7th November 2008
neurosis
Fdisk Soldier
Join Date: Jul 2008
Posts: 69

OK, not to start this thread over, but I finally have a PC to run "outside" of my router. This will be a test of patience for me for sure. I'm going to set up two or three jails on this PC and only allow connections to this PC inside of the jails. I will be attempting to set up a gateway with a firewall that works basically like a router, allowing only solicited traffic to and from my Linksys router but also limiting connections to this PC with the firewall. This should be fun. My biggest curve will be getting the PC set up as a gateway, getting port forwarding set up (very few ports), and not locking my other computers out of the net. Setting up a gateway sounds like it should be easy?

My first question on this: would it be easiest to set up dhcpd to assign the router an IP address? Is there a better way? Most write-ups I find use dhcpd, but with only one router connecting through the FreeBSD firewall/gateway it doesn't seem necessary to set up dhcpd? I am also finding that the write-ups explain different ways to get the same results, and the routing is leaving me a bit confused. Some seem to use natd:

Code:
# WAN interface: DHCP, assuming your ISP provides you with a dynamic IP address
ifconfig_<WAN nic>="DHCP"
# LAN interface: static address (the write-up used 192.168.1.1)
ifconfig_<LAN nic>="inet XXX.XXX.X.XXX netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.nat"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="<WAN nic>"
natd_flags="-dynamic"
Then one explains it this way.

Code:
The NAT
Next we want to set up Network Address Translation for other devices on our internal network. NAT allows many internal clients to share one internet address.
To do this, we need to add some more lines to /etc/rc.conf:

gateway_enable="YES"
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""

Pretty much like the firewall stuff, but this time the rules are in /etc/ipnat.rules.
NAT is really easy to set up. We want to allow anything on 172.16.0.0/16 to use the internet, so our rule is:

map dc0 172.16.0.0/16 -> dc0/32 portmap tcp/udp auto
map dc0 172.16.0.0/16 -> dc0/32 proxy port ftp ftp/tcp

The first line maps internet access outbound on dc0 to appear from "dc0/32", which is shorthand for "the IP address currently associated with the interface dc0".
The second line will proxy outbound ftp access. This is necessary if you don't want to have to use passive ftp all the time because the ftp protocol sucks.

To get ipnat up and running, do:

# /etc/rc.d/routing start
# /etc/rc.d/ipnat start


At this point, any client on the 172.16.0.0 network which has a netmask of 255.255.0.0 or stricter and 172.16.3.200 as its router should be able to access the internet, with its packets being "mapped" by the NAT setup on the firewall machine.
The Handbook makes it look less complicated, but I'm not sure that I understand it 100%, although it looks a lot simpler and doesn't require natd?


Code:
If we look at the routing table for RouterA we would see something like the following:

% netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif  Expire
default            10.0.0.1           UGS         0    49378    xl0
127.0.0.1          127.0.0.1          UH          0        6    lo0
10.0.0/24          link#1             UC          0        0    xl0
192.168.1/24       link#2             UC          0        0    xl1

With the current routing table RouterA will not be able to reach our Internal Net 2. It does not have a route for 192.168.2.0/24. One way to alleviate this is to manually add the route. The following command would add the Internal Net 2 network to RouterA's routing table using 192.168.1.2 as the next hop:

# route add -net 192.168.2.0/24 192.168.1.2

Now RouterA can reach any hosts on the 192.168.2.0/24 network.
32.2.5.2 Persistent Configuration

The above example is perfect for configuring a static route on a running system. However, one problem is that the routing information will not persist if you reboot your FreeBSD machine. The way to handle the addition of a static route is to put it in your /etc/rc.conf file:

# Add Internal Net 2 as a static route
static_routes="internalnet2"
route_internalnet2="-net 192.168.2.0/24 192.168.1.2"

The static_routes configuration variable is a list of strings separated by a space. Each string refers to a route name. In our above example we only have one string in static_routes. This string is internalnet2. We then add a configuration variable called route_internalnet2 where we put all of the configuration parameters we would give to the route(8) command. For our example above we would have used the command:

# route add -net 192.168.2.0/24 192.168.1.2

so we need "-net 192.168.2.0/24 192.168.1.2".

As said above, we can have more than one string in static_routes. This allows us to create multiple static routes. The following lines show an example of adding static routes for the 192.168.0.0/24 and 192.168.1.0/24 networks on an imaginary router:

static_routes="net1 net2"
route_net1="-net 192.168.0.0/24 192.168.0.1"
route_net2="-net 192.168.1.0/24 192.168.1.1"

Which would be the easiest and correct way to accomplish what I am looking to do? My external IP from my ISP is DHCP. I want to set up my Linksys router with a static IP behind the FreeBSD firewall. The network inside of the Linksys is already set up, so I don't have to worry about that.

Should I post this question in another area of the forum, or start a new thread on it, since it's not 100% related to the original question?

Last edited by neurosis; 7th November 2008 at 09:26 PM.
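The routing-table and static_routes passages quoted from the Handbook above, worked through as an added example (this is not code from the post or from the FreeBSD Handbook). It parses the RouterA `netstat -nr` output, does the longest-prefix lookup the kernel does, shows that 192.168.2.10 falls through to the default route (and so would be sent upstream on xl0) until the static route exists, then reads the `static_routes`/`route_internalnet2` rc.conf lines and applies them the way `/etc/rc.d/routing` hands them to `route add -net`. The sample table and rc.conf text are constructed to match the quoted text; the function and class names are this example's own.

```python
"""Longest-prefix routing lookup over netstat -nr output, plus the rc.conf
static_routes convention. Added example; sample data is constructed to match
the Handbook's RouterA (10.0.0.0/24 on xl0, 192.168.1.0/24 on xl1)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: RouterA's table as quoted from the Handbook.
NETSTAT_OUTPUT = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif  Expire
default            10.0.0.1           UGS         0    49378    xl0
127.0.0.1          127.0.0.1          UH          0        6    lo0
10.0.0/24          link#1             UC          0        0    xl0
192.168.1/24       link#2             UC          0        0    xl1
"""

# Constructed sample: persistent form of `route add -net 192.168.2.0/24 192.168.1.2`.
RC_CONF = """\
# Add Internal Net 2 as a static route
static_routes="internalnet2"
route_internalnet2="-net 192.168.2.0/24 192.168.1.2"
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # next-hop address, or "link#N" for a directly attached net
    netif: str


def _expand_bsd_prefix(dest: str) -> ipaddress.IPv4Network:
    """netstat prints 10.0.0.0/24 as '10.0.0/24' and the default as 'default'."""
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".") + ["0"] * (4 - len(addr.split(".")))
    return ipaddress.IPv4Network(".".join(octets) + "/" + (plen or "32"), strict=False)


def parse_netstat(text: str) -> list[Route]:
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Destination":
            continue  # blank lines, section headers, column header
        try:
            net = _expand_bsd_prefix(parts[0])
        except ValueError:
            continue
        routes.append(Route(net, parts[1], parts[5]))
    return routes


def lookup(routes: list[Route], dest: str) -> Route | None:
    """Longest-prefix match: the most specific route containing dest wins."""
    ip = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if ip in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def next_hop(routes: list[Route], dest: str) -> tuple[str, str]:
    r = lookup(routes, dest)
    if r is None:
        raise ValueError(f"no route to {dest}")
    return (r.gateway, r.netif)


def parse_rc_static_routes(rc_conf: str) -> list[tuple[str, str]]:
    """static_routes="a b" + route_a="-net NET GW" -> [(NET, GW), ...],
    i.e. the arguments rc.d/routing passes to route(8) at boot."""
    vars_ = dict(re.findall(r'^(\w+)="([^"]*)"', rc_conf, re.MULTILINE))
    pairs = []
    for name in vars_.get("static_routes", "").split():
        args = vars_[f"route_{name}"].split()
        if len(args) != 3 or args[0] != "-net":   # only the -net form is modelled here
            raise ValueError(f"unsupported route_{name} arguments: {args}")
        pairs.append((args[1], args[2]))
    return pairs


def add_static_route(routes: list[Route], network: str, gateway: str) -> list[Route]:
    """`route add -net NETWORK GATEWAY`: the gateway must sit on a directly
    attached network, and that network's interface becomes the egress."""
    via = lookup(routes, gateway)
    if via is None or not via.gateway.startswith("link#"):
        raise ValueError(f"gateway {gateway} is not on a directly attached network")
    return routes + [Route(ipaddress.IPv4Network(network), gateway, via.netif)]


if __name__ == "__main__":
    table = parse_netstat(NETSTAT_OUTPUT)
    print("before:", next_hop(table, "192.168.2.10"))   # default route, out xl0
    for net, gw in parse_rc_static_routes(RC_CONF):
        table = add_static_route(table, net, gw)
    print("after: ", next_hop(table, "192.168.2.10"))   # via 192.168.1.2 on xl1
```

The "before" result is the practical point of the Handbook passage: without the static route, traffic for Internal Net 2 is not dropped, it is forwarded to the upstream default gateway on xl0, which is the wrong direction. The same lookup also shows why a gateway box with two interfaces needs nothing beyond `gateway_enable="YES"` to route between its own directly attached networks: those `link#N` entries already exist.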