FreeBSD as Router - The FreeBSD Forums
#1
April 19th, 2012, 00:08
fullauto (Junior Member, Join Date: Mar 2012, Location: Rhode Island)
FreeBSD as Router

Thanks in advance for any help.

I have a GENERIC FreeBSD 9.0 machine (+ options ip_divert) that I would like to use as a router/firewall for my network. I have done ALL the how-tos and the reading associated with this project and have thus far only managed to pull most of my hair out.

Let me explain my wanted network topography:

Code:
                   ::Commercial Cable with static IP::
                                      |
                                      |
          ::FreeBSD router with NATD/IPFW:: (68.15.xxx.xxx[rl0]/192.168.1.1[dc0])
                                      |
                                      |
                                      |
                            ::10/100 8 port switch::
                                      |
                                      |
            -----------------------------------------------------
            :Server 192.168.1.10:   :Wintel/DHCP:   :Wintel/DHCP:
rc.conf
Code:
##################################
# Network Name of Machine
hostname="Bender"

# IP4 address and Netmask
ifconfig_rl0="68.15.62.102 netmask 255.255.255.224"
ifconfig_dc0=" inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
defaultrouter="68.15.62.97"

# Alternate IP4
#ifconfig_rl0="DHCP"
#ifconfig_dc0=" inet 192.168.1.2 netmask 255.255.255.0"
#defaultrouter="192.168.1.1"

firewall_enable="YES"
firewall_type="OPEN"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
ntpd_enable="YES"
ntpd_flags="-g"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

# Added to get X11 working 3-25-12
hald_enable="YES"
dbus_enable="YES"

###############################
#
# Services
sshd_enable="YES"
ftpd_enable="NO"
inetd_enable="NO"
proftpd_enable="NO"
sendmail_enable="NO"
apache22_enable="NO"
qpopper_enable="NO"
named_enable="NO"
Code:
port 8668
interface rl0

# Apache22 HTTPd
redirect_port tcp 192.168.1.10:80 80

# ProFTPd
redirect_port tcp 192.168.1.10:20-21 20-21

# POP3
redirect_port tcp 192.168.1.10:110 110

# SMTPd
redirect_port tcp 192.168.1.10:25 25

file "natd.conf", 15 lines
Code:
ipfw -q -f flush                # delete all rules
#set defaults
oif="rl0"                       # Outbound Interface
iif="dc0"                       # Inbound Interface
cmd="ipfw -q add "              # Build rule prefix

## Start Rules  #####################################

$cmd 00050 divert natd from any to any via $oif
$cmd 00100 allow ip from any to any via lo0
$cmd 00250 allow ip from any to 192.168.1.10 20-21
$cmd 00300 allow ip from any to 192.168.1.10 22
$cmd 00350 allow ip from any to 192.168.1.10 25
#$cmd 00400 allow ip from any to 192.168.1.10 53
$cmd 00450 allow ip from any to 192.168.1.10 80
$cmd 00500 allow ip from any to 192.168.1.10 110
$cmd 35000 allow all from 192.168.1.0 out via $oif

## Last Rule: Deny EVERYTHING that ipfw didn't get already ##
$cmd 65535 deny ip from any to any

file "ipfw.rules", 22 lines
I know I have many errors. Please don't poke too much as I am a novice, but can anyone help me with this? When I hook the FreeBSD[rl0] to the cable modem, and the [dc0] to the switch with the other systems, I cannot get onto the internet from any machine including the router. Another thing: for some reason, the router stops accepting my ssh requests.

I am willing to take this one step at a time, and if anyone out there is willing to give me a hand with this, as well as explain it to me so I don't have to burden this community constantly, I am willing to let someone ssh in.

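An added worked example, not part of the original post: a small first-match evaluator, loaded with a transcription of the ipfw.rules above, shows which rule ends up handling a few constructed packets (the natd divert rule is left out, since it only rewrites addresses and the packet then continues down the list). The packet addresses, the interface names and the with_lan_cidr variant are assumptions made for illustration; the one ipfw detail the example relies on is that a bare address such as 192.168.1.0 matches only that single host, not the /24.

```python
import ipaddress
from collections import namedtuple

# Rule fields mirror the ipfw syntax used in the thread's /etc/ipfw.rules:
# src/dst are "any", a bare host, or a CIDR; dports is None (any) or a set;
# via/direction restrict the interface and the packet's direction (in/out).
Rule = namedtuple("Rule", "num action src dst dports via direction")
Pkt = namedtuple("Pkt", "src dst dport iface direction")

# Transcription of the posted rule set (constructed here for illustration).
# The natd divert rule is omitted: it rewrites addresses and the packet then
# continues down the list, so the rules below see the post-NAT addresses.
POSTED = [
    Rule(100,   "allow", "any", "any", None, "lo0", None),
    Rule(250,   "allow", "any", "192.168.1.10", {20, 21}, None, None),
    Rule(300,   "allow", "any", "192.168.1.10", {22}, None, None),
    Rule(350,   "allow", "any", "192.168.1.10", {25}, None, None),
    Rule(450,   "allow", "any", "192.168.1.10", {80}, None, None),
    Rule(500,   "allow", "any", "192.168.1.10", {110}, None, None),
    # ipfw treats a bare "192.168.1.0" as the single host /32, not the LAN.
    Rule(35000, "allow", "192.168.1.0", "any", None, "rl0", "out"),
    Rule(65535, "deny",  "any", "any", None, None, None),
]

def addr_match(spec, addr):
    """ipfw address semantics: 'any', or an address/CIDR; a bare host is /32."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    return (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)
            and (rule.dports is None or pkt.dport in rule.dports)
            and (rule.via is None or rule.via == pkt.iface)
            and (rule.direction is None or rule.direction == pkt.direction))

def verdict(rules, pkt):
    """First-match evaluation, as ipfw does; rule 65535 is the implicit default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.num, rule.action
    return 65535, "deny"

def with_lan_cidr(rules):
    """Same list with rule 35000 widened to the whole 192.168.1.0/24 (assumed variant)."""
    return [r._replace(src="192.168.1.0/24") if r.num == 35000 else r for r in rules]

if __name__ == "__main__":
    lan_dns = Pkt("192.168.1.20", "8.8.8.8", 53, "rl0", "out")        # LAN client, leaving rl0
    ssh_router = Pkt("192.168.1.20", "192.168.1.1", 22, "dc0", "in")  # ssh to the router itself
    web_in = Pkt("203.0.113.5", "192.168.1.10", 80, "rl0", "in")      # after natd redirect_port
    for name, pkt in [("lan dns", lan_dns), ("ssh router", ssh_router), ("web in", web_in)]:
        print(name, verdict(POSTED, pkt), verdict(with_lan_cidr(POSTED), pkt))
```

The runs show that LAN traffic and ssh to the router's own address both fall through to the final deny with the rules as posted, while the redirected web port is passed straight to the internal host, which is the exposure the next reply warns about.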
#2
April 19th, 2012, 05:38
throAU (Member, Join Date: Jan 2012, Location: Perth, Western Australia)

If you get rid of all your firewall rules (leave it open), can you access the internet from the FreeBSD machine?

Verify basic connectivity first, once you're happy that works (which means your IP addressing scheme, subnet masks, gateways, etc are correct) then get your firewall set up.

What are the goals you are aiming for with this setup? (e.g., I need server A to access the internet, and incoming requests to port 80 to hit it, etc.)

Also: rather than just passing ports straight through to your internal hosts, you are better off setting up some sort of inspection/sanity checking via a local daemon on your FreeBSD box as appropriate. If you just pass the port through, you're opening a hole directly to the internal host for the internal host's service to be potentially exploited.
#3
April 19th, 2012, 08:47
aa (Junior Member, Join Date: Mar 2012)

If that DHCP for rl0 was already working, stick to it, or put the modem in router mode and use PPPoE. Either way, you cannot manually set rl0; it won't work.

#4
April 19th, 2012, 10:19
fluca1978 (Member, Join Date: May 2010)

I would check, as already suggested, the basic connectivity of the FreeBSD machine before and after having loaded the firewall rules. Is the router able to ping both the default gateway and the server? From which side are you not able to SSH into the router?

And a couple of hints:
1) If your aim is to use a free firewall solution, I would suggest you take a look at pfSense, which is based on FreeBSD and simplifies a lot of tasks.
2) Hiding your public IPs in the diagram and exposing them via rc.conf is probably not the information hiding you wanted.