Putting together a cut down version of pfSense

[mer]

Sometimes investing in a book, especially early on, saves you money/time/effort in the long run. Not always, but some, especially in tech work do.
How many here have a copy of Stevens TCP/IP Illustrated on their shelf?

 

[tingo]

You need FreeBSD, plus the following things from ports / packages
- a DHCP server
- a firewall
-a NAT "thing" (if not built into the firewall)
configure will be command-line and (text) file based
There are a few "nice to have" things as well:
- a DNS server, to offload traffic from your clients (and to server your local dns zone, if you have that)
- traffic stats (I use net-mgmt/darkstat)
- web server configured as a proxy for your internally hosted web sites (I use www/nginx)

 

[balanga]

You need FreeBSD, plus the following things from ports / packages
- a DHCP server
- a firewall
-a NAT "thing" (if not built into the firewall)
configure will be command-line and (text) file based
There are a few "nice to have" things as well:
- a DNS server, to offload traffic from your clients (and to server your local dns zone, if you have that)
- traffic stats (I use net-mgmt/darkstat)
- web server configured as a proxy for your internally hosted web sites (I use www/nginx)

Just to break things down into small manageable without the possibility of screwing things up through too many options, my first goal is to be able to
ping 8.8.8.8 from anywhere on my LAN, where all the hosts have static IP addresses, at least initially, so I don't thing I need a DHCP server initially.
I guess NAT is a must have.

Do I need a firewall just to make it work in the first instance?

I'm looking for a step by step approach to getting things working. I've always relied on pfSense up until now to hide me from what goes on under the bonnet.

 

[Phishfry]

FreeBSD manpage has a an example:

Chapter 33. Firewalls

FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER. This chapter covers how to define packet filtering rules, the differences between the firewalls built into FreeBSD and how to use them

docs.freebsd.org

Section 33.3.2.1

ext_if = "xl0"    # macro for external interface - use tun0 for PPPoE
int_if = "xl1"    # macro for internal interface
localnet = $int_if:network
# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from $localnet to any -> ($ext_if)
block all
pass from { lo0, $localnet } to any keep state

No protection offered. Just PF NAT.

 

[plexinvise]

Just to break things down into small manageable without the possibility of screwing things up through too many options, my first goal is to be able to
ping 8.8.8.8 from anywhere on my LAN, where all the hosts have static IP addresses, at least initially, so I don't thing I need a DHCP server initially.
I guess NAT is a must have.

Do I need a firewall just to make it work in the first instance?

I'm looking for a step by step approach to getting things working. I've always relied on pfSense up until now to hide me from what goes on under the bonnet.

Phishfry gave a good reply. This example should work from the box. However you will still need a dhcpd setup, which is quite simple, look it up dhcpd(8). Boils down to specifying subnet and also configuring interface in /etc/rc.conf with this subnet

# /usr/local/etc/dhcpd.conf


# Subnet config
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.5 192.168.31.254;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
}

 

[balanga]

To be honest I've never configured NAT, I'll give it a go after reading this FreeBSD guide.

1. Define NAT rules: Add the following lines to the file to configure NAT. Replace em0 with the name of your external network interface and 192.168.1.0/24 with the subnet of your local network:
   
   # Enable NAT
   nat on em0 from 192.168.1.0/24 to any -> (em0)
   
   
   This rule translates the private IP addresses of devices on the 192.168.1.0/24 network to the public IP address of the em0 interface when accessing the internet.
   

This comes from the above guide. Is it syntactically correct, because I get a syntax error when running service netif restart.

 

[balanga]

1. Define NAT rules: Add the following lines to the file to configure NAT. Replace em0 with the name of your external network interface and 192.168.1.0/24 with the subnet of your local network:
   
   # Enable NAT
   nat on em0 from 192.168.1.0/24 to any -> (em0)
   
   
   This rule translates the private IP addresses of devices on the 192.168.1.0/24 network to the public IP address of the em0 interface when accessing the internet.

This comes from the above guide. Is it syntactically correct, because I get a syntax error when running service netif restart.

Oops - I see this should be in pf.conf and I'd added it to rc.conf.

 

[balanga]

Here is the /etc/rc.conf of my gateway system which uses a USB tethered connection to the Internet using ue

hostname="W520"
#ifconfig_em0="DHCP"
ifconfig_em0="inet 192.168.1.5/24"
pf_enable="YES"
gateway_enable="YES"
dbus_enable="YES"
moused_enable="YES"
sshd_enable="YES"
nfs_server_enable="YES"
sendmail_enable="NONE"
kld_list="i915kms fusefs"
pflog_enable="yes"

ping 8.8.8.8 works fine


Contents pf.conf:-

r[root@W520 ~/.config]#
cd /etc [root@W520 /etc]#
cat pf.conf
nat on em0 from 192.168.1.0/24 to any -> (em0)
[root@W520 /etc]#

ping 8.8.8.8 does not work from other hosts. and I can't ping the gateway from any of the hosts.

After some experimenting it looks like I can't ping the gateway when pf is running so there must be something wrong with my configuration.

