Murus startup fails due to missing ppp0

pentcheff
Posts: 4
Joined: Fri Feb 12, 2016 10:09 pm

Murus startup fails due to missing ppp0

Post by pentcheff » Sun Oct 16, 2016 3:10 am

I've got Murus running on a server that is also acting as a VPN host, using Mac Server VPN (L2TP). To allow VPN clients from outside to access servers inside the VPN network, I've got Murus's NAT enabled, connecting LAN interface ppp0 to WAN interface en0 ("Share VPN" is off).

This all appears to work fine.

The problem is that the Mac server only creates the ppp0 port when it receives a VPN connection. Hence, at boot time, Murus fails to start because there is no ppp0 port (so the NAT configuration is broken).

If I first make a VPN connection from outside, Murus starts fine, and persists even after the VPN client disconnects.

Any ideas on how to make the Murus startup work in the absence of a pre-existing VPN client connection? Thanks!

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: Murus startup fails due to missing ppp0

Post by hany » Thu Oct 27, 2016 4:13 pm

We are trying to reproduce your configuration; we will let you know ASAP if we find a solution.

pentcheff
Posts: 4
Joined: Fri Feb 12, 2016 10:09 pm

Re: Murus startup fails due to missing ppp0

Post by pentcheff » Fri Nov 11, 2016 9:19 pm

If it's any help, here are some screenshots and ifconfig listings:

OSXServer-VPN.tiff — Screenshot of the VPN setting in OSX Server
murus-NAT.tiff — Screenshot of the NAT setting in Murus

ifconfig BEFORE a VPN connection from outside is made:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_HWTAGGING>
ether xx:xx:xx:xx:xx:xx
inet6 xxxxx
inet 10.1.15.38 netmask 0xffffff00 broadcast 10.1.15.255
nd6 options=1<PERFORMNUD>
media: autoselect (1000baseT <full-duplex,flow-control>)
status: active
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_HWTAGGING>
ether xx:xx:xx:xx:xx:xx
nd6 options=1<PERFORMNUD>
media: autoselect (<unknown type>)
status: inactive
en2: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
ether xx:xx:xx:xx:xx:xx
nd6 options=1<PERFORMNUD>
media: autoselect (<unknown type>)
status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
lladdr 70:cd:60:ff:fe:9c:35:38
nd6 options=1<PERFORMNUD>
media: autoselect <full-duplex>
status: inactive
p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
ether xx:xx:xx:xx:xx:xx
media: autoselect
status: inactive
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33080

ifconfig DURING a VPN connection from outside:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
nd6 options=1<PERFORMNUD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_HWTAGGING>
ether xx:xx:xx:xx:xx:xx
inet6 xxxxx
inet xx.xx.xx.xx netmask 0xffffff00 broadcast xx.xx.xx.xx
nd6 options=1<PERFORMNUD>
media: autoselect (1000baseT <full-duplex,flow-control>)
status: active
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_HWTAGGING>
ether xx:xx:xx:xx:xx:xx
nd6 options=1<PERFORMNUD>
media: autoselect (<unknown type>)
status: inactive
en2: flags=8823<UP,BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
ether xx:xx:xx:xx:xx:xx
nd6 options=1<PERFORMNUD>
media: autoselect (<unknown type>)
status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
lladdr 70:cd:60:ff:fe:9c:35:38
nd6 options=1<PERFORMNUD>
media: autoselect <full-duplex>
status: inactive
p2p0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 2304
ether xx:xx:xx:xx:xx:xx
media: autoselect
status: inactive
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33080
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet xx.xx.xx.xx --> yy.yy.yy.yy netmask 0xffffff00

Notably, the "ppp0" interface appears when a VPN connection is made from outside, but is not present when a VPN connection from outside is not in place. The "ppp0" interface disappears after the VPN connection is dropped.

Since "ppp0" does not exist when the server is started, Murus fails to launch, because the "ppp0" interface in Murus's NAT setting is nonexistent. Murus starts fine (manually) if a VPN connection is already in place. Reasonably, the settings made by Murus seem to persist just fine as the "ppp0" interface comes and goes (as VPN connections are made and broken).

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: Murus startup fails due to missing ppp0

Post by hany » Sat Nov 12, 2016 9:46 pm

pentcheff, thank you so much for your report.
We have not forgotten you, don't worry. We are currently very busy developing Vallum 2.0; the release date is near.
I will look at your issue immediately after the Vallum 2.0 release. I think I have a solution, but I need to test it on 4 different OSes, so it takes time to implement it, test it and release it.
During this time I will let you try beta builds, if you want.

But I don't want you to wait too long, so here's a workaround. I know it's tricky, but it should work.
You have to manually edit two PF configuration files, then run PF and keep Murus closed (to avoid overriding your hand-made changes). You just have to modify /etc/murus/murus.nat and /etc/murus/murus.natclients:

original /etc/murus/murus.nat:

nat on en0   from ppp0:network to any  -> (en0)

new /etc/murus/murus.nat:

nat on en0   from (ppp0:network) to any  -> (en0)

original /etc/murus/murus.natclients (yours may look a bit different or longer; in this example we assume the ppp0 network is 10.0.0.0/8):

table <NatLanInterfaces> { ppp0  }
pass  inet proto {tcp, udp} from { 10.0.0.0/8 } to !<NatLanInterfaces>  port {1:65535}

new /etc/murus/murus.natclients:
table <NatLanInterfaces> { 10.0.0.0/8  }
pass  inet proto {tcp, udp} from { 10.0.0.0/8 } to !<NatLanInterfaces>  port {1:65535}

In other words: you have to substitute "ppp0" with "(ppp0)" or with the ppp0 CIDR network (like "192.168.100.0/24" or "12.10.0.0/16", whatever it is). With that change, PF will not trigger any error at boot time.

Once the files have been modified, you need to manually start (reload) PF from the terminal, NOT FROM MURUS. You can't click "PLAY" in Murus any more, or your files will be overwritten. However, PF will start at boot as usual.
To manually start (reload) PF from a shell terminal, type:

sudo pfctl -f /etc/murus/murus.conf

Please let me know :)
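A small checker for the substitution described in the post above, added here as an illustration; it is not part of Murus and not code from this thread. PF expands a bare interface name once, when the ruleset is loaded (so a rule naming ppp0 fails if ppp0 does not exist yet), while a name in parentheses is re-evaluated as the interface comes and goes. The script lists non-lazy references to a dynamic interface and rewrites them the way the workaround does; the interface name, the CIDR and the two sample files are inputs constructed from the post.

```python
import re
from typing import List, Optional, Tuple

# A bare interface token (en0, ppp0, ppp0:network ...) not already wrapped in "(...)".
BARE_IFACE = re.compile(
    r'(?<![(\w.])(?P<ref>(?P<iface>[a-z]+\d+)(?::(?:network|broadcast|peer))?)(?![\w)])')


def bare_interface_refs(ruleset: str, dynamic_ifaces) -> List[Tuple[int, str]]:
    """Return (line number, token) for every non-lazy reference to a dynamic interface."""
    hits = []
    for n, line in enumerate(ruleset.splitlines(), 1):
        for m in BARE_IFACE.finditer(line):
            if m.group('iface') in dynamic_ifaces:
                hits.append((n, m.group('ref')))
    return hits


def make_lazy(ruleset: str, iface: str, cidr: Optional[str] = None) -> str:
    """Wrap bare references to iface in parentheses; inside a 'table' line, and
    when a CIDR is given, substitute the CIDR instead (the two edits from the post)."""
    out = []
    for line in ruleset.splitlines():
        in_table = line.lstrip().startswith('table')

        def fix(m, in_table=in_table):
            if m.group('iface') != iface:
                return m.group('ref')          # other interfaces are left alone
            if in_table and cidr:
                return cidr                    # table <...> { ppp0 } -> { 10.0.0.0/8 }
            return '(' + m.group('ref') + ')'  # ppp0:network -> (ppp0:network)

        out.append(BARE_IFACE.sub(fix, line))
    return '\n'.join(out) + ('\n' if ruleset.endswith('\n') else '')


# Constructed sample input: the two Murus-generated files quoted in this thread.
MURUS_NAT = 'nat on en0   from ppp0:network to any  -> (en0)\n'
MURUS_NATCLIENTS = (
    'table <NatLanInterfaces> { ppp0  }\n'
    'pass  inet proto {tcp, udp} from { 10.0.0.0/8 } to !<NatLanInterfaces>  port {1:65535}\n'
)

if __name__ == '__main__':
    for name, text in (('murus.nat', MURUS_NAT), ('murus.natclients', MURUS_NATCLIENTS)):
        print(name, 'bare refs:', bare_interface_refs(text, {'ppp0'}))
        print(make_lazy(text, 'ppp0', '10.0.0.0/8'))
```

Before loading the edited files, `sudo pfctl -nf /etc/murus/murus.conf` parses the ruleset without applying it, so a syntax slip is caught before the running rules are touched.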

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: Murus startup fails due to missing ppp0

Post by hany » Wed Nov 23, 2016 9:10 pm

Murus 1.4.5 is now available at http://murusfirewall.com/forum/viewtopic.php?f=2&t=558
The NAT window shows a new option, "Lazy interfaces". Check this box and click PLAY to update the Murus/PF rules while ALL necessary interfaces are up. This ruleset will correctly load at boot even if LAN/VPN interfaces are not immediately available.