DaemonForums  

#1
12th July 2013
Sonya
Real Name: Sonya Fox
New User
Join Date: Jan 2009
Posts: 8
Thanked 0 Times in 0 Posts
Help me setup my new router

So I've just put together a new router and I'm having a little trouble getting the packets going where I want them. The machine is running FreeBSD 9.01, and current versions of BIND, ISC's DHCP server and PF. Here's my setup:

INTERNAL SWITCH<---->[re1=10.0.0.1 FreeBSD Machine re0=184.111.12.14]<---->INTERNET

After following the (outdated) guide "Build a Home-Office Router Using FreeBSD and PF" to the letter, I'm still having problems. The DHCP server is giving my LAN computers addresses, and they can talk to each other and the FreeBSD machine, and the FreeBSD machine can access the internet, but none of the LAN computers can get to the internet through the FreeBSD machine. I know I've screwed up the routing somehow, but I didn't want to change anything until I've consulted the experts.
#2
12th July 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,435
Thanked 214 Times in 189 Posts

I'm no expert on FreeBSD, as I don't use it, but the first thing I'd do is ensure that packet forwarding is enabled. Without it, your FreeBSD machine will not act as a router.

If you've confirmed you have that enabled, post your pf.conf here. But don't do that until you've edited your post above to hide your actual Internet address. There's no need to post that, and it might lead to an attack if you have misconfigured PF.
#3
14th July 2013
Sonya
Real Name: Sonya Fox
New User
Join Date: Jan 2009
Posts: 8
Thanked 0 Times in 0 Posts

I used the pf.conf from the article (it wouldn't let me link to that before for some reason); here it is with my modifications.
Code:
### macros
# internal and external interfaces (run 'ifconfig' to find interfaces)
int_if = "re1"
ext_if = "re0"

# Allow Telnet, web, etc...
tcp_services = "{ 22, 23, 25, 80 }"

# ping requests
icmp_types = "echoreq"

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### options
set block-policy return
set loginterface $ext_if
set skip on lo0

### Scrub
# From the PF user's guide (http://www.openbsd.org/faq/pf/index.html):
# "Scrubbing" is the normalization of packets so there are no ambiguities in
# interpretation by the ultimate destination of the packet. The scrub directive
# also reassembles fragmented packets, protecting some operating systems from
# some forms of attack, and drops TCP packets that have invalid flag
# combinations.
scrub in all

### nat/rdr
# NAT traffic from internal network to external network through external
# interface
nat on $ext_if from $int_if:network to any -> ($ext_if)

### filter rules
block all

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# allow access to tcp_services on external interface
# (one rule per line: pf.conf does not continue a rule across a bare newline)
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# allow in FTP control port
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
Side note, that's not my real IP address - I just made one up off the top of my head. re0 and re1 are the network interfaces.
#4
14th July 2013
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,116
Thanked 182 Times in 149 Posts

Do you have this in your /etc/pf.conf?
Code:
gateway_enable="yes"
This is needed to tell FreeBSD to forward packets between the network interfaces.

You can check this setting with
Code:
# sysctl -a | grep forward

kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 0
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0
net.wlan.hwmp.replyforward: 1
The net.inet.ip.forwarding setting is "0" here. It needs to be "1".
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#5
14th July 2013
Sonya
Real Name: Sonya Fox
New User
Join Date: Jan 2009
Posts: 8
Thanked 0 Times in 0 Posts

Here we go, I've got some more dox for you:
I do have net.inet.ip.forwarding: 1

Here's my rc.conf:
Code:
hostname="Mainframe"
ifconfig_re0="DHCP"
ifconfig_re1="inet 10.0.0.1 netmask 255.255.255.0"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
dhcpd_enable="YES"
named_enable="YES"
inetd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
Here's the output of ifconfig:
Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether 00:e0:4c:68:10:eb
	inet 184.13.1.104 netmask 0xffffff00 broadcast 184.13.1.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
	ether bc:5f:f4:49:35:49
	inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
pflog0: flags=0<> metric 0 mtu 33152
pfsync0: flags=0<> metric 0 mtu 1500
	syncpeer: 0.0.0.0 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet 127.0.0.1 netmask 0xff000000
Here's my routing table (netstat -rn)
Code:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            184.13.1.111       UGS         0       62    re0
10.0.0.0/24        link#7             U           0       10    re1
10.0.0.1           link#7             UHS         0        0    lo0
127.0.0.1          link#12            UH          0        0    lo0
184.13.1.0/24      link#1             U           0        8    re0
184.13.1.128       link#1             UHS         0        0    lo0
And finally, here's the output of ipconfig of a machine connected to re1:
Code:
Windows IP Configuration


Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . :
    IP Address. . . . . . . . . . . . : 10.0.0.187
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.0.0.1
I pretty much followed that guide right to the letter on a pristine install, I did exactly what they did and nothing else.
#6
14th July 2013
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,116
Thanked 182 Times in 149 Posts

It could be DNS.

On the Windows machine can you ping yahoo.com by address?
Code:
c:\Users\j65nko> ping -n2 87.248.112.181
Can you do DNS lookups on the Windows machine?

Code:
nslookup www.yahoo.com
BTW the output of ipconfig /all would have been better. That shows all relevant settings, including DNS server etc.
#7
14th July 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,435
Thanked 214 Times in 189 Posts

Quote:
I just made one up off the top of my head
You're not a FrontierNet customer?

Looking at your pf.conf, I can't help but wonder if PF has failed to load it, due to syntax errors. You haven't mentioned which release of FreeBSD you are using, and FreeBSD has used varying versions of PF, each with varying syntax. Following a 2006-era "howto" might have been a disservice.

# pfctl -sr will show you what rules are currently loaded. If the default rules are loaded instead of your pf.conf, then you'll know this is the reason. You can test your rules: # pfctl -nf /etc/pf.conf will do a syntax check. No output = good.

If your rules are syntactically correct, the next step would be to check to see which rules are being applied to your traffic. You do this by adding the log option to your block and pass rules and then monitoring the logged traffic on the pflog0 device with tcpdump(1).
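
The checks the thread has walked through so far (packet forwarding on, a NAT rule for the LAN, the rules actually loaded, the routing table) can be done offline against pasted output before anyone starts editing config. The script below is an added example and not code from the thread or from the article Sonya followed. Its sample texts are constructed from the outputs posted above (the sysctl listing in #4, the pf.conf in #3, the ifconfig and netstat -rn in #5); the interface names re0/re1 are the thread's, the function names, the macro handling and the host-route comparison are my own assumptions. One caveat for the last check: the poster said she altered the public address by hand, so a mismatch between ifconfig and the routing table in pasted text says nothing about the real machine; the check only means something when run on output captured in one go.

```python
# Offline sanity checks for a FreeBSD/PF router over pasted command output.
# Added example, not code from the thread; sample texts are constructed from
# the outputs posted in the thread. Names beyond re0/re1 are assumptions.
import ipaddress
import re

SYSCTL_OUT = """kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 0
net.inet6.ip6.forwarding: 0
"""
PF_CONF = """int_if = "re1"
ext_if = "re0"
nat on $ext_if from $int_if:network to any -> ($ext_if)
block all
"""
IFCONFIG_OUT = """re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 184.13.1.104 netmask 0xffffff00 broadcast 184.13.1.255
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
"""
NETSTAT_OUT = """Destination        Gateway            Flags    Refs      Use  Netif Expire
default            184.13.1.111       UGS         0       62    re0
10.0.0.0/24        link#7             U           0       10    re1
10.0.0.1           link#7             UHS         0        0    lo0
184.13.1.0/24      link#1             U           0        8    re0
184.13.1.128       link#1             UHS         0        0    lo0
"""


def forwarding_enabled(sysctl_text):
    """True when net.inet.ip.forwarding is 1 (what gateway_enable="YES" sets)."""
    for line in sysctl_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "net.inet.ip.forwarding":
            return value.strip() == "1"
    return False


def expand(token, macros):
    """Resolve a $macro token, drop parentheses, split off a :network suffix."""
    name, _, suffix = token.strip("()").partition(":")
    if name.startswith("$"):
        name = macros.get(name[1:], name)
    return name, suffix


def nat_rule(pf_text, int_if, ext_if):
    """True when some rule NATs int_if's network out through ext_if."""
    macros = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', pf_text, re.M))
    for p in (line.split() for line in pf_text.splitlines()):
        if len(p) < 9 or p[:2] != ["nat", "on"] or p[3] != "from" or "->" not in p:
            continue
        on_if, _ = expand(p[2], macros)
        src_if, suffix = expand(p[4], macros)
        via_if, _ = expand(p[p.index("->") + 1], macros)
        if (on_if, src_if, suffix, via_if) == (ext_if, int_if, "network", ext_if):
            return True
    return False


def interfaces(ifconfig_text):
    """Map interface name -> IPv4Interface from `ifconfig` output (hex netmasks)."""
    result, current = {}, None
    for line in ifconfig_text.splitlines():
        if line and not line[0].isspace():
            current = line.split(":")[0]
        m = re.search(r"inet (\S+) netmask (0x[0-9a-fA-F]+)", line)
        if m and current:
            prefix = bin(int(m.group(2), 16)).count("1")
            result[current] = ipaddress.IPv4Interface((m.group(1), prefix))
    return result


def routes(netstat_text):
    """List (destination, gateway, flags, netif) rows from `netstat -rn`."""
    rows = [ln.split() for ln in netstat_text.splitlines()]
    return [(r[0], r[1], r[2], r[5]) for r in rows if len(r) >= 6 and r[0] != "Destination"]


def check_router(sysctl_text, pf_text, ifconfig_text, netstat_text, int_if, ext_if):
    """Return {check: (passed, detail)} for the checks the thread walks through."""
    ifs, rt = interfaces(ifconfig_text), routes(netstat_text)
    default = [r for r in rt if r[0] == "default"]
    # The default gateway must be on-link via the external interface.
    gw = ipaddress.IPv4Address(default[0][1]) if default else None
    gw_ok = gw is not None and ext_if in ifs and default[0][3] == ext_if and gw in ifs[ext_if].network
    # The kernel keeps a host route (UHS via lo0) for each interface address;
    # when it disagrees with ifconfig, the two outputs are not from one state.
    host_entries = sorted(r[0] for r in rt if "H" in r[2] and r[3] == "lo0")
    ext_addr = str(ifs[ext_if].ip) if ext_if in ifs else None
    return {
        "forwarding": (forwarding_enabled(sysctl_text), "net.inet.ip.forwarding must be 1"),
        "nat": (nat_rule(pf_text, int_if, ext_if), "nat on %s from %s:network" % (ext_if, int_if)),
        "default_route": (gw_ok, "default route %s" % (default[0] if default else "missing",)),
        "host_route": (ext_addr in host_entries, "ifconfig %s vs host routes %s" % (ext_addr, host_entries)),
    }


if __name__ == "__main__":
    for name, (ok, detail) in check_router(SYSCTL_OUT, PF_CONF, IFCONFIG_OUT, NETSTAT_OUT, "re1", "re0").items():
        print("%-14s %s  %s" % (name, "ok" if ok else "FAIL", detail))
```

On the constructed samples the forwarding check fails (the #4 listing shows 0), the NAT rule and the default route pass, and the host-route check fails because the pasted table carries 184.13.1.128 where ifconfig shows .104; on a real box you would feed it `sysctl -a`, `pfctl -sr` (the loaded rules rather than the file, as jggimi suggests), `ifconfig` and `netstat -rn` captured at the same moment.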
#8
14th July 2013
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,435
Thanked 214 Times in 189 Posts

Quote:
Originally Posted by J65nko View Post
It could be DNS.
Good point.
#9
16th July 2013
gpatrick
Shell Scout
Join Date: Nov 2009
Posts: 103
Thanked 0 Times in 0 Posts

The kernel module may not be loaded.
Code:
# kldload pf
Then
Code:
# /etc/rc.d/pf start
You can check if it loaded
Code:
# kldstat