From: Hubert Quarantel-Colombani on
Hi,

I'm slowly but surely getting mad at this one, so any help or clue
would be appreciable for my mental health ! ;-)


I have a Sun Ultra 2 workstation running Solaris 10
(Generic_118833-24) with 2 FastEthernet NICs, hme0 and hme1.

My goal is to make that Ultra2 a firewall/router for my ADSL connection:
- hme0 is directly connected to the ADSL modem,
- hme1 is connected to the LAN switch
- sppptun/pppoec/pppd work all just fine and the ADSL link gets up
both in IPv4 and IPv6, the Ultra2 gets a public IPv4 address and a
link-local IPv6 one,
- IP forwarding is enabled (routeadm says so) for both protocols,
- as long as my IPv6 global prefix is a 48bit, I do not need any
NAT, and the LAN workstations are eventually able to gain access to the
IPv6 world, with
- as long as I only have 1 public IPv4 address I started to set up
NAT using ipnat, my /etc/ipf/ipnat.conf looks like:
map sppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
map sppp0 192.168.0.0/16 -> 0.0.0.0/32

- for testing purposes my /etc/ipf/ipf.conf looks like:
pass in quick on hme0 log all
pass out quick on hme0 log all
pass in quick on hme1 log all
pass out quick on hme1 log all
pass in quick on sppp0 log all
pass out quick on sppp0 log all
- both hme and sppp are uncommented in /etc/ipf/pfil.ap
- all IP Filter related services are online (svcs says so)

But when a computer in the LAN tries to send packets over the
Internet nothing is natted (ipnat -lhrs says there are no active sessions,
nothing mapped in and nothing mapped out) and of course nothing comes
back...

I snooped sppp0, and I can see the ICMP/UDP/TCP packets from the
LAN computer going out (with their original 192.168.0.0/16 IPv4
addresses)...

As I first thought I was going completely wrong, I added a test line
to ipnat.conf:
map hme1 0.0.0.0/0 -> 0/32
And then I could see (ipnat -lrhs) that IP Filter did eventually
map the hme1 private IPv4 address to itself (192.168.128.15 <- ->
192.168.128.15).
So I deemed I was not as wrong as I first thought...

But nevertheless I'm still far from achieving my goal !

ndd /dev/pfil qif_status doesn't show any line for sppp0, even
though sppp is present and not commented in /etc/ipf/pfil.ap
I tried ipf -y, autopush -f /etc/ipf.pfil.ap, unplumb and re-plumb
the hme0 (the one that's connected to the ADSL modem), stopped and
restarted pppd/pppoec, svcadm restart pfil
But no change, IPF just ignores my sppp0 interface...


Any hint ? What is it that I forgot ?

Hubert.
From: Rodrick R. Brown on
"Hubert Quarantel-Colombani" <l-u-r-e-n-z-u(a)w-h-a-l-e---q-u-e-e-n-s.org>
wrote in message news:elhl55$11rq$1(a)biggoron.nerim.net...
> [...]

Are you 100% positive it's not natting at all and not just a DNS issue? Try
using ipnat -l

Have you checked all the needed devices are commented in /etc/ipf/pfil.ap

Also make sure ipf is running svcadm -r enable ipfilter

--
Rodrick R. Brown


From: Hubert Quarantel-Colombani on
Rodrick R. Brown wrote:
> "Hubert Quarantel-Colombani" <l-u-r-e-n-z-u(a)w-h-a-l-e---q-u-e-e-n-s.org>
> wrote in message news:elhl55$11rq$1(a)biggoron.nerim.net...
>>
>> [...]
>
> Are you 100% positive it's not natting at all and not just a DNS issue? Try
> using ipnat -l
>

I'm pretty sure it's not natting anything:

- "ipnat -lhrs" says there are no active sessions at all
- "snoop -d sppp0 -r" shows my RFC1918 private IP source addresses
- I'm first trying to reach hosts (mainly ping, but SSH too) using their
IP addresses, and of course I can reach them from the Solaris host but
not from any host on my private LAN

> Have you checked all the needed devices are commented in /etc/ipf/pfil.ap

commented ? I thought they were supposed not to be commented for IPF to
take them into consideration ! Anyway, here's my /etc/ipf/pfil.ap:

# IP Filter pfil autopush setup
#
# See autopush(1M) manpage for more information.
#
# Format of the entries in this file is:
#
#major minor lastminor modules

#le -1 0 pfil
#qe -1 0 pfil
hme -1 0 pfil
#qfe -1 0 pfil
#eri -1 0 pfil
#ce -1 0 pfil
#bge -1 0 pfil
#be -1 0 pfil
#vge -1 0 pfil
#ge -1 0 pfil
#nf -1 0 pfil
#fa -1 0 pfil
#ci -1 0 pfil
#el -1 0 pfil
#ipdptp -1 0 pfil
#lane -1 0 pfil
#dmfe -1 0 pfil
sppp -1 0 pfil


> Also make sure ipf is running svcadm -r enable ipfilter

svcs says that both ipfilter and pfil are online


Hubert.
From: Hubert Quarantel-Colombani on
Yessssssssssssss !!

I finally got it !

I had forgotten to add "plink" option to my /etc/ppp/options !!!

Now, ndd /dev/pfil qif_status shows lines for the sppp0 interface and
ipnat -lrhs shows active sessions for hosts on my private LAN. And they
eventually can reach the internet !

Hubert.


Hubert Quarantel-Colombani wrote:
> [...]
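A small cross-check, added here as an example (it is not part of Hubert's or Rodrick's posts), that captures the diagnostic this thread converged on: an ipnat.conf map rule only ever sees traffic on an interface that pfil has actually attached, so every interface named in a map rule should also show up in "ndd /dev/pfil qif_status". Having the driver uncommented in /etc/ipf/pfil.ap is necessary but not sufficient, which is exactly the sppp0 case above. It is POSIX sh plus awk; all three inputs are constructed samples modelled on the thread, and the qif_status sample assumes only that the interface name is the first field of every line after a header line (an assumption about the real output's layout, not a quote of it). On a real Solaris 10 host you would pass in the real file contents and the captured ndd output instead.

```shell
#!/bin/sh
# Added example: cross-check ipnat.conf interfaces against what pfil has attached.
# All inputs below are constructed samples, not captured from a real host.

# Constructed sample of /etc/ipf/ipnat.conf (the rules from the thread).
SAMPLE_IPNAT='map sppp0 192.168.0.0/16 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map sppp0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
map sppp0 192.168.0.0/16 -> 0.0.0.0/32
map hme1 0.0.0.0/0 -> 0/32'

# Constructed sample of /etc/ipf/pfil.ap with hme and sppp enabled.
SAMPLE_PFIL_AP='#major minor lastminor modules
#le -1 0 pfil
hme -1 0 pfil
#qfe -1 0 pfil
sppp -1 0 pfil'

# Constructed sample standing in for "ndd /dev/pfil qif_status" output in the
# broken state (only the hme instances attached). Assumption: the interface
# name is the first field of each line after the header; the other columns
# are placeholders, not real values.
SAMPLE_QIF_STATUS='ifname ill q
hme0 0x1 0x2
hme1 0x3 0x4'

# Interfaces referenced by NAT rules (map/rdr/bimap), one per line, de-duplicated.
nat_interfaces() {
    printf '%s\n' "$1" | awk '$1 == "map" || $1 == "rdr" || $1 == "bimap" { print $2 }' | sort -u
}

# Drivers whose pfil autopush line is not commented out in pfil.ap.
pfil_ap_drivers() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && NF >= 4 && $4 == "pfil" { print $1 }' | sort -u
}

# Interfaces pfil reports as attached: first field of every non-header line.
attached_interfaces() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { print $1 }' | sort -u
}

# Strip the instance number from an interface name: sppp0 -> sppp, hme1 -> hme.
driver_of() {
    printf '%s\n' "$1" | sed 's/[0-9]*$//'
}

# Print one line per NAT interface that pfil has not attached, with the most
# likely reason. Prints nothing when every NAT interface is attached.
check_nat_interfaces() {
    ipnat=$1; pfil_ap=$2; qif=$3
    for ifc in $(nat_interfaces "$ipnat"); do
        if attached_interfaces "$qif" | grep -qx "$ifc"; then
            continue
        fi
        drv=$(driver_of "$ifc")
        if pfil_ap_drivers "$pfil_ap" | grep -qx "$drv"; then
            echo "$ifc: not attached to pfil although driver '$drv' is enabled in pfil.ap"
        else
            echo "$ifc: driver '$drv' is commented out or missing in pfil.ap"
        fi
    done
}

# Stand-alone run against the constructed samples: reports sppp0 as the
# interface whose NAT rules can never match, which is the thread's symptom.
check_nat_interfaces "$SAMPLE_IPNAT" "$SAMPLE_PFIL_AP" "$SAMPLE_QIF_STATUS"
```

The report distinguishes the two failure modes a practitioner meets here: a driver left commented out in pfil.ap (Rodrick's suggestion), versus a driver that is enabled but whose interface was never attached (Hubert's situation, which the thread resolved by adding the plink option to /etc/ppp/options). Once qif_status lists sppp0, the function prints nothing.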