Can't get internet through my FreeBSD server 7.1

atheer

New Member


Messages: 11

Hi Guys,

I realy loved FreeBSD OS for many reasons that's why I come back to run my new server with FreeBSD v7.1 and need your help please.

I want to run Freebsd as firewall router for internet sharing + Squid Proxy Caching ( last year I built FreeBSD v6 and it was working fine, now with FreeBSD v7.1 I can't !)

FreeBSD server can get internet, but problem other PCs don't get any internet, only lan connection is available, PF firewall stoped.

my chart:

DSL= speedtuch router ( two ip tables on it 192.168.20.0/24 and 10.0.0.0/24)

[DSL]--[FreeBSD server/NAT/DHCP]--[switch]--[PCs]


**my ifconfig
Code:
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=b<RXCSUM,TXCSUM,VLAN_MTU>
	ether 00:02:b3:b7:0a:10
	inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:07:e9:18:05:92
	inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:08:74:da:bc:eb
	media: Ethernet autoselect
	status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=0<> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000
**my rc.conf
Code:
gateway_enable="YES"
hostname="deir.atheer.net"
ifconfig_fxp0="inet 10.0.0.254  netmask 255.255.255.0"
ifconfig_em0="inet 192.168.20.1  netmask 255.255.255.0"
keymap="us.iso"
linux_enable="YES"
moused_enable="NO"
moused_type="NO"
sshd_enable="YES"
defultrouter="10.0.0.138"
dhcpd_enable="YES"
dhcpd_ifaces="em0"
webmin_enable="YES"
**my dhcp.conf
Code:
option domain-name "atheer.net";
option domain-name-servers 192.168.20.1, 213.244.72.31, 212.14.234.36;

default-lease-time 86400;
max-lease-time 86400;
authoritative;
ddns-update-style none;
log-facility local7;

subnet 192.168.20.0 netmask 255.255.255.0 {
  range 192.168.20.11 192.168.20.100;
  option routers 192.168.20.1;
  option subnet-mask 255.255.255.0;
}
> netstat -rn
Code:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
10.0.0.0/24        link#1             UC          0        0   fxp0
127.0.0.1          127.0.0.1          UH          0       26    lo0
192.168.20.0/24    link#2             UC          0        0    em0
192.168.20.1       00:07:e9:18:05:92  UHLW        1       32    lo0
192.168.20.100     00:01:02:a1:e9:69  UHLW        1      532    em0   1017

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#7                        UHL         lo0
ff01:7::/32                       fe80::1%lo0                   UC          lo0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0
My Regards
atheer
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,842
Messages: 11,319

Please use CODE tags around system output.

What are you using for NAT?
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,842
Messages: 11,319

By the way:

Code:
defultrouter="10.0.0.138"
Pretty problematic. You have no default route because of that ...
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 8,083
Messages: 31,689

You need to run a PPPoE or PPPoA connection depending on your provider. Or is the speedtouch taking care of the connection + NAT?

I have a similar situation and I configured my DSL speedtouch modem to use SIP spoofing. This will present your external internet IP address to the inside. Then I configured to use dhcp on the internet facing interface on the fbsd box. This was somewhat tricky as the default gateway is outside of the subnet. By clever use of the /etc/dhclient-enter-hooks script I was able to get it to work.

Code:
dice@maelcum:~>cat /etc/dhclient-enter-hooks

add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}

add_new_routes() {
        route add -net 10.0.0.138 -iface $new_ip_address -cloning
        route add default 10.0.0.138
}
 
OP
OP
A

atheer

New Member


Messages: 11

Hi,

Thank you DutchDaemon & SirDice it's realy very fast reply which I don't expect !
first I'm still new to FreeBSD so you asked about my ADSL router aleady take care of the connection + NAT, also what's wrong about defultrouter=10.0.0.138 there is no need for it here ?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 8,083
Messages: 31,689

atheer said:
also what's wrong about defultrouter=10.0.0.138 there is no need for it here ?
It's defaultrouter ;)
 
OP
OP
A

atheer

New Member


Messages: 11

Hi SirDice,

Ok, to be clear I got confused ! do I need to mention the deafultrouter in rc.conf or not ? because DutchDaemon said in his reply" Pretty problematic. You have no default route because of that ... "
if there is a need for defauktrouter what's the right one for my setting ?
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 8,083
Messages: 31,689

You don't have a default route because the entry in rc.conf contains a typo. Hence it's never set. And yes, you do need it.
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,842
Messages: 11,319

You typed about three different versions of it now, so please just paste this into your rc.conf!

