#1, 25th June 2008
TiN-MAN (Bsd n00b, Join Date: Jun 2008, Posts: 3)
Question: Newbie NAT problem

I was wondering if anyone can help me. I have been trying to configure an internet gateway with FreeBSD. I'm a Unix newbie.

The system is up and running. The problem is I want to use PF and NAT to control my internet through a gateway, but I cannot get it to work. I have compiled PF support into my current kernel.

sis0 is my external network, getting a dynamic IP from my ISP.
rl0 is my internal network, running DHCP.

Code:
ADSL Router
(10.0.0.1)
 |
 |
(10.0.0.2)
Freebsd server
(100.0.0.1)
 |
 -----------------
 |               |
(100.0.0.30)    (100.0.0.31)
PC1             PC2
I want to be able to access telnet (SSH) from both sides of the server (both 10.0.0.2 and 100.0.0.1).

I want LAN computers to be able to access the internet but also services on the server (eg. samba shares).

ifconfig output:
Code:
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:1c:c0:49:c2:06
        inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:11:6b:94:cc:f8
        inet 100.0.0.1 netmask 0xffffff00 broadcast 100.0.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>))
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128
My pathetic attempt at creating a working pf.conf:

Code:
if_ext = "sis0"                # macro for interface facing int
if_int = "rl0"                 # macro for interface facing loc
localnet = $if_int:network
icmp_types = "{ echoreq, unreach }"
nonroute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }"

set block-policy return
scrub in all
nat on $if_ext from $localnet to any -> ($if_ext)
antispoof for $if_ext
antispoof for $if_int
block all

pass inet proto tcp from {lo0, $localnet } to any keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass in on $if_ext proto { tcp, udp } from any to any port 3709 #telnet

block drop in quick on $if_ext from $nonroute to any
block drop out quick on $if_ext from any to $nonroute
Any ideas where I fail? And how to fix it?

Last edited by TiN-MAN; 25th June 2008 at 07:33 PM.
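A reworked pf.conf for the layout in this post, added here as an example; it is not the poster's file or a reply from the thread. It assumes sshd listens on TCP 3709 (the port the "#telnet" rule opens) and that gateway_enable="YES" is set in /etc/rc.conf so the kernel forwards packets between sis0 and rl0.

```pf
# Added example, not the poster's config: sis0 faces the ADSL router on
# 10.0.0.0/24, rl0 faces the 100.0.0.0/24 LAN. Assumes sshd listens on
# TCP 3709 and gateway_enable="YES" is set in /etc/rc.conf (ip forwarding).
if_ext = "sis0"
if_int = "rl0"
localnet = $if_int:network
icmp_types = "{ echoreq, unreach }"
ssh_port = "3709"

# The upstream hop is itself on RFC1918 space, so a blanket 10.0.0.0/8 bogon
# block on $if_ext cuts the box off from its router and from SSH clients on
# the 10.0.0.x side. A table can carve that subnet back out with "!".
table <nonroute> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                         10.0.0.0/8, !10.0.0.0/24, 169.254.0.0/16, \
                         192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }

set block-policy return
set skip on lo0
scrub in all

# Rewrite LAN sources to whatever address sis0 currently holds (dynamic IP).
nat on $if_ext from $localnet to any -> ($if_ext)

antispoof for $if_ext
antispoof for $if_int

# Default deny, logged to pflog0 so blocked packets can actually be seen.
block log all
block drop in quick on $if_ext from <nonroute> to any
block drop out quick on $if_ext from any to <nonroute>

# LAN -> gateway services (samba, ssh) and LAN -> internet. DNS is UDP and the
# original rules passed TCP only, so clients could not resolve names.
pass in on $if_int inet proto { tcp, udp } from $localnet to any keep state
pass in on $if_int inet proto icmp from $localnet to any \
    icmp-type $icmp_types keep state
# DHCP discover/request arrive with source 0.0.0.0, outside $localnet.
pass in on $if_int inet proto udp from any port 68 to any port 67

# The gateway's own traffic on sis0 has a 10.0.0.x source, not $localnet,
# so the original pass rule never matched it. Let it and NATed flows out.
pass out on $if_ext inet proto { tcp, udp, icmp } all keep state
pass out on $if_int inet all keep state

# SSH from the router side: TCP only, to this box only, with state kept.
pass in on $if_ext inet proto tcp from any to ($if_ext) port $ssh_port \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because the default deny is now logged, `tcpdump -n -e -ttt -i pflog0` shows exactly which packets are being dropped and on which interface.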