FreeBSD Gateway

Hi

Network design (internal IP block 192.168.1.0/26):
Code:
                                                if0 IP: 192.168.1.1/30
                                                if1 IP: 192.168.1.5/30
FreeBSD Host_1 ---- [Port1] Switch [Trunk Port] ----[if0] Router [if1] ---- [int_if] FreeBSD Gateway [ext_if]
IP: 192.168.1.2/30
defaultrouter: 192.168.1.1

FreeBSD gateway (/etc/rc.conf):
10.0.0.254 is my modem gateway connected to ext_if

Code:
gateway_enable="YES"
defaultrouter="10.0.0.254"
ifconfig_bge0="inet 192.168.1.6 netmask 255.255.255.252" # bge0 is int_if
ifconfig_bge1="inet 10.0.0.253 netmask 255.255.255.0"    # bge1 is ext_if

static_routes="internalnet"
route_internalnet="-net 192.168.1.0/26 192.168.1.6"

Ping Result(s):
  • FreeBSD Host_1 CAN ping 192.168.1.1
  • FreeBSD Host_1 CAN ping 192.168.1.5
  • FreeBSD Host_1 CAN ping 192.168.1.6
  • FreeBSD Host_1 CAN ping 10.0.0.253
  • FreeBSD Gateway CAN ping 192.168.1.2
  • FreeBSD Gateway CAN ping 10.0.0.254
  • FreeBSD Gateway CAN ping 74.125.224.211 # One of the Google IP(s)
Now the problem I have is that FreeBSD Host_1 CANNOT ping 10.0.0.254 (modem gateway IP) and CANNOT ping any external IP(s) such as 74.125.224.211 (Google IP). Can someone please help me out on what I need to add on my FreeBSD gateway so that FreeBSD Host_1 can ping external IP addresses?

Thanks,

Mark
 
This is very confusing. If the FreeBSD_Gateway machine is supposed to be the network gateway, what is the router doing there? It would be the likely cause of your problems.
 
@wblock@, thanks for your reply.

In the future I'll make the FreeBSD gateway a dedicated firewall. I tried to start very simple with no firewall and/or packet filtering. The router behind the FreeBSD gateway is just for practising setting up a router. I don't think the router causes the problem (I might be wrong), because from FreeBSD Host_1 I can ping bge0 and bge1 on the FreeBSD gateway.

On my router (Cisco), I have created a static route:
Code:
ip route 0.0.0.0 0.0.0.0 192.168.1.6 # bge0 IP

What I don't understand is that enabling the gateway should make packets travel from bge0 to bge1.

Also traceroute 10.0.0.254 shows the route all the way to 192.168.1.6 and then it gets stuck.
 
@wblock@,

Just to make everything simple, I connected the FreeBSD gateway (bge0) directly to my laptop using a crossover cable and added a static IP address to my laptop's NIC.

Here is the design:
Code:
                         IP: 192.168.1.6/30       IP: 10.0.0.253/24
Laptop ----------------- [bge0] FreeBSD Gateway [bge1] ---------- [Port 1] My ISP Modem
IP: 192.168.1.5/30              defaultrouter=10.0.0.254
Gateway: 192.168.1.6            static_routes="internalnet"
                                route_internalnet="-net 192.168.1.0/26 192.168.1.6"
                                ifconfig_bge0="inet 192.168.1.6 netmask 255.255.255.252"
                                ifconfig_bge1="inet 10.0.0.253 netmask 255.255.255.0"
                                gateway_enable="YES"

Ping Result(s):
Laptop CAN ping 192.168.1.6
Laptop CAN ping 10.0.0.253
Laptop CANNOT ping 10.0.0.254 # Same as before.

I hope this makes everything a bit simpler to debug. Please let me know if I need to do anything else to simplify more.

Thanks
 
@markfisher

Everything would be easier if you could put your modem into bridge mode. Then, instead of the modem, bge1 of the gateway machine would get the external IP address via dhclient from your provider.

On your gateway you would need to set up NAT.
 
@rolfheinrich,

Thanks for your reply. The box that the ISP gave me doesn't support bridge mode unless I purchase a modem that is for a business plan.

Thanks
 
@wblock@,

Thanks for the help. NAT with PF solved my problem.

My PF rules (for testing I'm only allowing DNS traffic to go out):
Code:
ext_if = "bge1"
int_if = "bge0"
intnetwork = "192.168.1.0/26"   # macro name must match its uses below

set skip on lo0

# ---- NAT Rule
# Change Source Address/Port to $ext_if IP address/Random Port.
nat on $ext_if inet from $intnetwork to any -> ($ext_if)

# ---- Packet Filtering
block all # Default to block

# Allow DNS from the internal network (no direction given, so it matches in on $int_if;
# the translated packets leaving $ext_if are covered by the rule below)
pass inet proto {tcp, udp} from $intnetwork to any port domain keep state

# Allow the DNS traffic to go out to ISP Modem
pass out on $ext_if inet proto {tcp, udp} from ($ext_if) to any port domain keep state

Just one more question, from the link you posted here, the rule (modified a bit)
Code:
pass inet proto {tcp, udp} from $intnetwork to any port domain keep state
is required. Does this rule make the packet travel from $int_if to $ext_if?

Thanks again for the help.

Mark
 
NAT is sending the packets from internal to external interfaces. The firewall rule just allows them to go through.
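As an added example (not from the thread or from any of the posters), the following Python model replays the simplified laptop / gateway / modem setup from the second post, using the addresses given there and the two filter rules from the last post. It shows that the request reaches the modem with or without NAT, that the reply only makes it back once the gateway has rewritten the source to 10.0.0.253 (the modem has no route for 192.168.1.0/26 and sends the reply toward its default route), and that the posted ruleset, with pf's last-matching-rule semantics, passes a DNS query but blocks port 80. The modem's routing table, the ISP next hop 203.0.113.1 and the single rule-evaluation point at the gateway are assumptions of the model, not facts from the thread.

```python
"""Toy simulation of the thread's simplified topology: laptop (192.168.1.5) on bge0
of the gateway (192.168.1.6 / 10.0.0.253), ISP modem at 10.0.0.254.
Constructed example; the modem's routing table and the ISP hop are assumptions."""
import ipaddress

EXT_IP = "10.0.0.253"                                 # ($ext_if) in the pf rules
INTNETWORK = ipaddress.ip_network("192.168.1.0/26")   # $intnetwork

# Constructed routing tables: (prefix, next hop); None means directly connected.
NODES = {
    "laptop":  {"addrs": ["192.168.1.5"],
                "routes": [("192.168.1.4/30", None), ("0.0.0.0/0", "192.168.1.6")]},
    "gateway": {"addrs": ["192.168.1.6", EXT_IP],
                "routes": [("192.168.1.4/30", None), ("10.0.0.0/24", None),
                           ("0.0.0.0/0", "10.0.0.254")]},        # defaultrouter
    # Assumption: the modem knows only its own LAN plus a default toward the ISP
    # (203.0.113.1 is a constructed TEST-NET address, not from the thread).
    "modem":   {"addrs": ["10.0.0.254"],
                "routes": [("10.0.0.0/24", None), ("0.0.0.0/0", "203.0.113.1")]},
}

# The posted filter rules, in order. pf applies the LAST matching rule.
# (action, protocols or "any", source network or None, destination port or None)
RULES = [
    ("block", "any", None, None),                   # block all
    ("pass", ("tcp", "udp"), INTNETWORK, 53),       # pass ... from $intnetwork to any port domain
]


def owner(ip):
    """Node holding an address, or None if it lies beyond the modelled network."""
    return next((n for n, d in NODES.items() if ip in d["addrs"]), None)


def next_hop(node, dst):
    """Longest-prefix match on the node's table; returns the next-hop IP or None."""
    best = None
    for prefix, nh in NODES[node]["routes"]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        return None
    return dst if best[1] is None else best[1]


def filter_decision(pkt):
    """Evaluate RULES with last-match-wins semantics (pf's default without 'quick')."""
    decision = "pass"                               # pf passes if nothing matches
    for action, protos, src_net, dport in RULES:
        if protos != "any" and pkt["proto"] not in protos:
            continue
        if src_net is not None and ipaddress.ip_address(pkt["src"]) not in src_net:
            continue
        if dport is not None and pkt["dport"] != dport:
            continue
        decision = action
    return decision


def send(pkt, node, nat, state):
    """Carry pkt hop by hop starting at node. Returns (status, last_node).
    state maps a reply's (src, sport, dst, dport, proto) to the original internal source.
    Simplification: the gateway evaluates the ruleset once per new connection, not
    separately on bge0 inbound and bge1 outbound as pf really does."""
    while True:
        if node == "gateway":
            rkey = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
            if rkey in state:                       # reply to a known state: undo NAT, skip rules
                pkt["dst"] = state[rkey]
            elif ipaddress.ip_address(pkt["src"]) in INTNETWORK:   # new connection from inside
                if filter_decision(pkt) == "block":
                    return "filtered", node
                new_src = EXT_IP if nat else pkt["src"]            # nat on $ext_if ... -> ($ext_if)
                state[(pkt["dst"], pkt["dport"], new_src, pkt["sport"], pkt["proto"])] = pkt["src"]
                pkt["src"] = new_src
        if pkt["dst"] in NODES[node]["addrs"]:
            return "delivered", node
        nh = next_hop(node, pkt["dst"])
        if nh is None or owner(nh) is None:         # no route, or handed to the ISP and lost
            return "no-route", node
        node = owner(nh)


def exchange(src_ip, dst_ip, proto, dport, nat):
    """One request from src_ip plus its reply. Returns (reply_received, explanation)."""
    state = {}
    req = {"src": src_ip, "sport": 40000, "dst": dst_ip, "dport": dport, "proto": proto}
    status, at = send(req, owner(src_ip), nat, state)
    if status != "delivered":
        return False, f"request {status} at {at}"
    # The reply goes to whatever source the far end saw (translated or not).
    rep = {"src": req["dst"], "sport": req["dport"], "dst": req["src"], "dport": req["sport"], "proto": proto}
    status, at = send(rep, at, nat, state)
    if status != "delivered":
        return False, f"reply {status} at {at} (destination {rep['dst']})"
    return True, f"reply reached {at}"


if __name__ == "__main__":
    for nat in (False, True):
        print(f"nat={nat} dns:", exchange("192.168.1.5", "10.0.0.254", "udp", 53, nat))
    print("nat=True http:", exchange("192.168.1.5", "10.0.0.254", "tcp", 80, True))
```

Running it prints the three cases in order: without NAT the DNS reply is lost at the modem because its only route for 192.168.1.5 is the default toward the ISP; with NAT the reply is addressed to 10.0.0.253, the gateway matches it to the state entry and hands it back to the laptop; and a port 80 request is stopped by the ruleset before it ever leaves, which is exactly the split wblock@ describes: NAT decides where the packets go, the filter rules decide whether they may.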
 