Trying to connect networks and local servers through routing

I'm trying to connect LAN networks to servers. When I ran ftpd from the same IP range, connecting it to a network for other devices, I could access them from these devices. But when I put ftpd on a different range, I couldn't route them, despite following the instructions.

I installed net/dhcpd and edited /usr/local/etc/dhcpd.conf:
Code:
option subnet-mask 255.255.255.224;
default-lease-time 600;
max-lease-time 7200

subnet 172.16.1.3 netmask 255.255.255.254 {
    range 172.16.1.3 172.0.1.29;
    option broadcast-address 10.0.0.255;
}
# this is so my devices like phones can automatically connect
172.16.1.1 was left off, because this is the static IP address of the hostap on the wlan0 connection. For some reason, 172.16.1.2 didn't work with dhcpd. The IPs 172.16.1.30 and 172.16.0.1 are also set as static in /etc/hosts and /etc/rc.conf.
I didn't add the IPs from my computer to my ISP router in dhcpd.conf, because that's taken care of. It seems that this is for devices which don't have DHCP, i.e. the devices/phones.

For the wifi and ftp server, /etc/rc.conf:
Code:
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="inet 172.16.0.x/8 ssid ..."
ifconfig_wlan0_alias="inet 172.16.1.1/12"
ftpd_enable="YES"
ftpd_flags="-A -D -l -a 172.16.1.1"

Tried adding a route from the ftp server at 172.16.0.1, to 172.16.1.3. /etc/rc.conf:
Code:
static_routes="ftp2devices"
route_ftp2devices="-net 172.16.0.1 172.16.1.3"
This, and varying combinations of it, haven't worked for me.

When I put the ftp server, wlan inet, and dhcp address on the same IP block, I can access ftp from my device. However, I need to learn how to route, by putting the ftp server on a different IP range. I'll need to route from behind my computer to the Internet. I've done a bridge from FreeBSD allowing it to work as a wifi access point, using IPs from my ISP modem, though I haven't been able to bridge the ftp server to anything else. dhcpd allowed me to use my devices to access the ftp server on my computer without bridging, when before, I couldn't do that.

Other issues, which aren't as important, as functionality of the above is needed first. One is that I can't use what I set in /etc/hosts and /etc/networks from my phone to access the ftp server, when it is on the same IP range as the ftp server; however, it can be used from the command line. The other issue is, when I set the namespace of the IP range starting in 172 or anything else in /etc/networks, it doesn't show up in netstat -i4. It only works when I set the first digits of the IP range starting in 10 to match the network.

In /etc/networks, the following don't work (don't show up in netstat -i4):
Code:
private 172
private 172.16
private 172.16.0 # or any other number
Only private 10 works, for the 10.0.0.0 IP block. No other combination seems to work, including private 10.0. For basic use from the computer, the naming in hosts works. Maybe it depends on what I set my wlan0 to? Can I set multiple wlans for multiple hostap access points?

As for DNS, I'd rather use hosts and networks, with the unbound that comes with the base system. I see how nsswitch.conf allows choosing between files and dns for resolving names. If I have to fall back to DNS, I'll use dns/nsd with the tools of dns/dnsutl.

I'm trying to set up a LAN behind my BSD computer, in a layout like:
  • ISP modem
    • wifi connections
    • possible wired connections
    • FreeBSD computer
      • ftp server
      • hostap wifi dhcp connections to phones/devices
 
Code:
option subnet-mask 255.255.255.224;
subnet 172.16.1.3 netmask 255.255.255.254 
option broadcast-address 10.0.0.255;
For some reason, 172.16.1.2 didn't work with dhcpd.
Code:
ifconfig_wlan0="inet 172.16.0.x/8 ssid ..."
ifconfig_wlan0_alias="inet 172.16.1.1/12"
Try to understand how subnetting works. I often used this tool to see which addresses are in a given subnet. There are some tools in ports which help calculate subnets, for example net_mgmt/cidr or net_mgmt/netmask.
 
There are some tools in ports which help calculate subnets, for example net_mgmt/cidr or net_mgmt/netmask.
In the above, I made a mistake; I meant to put the netmask of /12, as that's what's in /etc/hosts. netmask(1) gives me /32 for everything I've typed so far. I haven't gotten the hang of cidr. Though, either way, any netmask I had above was incorrect.

That helped with progress. With that, the netmask and IP address had to match across hosts, network, and the set alias in rc.conf. 172.16 has a different netmask than 172, and the private range starts from 172.16. The website helps with proper netmasks. It helps, that these can be set in the alias in rc.conf, hosts and networks for testing, without connecting a server to them. With netstat -ir4, the proper namespace domain name shows up.

To be clear, the netmask of 172.16.0.0 is /16, which is a different netmask than that of 172.0.0.0. In private networks, this is represented as 172.16. The netmask of 10.0.0.0 is /8. In networks, this is represented as 10. These netmasks and IPs must match the alias, names and ranges in rc.conf and hosts.

dhcpd
With dhcpd turned on, dhclient must be turned off in rc.conf, otherwise, it will give a fatal error. dhcpd isn't supposed to manage the uplink to the ISP modem. It will say, "Can't listen on", which is ok for the link to the ISP modem, managed by that modem.

In the above example, I made a mistake in /usr/local/etc/dhcpd.conf, for net/dhcpd. It should be:
Code:
option subnet-mask 255.255.255.224;
default-lease-time 600;
max-lease-time 7200

subnet 172.16.1.3 netmask 255.255.255.254 {
   range 172.16.1.3 172.16.1.29;
   option broadcast-address 10.0.0.255;}
Correction:
option broadcast-address 172.16.0.254;}
This range is so my devices like phones can automatically connect: this range doesn't include static IP's.

DNS naming
Now, I understand why my devices don't pick up what I have in networks and in hosts. It's because, when I had my ftp server between my computer and ISP modem, the modem set the namespace with DNS records, plus the computer's hostname and alias. With my ftp server behind my FreeBSD computer this time, I didn't set it with DNS (instead with hosts and networks), so it works from the command line, but not from my DHCP connected devices. So, from my DHCP connected devices, I must use the IP address.

/etc/nsswitch.conf sets the priority whether to use files or DNS for hosts and networks. dns/dnsutl is a tool to make a zone file out of hosts and networks. If I use DNS, I'll go with dns/nsd.

It's ok for unbound(8) to be on.

Firewall
I must allow services to pass through, until I determine the names of those devices to allow through the firewall.

to routing
I'll simplify my setup, and put the alias with ftp server, wlan connection and dynamic IP range on the same block. Static IP's in alias and the main wlan connection aren't included in /usr/local/etc/dhcpd.conf.

Though, whatever I've put for a route in rc.conf, I haven't gotten a route. From online, it looks like, to add a route to make the FreeBSD computer allow connections from both sides of the computer.

I'll keep trying to see if putting in the proper route is the answer. I've gotten a bridge to successfully work from my DHCP devices to the ISP router, though it issues the IP's of the ISP router. I've never gotten a bridge to work from the alias IP which the ftp server to the DHCP connected devices, but I don't know if that's possible to do.
 
Not sure if I ever touched net/dhcpd, but I am quite sure that this combination is absolute nonsense:
Code:
option subnet-mask 255.255.255.224;
subnet 172.16.1.3 netmask 255.255.255.254 {
    option broadcast-address 10.0.0.255;
}
Removed lines may be correct.

There are no netmasks in /etc/hosts and you can ignore /etc/networks.

This may nudge you in the right direction https://forums.freebsd.org/threads/freebsd-subnetting-help.79194/#post-498068
 
I made a mistake in the example I posted. The broadcast should be of the same subnet to be correct.

I meant that for what relates to hosts and networks, the alias prefix mask from rc.conf has to match. Though, adding it correctly to networks makes the network name show up with netstat -ir4. The arguments in networks aren't needed, but are nice to have.


I need to figure out routing, or allowing devices behind my FreeBSD computer to use the Internet now. As now, they're able to access my ftp server, but that's all.
 
In this, do I set my FreeBSD machine or my ISP modem as the gateway route path? I tried both, and neither worked. When I changed these settings, both settings showed on my device. My device still can use servers from my computer, but still can't access the Internet. I'm not asking about the IP for defaultrouter, because I know that's the IP of my ISP modem.

/etc/rc.conf:
Code:
defaultrouter="192.168.1.254" # this is for my computer, not subnet
ifconfig_re0_alias2="inet 192.168.1.200" # static IP between ISP modem & computer
static_routes="sn2int"
route_sn2int="-net 172.16.0.0 192.168.1.254"
or
route_sn2int="-net 172.16.0.0 192.168.1.200"
From reading, the IP after -net is the IP range, and the IP on the right is the gateway. In the alias above, there are other aliases, as they're all in consecutive order starting from 0.

Then for /usr/local/etc/dhcpd.conf, under my subnet setting:
option routers ;
Which IP goes in there? The one of my ISP modem, or the wired ethernet alias of my BSD machine? The one I set shows up on my device, but no Internet from it.

I also dropped my firewall to try these settings.

Similar thread, Thread cannot-route-between-two-interfaces.94011.
 
Do you have access to the configuration of your ISP router?
Yes. Also, it's using DHCP.

Also, forgot to mention, I see why my ISP modem isn't using DNS for one of its subnets, so it's no longer setting up my DNS hostname and network domain address like it used to. It's only using DNS for one of its subnet networks, and not for the one between it and my computer. That's not needed though. As long as what's behind my BSD computer does the job for its subnets.
 
Yes, every SOHO router uses DHCP to configure the IP addresses of the clients in the LAN. In a big corporate network this service (DHCP) is provided by servers.

What is your current network topology, can you draw a picture of it and what is your final goal?
 
What is your current network topology, can you draw a picture of it and what is your final goal?
To set up a LAN behind my BSD computer, in a layout like:
  • ISP modem
    • wifi connections
    • possible wired connections
    • FreeBSD computer
      • ftp server
      • hostap wifi dhcp connections to phones/devices
For my devices on DHCPD using FreeBSD's hostap to access the Internet through the modem.

In this setup, I'll simplify parts from earlier in this thread. In parts changing what I've had above:

/etc/rc.conf:
Code:
ifconfig_wlan0="inet 172.16.1.1/16 ssid ..."
ifconfig_wlan0_alias0="inet 172.16.1.2/16"
ifconfig_re0_alias1="inet 192.168.x.x"
ftpd_enable="YES"
ftpd_flags="-A -D -l -a 172.16.1.2"
static_routes="sn2int"
route_sn2int="-net 172.16.1.0 [route]"
A question for route, can the network interface like re0 be used there, instead of an IP address?
/usr/local/etc/dhcpd.conf:
Code:
subnet 172.16.1.0 netmask 255.255.0.0 {
  range 172.16.1.3 172.16.1.29;
  option broadcast-address 172.16.1.255;
  option routers [?];}
I looked if I could set the interface to option routers, but it looks like this can't be done. This would need to be the same IP as for the route example for sn2int in rc.conf.

So, it seems that I need to set my FreeBSD box as a route gateway, independent of the upstream gateway of my modem. Alias could be tried, however, it seems this would require my ISP modem, to have this set statically, or will it pick up an IP outside of the DHCP range?

Maybe, this is what is left, to figure out which IP route to use, statically from my BSD machine to my ISP gateway. In this thread, I've used the term gateway for both my ISP modem, and potentially for the interface on my BSD box wired to the ISP modem.

My ISP modem uses DHCP, and when I use dhcpd.conf, it must be limited to one connection, which can be changed. Maybe, dhcpd.conf isn't the answer, unless it can select one IP from a range of DHCP, without causing an error. Or, I must set a static alias from my ISP modem.

Maybe, the answer is a range of IP's to be used from routing in rc.conf, maybe a network interface, but not from dhcpd.conf? As my computer is already taken care of for dhcp as a client to the ISP modem. However, turning on background_dhclient="YES" in rc.conf, breaks dhcpd functionality from my wired interface to my ISP modem. But option routers in dhcpd.conf needs an IP address, maybe that one uses my ISP gateway instead?


Those were my first thoughts about the route. In rc.conf(5), there's iface, which can be set for background_dhclient, and for the static route in rc.conf! It's important that dhclient isn't set for the dhcpd subnet, in my case for wlan0, or dhcpd won't start.
Code:
background_dhclient_re0="YES"
static_routes="sn2int"
route_sn2int="inet 172.16.1.0 -iface re0"
For my dhcpd.conf, I'll experiment with setting option routers to my ISP gateway.

An interesting error, is that when nsswitch.conf for networks is set to dns, and when a mistake is made in networks for the 172.16 IP range, it picks up a leaked domain resolution, which can be found as so in an Internet search.
 
Regarding your network schema above, what do you want to achieve by not using the ISP modem's wireless/wired connections for phones/devices too, and instead inserting a FreeBSD machine with a hostap wifi DHCP connection?

Anyway
Code:
ifconfig_wlan0="inet 172.16.1.1/16 ssid ..."
ifconfig_wlan0_alias0="inet 172.16.1.2/16"
route_sn2int="-net 172.16.1.0 [route]"
172.16.1.1/16 and 172.16.1.2/16 are addresses in the same network; you probably don't want to put two addresses from the same network on one interface. Rereading about network subnetting may help here?

You don't need a route to the local network.

Code:
subnet 172.16.1.0 netmask 255.255.0.0 {
range 172.16.1.3 172.16.1.29;
option broadcast-address 172.16.1.255;
option routers [?];}
Broadcast for given network (172.16.1.0/16 or 255.255.0.0) is 172.16.255.255. Rereading about network subnetting may help here again?
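The subnet arithmetic that the replies above keep pointing at (is the subnet line a network address, does the range lie inside it, what is the broadcast, do two interface addresses share a network), as an added Python example that is not code from this thread or from any of the posters. It uses only the standard library's ipaddress module. The two dictionaries are constructed from the dhcpd.conf values quoted in the thread: the original post's subnet block, and the 10.0.1.0/24 block from the NAT answer further down; the function names are this example's own.

```python
import ipaddress

# Constructed from the dhcpd.conf blocks quoted in this thread (not parsed
# from a real file). The first is the original post's block, the second is
# the 10.0.1.0/24 block from the NAT answer later in the thread.
ORIGINAL_BLOCK = {
    "subnet": "172.16.1.3",
    "netmask": "255.255.255.254",
    "range": ("172.16.1.3", "172.16.1.29"),
    "broadcast": "10.0.0.255",
    "subnet-mask": "255.255.255.224",   # the global 'option subnet-mask' line
}
ANSWER_BLOCK = {
    "subnet": "10.0.1.0",
    "netmask": "255.255.255.0",
    "range": ("10.0.1.101", "10.0.1.200"),
    "broadcast": "10.0.1.255",
}


def broadcast_of(address, netmask):
    """Broadcast address of the network that address/netmask belongs to."""
    net = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    return str(net.broadcast_address)


def same_network(iface_a, iface_b):
    """True when two ifconfig-style address/prefix pairs land in one network."""
    return ipaddress.ip_interface(iface_a).network == ipaddress.ip_interface(iface_b).network


def check_subnet_block(block):
    """Return a list of inconsistencies in a dhcpd 'subnet' block; [] means consistent."""
    problems = []
    # strict=False: a subnet line with host bits set still yields the network it is in
    net = ipaddress.ip_network(f"{block['subnet']}/{block['netmask']}", strict=False)
    if ipaddress.ip_address(block["subnet"]) != net.network_address:
        problems.append(f"subnet {block['subnet']} has host bits set; the network is {net}")
    lo, hi = (ipaddress.ip_address(a) for a in block["range"])
    if lo not in net or hi not in net:
        problems.append(f"range {lo}-{hi} is not contained in {net}")
    elif lo > hi:
        problems.append(f"range start {lo} is above range end {hi}")
    bcast = ipaddress.ip_address(block["broadcast"])
    if bcast != net.broadcast_address:
        problems.append(f"broadcast {bcast} should be {net.broadcast_address}")
    mask = block.get("subnet-mask")
    if mask is not None and ipaddress.ip_address(mask) != net.netmask:
        problems.append(f"option subnet-mask {mask} contradicts netmask {net.netmask}")
    return problems


if __name__ == "__main__":
    print("172.16.1.0/255.255.0.0 broadcasts to", broadcast_of("172.16.1.0", "255.255.0.0"))
    print("172.16.1.1/16 and 172.16.1.2/16 share a network:",
          same_network("172.16.1.1/16", "172.16.1.2/16"))
    for name, block in (("original", ORIGINAL_BLOCK), ("answer", ANSWER_BLOCK)):
        print(name, "->", check_subnet_block(block) or "consistent")
```

Run it and the original block reports four separate problems (host bits in the subnet line, a range that leaves the /31, a broadcast from a different network, and a global subnet-mask that contradicts the block's netmask), while the 10.0.1.0/24 block from the answer comes back consistent. The same check on the earlier rc.conf pair 172.16.0.1/8 and 172.16.1.1/12 shows they are not in one network, which is why a route between them was being attempted at all.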
 
The topology will look like this:
[attachment: Untitled Diagram.drawio (1).png, the topology diagram]


There are two ways to achieve this.
First option:
To use routing only, without NAT, but it's only possible if you have access to your home ISP router and only if it supports additional static routing or some dynamic routing protocol. You will need to add the following route into your ISP router so that the clients in 192.168.1.0/24 know how to reach 10.0.1.0/24 via 192.168.1.10

route add -net 10.0.1.0/24 192.168.1.10

For your FreeBSD router there's no need to add any routes because its interfaces 192.168.1.10 and 10.0.1.1 will have connected routes in its routing table and FreeBSD will know how to reach both networks.
Then you will need to configure your firewall to filter the traffic if you don't want to allow 192.168.1.0/24 to access devices in 10.0.1.0/24.

Second option:
If you don't have access to your ISP router configuration or it doesn't support adding additional static routes then the only way is to use NAT on your FreeBSD.
Then you will need to set up the following services on your FreeBSD:

PF firewall - to perform NAT
unbound DNS from ports or pkg, not the preinstalled one which is restricted only to the localhost - to perform DNS services
DHCPd - to dynamically configure your clients behind your FreeBSD router
You can also skip the DNS part and access your ftp using your IP address (10.0.1.1) instead of ftp.sidetone.local

rc.conf
hostname="router.sidetone.local"
sshd_enable="yes"
defaultrouter="192.168.1.1"
gateway_enable="yes"
ifconfig_bge0="inet 192.168.1.10 netmask 255.255.255.0"
ifconfig_bge1="inet 10.0.1.1 netmask 255.255.255.0"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_flags=""
pflog_logfile="/var/log/pflog"
dhcpd_enable="YES"
unbound_enable="YES"
....

resolv.conf
# Generated by resolvconf
search sidetone.local
nameserver 127.0.0.1

dhcpd.conf
default-lease-time 600;
max-lease-time 7200;
log-facility local7;

subnet 10.0.1.0 netmask 255.255.255.0 {
range 10.0.1.101 10.0.1.200;
option domain-name-servers 10.0.1.1;
option domain-name "sidetone.local";
option routers 10.0.1.1;
option broadcast-address 10.0.1.255;
default-lease-time 432000;
max-lease-time 604800;
}

unbound.conf
server:
interface: 10.0.1.1
access-control: 127.0.0.0/8 allow
access-control: 10.0.1.0/24 allow
forward-zone:
name: "."
forward-addr: YOUR.PRIMARY_ISP.DNS.ADDRESS # example 8.8.8.8
forward-addr: YOUR.SECONDARY_ISP.DNS.ADDRESS
auth-zone:
name: "sidetone.local"
zonefile: "sidetone.local.zone"
for-downstream: yes
for-upstream: no
zonemd-check: no
zonemd-reject-absence: no

sidetone.local.zone
$ORIGIN sidetone.local.
$TTL 3600
@ IN SOA ns.sidetone.local. router.sidetone.local. (
2025151001 ; Serial
86400 ; Refresh
3600 ; Retry
3600000 ; Expire
300 ) ; Negative Cache TTL
@ IN NS ns.
@ IN NS router.
@ IN MX 10 sidetone.local.
@ IN A 10.0.1.1
www IN A 10.0.1.1
ftp IN CNAME sidetone.local.

pf.conf
# macros
int_if = "bge1"
ext_if = "bge0"

tcp_services = "{ 21,22, 80, 443}"
icmp_types = "{ 3, 4, 8, 11 }"
priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if
set skip on lo0

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> 192.168.1.10

# filter rules
block all
pass quick on lo0 all

# block incoming and outgoing traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Allow access to www
pass in on $int_if inet proto tcp from any to any port www keep state

# Allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# Allow ping from type icmp_types
pass in inet proto icmp all icmp-type $icmp_types keep state

# Allow all traffic from internal network to internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# Allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
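The routing point made in the first option above (the FreeBSD box needs no routes because both LANs are connected routes, but the ISP router needs one static route back to 10.0.1.0/24), as an added Python example that is not part of the answer and not FreeBSD code. It models each box's routing table as a list of prefixes with longest-prefix matching and follows a packet hop by hop, with and without the static route on the ISP router. The node names, the "upstream" placeholder for whatever lies beyond the ISP router, and the client address 10.0.1.101 are this example's own assumptions; the prefixes and gateway addresses are the ones from the answer.

```python
import ipaddress

# Owner of each address in the model (constructed). "client" is an assumed
# lease from the answer's 10.0.1.101-10.0.1.200 DHCP range.
ADDR_OWNER = {
    "10.0.1.1": "freebsd",
    "192.168.1.10": "freebsd",
    "192.168.1.1": "isp",
    "10.0.1.101": "client",
}


def build_nodes(isp_has_static_route):
    """Routing tables as (prefix, next_hop) lists; next_hop None means a connected route."""
    isp = [("192.168.1.0/24", None), ("0.0.0.0/0", "upstream")]
    if isp_has_static_route:
        # the one route the answer says the ISP router needs:
        #   route add -net 10.0.1.0/24 192.168.1.10
        isp.append(("10.0.1.0/24", "192.168.1.10"))
    return {
        # FreeBSD router: both LANs are connected routes, plus defaultrouter
        "freebsd": [("192.168.1.0/24", None), ("10.0.1.0/24", None),
                    ("0.0.0.0/0", "192.168.1.1")],
        "isp": isp,
        # DHCP client: 'option routers 10.0.1.1' becomes its default gateway
        "client": [("10.0.1.0/24", None), ("0.0.0.0/0", "10.0.1.1")],
    }


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward(nodes, start, dst, max_hops=8):
    """Follow a packet for dst starting at node 'start'; returns the hops it visits."""
    path = [start]
    node = start
    for _ in range(max_hops):
        match = lookup(nodes[node], dst)
        if match is None:
            path.append("no route")
            return path
        _, next_hop = match
        if next_hop is None:                  # connected route: deliver on the LAN
            owner = ADDR_OWNER.get(dst)
            if owner is not None and owner != node:
                path.append(owner)
            return path
        owner = ADDR_OWNER.get(next_hop)
        if owner is None:                     # next hop lies outside the model
            path.append(next_hop)
            return path
        path.append(owner)
        node = owner
    path.append("loop")
    return path


if __name__ == "__main__":
    for has_route in (False, True):
        nodes = build_nodes(has_route)
        print("ISP router has static route to 10.0.1.0/24:", has_route)
        print("  client -> 8.8.8.8  :", " -> ".join(forward(nodes, "client", "8.8.8.8")))
        print("  isp -> 10.0.1.101  :", " -> ".join(forward(nodes, "isp", "10.0.1.101")))
```

The outbound path from the client works in both runs, which matches the symptom earlier in the thread where the devices could reach the FreeBSD box's services but nothing further: it is the reply that goes wrong. Without the static route the ISP router matches 10.0.1.101 only against its default route and sends the reply upstream; with it, the reply goes to 192.168.1.10 and FreeBSD delivers it on its connected 10.0.1.0/24. The second option avoids the whole problem because after NAT the source address is 192.168.1.10, which the ISP router already reaches via a connected route.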
 