Code:
defaultrouter="10.0.0.138"
 
OP
OP
A

atheer

New Member


Messages: 11

Hi,

OK, it's a typo mistake now here is my rc.conf:

Code:
gateway_enable="YES"
hostname="deir.atheer.net"
ifconfig_fxp0="inet 10.0.0.254  netmask 255.255.255.0"
ifconfig_em0="inet 192.168.20.1  netmask 255.255.255.0"
keymap="us.iso"
linux_enable="YES"
moused_enable="NO"
moused_type="NO"
sshd_enable="YES"
defaultrouter="10.0.0.138"
dhcpd_enable="YES"
dhcpd_ifaces="em0"
but still can't access to internet !
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,842
Messages: 11,319

You can't access the Internet from the server itself, or from the network behind it?

Did you restart the network or server after adding the defaultrouter setting? What's the output of ifconfig and netstat -rn now?

Please put system output between CODE tags this time.
 
OP
OP
A

atheer

New Member


Messages: 11

Hi,

First I'd like to thank you so much for your help & patients, it's working now, but only with PF firewall running if PF stopped no internet connection.

yes I did restart server after adding defaultrouter and here is system output now:

Code:
> ifconfig 
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=b<RXCSUM,TXCSUM,VLAN_MTU>
	ether 00:02:b3:b7:0a:10
	inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:07:e9:18:05:92
	inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:08:74:da:bc:eb
	media: Ethernet autoselect
	status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=0<> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 

> netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.0.138         UGS         0      798   fxp0
10.0.0.0/24        link#1             UC          0        0   fxp0
10.0.0.138         00:0e:50:89:66:5a  UHLW        2        0   fxp0    894
127.0.0.1          127.0.0.1          UH          0       27    lo0
192.168.20.0/24    link#2             UC          0        0    em0
192.168.20.1       00:07:e9:18:05:92  UHLW        1       40    lo0
192.168.20.100     00:01:02:a1:e9:69  UHLW        1      510    em0    892

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#7                        UHL         lo0
ff01:7::/32                       fe80::1%lo0                   UC          lo0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,842
Messages: 11,319

I'm guessing PF handles the em0 <-> fxp0 NAT then.
 
OP
OP
A

atheer

New Member


Messages: 11

Hi,

here is my pf.conf file, please give me your recommendation why badhosts in /etc/badhosts are not blocked ?

Code:
# MACROS
ext_if="fxp0"
int_if="em0"
internal_net="192.168.20.0/24"
external_addr="10.0.0.254"

allowed_icmp_types="echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# TABLES
table <badhosts> persist file "/etc/badhosts"

# OPTIONS
set block-policy return
set skip on lo0

# TRAFFIC NORMALIZATION
scrub in all

# NETWORK ADDRESS TRANSLATION AND REDIRECTS
nat on $ext_if from $internal_net to any -> ($ext_if)

# FILTER RULES
block drop log all
block drop in quick on $ext_if from $priv_nets to any
block quick on $ext_if from <badhosts> to any

pass out quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA modulate state
pass in quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } all keep state

pass in  on $int_if from $internal_net to any
pass out on $int_if from any to $internal_net

#ANTISPOOF
antispoof for $ext_if
antispoof for $int_if
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,842
Messages: 11,319

Is /etc/badhosts in the right format? What does pfctl -t badhosts -T show produce? Also add 'log' to that rule and run a tcpdump on pflog0.
 
