Solved FreeBSD DHCP server/Internet gateway, clients can't reach outside LAN

I'm creating a home network spanning a few houses and a barn. For this I use an old hp ProLiant ML370 G5, an hp MSM760 Wi-Fi controller and 10 hp MSM422 access points. All of this is connected through an Ethernet LAN.

I've installed FreeBSD 12.0-RELEASE on the ML370 and managed to get the DHCP server working. The server has two built-in ethernet interfaces (bge0 and bge1) and a PCI network card with 4 interfaces (igb0-3). Internet is connected to igb0, and bge0 is the LAN. bge1 is connected to the Internet port on the Wi-Fi controller. Computers and devices connected to the LAN all get an IP as intended, but I can't get them to reach the Internet.
I can ssh to the server from my desktop, and the server can reach the Internet.
What am I doing wrong?

This is my /etc/rc.conf
Code:
hostname="heimdall"
ifconfig_igb0="DHCP"
ifconfig_bge0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_bge1="inet 192.168.1.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_ifaces="bce0 bce1"
gateway_enabled="YES"
sshd_enable="YES"
pf_enable="YES"
pf_ruleset="/etc/pf.conf"
moused_enable="YES"
ntpd_enable="YES"
dumpdev="AUTO"
zfs_enable="YES"
And this is my /usr/local/etc/pf.conf
Code:
ext_if="igb0"
int_if="{ bge0, bge1 }"
int_networks="{ 192.168.0.0/24, 192.168.1.0/24 }"

nat on $ext_if from any to any -> ($ext_if)
pass in on $int_if from any to any keep state
 
> Code:
> pf_ruleset="/usr/local/etc/pf.conf"
It's part of the base OS and commonly saved as /etc/pf.conf. That's actually the default location.

> Computers and devices connected to the LAN all get an IP as intended, but I can't get them to reach the Internet.
What addresses is your DHCP server serving? IP ranges, DNS settings and gateway address?
 
> It's part of the base OS and commonly saved as /etc/pf.conf. That's actually the default location.
Fixed. Thanks!
> What addresses is your DHCP server serving? IP ranges, DNS settings and gateway address?
This is my /usr/local/etc/dhcpd.conf
Code:
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "mikromjuk.com";
option domain-name-servers 192.168.0.1;

default-lease-time 600;
max-lease-time 7200;

# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.10 192.168.0.254;
  option routers 192.168.0.1;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.254;
  option routers 192.168.1.1;
}
> This is the first thing to check/fix in rc.conf: it should be gateway_enable="YES", and not having that set correctly would prevent your gateway from acting as a real gateway (it is what sets net.inet.ip.forwarding to 1).
Fixed. Thanks! Kind of embarrassing. Still not working though.
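An offline lint for the gateway knobs in rc.conf, added here as an example; it is not code from the thread or from FreeBSD. It flags what is visible in the rc.conf posted above: the gateway_enabled misspelling the reply points out, dhcpd_ifaces naming bce0/bce1 while the configured interfaces are bge0/bge1, and one point the thread does not raise: the rc.conf(5) knob for the ruleset path is pf_rules, not pf_ruleset, so the pf_ruleset line is ignored and pf loads its default /etc/pf.conf. The only assumption is that the file to check is passed as the first argument.

```shell
#!/bin/sh
# Offline lint for the gateway-related knobs in a FreeBSD rc.conf (added example).
# Findings it reports:
#   - gateway_enable is not "YES" (forwarding stays off, LAN packets are never routed)
#   - gateway_enabled= present (misspelling of gateway_enable=, silently ignored)
#   - dhcpd_ifaces names an interface with no ifconfig_<if>= line (bce0 vs bge0)
#   - pf_ruleset= present (not an rc.conf(5) knob; the knob is pf_rules=)
#   - pf_rules= points at a file that does not exist on this host

# rc_get FILE VAR: print VAR's value with surrounding quotes stripped, empty if unset.
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# lint_rcconf FILE: print one finding per line; return 1 if anything was found.
lint_rcconf() {
    f=$1
    rc=0
    if [ "$(rc_get "$f" gateway_enable)" != "YES" ]; then
        echo "gateway_enable is not \"YES\": net.inet.ip.forwarding stays 0, nothing is routed"
        rc=1
    fi
    if grep -q '^[[:space:]]*gateway_enabled=' "$f"; then
        echo "gateway_enabled= is a misspelling of gateway_enable= and has no effect"
        rc=1
    fi
    for iface in $(rc_get "$f" dhcpd_ifaces); do
        if ! grep -q "^[[:space:]]*ifconfig_${iface}=" "$f"; then
            echo "dhcpd_ifaces lists $iface but there is no ifconfig_${iface}= line"
            rc=1
        fi
    done
    if grep -q '^[[:space:]]*pf_ruleset=' "$f"; then
        echo "pf_ruleset= is not an rc.conf(5) knob; use pf_rules= (default /etc/pf.conf)"
        rc=1
    fi
    rules=$(rc_get "$f" pf_rules)
    if [ -n "$rules" ] && [ ! -f "$rules" ]; then
        echo "pf_rules=$rules does not exist on this host"
        rc=1
    fi
    return $rc
}

# Usage: sh lint_rcconf.sh /etc/rc.conf
if [ $# -gt 0 ]; then
    lint_rcconf "$1"
fi
```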
 
Do you have a (caching, recursive) DNS server running on 192.168.0.1?

The IP configuration looks good now, just try to ping the default gateway. If that works ping 8.8.8.8. I'm betting that works too. But because there's no DNS server there's nothing that can resolve 'www.google.com' to its IP address.
 
> Do you have a (caching, recursive) DNS server running on 192.168.0.1?
I do not. I'll see about setting up one in the handbook.
> The IP configuration looks good now, just try to ping the default gateway. If that works ping 8.8.8.8. I'm betting that works too. But because there's no DNS server there's nothing that can resolve 'www.google.com' to its IP address.
You are correct. I can now ping the outside as well.
However, not from the Wi-Fi, to which I can connect and get an IP lease, but I can't ping anything local, on the LAN or outside.
 
> The local-unbound(8) service should be good to use.
I have added local_unbound_enable="YES" in my /etc/rc.conf, and started the service with service local_unbound start, as per 29.7.2 in the Handbook, but my other computers still can't resolve any domains.

Also, the handbook mentions that installing unbound from ports is preferable when using it "beyond the local machine", but it does not explain why. Should I build it from ports? Or install from pkg? And what is the difference between unbound(8) and local-unbound(8)?
 
> Also, the handbook mentions that installing unbound from ports is preferable when using it "beyond the local machine", but it does not explain why. Should I build it from ports? Or install from pkg? And what is the difference between unbound(8) and local-unbound(8)?

The only real advantage is the ability to turn on the devel/libevent support option, LIBEVENT, but this really only matters if you are going to serve a very high number of clients, like a corporate-level DNS resolver or a publicly available resolver.
 
But I can’t figure out why nothing resolves on my LAN connected computers. Do I need to do anything specific with /etc/resolv.conf?

Also the Wi-Fi connected devices can’t reach anything at all, but I think that is something with the MSM760, not the ProLiant, so I’m not overly concerned about that at the moment.

Update: The Wi-Fi controller is configured correctly now and the Wi-Fi connected units can reach the LAN.
Still no progress on the DNS-front however. All units can reach the Internet without problems if I enter external DNS-servers manually, but I'd really prefer not to have to do so.
 
You have no "option domain-name-servers" in your dhcpd.conf, so clients have no idea where to go to resolve names.

Edit: Oh whoops, you have that in global config. Not sure if that actually works, but check what the clients say their DNS server is. You should see it in /etc/resolv.conf on FreeBSD clients, or with ipconfig on Windows boxes. Make sure unbound is listening on the wildcard address (0/0) or the IP, and that it's permitting clients from your subnet(s).

Also, IIRC the "local-unbound" DNS server is not suitable for serving anything other than localhost. I forget the exact reason, but it's a very customized version of unbound that lacks certain features. It might have been support for stub zones, or it refused to listen on certain interfaces... something weird like that. All I know for sure was when FreeBSD finally switched off BIND I was going to stop building the dns/unbound port and switch over to unbound in base. Then I got immediately bitten by something in the base version and went back to the port, and haven't looked back. I no longer even build the unbound in base. :)
 
This is my /etc/unbound/unbound.conf:
Code:
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key
include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf
This is my /etc/resolv.conf:
Code:
# Generated by resolvconf
nameserver 192.168.2.1

nameserver 127.0.0.1
options edns0
192.168.2.1 is my modem.
 
> This is my /etc/resolv.conf
I assume you mean on your gateway, not clients on your subnet.
> 192.168.2.1 is my modem.
Is your modem running a DNS server? Honestly, even if it is, I would ignore it, or whatever your ISP gives you, and run your own recursive server. ISPs love to screw around with DNS to redirect you to their "user friendly search engines" which means more ad revenue for them.

So here's what I would do on your gateway:
  • Don't try to use the unbound in base (i.e. local-unbound). It's going to cause you more trouble than it's worth, so just install dns/unbound from ports/packages.
  • Make sure you configure unbound from ports using the correct file, which is /usr/local/etc/unbound/unbound.conf. man unbound(8) and unbound.conf(5) will help you.
  • Don't forget to install /usr/local/etc/unbound/named.cache. This can be downloaded with fetch ftp://FTP.INTERNIC.NET/domain/named.cache. The port may come with this file now, but it's been a very long time since I've done a fresh install of unbound, and IIRC it wasn't there when I originally installed it. It's required to let unbound know where the root servers are on the internet.
  • It looks like you're getting your DNS servers on the gateway from your ISP. You don't want this. Instead configure your gateway's DHCP client to use localhost by editing /etc/dhclient.conf like so:
Code:
interface "igb0" {
        supersede domain-name-servers 127.0.0.1;
}
  • Ensure your clients are getting the correct address of the DNS server running on your gateway.
If all of the above is correct, you should have no issues with DNS.
 
Everything is working as intended now. I want to express my warmest gratitude to you all.
> I assume you mean on your gateway, not clients on your subnet.
That is correct.
> Is your modem running a DNS server? Honestly, even if it is, I would ignore it, or whatever your ISP gives you, and run your own recursive server. ISPs love to screw around with DNS to redirect you to their "user friendly search engines" which means more ad revenue for them.
>
> So here's what I would do on your gateway:
>   • Don't try to use the unbound in base (i.e. local-unbound). It's going to cause you more trouble than it's worth, so just install dns/unbound from ports/packages.
>   • Make sure you configure unbound from ports using the correct file, which is /usr/local/etc/unbound/unbound.conf. man unbound(8) and unbound.conf(5) will help you.
>   • Don't forget to install /usr/local/etc/unbound/named.cache. This can be downloaded with fetch ftp://FTP.INTERNIC.NET/domain/named.cache. The port may come with this file now, but it's been a very long time since I've done a fresh install of unbound, and IIRC it wasn't there when I originally installed it. It's required to let unbound know where the root servers are on the internet.
>   • It looks like you're getting your DNS servers on the gateway from your ISP. You don't want this. Instead configure your gateway's DHCP client to use localhost by editing /etc/dhclient.conf like so:
> Code:
> interface "igb0" {
>         supersede domain-name-servers 127.0.0.1;
> }
>   • Ensure your clients are getting the correct address of the DNS server running on your gateway.
> If all of the above is correct, you should have no issues with DNS.
You have made excellent points and everything resolves now.
 