Hi!

Recently I switched my internet provider, to get more speed but another braindead setup regarding public ip addresses.

I now have 4 PPTP tunnels available, of which I'm using one as the gateway ip doing masquerading to other machines in my local lan, excluding three other machines, for which I would like to use 1:1 nat to get them direct access to one of the pptp tunnels.

I was able to get all pptp tunnels established and the net pptp tunnel shared with the machines in my localnet successfully.

But for tunnels two to four I'm not able to do 1:1 nat.

What could be a solution?

Kind regards,
Felix.

interfaces:
  loc    eth0  detect  tcpflags
  modem  eth1  detect  dhcp,tcpflags,routefilter,nosmurfs,arp_filter
  net    ppp0  -       tcpflags,routefilter,nosmurfs,arp_filter
  pptp2  ppp1  -       tcpflags,routefilter,nosmurfs,arp_filter
  pptp3  ppp2  -       tcpflags,routefilter,nosmurfs,arp_filter
  pptp4  ppp3  -       tcpflags,routefilter,nosmurfs,arp_filter

zones:
  modem  InodeInternal     PPTP Connector via 10.0.0.0
  loc    Local             Local networks via 192.168.47.0
  net    Tunnel1-Internet  Inode PPTP Tunnel 1
  pptp2  Tunnel2-Internet  Inode PPTP Tunnel 2
  pptp3  Tunnel3-Internet  Inode PPTP Tunnel 3
  pptp4  Tunnel4-Internet  Inode PPTP Tunnel 4

tunnel: (10.0.0.138 is the pptp server)
  pptpclient  modem  10.0.0.138  net,pptp2,pptp3,pptp4

policy:
  fw     fw     ACCEPT
  fw     loc    ACCEPT
  fw     net    ACCEPT
  fw     modem  ACCEPT
  pptp2  net    ACCEPT
  pptp3  net    ACCEPT
  pptp4  net    ACCEPT
  loc    fw     ACCEPT
  loc    net    ACCEPT
  loc    pptp2  ACCEPT
  loc    pptp3  ACCEPT
  loc    pptp4  ACCEPT
  net    all    DROP
  all    all    REJECT  info

masq:
  ppp0  eth0!192.168.47.31,192.168.47.32,192.168.47.33

nat:
  85.124.1.42   ppp1  192.168.47.31  no  no
  85.124.5.46   ppp2  192.168.47.32  no  no
  85.124.3.196  ppp3  192.168.47.33  no  no

network routes:
  Destination   Gateway       Genmask          Flags  Metric  Ref  Use  Iface
  172.25.46.39  0.0.0.0       255.255.255.255  UH     0       0    0    ppp0
  172.25.46.39  0.0.0.0       255.255.255.255  UH     0       0    0    ppp1
  172.25.46.39  0.0.0.0       255.255.255.255  UH     0       0    0    ppp2
  172.25.46.39  0.0.0.0       255.255.255.255  UH     0       0    0    ppp3
  192.168.47.0  0.0.0.0       255.255.255.0    U      0       0    0    eth0
  10.0.0.0      10.10.0.1     255.255.0.0      UG     0       0    0    eth1
  10.10.0.0     0.0.0.0       255.255.0.0      U      0       0    0    eth1
  0.0.0.0       172.25.46.39  0.0.0.0          UG     0       0    0    ppp0

/etc/network/interfaces:
  auto lo eth0 eth1 pptp1 pptp2 pptp3 pptp4

  iface lo inet loopback

  # The local network interface
  iface eth0 inet static
      address 192.168.47.254
      netmask 255.255.255.0

  # The PPTP Server Interface
  iface eth1 inet dhcp
      up /etc/network/ifup-eth1
      down /etc/network/ifdown-eth1
      # This adds and deletes a route to 10.0.0.0
      # where the pptp server is located,
      # because the standard netmask via dhcp is 10.10.0.0

  # The net PPTP Internet Tunnel
  iface ppp0 inet ppp
      provider pptp1

  # Other Tunnels
  iface ppp1 inet ppp
      provider pptp2
      up /etc/network/ifup-ppp ppp2
      # This changed /etc/shorewall nat ip address of tunnel in future

  iface ppp2 inet ppp
      provider pptp3
      up /etc/network/ifup-ppp ppp3
      # This changed /etc/shorewall nat ip address of tunnel in future

  iface ppp3 inet ppp
      provider pptp4
      up /etc/network/ifup-ppp ppp4
      # This changed /etc/shorewall nat ip address of tunnel in future
Felix Erkinger wrote:
> Hi!
>
> Recently I switched my internet provider, to get more speed but another
> braindead setup regarding public ip addresses.
>
> I now have 4 PPTP tunnels available, of which I'm using one as the
> gateway ip doing masquerading to other machines in my local lan,
> excluding three other machines, for which I would like to use 1:1 nat to
> get them direct access to one of the pptp tunnels.
>
> I was able to get all pptp tunnels established and
> the net pptp tunnel shared with the machines in
> my localnet successfully.
>
> But for tunnels two to four I'm not able to do 1:1 nat.
>
> What could be a solution?

A better question is "What is the problem?". You say "I'm not able to do
1:1 nat"; that gives us virtually nothing to go on.

a) Does Shorewall start?
b) What tests are you trying to perform?
c) What results do you see?
d) What log messages (if any) do you see?

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
On Tue, Apr 19, 2005 at 10:03:18AM -0700, Tom Eastep wrote:
> Felix Erkinger wrote:
> > Hi!
> >
> > Recently I switched my internet provider, to get more speed but another
> > braindead setup regarding public ip addresses.
> >
> > I now have 4 PPTP tunnels available, of which I'm using one as the
> > gateway ip doing masquerading to other machines in my local lan,
> > excluding three other machines, for which I would like to use 1:1 nat to
> > get them direct access to one of the pptp tunnels.
> >
> > I was able to get all pptp tunnels established and
> > the net pptp tunnel shared with the machines in
> > my localnet successfully.
> >
> > But for tunnels two to four I'm not able to do 1:1 nat.
> >
> > What could be a solution?
>
> A better question is "What is the problem?". You say "I'm not able to do
> 1:1 nat"; that gives us virtually nothing to go on.
>
> a) Does Shorewall start?
> b) What tests are you trying to perform?
> c) What results do you see?
> d) What log messages (if any) do you see?

I'm sorry,

a) yes, everything (outside access, masq of the other machines) is working
b) trying to reach an outside ip (which is known to answer) with one of the
   internal ip addresses which should be 1:1 natted
c) no answer (packets get lost in the viewpoint of the local machine)
d) to my shame, I was not able to see any reject, dropped or other log message
Felix Erkinger wrote:
> Hi!
> What could be a solution?
>

I took another look at your setup and I see one big problem -- your routing.

> network routes:
> 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
> 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
> 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp2
> 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp3

The above is silly -- the last three routes are basically ignored. Why
are they there (maybe being automatically generated by pppd?)? Is the
peer address on all four tunnels really 172.25.36.39?

> 0.0.0.0 172.25.46.39 0.0.0.0 UG 0 0 0 ppp0

All output traffic is going through ppp0! This can't possibly work for
connections arriving on ppp1-ppp3.

Maybe someone on this list is adept enough at policy routing to help you
-- I'm not sure that I am.

I _think_ what you want is to add three additional routing tables, with
a default route out of ppp1, ppp2 and ppp3 respectively. Then you need
to use the source address (192.168.47.31,32,33) to select the routing
table to use.

The LARTC Howto (www.lartc.org) is a good source of information about
how to do this. If you need additional help, you might be better off
posting on the LARTC list than here.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
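Tom's suggestion above, spelled out as an added example that is not from the thread or from Shorewall: one extra routing table per tunnel with a default route out of its ppp device, and ip rules keyed on the source address to pick the table, using the addresses Felix posted. The table ids 101-103, the rule priorities, the rule that keeps LAN-bound traffic in the main table and the rule keyed on each public address are my assumptions, not anything the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): source-based policy routing for the
# three 1:1 NATted hosts.  One extra routing table per tunnel holds a
# default route out of that ppp device; ip rules keyed on the source
# address select the table.  Table ids 101-103 are chosen here; the
# addresses are the ones Felix posted.  Without an argument the script only
# prints the ip(8) commands (dry run); "apply" runs them (root, ppp devices up).

PEER=172.25.46.39      # pppd peer address, identical on all four tunnels
LAN=192.168.47.0/24    # directly attached local net, keeps using the main table

# table-id  zone   ppp-dev  internal-host  public-ip   (rows of the nat file)
MAP='
101 pptp2 ppp1 192.168.47.31 85.124.1.42
102 pptp3 ppp2 192.168.47.32 85.124.5.46
103 pptp4 ppp3 192.168.47.33 85.124.3.196
'

# pbr_commands ID ZONE DEV HOST PUB -> prints the ip(8) commands for one tunnel
pbr_commands() {
    id=$1 zone=$2 dev=$3 host=$4 pub=$5
    echo "# $zone: $host ($pub) -> $dev"
    # The table needs only a default route; the peer is the same on every ppp.
    echo "ip route replace default via $PEER dev $dev table $id"
    # Rules are evaluated before SNAT, so key on the host's internal address.
    echo "ip rule add from $host lookup $id priority $id"
    # Packets already carrying the public address (the firewall's own traffic;
    # also what a strict reverse-path check looks up) resolve to the same tunnel.
    echo "ip rule add from $pub lookup $id priority $id"
}

# all_commands -> the complete command list, LAN exception first
all_commands() {
    # LAN-bound packets from the NATted hosts must not match the 'from' rules,
    # or they would be sent out a ppp device; priority 100 wins over 101-103.
    echo "ip rule add to $LAN lookup main priority 100"
    echo "$MAP" | while read -r id zone dev host pub; do
        [ -n "$id" ] || continue
        pbr_commands "$id" "$zone" "$dev" "$host" "$pub"
    done
    echo "ip route flush cache"
}

if [ "${1:-}" = "apply" ]; then
    all_commands | sh -e
else
    all_commands
fi
```

Run it once without arguments and read the generated commands before using "apply"; `ip rule` and `ip route show table 101` afterwards confirm what the kernel actually holds.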
On Tue, Apr 19, 2005 at 10:19:20AM -0700, Tom Eastep wrote:
>
> I took another look at your setup and I see one big problem -- your routing.
>
> > network routes:
> > 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
> > 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
> > 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp2
> > 172.25.46.39 0.0.0.0 255.255.255.255 UH 0 0 0 ppp3
>
> The above is silly -- the last three routes are basically ignored. Why
> are they there (maybe being automatically generated by pppd?)? Is the
> peer address on all four tunnels really 172.25.36.39?
>

Yes, the peer address on all four tunnels is 172.25.46.39, and the routes
are auto generated by pppd ...

> > 0.0.0.0 172.25.46.39 0.0.0.0 UG 0 0 0 ppp0
>
> All output traffic is going through ppp0! This can't possibly work for
> connections arriving on ppp1-ppp3.
>
> Maybe someone on this list is adept enough at policy routing to help you
> -- I'm not sure that I am.
>
> I _think_ what you want is to add three additional routing tables, with
> a default route out of ppp1, ppp2 and ppp3 respectively. Then you need
> to use the source address (192.168.47.31,32,33) to select the routing
> table to use.

Hmm, I will try this one.

> The LARTC Howto (www.lartc.org) is a good source of information about
> how to do this. If you need additional help, you might be better off
> posting on the LARTC list than here.

Thank you for your help, after trying adding more default routes, I will dig
through lartc.org to find an answer there.

Many thanks for your fast answer,
Felix
Felix wrote on 19/04/2005 14:31:12:
> On Tue, Apr 19, 2005 at 10:19:20AM -0700, Tom Eastep wrote:
> >
[...]
> Yes, the peer address on all four tunnels is 172.25.46.39,
> and the routes are auto generated by pppd ...

IIRC, there's a way to control which routes pppd generates once a pppoe
connection is established.

[...]

> Hmm, I will try this one.
>
> Thank you for your help, after trying adding more default routes, I
> will dig through lartc.org to find an answer there.

No, No, No. dig lartc.org first. Your answer is there. There's no sense in
trying to add more default routes if you don't understand how routing is
really done in Linux.

regards,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606