Internet sharing question...

Hi,
I have the following topology.

1. A modem(192.168.1.1) which supports DHCP and NAT with one ethernet port
2. A pc with 2 network cards(rl0 and re0) one of which is connected to the modem(re0)
3. Another pc with 1 network card(eth0) which is connected to the unused NIC(rl0) of the pc earlier specified.

I was guessing that if I could make all traffic from re0 go to rl0 and vice versa (like a hub), I could share internet between the two PCs.

Is my assumption valid? If so, what PF rules will be required? (I am completely new to PF, btw.)
 
Well, I see two possibilities here:

0. Modem with NAT > Switch > Computers
1. Modem in bridge mode > Computer0 with NAT > Computer1

NB! This Computer0 cannot run Microsoft operating systems because it is exposed to the internet.
 
Could you also tell how to set up NAT pf rules?

This is the rule that I am using
Code:
nat on re0 from rl0:network to any -> re0
re0 is the external interface and rl0 is the internal interface.

I have also set net.inet.ip.forwarding to 1

This apparently doesn't work for me. Am I missing any other configuration (esp. browser)?
 
Post your entire pf.conf. Also, are the two PCs connected using a cross-cable?
 
My pf.conf file:
Code:
nat on re0 from rl0:network to any -> re0
block in all
pass out all keep state

Yes, my PCs are connected with a cross-cable.
 
You do understand that traffic from your internal PC comes in on rl0?

Add

Code:
set skip on lo0
set skip on rl0

and add re0 to the block/pass rules.

Always specify rules per interface, or make interfaces exempt from blocking (like you should almost always do with the loopback interface).
 
I don't know much about PF; I am only learning it now. Can you please write a pf.conf file for me and also explain what every rule is expected to do... that is, only if you have time to do so...
 
Hi,

Thank you for the link. It was very useful. Also I went through `man pf.conf`, which was quite good. But I am still facing problems...

I changed my pf.conf file and now it looks like
Code:
ext_if = "re0"
int_if = "rl0"
nat_ip = "192.168.1.5"
localnet = "rl0:network"

nat on $int_if from $localnet to any -> $nat_ip

Now if I ping from my PC-2 to the ext_if IP, even that is not working. My internal network is in the 172.31 subnet.

I have also added this to my routing table configuration.
Code:
route add 192.168.1.5/32 rl0

I tried tcpdump on re0 and it is not receiving any packet.
 
Did you add pass rules for your interfaces? Did you set skip on lo0? Is IP-forwarding on? Did you define a default gateway?
 
This is my PC-1 Configuration

Code:
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Code:
# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGS         5    10542    re0
127.0.0.1          link#3             UH          0       16    lo0
172.31.0.0/16      link#2             U           0        9    rl0
172.31.113.78      link#2             UHS         0        0    lo0
192.168.1.0/24     link#1             U           0      411    re0
192.168.1.2        link#1             UHS         0        0    lo0

Code:
# ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:19:d1:85:be:29
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:e0:4d:07:a4:9d
        inet 172.31.113.78 netmask 0xffff0000 broadcast 172.31.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200


Pf.conf file
Code:
int_if = "rl0"
nat_ip = "192.168.1.5/32"
nat on $int_if from $localnet to any -> $nat_ip

Pc-2
Code:
ip route add default via 172.31.113.78
which is rl0 on PC-1

I don't understand... what pass rules do you mean? I am assuming that after the packets pass through the NAT on rl0 they will be automatically routed outside via re0 (ext_if).
Similarly, all packets destined to 192.168.1.5 (the NAT IP) will be routed properly.
 
Ok, try the following:

In /etc/rc.conf:
Code:
defaultrouter="192.168.1.1"
gateway_enable="YES"
ifconfig_re0="192.168.1.2/24"
ifconfig_rl0="172.31.113.78/16"
(are you sure you have a /16 on the network behind the router?)

In /etc/pf.conf:
Code:
ext_if="re0"
int_net="172.31.0.0/16"
nat on $ext_if from $int_net to any -> $ext_if

Avoid all the 'route' statements, you don't need them. Traffic between the directly connected networks is handled by IP-forwarding and NAT.

Check with `pfctl -s nat`, and to make sure: `pfctl -s rules` shouldn't turn up anything.
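The reply above deliberately keeps pf.conf to a single nat rule so that nothing else can get in the way. Once that works, the next step is the filtering that earlier posts asked for (skip lo0, rules per interface, state on the external side). The file below is an added example, not one posted in this thread; it combines those pieces for the addresses shown in the poster's ifconfig output (re0 192.168.1.2/24 toward the modem, rl0 172.31.113.78/16 toward PC-2) and uses the same legacy nat/rdr syntax the thread uses. The choice to leave the internal LAN unfiltered is an assumption that PC-2 is trusted.

```pf
# /etc/pf.conf - NAT gateway with basic filtering (added example).
# Assumes re0 faces the modem (192.168.1.0/24) and rl0 faces PC-2 (172.31.0.0/16).
ext_if  = "re0"
int_if  = "rl0"
int_net = "172.31.0.0/16"

# Never filter loopback. The internal LAN is trusted here, so skip it as well;
# everything from rl0 then reaches the routing code and is filtered only on re0.
set skip on lo0
set skip on $int_if

# Many-to-one NAT: every packet from 172.31/16 leaving toward the modem gets
# re0's address as source. The parentheses make pf re-read re0's address if the
# modem's DHCP server ever hands the box a different one.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny on the external interface, logged to pflog0 for tcpdump -i pflog0.
block in log on $ext_if

# Let the gateway itself and the NAT'ed clients go out; the state entry created
# here is what admits the replies back in despite the block rule above.
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`; `pfctl -s nat` should show the translation rule, `pfctl -s rules` the two filter rules, and `pfctl -s state` a state entry for each connection PC-2 opens. IP forwarding still has to be on (`sysctl net.inet.ip.forwarding=1`, persistently via `gateway_enable="YES"` as in the rc.conf above); pf translates but does not forward.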
 
An alternative would be to drop NAT on the FreeBSD box and add the 172.31 network to the modem's routing table, with a default route to 192.168.1.2. I don't know if that modem supports that kind of operation. One normally doesn't use NAT to translate an RFC1918 network to another RFC1918 network, only from an RFC1918 network to a public IP address (which the modem already does).
 
Can you browse by IP? Try http://74.125.77.104/ (one of Google's). If you can't force Firefox online, you may try a reboot. I've seen strange things on Linuces when altering network settings on the fly.
 
It is working fine now. Even though the LAN connection was up, Firefox seems to have thought it was down. I unchecked the "Work Offline" checkbox and things are fine :). Thanks once again.
 
While the configuration that you have given works perfectly fine, can you tell me why the following pf.conf is not working for me?

Code:
ext_if="re0"
int_if="rl0"
int_net="172.31.0.0/16"
madan = "172.31.113.80"
madan_ex = "192.168.1.5"

#nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if from $madan  -> $madan_ex
rdr on $ext_if to $madan_ex -> $madan

If I remove the rdr rules and uncomment the nat rule then things are fine.

With the rdr rules, ping to ext_if works but ping 192.168.1.1 (my modem) does not work.
 
I found that my modem is sending ARP requests for 192.168.1.5 to ext_if and PC-1 did not have any corresponding entry in its ARP cache. So I created an ARP entry on PC-1 with IP 192.168.1.5 and the same MAC as ext_if.
Still I am not able to access the internet from PC-2.
 
Without a NAT rule only the directly connected IP address (192.168.1.2) is reachable. Anything beyond that (192.168.1.1, 192.168.1.5, etc.) has no routing back to the 172.31 network -- it has no knowledge of its existence and how to route traffic to it, so it will reject packets from that network.

Because NAT translates all traffic from the 172.31 network to 192.168.1.2 before it gets sent to the 192.168.1 network, all hosts on the 192.168.1 network will be able to reply to it, simply by replying back to 192.168.1.2 which NAT's it back to 172.31 using the state table.

Your rdr on the external interface will not work, because either NAT will have translated the IP addresses to 192.168.1.2 (so $madan becomes meaningless, because 172.31.113.80 will not arrive with that IP address on the external interface, it's translated first), or the 192.168.1.5 host will get un-NAT'ed traffic from 172.31 -- and there's no route back, as stated in the first paragraph (172.31.113.80 -> 192.168.1.5 (who?! can't route back!)).

You can try the rdr on the internal interface, so NAT will take care of the rest (172.31.113.80 <-> NAT <-> 192.168.1.2 <-> 192.168.1.5)

I don't think your second rdr rule can work at all, because 192.168.1.5 is not an IP address on that interface, so the rule will never 'take'.

I really think you should look into possibilities to add 172.31.0.0/16 to the routing table of the modem, in order to make that entire network available behind a single gateway address (192.168.1.2 would be its default gateway in this case). That would cut out the entire unnecessary NAT layer.

Even bridging the public IP address to the FreeBSD host and turning that into a router for all of the networks (with or without an extra NIC) would be a step forward and reduce complexity enormously.

If you stick with NAT, read up on it so you understand how it works and especially when the address translation takes place (i.e. before the packets reach the filtering and redirection rules for the interface where NAT happens).

Also reading up on routing basics is probably advisable. To get two different networks to interact you need either NAT (public/private interaction) or static routing (private/private, public/public interaction). The only way two IP addresses from two different networks can interact without routing or NAT is when they're directly connected (like on your two interfaces).
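What the rdr pair in the earlier post was trying to express is a fixed one-to-one mapping: PC-2 should always appear on the modem side as 192.168.1.5, and anything the modem side sends to 192.168.1.5 should reach PC-2. That is not a job for rdr; pf's `binat` rule does exactly this in both directions. The file below is an added example, not from any poster in this thread, using the poster's own macros ($madan, $madan_ex) and addresses. It also fixes the ARP symptom reported above: the FreeBSD box only answers ARP for 192.168.1.5 if that address is configured on re0, so an alias is added in rc.conf rather than a manual ARP entry. It assumes the modem treats 192.168.1.5 as just another LAN host, which is all a binat needs.

```pf
# /etc/pf.conf - 1:1 mapping for one host plus many-to-one NAT for the rest
# (added example). Legacy nat/rdr/binat syntax as used in this thread.
ext_if   = "re0"
int_if   = "rl0"
int_net  = "172.31.0.0/16"
madan    = "172.31.113.80"   # PC-2 on the internal LAN
madan_ex = "192.168.1.5"     # the address PC-2 should have on the modem's LAN

set skip on lo0
set skip on $int_if

# Bidirectional 1:1 translation: outbound, packets from 172.31.113.80 leave re0
# with source 192.168.1.5; inbound, packets for 192.168.1.5 are delivered to
# 172.31.113.80. Listed before the general nat rule so the specific mapping
# is the one that applies to this host.
binat on $ext_if from $madan to any -> $madan_ex

# Every other internal host still hides behind re0's own address.
nat on $ext_if from $int_net to any -> ($ext_if)

block in log on $ext_if
pass out on $ext_if keep state

# Filter rules see addresses after translation, so inbound traffic for
# 192.168.1.5 shows up here with destination 172.31.113.80. Without a pass
# rule it is translated and then dropped by the block above; open only what
# PC-2 should actually expose, e.g. ssh:
pass in on $ext_if proto tcp from any to $madan port 22 keep state

# Required in /etc/rc.conf so re0 answers the modem's ARP for 192.168.1.5
# (a manual ARP entry on PC-1 does not do this):
#   ifconfig_re0_alias0="inet 192.168.1.5 netmask 255.255.255.255"
```

After loading, `pfctl -s nat` lists the binat rule as two entries (one per direction), and `tcpdump -ni re0 arp` should now show the box replying to the modem's who-has for 192.168.1.5. Note that this still gives 172.31.113.80 no route from the modem's point of view; it only makes PC-2 reachable under its external identity, which is what the ARP-entry experiment above was reaching for.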
 