I am using a Snapgear FreeS/WAN VPN router to connect to my company's
network, which is behind a Sonicwall Pro firewall. We have a Windows 2000
Active Directory based domain.

It seems that something is wrong with my FreeS/WAN firewall, as if it is
blocking certain packets or something, because I can't seem to log onto the
domain at the startup of my Win2K Pro machine at home and I can't fileshare.
I can ping the internal private network just fine, but I can't authenticate my
user to fileshare because of some sort of communication problem between me
and the PDC, which is located at a colo facility. It is pretty strange.

Can you tell me how to open every port of my firewall up to IPs within the
192.168.200.* subnet, which is the colo subnet? My home network is the
192.168.111.* subnet. I'm attaching the config file from my Snapgear with
hopes that it will help you.

I can fileshare to the machines behind my Snapgear from behind the
Sonicwall, but not vice versa, even though I can ping the IP of the PDC and
other machines in the WAN just fine. Whenever I try to fileshare to those
machines, I get the message "There are currently no logon servers available
to service the logon request," which seems to be related to the Active
Directory authentication problem that results in my computer hanging for a
long time when trying to log on to the domain from behind the Snapgear. I
know it isn't an issue with this machine because I've duplicated the
scenario with other machines that can log onto the domain just fine when
they are behind the Sonicwall or using some other VPN client software.

Any help would be much appreciated. Thanks in advance!
----------------------------------------------------------------------
FILE:/etc/config/config
ipfwrules_override 0
ipfwrules_type 3
passwd .K2ua0T/aTpAv
wizard 0
dnsmasq 1
gw 168.***.***.1
dhcpcd 0
snmeth0 255.255.255.0
ipeth0 192.168.111.1
masqeth1 1
snmeth1 255.255.255.0
ipeth1 168.***.***.135
web0 0
tel0 0
web1 1
tel1 1
web2 0
tel2 0
icmp_protounreach 1
icmp_echo 1
web_admin_port 80
sroute_addr_1 168.***.***.132
sroute_type_1 0
sroute_nm_1 255.255.255.0
sroute_gw_1 168.***.***.135
sroute_met_1 NONE
sroute_if_1 NONE
ipsec 1
dhcpd 1
ipsec_nat_GroupVPN none
ipsec_nat_Sonicwall_to_SnapGear_RW none
ipsec_nat_snap_at_gear none
ipsec_nat_GroupVPN-Warehouse none
sroute_addr_2 168.***.***.134
sroute_type_2 0
sroute_nm_2 255.255.255.0
sroute_gw_2 168.***.***.135
sroute_met_2 NONE
sroute_if_2 NONE
sroute 2
sec_global 1
sec_dialin 1
sec_machines 0
ipsec_nat_Snapgear_to_Colo none
FILE:/etc/config/inittab
dns:unknown:/bin/dnsmasq
boa:unknown:/bin/boa -p 80
dhsd:unknown:/bin/dhcpd eth0
idb:unknown:/bin/idb
FILE:/etc/config/dhcpcd-change
#!/bin/sh
/bin/firewall
FILE:/etc/config/ip-up
#!/bin/sh
/bin/firewall
FILE:/etc/config/options
FILE:/etc/config/start
ifconfig lo 127.0.0.1
route add -net 127.0.0.0 netmask 255.0.0.0 lo
ifconfig eth0 192.168.111.1 netmask 255.255.255.0 broadcast 192.168.111.255
ifconfig eth1 168.***.***.135 netmask 255.255.255.0 broadcast 168.***.***.255
route add default gw 168.***.***.1
FILE:/etc/config/idb.conf
TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,640,700,31337,32770,32771,32772,32773,32774,54321"
IGNORE_FILE="/etc/config/idb.ignore"
HISTORY_FILE="/var/log/idb.history"
BLOCK_UDP="0"
BLOCK_TCP="0"
CHECK_UDP="1"
CHECK_TCP="1"
KILL_ROUTE="/bin/iptables -I INPUT -s %s -j DROP"
SCAN_TRIGGER="0"
FILE:/etc/config/idb.ignore
0.0.0.0
127.0.0.1
FILE:/etc/config/resolv.conf
nameserver 168.150.253.1
FILE:/etc/config/dhcpcd-eth0.info
IPADDR=192.168.150.116
NETMASK=255.255.255.0
NETWORK=192.168.150.0
BROADCAST=192.168.150.255
GATEWAY=192.168.150.1
DNS=168.150.253.1,168.150.253.2
DHCPSID=192.168.150.1
DHCPGIADDR=0.0.0.0
DHCPSIADDR=192.168.150.1
DHCPCHADDR=00:D0:CF:00:58:94
DHCPSHADDR=00:04:5A:5F:F4:FE
DHCPSNAME=
LEASETIME=86400
RENEWALTIME=15000000
REBINDTIME=26250000
FILE:/etc/config/resolv.user
nameserver 168.150.253.1
FILE:/etc/config/options.cua0
ms-dns 168.150.253.1
FILE:/etc/config/options.cua1
ms-dns 168.150.253.1
FILE:/etc/config/dhcpd.leases~
# All times in this file are in UTC (GMT), not your local timezone. This is
# not a bug, so please don't ask about it. There is no portable way to
# store leases in the local timezone, so please don't request this as a
# feature. If this is inconvenient or confusing to you, we sincerely
# apologize. Seriously, though - don't ask.
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.111.100 {
starts 0 1999/12/12 16:42:11;
ends 1 1999/12/13 16:42:11;
hardware ethernet 00:a0:cc:a1:29:2b;
uid 01:00:a0:cc:a1:29:2b;
client-hostname "bigblue";
}
lease 192.168.111.102 {
starts 0 1999/12/12 04:16:48;
ends 1 1999/12/13 04:16:48;
hardware ethernet 00:01:03:8c:c9:70;
uid 01:00:01:03:8c:c9:70;
client-hostname "ARMSTRONG";
}
lease 192.168.111.101 {
starts 6 1999/12/11 01:50:50;
ends 0 1999/12/12 01:50:50;
hardware ethernet 00:30:65:cc:47:e0;
uid 01:00:30:65:cc:47:e0;
}
lease 192.168.111.100 {
starts 1 1999/12/13 04:42:10;
ends 2 1999/12/14 04:42:10;
hardware ethernet 00:a0:cc:a1:29:2b;
uid 01:00:a0:cc:a1:29:2b;
client-hostname "bigblue";
}
FILE:/etc/config/dhcpd.leases
# All times in this file are in UTC (GMT), not your local timezone. This is
# not a bug, so please don't ask about it. There is no portable way to
# store leases in the local timezone, so please don't request this as a
# feature. If this is inconvenient or confusing to you, we sincerely
# apologize. Seriously, though - don't ask.
# The format of this file is documented in the dhcpd.leases(5) manual page.
lease 192.168.111.100 {
starts 1 1999/12/13 04:42:10;
ends 2 1999/12/14 04:42:10;
hardware ethernet 00:a0:cc:a1:29:2b;
uid 01:00:a0:cc:a1:29:2b;
client-hostname "bigblue";
}
lease 192.168.111.102 {
starts 0 1999/12/12 04:16:48;
ends 1 1999/12/13 04:16:48;
hardware ethernet 00:01:03:8c:c9:70;
uid 01:00:01:03:8c:c9:70;
client-hostname "ARMSTRONG";
}
lease 192.168.111.101 {
starts 6 1999/12/11 01:50:50;
ends 0 1999/12/12 01:50:50;
hardware ethernet 00:30:65:cc:47:e0;
uid 01:00:30:65:cc:47:e0;
}
FILE:/etc/config/dhcpd.conf
subnet 192.168.111.0 netmask 255.255.255.0 {
range 192.168.111.100 192.168.111.200;
default-lease-time 86400;
max-lease-time 172800;
option broadcast-address 192.168.111.255;
option routers 192.168.111.1;
option subnet-mask 255.255.255.0;
}
FILE:/etc/config/ipsec.conf
config setup
interfaces = %defaultroute
klipsdebug = none
plutodebug = none
plutoload = %search
plutostart = %search
conn GroupVPN-Warehouse
type = tunnel
left = %defaultroute
leftsubnet = 192.168.111.0/255.255.255.0
leftnexthop =
right = 66.***.*.243
rightsubnet = 192.168.100.0/255.255.255.0
rightnexthop =
keyexchange = ike
auth = esp
authby = secret
pfs = no
keylife = 14h
keyingtries = 0
auto = start
conn Snapgear_to_Colo
type = tunnel
left = %defaultroute
leftid = snap_at_gear
leftsubnet = 192.168.111.0/255.255.255.0
leftnexthop =
right = 12.***.***.110
rightid = POSCOLO_at_ZZZZZZZ.COM
rightsubnet = 192.168.200.0/255.255.255.0
rightnexthop =
aggrmode = yes
keyexchange = ike
auth = esp
authby = secret
pfs = yes
keylife = 30h
keyingtries = 0
auto = start
FILE:/etc/config/ipsec.secrets
0.0.0.0 66.***.*.243 : PSK "***I CHANGED IT FOR THIS EMAIL**"
snap_at_gear POSCOLO_at_ZZZZZZZ.COM : PSK "***I CHANGED IT FOR THIS EMAIL**"
FILE:/etc/config/routeconfig
route add -net 168.***.***.132 netmask 255.255.255.0 gw 168.***.***.135
route add -net 168.***.***.134 netmask 255.255.255.0 gw 168.***.***.135
Firewall Rules
filter table
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target   prot opt in   out  source           destination
    6  2104 ACCEPT   all  --  lo   *    0.0.0.0/0        0.0.0.0/0
    0     0 LOG      all  --  *    *    127.0.0.0/8      0.0.0.0/0        limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Loopback src: '
    0     0 DROP     all  --  *    *    127.0.0.0/8      0.0.0.0/0
    0     0 LOG      all  --  *    *    0.0.0.0/0        127.0.0.0/8      limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Loopback dest: '
    0     0 DROP     all  --  *    *    0.0.0.0/0        127.0.0.0/8
    0     0 LOG      all  --  *    *    0.0.0.0/0        0.0.0.0/0        limit: avg 3/hour burst 5 state INVALID LOG flags 0 level 4 prefix `Invalid: '
    0     0 DROP     all  --  *    *    0.0.0.0/0        0.0.0.0/0        state INVALID
    0     0 LOG      all  --  *    *    168.***.***.135  0.0.0.0/0        limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Spoof: '
    0     0 DROP     all  --  *    *    168.***.***.135  0.0.0.0/0
    5  1640 LOG      all  --  *    *    192.168.111.1    0.0.0.0/0        limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Spoof: '
    9  2952 DROP     all  --  *    *    192.168.111.1    0.0.0.0/0
14764 4086K Spoof    all  --  eth1 *    0.0.0.0/0        0.0.0.0/0
    0     0 LOG      all  --  *    *    255.255.255.255  0.0.0.0/0        limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Bad broadcast: '
    0     0 DROP     all  --  *    *    255.255.255.255  0.0.0.0/0
    0     0 LOG      all  --  *    *    0.0.0.0/0        0.0.0.0          limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Bad broadcast: '
    0     0 DROP     all  --  *    *    0.0.0.0/0        0.0.0.0
    0     0 LOG      all  --  *    *    224.0.0.0/4      0.0.0.0/0        limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Bad multicast: '
    0     0 DROP     all  --  *    *    224.0.0.0/4      0.0.0.0/0
    0     0 Smurf    icmp --  *    *    0.0.0.0/0        168.***.***.255
    0     0 Smurf    icmp --  *    *    0.0.0.0/0        255.255.255.255
14237 3968K EstabRel all  --  eth1 *    0.0.0.0/0        168.***.***.135
   17   992 ExtAcc   all  --  eth1 *    0.0.0.0/0        168.***.***.135
    0     0 ACCEPT   udp  --  eth1 *    0.0.0.0/0        0.0.0.0/0        udp spt:67 dpt:68
    0     0 ACCEPT   tcp  --  eth1 *    0.0.0.0/0        168.***.***.135  tcp spts:1024:65535 dpt:1723
    0     0 ACCEPT   47   --  eth1 *    0.0.0.0/0        168.***.***.135
    0     0 ACCEPT   udp  --  eth1 *    0.0.0.0/0        168.***.***.135  udp spt:500 dpt:500
    3   304 ACCEPT   esp  --  eth1 *    0.0.0.0/0        168.***.***.135
    0     0 ACCEPT   ah   --  eth1 *    0.0.0.0/0        168.***.***.135
    0     0 ACCEPT   udp  --  eth1 *    0.0.0.0/0        0.0.0.0/0        udp dpt:5050
   14   688 IdbTcp   tcp  --  eth1 *    0.0.0.0/0        168.***.***.135
    0     0 IdbUdp   udp  --  eth1 *    0.0.0.0/0        168.***.***.135
  348 59291 DROP     all  --  eth1 *    0.0.0.0/0        168.***.***.255
  179 58712 DROP     all  --  eth1 *    0.0.0.0/0        255.255.255.255
   14   688 LOG      all  --  eth1 *    0.0.0.0/0        0.0.0.0/0        limit: avg 3/hour burst 5 LOG flags 0 level 4
   14   688 DROP     all  --  eth1 *    0.0.0.0/0        0.0.0.0/0
10184 1549K PrivServ all  --  *    *    0.0.0.0/0        0.0.0.0/0
10184 1549K ACCEPT   all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target   prot opt in   out  source           destination
    0     0 LOG      all  --  *    *    0.0.0.0/0        0.0.0.0/0        limit: avg 3/hour burst 5 state INVALID LOG flags 0 level 4 prefix `Invalid: '
    0     0 DROP     all  --  *    *    0.0.0.0/0        0.0.0.0/0        state INVALID
    0     0 SynFlood tcp  --  eth1 *    0.0.0.0/0        0.0.0.0/0        tcp flags:0x16/0x02
 5945 5371K EstabRel all  --  eth1 *    0.0.0.0/0        0.0.0.0/0
    0     0 ExtAcc   all  --  eth1 *    0.0.0.0/0        0.0.0.0/0
    0     0 LOG      all  --  eth1 *    0.0.0.0/0        0.0.0.0/0        limit: avg 3/hour burst 5 LOG flags 0 level 4
    0     0 DROP     all  --  eth1 *    0.0.0.0/0        0.0.0.0/0
 5315  581K Filter   all  --  *    eth1 0.0.0.0/0        0.0.0.0/0
33161 7484K ACCEPT   all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain OUTPUT (policy ACCEPT 24149 packets, 6831K bytes)
 pkts bytes target   prot opt in   out  source           destination

Chain EstabRel (2 references)
 pkts bytes target   prot opt in   out  source           destination
    0     0 IcmpConf icmp --  *    *    0.0.0.0/0        0.0.0.0/0
20165 9337K ACCEPT   all  --  *    *    0.0.0.0/0        0.0.0.0/0        state RELATED,ESTABLISHED

Chain ExtAcc (2 references)
 pkts bytes target   prot opt in   out  source           destination

Chain Filter (1 references)
 pkts bytes target   prot opt in   out  source           destination

Chain IcmpConf (1 references)
 pkts bytes target   prot opt in   out  source           destination
    0     0 ACCEPT   icmp --  *    *    0.0.0.0/0        0.0.0.0/0        icmp type 3
    0     0 ACCEPT   icmp --  *    *    0.0.0.0/0        0.0.0.0/0        icmp type 8
    0     0 ACCEPT   icmp --  *    *    0.0.0.0/0        0.0.0.0/0        icmp type 0
    0     0 ACCEPT   icmp --  *    *    0.0.0.0/0        0.0.0.0/0        icmp type 4
    0     0 ACCEPT   icmp --  *    *    0.0.0.0/0        0.0.0.0/0        icmp type 11
    0     0 ACCEPT   icmp --  *    *    0.0.0.0/0        0.0.0.0/0        icmp type 12
    0     0 DROP     icmp --  *    *    0.0.0.0/0        0.0.0.0/0

Chain IdbSyn (20 references)
 pkts bytes target   prot opt in   out  source           destination
    0     0 ACCEPT   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp flags:0x16/0x02 limit: avg 5/sec burst 5
    0     0 DROP     tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp flags:0x16/0x02
    0     0 ACCEPT   all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain IdbTcp (1 references)
 pkts bytes target   prot opt in   out  source           destination
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:1
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:11
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:15
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:110
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:111
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:143
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:540
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:635
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:1080
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:1524
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:2000
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:12345
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:12346
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:20034
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:32771
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:32772
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:32773
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:32774
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:49724
    0     0 IdbSyn   tcp  --  *    *    0.0.0.0/0        0.0.0.0/0        tcp dpt:54320

Chain IdbUdp (1 references)
 pkts bytes target   prot opt in   out  source           destination
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:1
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:7
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:9
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:69
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:161
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:162
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:513
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:640
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:700
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:31337
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:32770
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:32771
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:32772
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:32773
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:32774
    0     0 ACCEPT   udp  --  *    *    0.0.0.0/0        0.0.0.0/0        udp dpt:54321

Chain PrivServ (1 references)
 pkts bytes target   prot opt in   out  source           destination

Chain Smurf (2 references)
 pkts bytes target   prot opt in   out  source           destination
    0     0 LOG      all  --  *    *    0.0.0.0/0        0.0.0.0/0        limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Smurf: '
    0     0 DROP     all  --  *    *    0.0.0.0/0        0.0.0.0/0

Chain Spoof (1 references)
 pkts bytes target   prot opt in   out  source           destination
    0     0 LOG      all  --  *    *    192.168.111.0/24 0.0.0.0/0        limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Spoof: '
    0     0 DROP     all  --  *    *    192.168.111.0/24 0.0.0.0/0
    0     0 LOG      all  --  *    *    192.168.111.1    0.0.0.0/0        limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `Spoof: '
    0     0 DROP     all  --  *    *    192.168.111.1    0.0.0.0/0

Chain SynFlood (1 references)
 pkts bytes target   prot opt in   out  source           destination
    0     0 RETURN   all  --  *    *    0.0.0.0/0        0.0.0.0/0        limit: avg 5/sec burst 5
    0     0 LOG      all  --  *    *    0.0.0.0/0        0.0.0.0/0        limit: avg 3/hour burst 5 LOG flags 0 level 4 prefix `SynFlood: '
    0     0 DROP     all  --  *    *    0.0.0.0/0        0.0.0.0/0

nat table
Chain PREROUTING (policy ACCEPT 4081 packets, 1004K bytes)
 pkts bytes target     prot opt in   out  source           destination

Chain POSTROUTING (policy ACCEPT 2552 packets, 779K bytes)
 pkts bytes target     prot opt in   out  source           destination
  580 54816 MASQUERADE all  --  *    eth1 0.0.0.0/0        0.0.0.0/0
    0     0 MASQUERADE all  --  *    *    0.0.0.0/0        0.0.0.0/0        MARK match 0x1

Chain OUTPUT (policy ACCEPT 109 packets, 32644 bytes)
 pkts bytes target     prot opt in   out  source           destination

mangle table
Chain PREROUTING (policy ACCEPT 64107 packets, 18M bytes)
 pkts bytes target     prot opt in   out  source           destination

Chain OUTPUT (policy ACCEPT 24181 packets, 6859K bytes)
 pkts bytes target     prot opt in   out  source           destination
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:58 CEST
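The packet-filter change the poster asks for, as an added example that is not part of the original message or of the SnapGear firmware. It uses the interface names and subnets from the posted config; the one thing it assumes beyond the page is that this FreeS/WAN build uses KLIPS, so decrypted tunnel traffic arrives on the virtual interface ipsec0 rather than on eth1. Worth noticing before running it: in the dump above every DROP in INPUT and FORWARD is tied to eth1, and both chains end in an unconditional ACCEPT, so under that assumption packets coming out of the tunnel are already being passed. Explicit rules still make the policy visible and confine it to the tunnel interface, and if they change nothing the packet filter is not what is breaking the logon.

```shell
#!/bin/sh
# Added example, not from the original post or the SnapGear firmware.
# Permits all traffic between the home LAN and the colo subnet, but only for
# packets that actually enter or leave through the IPsec tunnel.
#
# Assumptions (not stated on the page): the SnapGear's FreeS/WAN uses KLIPS,
# so decrypted tunnel packets arrive on ipsec0; the vendor's /bin/firewall is
# re-run from ip-up and dhcpcd-change, so these commands have to be appended
# to that script (or run after it) to survive a link change.

IPT="${IPT:-/bin/iptables}"   # path used by idb.conf's KILL_ROUTE; IPT=echo for a dry run
LAN_IF="eth0"                 # inside interface (192.168.111.1 in the config)
TUN_IF="ipsec0"               # KLIPS virtual interface (assumption)
LAN_NET="192.168.111.0/24"    # home subnet, from leftsubnet
COLO_NET="192.168.200.0/24"   # colo subnet, from rightsubnet of Snapgear_to_Colo

# Emit (or apply) the rules. They are inserted at the head of each chain so
# they take precedence over the vendor rules. Because every rule matches on
# ipsec0, a cleartext packet arriving on eth1 that merely claims a
# 192.168.200.x source still falls through to the existing Spoof/DROP logic
# instead of being accepted.
colo_rules() {
    # colo -> home LAN, only if it came out of the tunnel
    "$IPT" -I FORWARD 1 -i "$TUN_IF" -o "$LAN_IF" -s "$COLO_NET" -d "$LAN_NET" -j ACCEPT
    # home LAN -> colo, only if it is going into the tunnel
    "$IPT" -I FORWARD 1 -i "$LAN_IF" -o "$TUN_IF" -s "$LAN_NET" -d "$COLO_NET" -j ACCEPT
    # colo hosts talking to the router itself (ping, dnsmasq on 192.168.111.1)
    "$IPT" -I INPUT 1 -i "$TUN_IF" -s "$COLO_NET" -j ACCEPT
}

# Dry run: print the iptables commands instead of executing them.
colo_rules_dry_run() {
    ( IPT=echo; colo_rules )
}

# Number of ACCEPT rules the script would install; used as a self-check.
colo_rule_count() {
    colo_rules_dry_run | grep -c -- '-j ACCEPT'
}

case "${1:-}" in
    --apply) colo_rules ;;          # needs root on the router
    *)       colo_rules_dry_run ;;  # default is the harmless dry run
esac
```

Run it with `--apply` on the router after `/bin/firewall` has finished, or with no arguments to print the three commands. The rules are deliberately scoped to the colo subnet and the tunnel interface rather than "every port from anywhere". Two things in the dump deserve a look if the rules make no difference. A Windows 2000 client locates a domain controller through DNS SRV records or WINS/NetBIOS, and the NetBIOS broadcasts it falls back on do not cross a routed tunnel; the router's own resolver (resolv.conf, resolv.user, options.cua*) points only at the ISP server 168.150.253.1, which knows nothing about the internal domain, so the home client needs a DNS or WINS server in the colo. Separately, the posted config contains the router's crypt(3) admin password hash on the `passwd` line; now that it is public, that password should be changed.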