На машине, выступающей в роли шлюза в Инет, есть две сетевые карты : одна смотрит в локальную сеть, другая - через АДСЛ-модем соединена с ВПН-сервером. Поднял фаер на уровне ядра, настроил маршрутизацию через эти 2 интерфейса (ed0-лок.сеть, ed1-outside сет. карта), установил pptpclient. На этом шлюзе запустил pptpclient, в результате чего создался интерфейс tun0 и пошли пинги в Инет с этой машины. Все вроде красиво. Но когда я настроил соединение на клиентсой машине из локалки через этот шлюз - туши свет, пинги с нее еле доходят, о загрузке страниц вообще говорить страшно (гугл грузится минут 5). Вообще, машина-шлюз сама по себе слабая (4-ка, 8Мб, винт 4Гб, сетевые 10Мб каждая). Но не думаю, что скорость передачи трафика так зависит от ресурсов системы. Вроде бы проблема где-то в маршрутизации, но не пойму где? То ли natd нужно убрать и как-то настроить маршрутизацию на ppptpclient-е, то ли natd неправильно настроен? Вобщем HELP!!!Добавил в параметры ядра:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
Вот конфиги: rc.conf
# -- sysinstall generated deltas -- # Sat May 7 12:11:06 2005
# Created: Sat May 7 12:11:06 2005
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="ed1"
gateway_enable="YES"
ifconfig_ed1="inet 10.199.1.19 netmask 255.255.255.0"
ifconfig_ed0="inet 10.0.2.3 netmask 255.255.255.0"
inetd_enable="NO"
ipv6_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
nfs_reserved_port_only="YES"
sshd_enable="YES"
usbd_enable="YES"
Раздел "Simple" из rc.firewall
[Ss][Ii][Mm][Pp][Ll][Ee])
############
# This is a prototype setup for a simple firewall. Configure this
# machine as a named server and ntp server, and point all the machines
# on the inside at this machine for those services.
############
# set these to your outside interface network and netmask and ip
oif="ed1"
onet="10.199.1.0"
omask="255.255.255.0"
oip="10.199.1.19"
# set these to your inside interface network and netmask and ip
iif="ed0"
inet="10.0.2.0"
imask="255.255.255.0"
iip="10.0.2.3"
setup_loopback
# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation. This rule is placed here deliberately
# so that it does not interfere with the surrounding address-checking
# rules. If for example one of your internal LAN machines had its IP
# address set to 192.0.2.1 then an incoming packet for it after being
# translated by natd(8) would match the `deny' rule above. Similarly
# an outgoing packet originated from it before being translated would
# match the `deny' rule below.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n "${natd_interface}" ]; then
${fwcmd} add divert natd all from any to any via ${natd_interface}
fi
;;
esac
# Stop RFC1918 nets on the outside interface
# ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup
# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state
# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state
# Everything else is denied by default, unless the
# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
# config file.
;;