OP
OP
A

atheer

New Member


Messages: 11

Hi,

this is the output I can make !
Code:
> pfctl -vnf /etc/pf.conf
no IP address found for localhost
/etc/pf.conf:42: file "/etc/badhosts" contains bad data

> pfctl -t badhosts -T show
pfctl: Table does not exist
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,842
Messages: 11,319

So, what's actually in /etc/badhosts? You need IP addresses or hostnames in there, one per line. IP addresses are preferred, because unresolvable hostnames will cause the table (re)loading to fail. I have no idea where that localhost error message comes from. I'm assuming you wouldn't put localhost in a badhosts table ..
 
OP
OP
A

atheer

New Member


Messages: 11

Hi,

thank you again, here is a beginning part of badhosts file:
Code:
::1			localhost localhost.atheer.net
127.0.0.1		localhost localhost.atheer.net
192.168.20.1		deir.atheer.net deir
192.168.20.1		deir.atheer.net.


#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1  ad.a8.net
127.0.0.1  asy.a8ww.net
127.0.0.1  www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1  www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
127.0.0.1  abc-search.info
127.0.0.1  abloga.info #[Spamdexing]
127.0.0.1  www.abx4.com #[Adware.ABXToolbar]
127.0.0.1  www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1  phpadsnew.abac.com
127.0.0.1  a.abnad.net
127.0.0.1  b.abnad.net
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,842
Messages: 11,319

Dude, that is your /etc/hosts file (a part of the base system, telling your system which IP points to what name)). It shouldn't be your /etc/badhosts file.

A PF table can only contain 1 entry of 1 field per line, like

Code:
123.123.123.123
234.234.234.234
123.123.0.0/16
234.234.234.0/24
some.awful.host
You're advised not to firewall yourself, by the way.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 8,083
Messages: 31,689

You don't need to NAT on the freebsd box. As long as you add a static route to the 192.168.20.0/24 network on your speedtouch.
 
OP
OP
A

atheer

New Member


Messages: 11

Hi,

OK, I see that it's /etc/hosts file but please what's the words behind # what it means ?
example from hosts file:
ads.addynamix.com #[SpySweeper.Spy.Cookie]
abloga.info #[Spamdexing]
http://www.abx4.com #[Adware.ABXToolbar]
james.adbutler.de #[Tenebril.TrackingCookie]

does it mean that this is a bad host ?! what it cause if I block it ?

SirDice, if it matters which is better for doing NAT freeBSD or speedtouch router ?

with my regards
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,842
Messages: 11,319

Oh, I'm sure they're bad hosts, but how did they end up in /etc/hosts with a 127.0.0.1 entry? Make sure you take those lines out of /etc/hosts.
 
OP
OP
A

atheer

New Member


Messages: 11

Hi,

This is the file I have in /etc/ directory it's size 601KB I don't know maybe I did it by mistake, so what about the original one where it can be ?

attached some parts of my /etc/hosts file, please take a look I think it's got a missed data some good hosts & also bad hosts !!
 

Attachments

DutchDaemon

Administrator
Staff member
Administrator
Moderator
Developer

Reaction score: 2,842
Messages: 11,319

Ok, the practice of putting bad/untrusted/malware websites in /etc/hosts with a 127.0.0.1 entry is a bit of an old-fashioned way of making it impossible to connect to those hosts (because entries in /etc/hosts usually precede DNS-lookups, and thus 'win'). The fact that these sites were "added by WinHelp2002" show how old they probably are.

You could try putting these bad websites in /etc/badhosts (one per line) and feeding it as a table to pf, but there's a real danger to that: if one of those sites does not resolve, PF will refuse to load the entire table, defeating its purpose.

My advice would be to take them all out of /etc/hosts, which should contain no more than:

Code:
::1			localhost localhost.my.domain
127.0.0.1		localhost localhost.my.domain
in most basic set-ups.

Using AdBlockPlus and NoScript in Firefox is probably a much saner and more workable idea.
 
Top