URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID10
Thread number: 5167

Original message
"Problems with OpenVPN"

Posted by yarik1986, 10-Jul-13 14:46
The question is this: there is a config (see below). There are three offices, they are linked to each other, and there is even ping between the networks as far as the gateways. But the subnet behind the gateway is not visible (the ping goes to the local network). What has been missed?
############
#  Macros  #
############
ext_if="re0"
int_if="re1"
vpn_if="tun0"

localnet = "192.168.5.0/24"

icmp_types = "{ echoreq, unreach, redir, timex }"
SSHport="*****"

############
#  Tables  #
############
table <VIPusers> persist file "/root/VIPusers.conf"

#############
#  Options  #
#############
set timeout udp.first           120
set timeout udp.single          60
set timeout udp.multiple        120
#
#set loginterface none
#set loginterface $ext_if
set block-policy drop
set skip on lo

set skip on tun
#set skip on $int_if

##########################
#     Normalization:     #
#  reassemble fragments  #
#  and resolve/reduce    #
#  traffic ambiguities.  #
##########################
scrub in all

#############
#  Queuing  #
#############

#################
#  Translation  #
#################
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"

no nat on $ext_if proto gre all
no nat on $ext_if proto tcp from any to any port = pptp
no nat on $ext_if proto tcp from any port = pptp to any
nat on $ext_if from !($ext_if) -> ($ext_if:0)

rdr pass on $ext_if inet proto tcp to ($ext_if:0) port { imap, pop3, smtp } -> 192.168.5.15
#rdr pass on $ext_if inet proto tcp from ***.***.***.*** to ($ext_if:0) port rdp -> 192.168.5.5 port rdp
rdr pass on $ext_if inet proto tcp from ***.***.***.*** to ($ext_if:0) port rdp -> 192.168.5.24 port rdp
rdr pass on $ext_if inet proto tcp to ($ext_if:0) port { 4899 } -> 192.168.5.3

#rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port rdp -> 192.168.5.5 port rdp

rdr pass on $ext_if proto tcp to any port 1723 -> 192.168.5.3 port 1723
rdr pass on $ext_if proto gre -> 192.168.5.3

no rdr on $int_if from <VIPusers> to any
rdr pass on $int_if inet proto tcp from !($int_if) to any port www -> ($int_if:0) port 3129

###############
#  Filtering  #
###############
#anchor "ftp-proxy/*"


block in all
block out all


pass quick on $ext_if inet proto tcp from any to any port 1723
pass quick on $ext_if inet proto tcp from any port 1723 to any
pass quick on $ext_if inet proto gre from any to any


#############
#out traffic#
#############

pass in on $int_if proto tcp from 192.168.5.24 to any
pass in on $int_if proto {tcp,udp} from 192.168.5.17 to any port 53
pass in on $int_if proto {tcp,udp} from 192.168.5.3 to any port 53
pass in on $int_if proto tcp from $localnet to any port 443
pass in on $int_if proto tcp from $localnet to any port 5938
pass in on $int_if proto tcp from $localnet to any port 5190
pass in on $int_if proto tcp from 192.168.5.15 to any port 25


############
#in traffic#
############

#pass in on $ext_if proto tcp from any to 192.168.5.15 port 25 flags S/SA synproxy state

#############

pass out on $ext_if proto tcp from any to any
pass out on $ext_if proto udp from any to any keep state
pass out on $int_if proto tcp from any to any
pass out on $int_if proto udp from any to any keep state


#pass in on $int_if

#pass out inet

#
# Incoming Internet traffic
#

# ICMP
pass in on $ext_if inet proto icmp to ($ext_if:0) icmp-type $icmp_types

# VPN
pass in quick on $ext_if proto udp to ($ext_if:0) port openvpn

# SSH
pass in on $ext_if proto tcp to ($ext_if:0) port $SSHport

anchor "openvpn"


Contents

Messages in this discussion
"Problems with OpenVPN"
Posted by reader, 10-Jul-13 15:17
tcpdump on the internal interface while trying to ping the subnet behind the gateway
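Before reaching for tcpdump, it is worth checking the three things that must hold on a gateway for a subnet behind an OpenVPN peer to be reachable: IP forwarding is on, the kernel has a route for the remote subnet pointing into the tunnel (on the OpenVPN server that is the `route` directive plus an `iroute` in the peer's client-config-dir file), and the packet filter lets the packets cross the LAN interface in both directions. The posted pf.conf skips filtering on `tun` entirely, but its `pass in on $int_if` and `pass out on $int_if` rules cover only tcp and udp, so ICMP echo between a LAN host and the tunnel has to get through `block in all` / `block out all` on re1. The helper below is an added example written for this thread, not code from the original post or from OpenVPN or pf. It runs each check as a function over captured text so it can be tried on the constructed samples first; the samples mirror the posted config with the macros expanded the way `pfctl -sr` prints them. The remote office subnet 192.168.6.0/24, the tunnel network 10.8.0.0/24, the external address 203.0.113.10 and the interface names re0/re1/tun0 are assumptions (the thread names only 192.168.5.0/24, re0, re1 and tun0).

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Checks, on this gateway, the
# three conditions a host behind an OpenVPN peer needs: forwarding on, a kernel
# route into the tunnel, and pf pass rules for the protocol on the LAN side.
# Each check takes text (netstat -rn, pfctl -sr, sysctl output) so it can be
# run on captured output; --live feeds it the real commands.

# Interface match: exact name, or a pf interface group ("tun" matches "tun0").
AWK_IFMATCH='function ifmatch(a, b) {
    return a == b || (index(b, a) == 1 && substr(b, length(a) + 1) ~ /^[0-9]+$/)
}'

# forwarding_on SYSCTL_TEXT: 0 if net.inet.ip.forwarding is 1 ("key: v" or "key=v").
forwarding_on() {
    printf '%s\n' "$1" | awk -F '[:=] *' \
        '$1 == "net.inet.ip.forwarding" { v = $2 } END { exit v == 1 ? 0 : 1 }'
}

# route_via_tun ROUTES NET IFC: 0 if NET appears in the routing table with IFC
# as its interface (NET exactly as netstat prints it, e.g. 192.168.6.0/24).
route_via_tun() {
    printf '%s\n' "$1" | awk -v net="$2" -v ifc="$3" '
        $1 == net { for (k = 2; k <= NF; k++) if ($k == ifc) hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# pf_passes RULES DIR IFC PROTO: 0 if some "pass" rule (or "set skip") could
# pass PROTO in direction DIR on IFC. Feed it pfctl -sr output so macros are
# expanded. It only proves a candidate rule exists; a later matching block
# rule without "quick" would still win, so read the ruleset if this passes.
pf_passes() {
    printf '%s\n' "$1" | awk -v dir="$2" -v ifc="$3" -v proto="$4" "$AWK_IFMATCH"'
        $1 == "set" && $2 == "skip" { for (k = 4; k <= NF; k++) if (ifmatch($k, ifc)) hit = 1 }
        $1 == "pass" {
            d = ($2 == "in" || $2 == "out") ? $2 : "any"   # no direction = both
            i = "any"; p = "any"                            # no "on"/"proto" = all
            for (k = 2; k <= NF; k++) {
                if ($k == "on") i = $(k + 1)
                if ($k == "proto") {                        # "tcp", "{tcp,udp}" or "{ tcp, udp }"
                    p = $(k + 1); j = k + 1
                    while (p ~ /^\{/ && p !~ /\}/ && j < NF) { j++; p = p " " $j }
                    gsub(/[{},]/, " ", p)
                }
            }
            if ((d == "any" || d == dir) && (i == "any" || ifmatch(i, ifc)) &&
                (p == "any" || index(" " p " ", " " proto " ")))
                hit = 1
        }
        END { exit hit ? 0 : 1 }'
}

# diagnose ROUTES PFRULES SYSCTL NET TUN LAN: one line per check, returns the
# number of failed checks (0 means the path looks open on this gateway).
diagnose() {
    fails=0
    forwarding_on "$3" && echo "ok   net.inet.ip.forwarding=1" \
        || { echo "FAIL net.inet.ip.forwarding is off"; fails=$((fails + 1)); }
    route_via_tun "$1" "$4" "$5" && echo "ok   $4 routed via $5" \
        || { echo "FAIL no route for $4 via $5 (OpenVPN route/iroute missing?)"; fails=$((fails + 1)); }
    for d in in out; do
        pf_passes "$2" "$d" "$6" icmp && echo "ok   pf passes icmp $d on $6" \
            || { echo "FAIL no pf rule passes icmp $d on $6"; fails=$((fails + 1)); }
    done
    return $fails
}

# Constructed samples (assumed addresses; rules modelled on the posted pf.conf).
ROUTES_SAMPLE='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         re0
10.8.0.0/24        10.8.0.2           UGS        tun0
192.168.5.0/24     link#2             U           re1
192.168.6.0/24     10.8.0.2           UGS        tun0'
PF_SAMPLE='set skip on tun0
block drop in all
block drop out all
pass in on re1 proto tcp from 192.168.5.24 to any flags S/SA keep state
pass in on re1 proto {tcp,udp} from 192.168.5.3 to any port = 53 keep state
pass out on re1 proto tcp all flags S/SA keep state
pass out on re1 proto udp all keep state
pass in on re0 inet proto icmp from any to 203.0.113.10 icmp-type echoreq'
SYSCTL_SAMPLE='net.inet.ip.forwarding: 1'

if [ "${1:-}" = "--live" ]; then
    # Usage: --live REMOTE_NET [TUN_IF] [LAN_IF]; needs root for pfctl.
    diagnose "$(netstat -rn)" "$(pfctl -sr)" "$(sysctl net.inet.ip.forwarding)" \
        "${2:?remote subnet, e.g. 192.168.6.0/24}" "${3:-tun0}" "${4:-re1}"
elif diagnose "$ROUTES_SAMPLE" "$PF_SAMPLE" "$SYSCTL_SAMPLE" 192.168.6.0/24 tun0 re1; then
    echo "all checks passed"
else
    echo "failed checks: $?"
fi
```

On the constructed sample the forwarding and route checks pass and both ICMP checks fail, which is exactly what the posted rules would do to a ping crossing re1. If the route check fails, the OpenVPN side needs a `route` for the remote subnet on this gateway and an `iroute` for it in the server's client-config-dir file for that peer; if the pf check fails, a `pass in on $int_if inet proto icmp` / `pass out on $int_if inet proto icmp` pair (or the specific `icmp-type`) is missing. The script only looks at this gateway; the peer needs the mirror checks for 192.168.5.0/24, and the LAN hosts need to send remote traffic to this gateway in the first place. With the checks clean, `tcpdump -ni re1 icmp` and `tcpdump -ni tun0 icmp` while pinging show which hop the packet or its reply never reaches.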