 

[Phishfry]

ext_if="ue0"
int_if="em0"
set skip on lo
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

 

[ondra_knezour]

After some experimenting it looks like I can't ping the gateway when pf is running so there must be something wrong with my configuration.

I would guess that your USB device is not em0, last time I checked Intel didn't produced USB cables You want to NAT on outgoing interface.

 

[balanga]

Oops. That's quite embarassing for me . That's what happens when you follow a guide without understanding what is going on.

Many thanks for pointing this out, I have it working now.

 

[Phishfry]

Please be aware that you are running NAKED down the street.

You have no protection at all. Your SSH ports will be probed in no time. Hunker down.

 

[balanga]

How exactly would someone get into my LAN?

Just curious.

 

[Phishfry]

It will be like a truck you never saw hit you.
/security/metasploit

 

[Zare]

Can webmin take care of basic network server/router point and click configuration on FreeBSD?

 

[unitrunker]

balanga You said your LAN uses static IPs. If you want your tethered gateway to act as a gateway to these other hosts, they need a gateway address assigned to them. Please check via ifconfig.
An alternative is to reconfigure all hosts to DHCP clients and run the DHCP server on your gateway host.

 

[balanga]

balanga You said your LAN uses static IPs. If you want your tethered gateway to act as a gateway to these other hosts, they need a gateway address assigned to them. Please check via ifconfig.
An alternative is to reconfigure all hosts to DHCP clients and run the DHCP server on your gateway host.

Ny immediate task was to provide Internet access to my LAN without the distraction of getting a DHCP server up and running. because if things don't work (which they never do at first) you don't know where to look. Currently all the hosts have defaultrouter pointing at the gateway. Not sure if dhcp takes care of this.
Now that I have a system set up as a gateway. my next task is to move everything to dynamic IP which I will start on tomorrow.

 

[balanga]

Can webmin take care of basic network server/router point and click configuration on FreeBSD?

Good question.

I guess you need to understand the basic before trying to configure thing just in case you break something by not knowing what you are doing.

 

[lost_in_c]

Currently sailing similar waters. Maybe a good middle point between reading a book and running naked is this FreeBSD foundation intro to PF: https://freebsdfoundation.org/resource/an-introduction-to-packet-filter-pf/

 

[balanga]

Well, it did work, but after a reboot I can no longer access the internet from my LAN even though I can ping the gateway (192.168.1.5) from each host, and each has this gateway setup as the defaultrouter

I'm not aware of having made any changes.

Where should I start to look to get an idea of what is going on?

 

[ondra_knezour]

Probably pf not running (pf_enable in /etc/rc.conf) or not loading configuration or something wrong in configuration.

Chapter 33. Firewalls

FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER. This chapter covers how to define packet filtering rules, the differences between the firewalls built into FreeBSD and how to use them

docs.freebsd.org

Is pf running? -> service pf status
What is current configuration? -> pfctl -s nat and pfctl -s rules

Useful commands
Enable pf -> pfctl -e
Flush all rules and reload configuration -> pfctl -F all -f /etc/pf.conf

 

[SirDice]

Currently all the hosts have defaultrouter pointing at the gateway. Not sure if dhcp takes care of this.

Yes, the primary job of the DHCP service is to provide the clients on your LAN an IP address, subnet mask and gateway address. That's the bare minimum. It's also advisable to provide one or more DNS servers for your clients to use so they can actually resolve something. You typically put a DNS server on the gateway host too, doesn't need to be anything fancy, something like unbound that only forwards and caches requests will do. If you want something that integrates both DHCP and DNS, you might want to have a look at net/dnsmasq, that's quite easy to set up.

 

[balanga]

Yes, the primary job of the DHCP service is to provide the clients on your LAN an IP address, subnet mask and gateway address. That's the bare minimum. It's also advisable to provide one or more DNS servers for your clients to use so they can actually resolve something. You typically put a DNS server on the gateway host too, doesn't need to be anything fancy, something like unbound that only forwards and caches requests will do. If you want something that integrates both DHCP and DNS, you might want to have a look at net/dnsmasq, that's quite easy to set up.

Unfortunately, I'm stuck at this point, because my routing to the Internet has stopped working. I thought it was all too easy when I set it up, but as a result I managed to update two systems from 13.2 to 14.3,
but for some, as yet, unknown reason my gateway is no longer providing a path to the Internet for the LAN although all the hosts can ping each other.

 

[balanga]

Does the gateway machine create a log of attempts by other hosts on the LAN to access the Internet?

Having just looked. I can see that I have a /var/log/pf.log but it's indeciferable.

How do I get meaningful info out of it?

 

[Phishfry]

sysutils/pftop will show you alot of useful information about your firewalls states.

An Introduction to Packet Filter (PF) | FreeBSD Foundation

Packet Filter, also known as PF or pf, is a BSD-licensed stateful packet filter used to filter TCP/IP traffic and perform Network Address Translation (NAT.) Originally created by OpenBSD, PF has been ported to FreeBSD since 5.3-RELEASE. PF can identify where a packet should be directed or if it...

freebsdfoundation.org