код: Выделить всё

ext_if="rl0" - интерфейс сети провадера
wan_if="ng0" - интернет через vpn
int_if="bridge0" - сетевые карты смотрящие в локальную сеть
vmail_if="fxp0" - сетвая для vbox бриджа (dmz)
vpn_if="ng1" - (ВПН сервер)
Extr_if="{ng0 rl0}"

#lan="172.16.5.0/24"
#dmz="172.16.6.0/24"

icmp_types="{echoreq, unreach}"

set block-policy drop
set loginterface $wan_if
set skip on lo0
set optimization conservative

scrub in all
scrub out on $wan_if random-id max-mss 1460

#  NAT
nat on $ext_if proto { tcp udp icmp } from $int_if:network to any -> ($ext_if)
nat on $wan_if proto { tcp udp icmp gre } from $int_if:network to any -> ($wan_if)
rdr pass on $wan_if proto tcp from any to any port 25 -> 172.16.6.7

block all

# Traffic from gateway
pass out on $ext_if from ($ext_if) to any
pass out on $wan_if from ($wan_if) to any
# Traffic from LAN to INET
pass out on $Extr_if from ($int_if) to any
pass out on $Extr_if from ($vmail_if) to any

#-------------------VPN
pass in on $wan_if inet proto tcp from any to any port 1723
pass in on $wan_if inet proto { tcp udp } from any to any port 1701
pass in on $wan_if inet proto gre from any to any

#=================== Sever ports { Web 80 SSH 450 Zimbra SOAP 7071 }
pass in on $wan_if proto tcp from any to ($wan_if) port { 80 450 }
# ICMP
pass log inet proto icmp all icmp-type $icmp_types

pass quick on $int_if
pass quick on $vpn_if
pass quick on $vmail_if

Код: Выделить всё

-route PRINT
    172.16.0.0      255.255.0.0     172.16.5.200     172.16.5.200     21
  172.16.5.200  255.255.255.255         On-link      172.16.5.200    276

Пинг VPN сервера
ping 172.16.5.3
Обмен пакетами с 172.16.5.3 по с 32 байтами данных:
Ответ от 172.16.5.3: число байт=32 время=15мс TTL=64

Пинг машины в локальной сети VPN сервера
ping 172.16.5.1
Обмен пакетами с 172.16.5.1 по с 32 байтами данных:
Превышен интервал ожидания для запроса.

tracert 172.16.5.1
Трассировка маршрута к 172.16.5.1 с максимальным числом прыжков 30

  1    13 ms    14 ms    16 ms  172.16.5.200
  2     *        *        *     Превышен интервал ожидания для запроса.
  3 

Код: Выделить всё

tcpdump -vv -i bridge0
tcpdump: listening on bridge0, link-type EN10MB (Ethernet), capture size 96 bytes
17:11:33.521633 IP (tos 0x0, ttl 127, id 361, offset 0, flags [none], proto ICMP (1), length 60)
    172.16.5.200 > 172.16.5.1: ICMP echo request, id 1, seq 615, length 40
17:11:33.522288 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.5.200 tell 172.16.5.1, length 46
17:11:34.514226 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.5.200 tell 172.16.5.1, length 46
17:11:35.511779 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.5.200 tell 172.16.5.1, length 46
17:11:38.366538 IP (tos 0x0, ttl 127, id 362, offset 0, flags [none], proto ICMP (1), length 60)
    172.16.5.200 > 172.16.5.1: ICMP echo request, id 1, seq 616, length 40
17:11:38.367095 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.5.200 tell 172.16.5.1, length 46
17:11:39.362153 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.5.200 tell 172.16.5.1, length 46
17:11:40.359593 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 172.16.5.200 tell 172.16.5.1, length 46
17:11:43.366298 IP (tos 0x0, ttl 127, id 363, offset 0, flags [none], proto ICMP (1), length 60)
    172.16.5.200 > 172.16.5.1: ICMP echo request, id 1, seq 617, length 40

Код: Выделить всё

netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            xx.21.0.243        UGS         0  4398344    ng0
10.0.0.0/8         10.73.xx.1        UGS         0      672    rl0
10.73.xx.0/21     link#3             U           0        0    rl0 - это все провайдеровское ....
10.73.xx.179      link#3             UHS         0      439    lo0
далее куча неинтересных маршрутов к днс провайдера

127.0.0.1          link#5             UH          0    46738    lo0
172.16.5.0/24      link#1             U           0     9447   msk0
172.16.5.3         link#1             UHS         0       18    lo0
172.16.5.200       link#11            UH          0        2    ng1

Код: Выделить всё

# VPN Interface
vpn_if="tun0"
vpn_network="10.10.200.0/24"
lan_net="{ 10.10.30.0/24 , 192.168.0.0/24 }"
amiga_net="{ 192.168.0.0/24 }"

............................

# VPN Network
# NAT the VPN connections (for access to the remote secure networks)
nat on $ext_if from $vpn_network to any -> $ext_if

nat pass on $int_if from $vpn_network to $lan_net -> 10.10.30.71
nat pass on $int_if from $vpn_network to $amiga_net -> 10.10.30.78

.................................
# VPN connections inbound
pass in on $ext_if proto udp from any to port 2000 keep state
pass in on $vpn_if