I have a problem with the server hanging after a connection is made. Once the connection is up, I can see that the assigned IP landed in table(10) and packets are flowing from it (see ipfw show). But there is no internet.
Code:
gate2# ipfw show
09970 0 0 skipto 10130 ip from table(14) to table(3) in recv ng*
09975 0 0 skipto 10135 ip from table(3) to table(15) out xmit ng*
09980 0 0 skipto 10120 ip from table(12) to table(2) in recv ng*
09985 0 0 skipto 10125 ip from table(2) to table(13) out xmit ng*
10000 96 6989 netgraph tablearg ip from table(10) to any in recv ng*
10010 0 0 netgraph tablearg ip from any to table(11) out xmit ng*
10020 0 0 allow ip from table(9) to any in recv ng*
10025 0 0 allow ip from any to table(9) out xmit ng*
10030 6 823 allow ip from any to any via ng*
10120 0 0 netgraph tablearg ip from table(12) to any in recv ng*
10125 0 0 netgraph tablearg ip from any to table(13) out xmit ng*
10130 0 0 netgraph tablearg ip from table(14) to any in recv ng*
10135 0 0 netgraph tablearg ip from any to table(15) out xmit ng*
10220 0 0 allow ip from table(9) to table(2) in recv ng*
10225 0 0 allow ip from table(2) to table(9) out xmit ng*
10230 0 0 allow ip from table(9) to table(3) in recv ng*
10235 0 0 allow ip from table(3) to table(9) out xmit ng*
64010 87 70514 allow tcp from me 9443 to any via re0
64011 116 13648 allow tcp from any to me dst-port 9443 via re0
65000 10 764 allow tcp from me 1723 to any via re0
65001 10 824 allow tcp from any to me dst-port 1723 via re0
65002 0 0 allow udp from me 53 to any via re0
65003 0 0 allow udp from any to me dst-port 53 via re0
65003 0 0 allow tcp from me 1812 to any via re0
65004 0 0 allow tcp from any to me dst-port 1812 via re0
65005 0 0 allow tcp from me 1813 to any via re0
65006 0 0 allow tcp from any to me dst-port 1813 via re0
65012 17 824 reset log logamount 1000 tcp from any to any via re0
65013 525 79577 deny log logamount 1000 udp from any to any via re0
65030 1 71 nat 123 ip from 172.16.201.0/24 to any
65040 84 6896 nat 123 ip from any to ххх.ххх.188.53
65535 423 32418 allow ip from any to any
FreeBSD 8.1 + MPD5 + FreeRadius 1.1.8 + ng_car
Here is the kernel configuration:
Code:
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=1000
options IPFIREWALL_NAT
options DUMMYNET
options IPFIREWALL_FORWARD
options NETGRAPH
options NETGRAPH_IPFW
options LIBALIAS
options NETGRAPH_NAT
options NETGRAPH_NETFLOW
options NETGRAPH_SPLIT
options NETGRAPH_ECHO
options NETGRAPH_ETHER
options NETGRAPH_TEE
options NETGRAPH_BPF
options NETGRAPH_IFACE
options NETGRAPH_KSOCKET
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_PPP
options NETGRAPH_PPTPGRE
options NETGRAPH_SOCKET
options NETGRAPH_TCPMSS
options NETGRAPH_VJC
Here is the Freeradius configuration:
Code:
gate2# env LD_PRELOAD=/usr/local/lib/perl5/5.10.1/mach/CORE/libperl.so radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 5242880
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded perl
perl: module = "/usr/abills/libexec/rlm_perl.pl"
perl: func_authorize = "authorize"
perl: func_authenticate = "authenticate"
perl: func_accounting = "accounting"
perl: func_preacct = "preacct"
perl: func_checksimul = "checksimul"
perl: func_detach = "detach"
perl: func_xlat = "xlat"
perl: func_pre_proxy = "pre_proxy"
perl: func_post_proxy = "post_proxy"
perl: func_post_auth = "post_auth"
perl: perl_flags = "(null)"
perl: func_start_accounting = "(null)"
perl: func_stop_accounting = "(null)"
Module: Instantiated perl (perl)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
Next, the output of ngctl list with no connections:
Code:
gate2# ngctl list
There are 7 total nodes:
Name: mpd1528-cso Type: socket ID: 0000000c Num hooks: 0
Name: mpd1528-eso Type: socket ID: 0000000d Num hooks: 0
Name: re0 Type: ether ID: 00000002 Num hooks: 0
Name: mpd1528-lso Type: socket ID: 0000000b Num hooks: 0
Name: xl0 Type: ether ID: 00000003 Num hooks: 0
Name: ipfw Type: ipfw ID: 00000001 Num hooks: 0
Name: ngctl1555 Type: socket ID: 0000000e Num hooks: 0
And this is after a connection:
Code:
gate2# ngctl list
There are 19 total nodes:
Name: <unnamed> Type: car ID: 00000015 Num hooks: 2
Name: <unnamed> Type: car ID: 00000014 Num hooks: 2
Name: <unnamed> Type: mppc ID: 00000011 Num hooks: 1
Name: <unnamed> Type: mppc ID: 00000010 Num hooks: 1
Name: <unnamed> Type: ksocket ID: 0000000c Num hooks: 1
Name: <unnamed> Type: pptpgre ID: 0000000b Num hooks: 2
Name: mpd1031-lso Type: socket ID: 00000006 Num hooks: 1
Name: ng0 Type: iface ID: 0000000d Num hooks: 1
Name: re0 Type: ether ID: 00000002 Num hooks: 0
Name: xl0 Type: ether ID: 00000003 Num hooks: 0
Name: ipfw Type: ipfw ID: 00000001 Num hooks: 0
Name: mpd1031-B-1-lim Type: bpf ID: 00000013 Num hooks: 6
Name: mpd1031-B-1-mss Type: tcpmss ID: 00000012 Num hooks: 2
Name: mpd1031-B-1 Type: ppp ID: 0000000e Num hooks: 5
Name: mpd1031-stats Type: socket ID: 0000000f Num hooks: 0
Name: mpd1031-L-1-lt Type: tee ID: 00000009 Num hooks: 2
Name: ngctl1558 Type: socket ID: 00000016 Num hooks: 0
Name: mpd1031-cso Type: socket ID: 00000007 Num hooks: 0
Name: mpd1031-eso Type: socket ID: 00000008 Num hooks: 0
Output of the command /usr/abills/libexec/linkupdown up ng0 test 10.11.11.11 debug:
Code:
gate2# /usr/abills/libexec/linkupdown up ng0 test 10.11.11.11 debug
/sbin/ipfw -q table 10 add 10.11.11.11/32 1512
I also noticed that the machine hangs more often when I enter commands like ngctl list or ipfw show.
By the way, there is one more thing:
Code:
gate2# /usr/abills/libexec/linkupdown up ng0 test 10.10.10.20 debug
/sbin/ipfw -q table 10 add 10.10.10.20/32 1512
Nothing gets added to table 11...
Code:
gate2# /usr/abills/libexec/billd checkspeed NAS_IDS=1 RECONFIGURE=1
Change Static Speed IN: Not set -> 512
Change Static Speed OUT: Not set -> 512
10000 pipe 10000 ip from table(10,1512) to any out xmit xl0
10001 pipe 10001 ip from any to table(10,1512) in recv xl0
gate2# ipfw table all list
gate2# ipfw show
10000 0 0 pipe 10000 ip from table(10,1512) to any out xmit xl0
10001 0 0 pipe 10001 ip from any to table(10,1512) in recv xl0
65535 71286 5819776 allow ip from any to any
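Rules 10000 and 10010 in the listing above hand inbound traffic to netgraph via table(10) and outbound traffic via table(11), so a client address has to be present in both for traffic in both directions to reach the ng_car nodes. The following check is an added example, not part of the original post or of ABillS: it compares two table dumps in the format of `ipfw table N list` and reports prefixes present in one but missing from the other. The dumps embedded below are constructed sample data (table 10 populated, table 11 empty, as the post describes).

```shell
#!/bin/sh
# Added example (not from the original post): compare the "in" table
# (table 10) with the "out" table (table 11) of the ipfw/netgraph rule pair
# and list prefixes that are missing from either side.
#
# Dump format is that of `ipfw table N list`: "<prefix>/<len> <value>".
# Constructed sample data for offline use:
T10_DUMP='10.11.11.11/32 1512
10.10.10.20/32 1512'
T11_DUMP=''

# missing_from DUMP_A DUMP_B: print prefixes (column 1) of DUMP_A that have
# no entry in DUMP_B. Both arguments are strings holding table dumps.
missing_from() {
    a=$(mktemp) && b=$(mktemp) || return 2
    printf '%s\n' "$1" > "$a"
    printf '%s\n' "$2" > "$b"
    # First pass records every prefix of DUMP_B; second pass prints prefixes
    # of DUMP_A that were not recorded. FILENAME is used instead of the usual
    # NR==FNR idiom so that an empty DUMP_B is handled correctly.
    awk 'FILENAME == ARGV[1] { if (NF) seen[$1] = 1; next }
         NF && !($1 in seen) { print $1 }' "$b" "$a"
    rm -f "$a" "$b"
}

# check_pair IN_DUMP OUT_DUMP: print each discrepancy and return 0 when the
# two tables hold the same prefixes, 1 otherwise.
check_pair() {
    rc=0
    for p in $(missing_from "$1" "$2"); do
        echo "missing from out table: $p"; rc=1
    done
    for p in $(missing_from "$2" "$1"); do
        echo "missing from in table: $p"; rc=1
    done
    return $rc
}

# Live use on the gateway would be (assumed invocation, not run here):
#   check_pair "$(/sbin/ipfw table 10 list)" "$(/sbin/ipfw table 11 list)"
if check_pair "$T10_DUMP" "$T11_DUMP"; then
    echo "tables 10 and 11 agree"
else
    echo "tables 10 and 11 differ; return traffic will not match rule 10010"
fi
```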