3 NICS, 2 DHCP public IP and FreeBSD 11.1 + pf + kea + Ubiquiti

I need advice from the community on the best approach. My setup is that my ISP's modem is bridged to my FreeBSD 11.1 box, and I have 3 NIC ports on it.

  • em0 is LAN
  • em1 is the primary gateway (bridged with modem)
  • re0 is also bridged (another port of the modem)
Both em1 and re0 get a DHCP public IP, each on a different subnet.

  • pf as firewall and NAT
  • kea as DHCP server
  • Cisco managed SG-2000-26 switch (with support VLAN tagging)
  • Ubiquiti Unifi access point that supports guest network, VLAN, captive portal, etc., and the Unifi5 controller on the same FreeBSD box

So far, the problem is also that if I ping -S (IP from the other NIC) from inside the FreeBSD server
Code:
ping -S 50.65.214.35 8.8.8.8
it won't go anywhere, and I suspect that's because the default GW is through em1.

What I wanted to achieve is to separate the guest SSID onto its own network, using 192.168.2.0/24 with the re0 interface as its gateway. All on the same physical resources and FreeBSD server.

Overall, I actually do not know where to start. Anyone who can bootstrap me is greatly appreciated. Thank you.

Relevant configs include:

/etc/rc.conf

Code:
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_program="/sbin/pfctl"

# LAN gateway
ifconfig_em0_alias0="inet 192.168.0.10 netmask 255.255.255.0"

# NAT interface
ifconfig_em1="UP"
ifconfig_em1="DHCP"

ifconfig_re0="UP"
ifconfig_re0="DHCP"

kea_enable="YES"
named_enable="YES"
named_program="/usr/local/sbin/named"
named_confdir="/etc/namedb/"
named_uid="bind"
unifi_enable="YES"


netstat
Code:
Destination        Gateway            Flags     Netif Expire
default            50.65.196.1        UGS         em1
50.65.196.0/22     link#2             U           em1
50.65.198.252      link#2             UHS         lo0
50.65.212.0/22     link#3             U           re0
50.65.214.35       link#3             UHS         lo0
127.0.0.1          link#4             UH          lo0
192.168.0.0/24     link#1             U           em0
192.168.0.10       link#1             UHS         lo0
 
/etc/pf.conf

Code:
int_if="em0"
ext_if="em1"
sec_if="re0"

set skip on {lo0, $int_if}
scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)

block in log on {$ext_if, $sec_if}
block return log

block in quick from urpf-failed
antispoof log for {$ext_if, $sec_if}

pass out log quick all keep state

ifconfig

Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:26:55:d9:74:42
        hwaddr 00:26:55:d9:74:42
        inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
        ether 00:26:55:d9:74:43
        hwaddr 00:26:55:d9:74:43
        inet6 fe80::226:55ff:fed9:7443%em1 prefixlen 64 scopeid 0x2
        inet 50.65.198.252 netmask 0xfffffc00 broadcast 255.255.255.255
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 38:d5:47:79:52:70
        hwaddr 38:d5:47:79:52:70
        inet 50.65.214.35 netmask 0xfffffc00 broadcast 255.255.255.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
 
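The suspicion about the default gateway is the right lead: the kernel has one default route, via em1, so a packet whose source address belongs to re0 still leaves through em1, where the upstream normally drops it as a spoofed source and where no reply can come back on the right link. The usual pf answer for a second uplink is route-to with that link's gateway, and the same mechanism carries a guest VLAN out re0 while the wired LAN keeps using em1. The script below is an added example, not the poster's configuration: it extracts re0's DHCP-learned gateway from dhclient.leases, renders the rc.conf lines for a tagged guest VLAN, and renders a pf.conf that keeps guests away from the wired LAN and the router. The interface names come from the post; the VLAN id 20, the guest gateway address 192.168.2.1, the lease file contents and the re0 gateway 50.65.212.1 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not the poster's config): derive pf route-to rules for a guest
# VLAN that exits via re0 while the default route stays on em1.
# Interface names follow the post; VLAN id 20, 192.168.2.1, the lease file
# contents and the re0 gateway 50.65.212.1 are constructed assumptions.

# Pull "option routers" for one interface out of a dhclient.leases file
# (ISC dhclient format, as written by FreeBSD's dhclient(8)). The last
# matching lease in the file is the newest one, so it wins.
lease_gateway() {   # usage: lease_gateway <ifname> <leasefile>
    awk -v want="$1" '
        /^lease/ { inlease = 1; iface = ""; gw = "" }
        inlease && /interface/ { gsub(/[";]/, "", $2); iface = $2 }
        inlease && /option routers/ { gsub(/[,;]/, "", $3); gw = $3 }
        inlease && /^}/ { inlease = 0; if (iface == want && gw != "") last = gw }
        END { print last }
    ' "$2"
}

# rc.conf lines that create the tagged guest VLAN on em0 (VLAN id assumed).
render_rc_vlan() {
    cat <<'EOF'
vlans_em0="20"
ifconfig_em0_20="inet 192.168.2.1 netmask 255.255.255.0"
EOF
}

# pf.conf: the LAN keeps NATing through em1; the guest VLAN and any packet
# sourced from re0's own address are forced out through re0 and its gateway.
render_pf_rules() {   # usage: render_pf_rules <re0-gateway>
    printf 'sec_gw="%s"\n' "$1"
    cat <<'EOF'
int_if="em0"
ext_if="em1"
sec_if="re0"
guest_if="em0.20"
guest_net="192.168.2.0/24"

set skip on {lo0, $int_if}
scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $sec_if from $guest_net to any -> ($sec_if)

block in log on {$ext_if, $sec_if}
block return log
antispoof log for {$ext_if, $sec_if, $guest_if}

# Guests may reach the router only for DHCP and DNS; the wired LAN and the
# router's own guest address are otherwise out of reach.
pass in quick on $guest_if inet proto udp from any port 68 to any port 67
pass in quick on $guest_if proto {tcp, udp} from $guest_net to ($guest_if) port 53
block in quick on $guest_if from $guest_net to {($guest_if), $int_if:network}

# Guest traffic leaves via re0 regardless of the default route.
pass in quick on $guest_if from $guest_net to any route-to ($sec_if $sec_gw) keep state

# A packet sourced from re0's address that the kernel routed out em1 (the
# "ping -S" case) is redirected to re0 and re0's gateway.
pass out quick on $ext_if from ($sec_if) route-to ($sec_if $sec_gw) keep state
pass out log quick all keep state
EOF
}

# Constructed sample lease file: em1's gateway is the one from the post's
# routing table, re0's gateway is an assumed address inside 50.65.212.0/22.
LEASES=$(mktemp)
cat >"$LEASES" <<'EOF'
lease {
  interface "em1";
  fixed-address 50.65.198.252;
  option subnet-mask 255.255.252.0;
  option routers 50.65.196.1;
  option domain-name-servers 8.8.8.8;
  expire 1 2018/1/8 12:00:00;
}
lease {
  interface "re0";
  fixed-address 50.65.214.35;
  option subnet-mask 255.255.252.0;
  option routers 50.65.212.1;
  option domain-name-servers 8.8.8.8;
  expire 1 2018/1/8 12:30:00;
}
EOF

SEC_GW=$(lease_gateway re0 "$LEASES")
render_rc_vlan
render_pf_rules "$SEC_GW"
# Syntax-check the rendered ruleset without loading it, where pfctl exists.
if command -v pfctl >/dev/null 2>&1; then
    render_pf_rules "$SEC_GW" | pfctl -nf -
fi
```

Because both uplinks are DHCP, the gateway macro has to be refreshed whenever re0's lease changes; on FreeBSD, /etc/dhclient-exit-hooks runs with $interface and $new_routers set, which is the natural place to regenerate the file and reload it with pfctl -f. Always run pfctl -nf on the rendered file first, and remember that the guest VLAN tag must also be carried on the switch ports between the FreeBSD box and the Unifi AP.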