примерный конфиг запуска mpd4 до кучи:
Код:
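#!/bin/sh
#
# $FreeBSD: ports/net/mpd4/files/mpd4.sh.in,v 1.3 2007/07/06 07:35:54 sem Exp $
#
# PROVIDE: mpd
# REQUIRE: SERVERS
# BEFORE: DAEMON
# KEYWORD: shutdown
#
# rc.d script for mpd4 behind ipfw/netgraph: loads the ng_* modules, builds
# the ipfw -> ng_nat / ng_netflow -> ng_split graph, installs the ipfw rules,
# regenerates mpd.conf/mpd.links with genconf and starts mpd4; "stop" undoes
# all of it.
#
# start/stop are dispatched through run_rc_command, so the script now honours
# mpd4_enable in /etc/rc.conf (onestart/onestop bypass the check) and answers
# the faststart/quietstart/faststop verbs rc(8) passes at boot and shutdown --
# the original "case start|stop" matched neither, so it only ever ran by hand.
#
# The original shebang was "#!/bin/sh -x"; options given there are lost when
# the script is run as "sh mpd4", so tracing is enabled with set(1) instead.
# Drop the next line once the setup is stable.
set -x

. /etc/rc.subr

name="mpd4"
rcvar=${name}_enable	# the value set_rcvar used to return; set_rcvar was removed in later releases
start_cmd="${name}_start"
stop_cmd="${name}_stop"

load_rc_config $name

NGCTL=/usr/sbin/ngctl
KILLALL=/usr/bin/killall
MPD_ETC=/usr/local/etc/mpd4
# load order; unloaded in the same order on stop
mods="ng_nat ng_ipfw ng_bpf ng_netflow ng_split ng_socket ng_ksocket ng_ppp ng_pptpgre ng_car"

#
# Load the modules, build the netgraph, install the ipfw rules, regenerate the
# mpd4 config and start mpd4 (-b background, -k kill a stale instance).
#
mpd4_start()
{
	sysctl net.inet.ip.forwarding=1
	for mod in ${mods}; do
		kldload -v "$mod"
		sleep 1
	done

	# ipfw hooks 1/2 feed nat1, hook 3 feeds netflow iface0, netflow goes
	# through split into nat2 (hooks 4/5) and exports flows to the local
	# samplicate on 127.0.0.1:8888.  The hook numbers must match the
	# "ipfw add ... netgraph N" rules below.  <<- only strips leading tabs,
	# so the heredoc body is kept at column 0.
	${NGCTL} -f- <<-SEQ1
mkpeer ipfw: nat 1 out
name ipfw:1 nat1
connect ipfw: nat1: 2 in
msg nat1: setaliasaddr x.x.x.x1
mkpeer ipfw: netflow 3 iface0
name ipfw:3 netflow
mkpeer netflow: split out0 in
name netflow:out0 split
mkpeer netflow: ksocket export inet/dgram/udp
connect split: netflow: out iface1
connect ipfw: netflow: 5 out1
mkpeer split: nat mixed out
name split:mixed nat2
connect ipfw: nat2: 4 in
msg nat2: setaliasaddr 89.222.180.235
msg netflow: setdlt { iface=0 dlt=12 }
msg netflow: setifindex { iface=0 index=1001 }
msg netflow: setdlt { iface=1 dlt=12 }
msg netflow: setifindex { iface=1 index=1002 }
msg netflow:export connect inet/127.0.0.1:8888
SEQ1

	# fan the exported flows out to the collectors
	/usr/local/bin/samplicate -s 127.0.0.1 -p 8888 -f x.x.x.x2/555 x.x.x.x3/2001

	ipfw add 1 deny tcp from any to any 135,137,138,139,445
	ipfw add 2 deny udp from any to any 135,137,138,139,445
	ipfw add 3 deny ip from any to 224.0.0.0/4
	ipfw add 4 skipto 65535 ip from any to any via lo0
	ipfw add 5 deny ip from 10.0.0.0/16 to any out via fxp0
	ipfw add 6 deny ip from any to 10.0.0.0/16 in via fxp0
	ipfw add 7 deny ip from 10.0.0.0/16 to any out via fxp1
	ipfw add 8 deny ip from any to 10.0.0.0/16 in via fxp1
	#
	ipfw add 300 netgraph 2 all from any to x.x.x.x1 in via fxp1
	ipfw add 400 netgraph 1 all from 192.168.111.0/24 to any out via fxp1
	#
	ipfw add 500 netgraph 4 all from any to y.y.y.y1 in via fxp0
	ipfw add 600 netgraph 3 all from 192.168.111.0/24 to any out via fxp0

	# genconf rewrites mpd.conf and mpd.links from scratch
	${MPD_ETC}/genconf
	/usr/local/sbin/mpd4 -b -p /var/run/mpd4.pid -d ${MPD_ETC} -k
}

#
# Stop mpd4 and samplicate, tear the netgraph down, unload the modules and
# flush ipfw.  The generated config files are emptied so a stale copy is
# never picked up; genconf recreates them on the next start.
#
mpd4_stop()
{
	${KILLALL} -TERM mpd4
	sleep 4
	: > ${MPD_ETC}/mpd.conf
	: > ${MPD_ETC}/mpd.links
	# "ngX:" is kept from the original.  ngctl takes literal node names, so
	# it only hits a node actually called ngX, not the ng0..ngN interfaces
	# mpd creates -- check which of those still exist once mpd4 has exited.
	for node in netflow nat1 nat2 ipfw split ngX; do
		${NGCTL} shutdown "${node}:"
	done
	for mod in ${mods}; do
		kldunload -v "$mod"
		sleep 1
	done
	# once, not once per module as in the original loop
	sysctl net.inet.ip.forwarding=0
	ipfw -f flush
	${KILLALL} samplicate
}

run_rc_command "$1"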
и скрипт, генерирующий конфиг mpd4 для юзеров, коннектящихся к нему из разных vlan (с vid 8 по 34), с указанием зарезервированных links в каждом vlan:
Код:
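#!/bin/sh
#
# genconf: writes /usr/local/etc/mpd4/mpd.conf and mpd.links for the PPTP VPN
# server.  One "vpnN" bundle and one "pN" pptp link is generated per reserved
# slot; NODE_<vid> is the number of slots reserved for VLAN <vid> and IP_<vid>
# the last octet of that VLAN's listener address 10.0.<vid>.IP_<vid>.  Both
# files are rewritten from scratch on every run (the rc script calls this
# right before starting mpd4).
#
# Exit status: 1 when the reservations exceed the 1000-slot limit (the
# original exited 0 there, which hid the error from the caller), 0 otherwise.
#
#set -x

# slots reserved per VLAN; 0 means the VLAN gets no links
NODE_8="0";NODE_9="0";NODE_10="0";NODE_11="0";NODE_12="0";NODE_15="0";NODE_20="0";NODE_21="10"
NODE_22="0";NODE_23="0";NODE_24="5";NODE_25="0";NODE_31="0";NODE_33="0";NODE_34="0"
#
# last octet of the pptp listener address in each VLAN
IP_8="252";IP_9="252";IP_10="252";IP_11="252";IP_12="252";IP_15="252";IP_20="252"
IP_21="252";IP_22="252";IP_23="252";IP_24="252";IP_25="252";IP_31="252";IP_33="252";IP_34="252"
#
DNS_SERVER="x.x.x.x1 y.y.y.y1"
VPN_RANGE="192.168.111.1/32 192.168.111.0/24"
# ====================
NODES=$((NODE_8 + NODE_9 + NODE_10 + NODE_11 + NODE_12 + NODE_20 + NODE_21 + NODE_22 + NODE_23 \
	+ NODE_15 + NODE_24 + NODE_25 + NODE_31 + NODE_33 + NODE_34))
FREE_NODES=$((1000 - NODES))
if [ "${FREE_NODES}" -lt 0 ]; then
	echo "no free nodes!!!" >&2
	exit 1
fi
echo "used nodes = ${NODES} , free nodes = ${FREE_NODES}"

NODENAME="vpn"
LINKNAME="p"
RADSERV="62.140.248.11"
RADME="62.140.248.8"
# RADIUS shared secret.  It is copied into mpd.conf below, so this script and
# mpd.conf must both stay readable by root only (hence the chmod after the
# files are created).
SECRET="qwerASDF"
FILE_CONF="/usr/local/etc/mpd4/mpd.conf"
FILE_LINKS="/usr/local/etc/mpd4/mpd.links"

: > "${FILE_LINKS}"

# mpd.conf -- console and web are bound to 127.0.0.1; web auth is disabled,
# so anything that can reach localhost:8080 can drive mpd.
# Variables are passed as printf arguments, never inside the format string.
{
	printf 'startup:\n\tset console port 510\n\tset console ip 127.0.0.1\n\tset console user mpd mpd\n\tset console disable logging\n\tset console open\n'
	printf '\tset web port 8080\n\tset web ip 127.0.0.1\n\tset web disable auth\n\tset web open\n\n'
	printf 'default:\n'
} > "${FILE_CONF}"
chmod 600 "${FILE_CONF}" "${FILE_LINKS}"

# default: loads every bundle
node=0
while [ "${node}" -lt "${NODES}" ]; do
	printf '\tload %s%s\n' "${NODENAME}" "${node}" >> "${FILE_CONF}"
	node=$((node + 1))
done

# one bundle section per slot: vpnN creates interface ngN with link pN.
# The new/load lines are tab-indented like every other section written here
# (the original printf had them at column 0, possibly the paste losing tabs).
node=0
printf '\n\n' >> "${FILE_CONF}"
while [ "${node}" -lt "${NODES}" ]; do
	printf '%s%s:\n\tnew -i ng%s %s%s %s%s\n\tload vpnstd\n\n' \
		"${NODENAME}" "${node}" "${node}" "${LINKNAME}" "${node}" "${LINKNAME}" "${node}" >> "${FILE_CONF}"
	node=$((node + 1))
done

# shared bundle settings; only chap-md5 is left enabled and MPPE/compression
# are off, auth and accounting go to RADIUS
{
	printf 'vpnstd:\n\tset iface disable on-demand\n\tset iface idle 10800\n\tset iface enable tcpmssfix\n\tset link no acfcomp protocomp\n'
	printf '\tset link no pap\n\tset link no chap-msv1\n\tset link no chap-msv2\n\tset link yes chap-md5\n\tset link mtu 1460\n\tset link mru 1460\n'
	printf '\tset link keep-alive 30 180\n\tset link max-redial -1\n\tset ipcp ranges %s\n\tset ipcp no vjcomp\n\tset ipcp dns %s\n' "${VPN_RANGE}" "${DNS_SERVER}"
	printf '\tset bundle no compression\n\tset bundle disable multilink\n\tset ccp no mppc\n\tset ccp no mpp-e40\n\tset ccp no mpp-e128\n'
	printf '\tset ccp no mpp-stateless\n\tset radius retries 2\n\tset radius timeout 10\n'
	printf '\tset radius server %s %s\n\tset radius me %s\n\tset auth enable radius-auth\n\tset auth enable radius-acct\n' "${RADSERV}" "${SECRET}" "${RADME}"
	printf '\tset auth disable internal\n\tset auth acct-update 600\n\tset auth timeout 40\n\tset auth max-logins 0\n'
} >> "${FILE_CONF}"
#===========================================
# mpd.links: NODE_<vid> incoming-only pptp links per VLAN, numbered p0..p(NODES-1)
# across all VLANs, each listening on 10.0.<vid>.IP_<vid>.
# eval is the POSIX sh way to read NODE_$I / IP_$I indirectly; I only ever
# holds the literal VLAN ids listed below.
node=0
for I in 8 9 10 11 12 15 20 21 22 23 24 25 31 33 34; do
	eval "A=\${NODE_$I}"
	eval "B=\${IP_$I}"
	node0=0
	if [ "$A" -ne 0 ]; then
		while [ "${node0}" -lt "$A" ]; do
			{
				printf '%s%s:\n\tset link type pptp\n' "${LINKNAME}" "${node}"
				printf '\tset pptp self 10.0.%s.%s\n\tset pptp enable incoming\n\tset pptp disable originate\n\tset pptp disable windowing\n\n' "$I" "$B"
			} >> "${FILE_LINKS}"
			node0=$((node0 + 1))
			node=$((node + 1))
		done
	else
		echo " vlan $I is empty"
	fi
done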
.....