Hi guys,
I have a home router/firewall/DHCP-server/DNS-forwarder set up at home that is giving me some grief, and since I'm not a networking expert I'll pose the questions to the good people here in hopes that they can find some peace of mind for me.
This is what my setup looks like:
The cable modem (Cisco DCP3825 in bridged mode) is connected to nfe0 on the FreeBSD server. The cable modem gets a DHCP public IP from the ISP and also (sadly) turns on a local DHCP server that gives out IPs in the 192.168.100.x range. The FreeBSD server then has a NIC em0 that is connected to a LAN switch, to which my LAN clients are also connected. Some of my LAN clients are static and others "should" get their IP from the FreeBSD DHCP server in the 10.0.0.x range. I'm using PF as firewall/NAT and have set up rules as described below. I'm running the latest/updated FreeBSD 9.1-RELEASE-p3.
Problem 1: Sometimes my LAN clients (especially when they're "reconnected") get a DHCP-assigned IP address from my cable modem instead of my FreeBSD server, i.e. they get an address in the 192.168.100.x range instead of the 10.0.0.x range. This has happened to Mac, Windows and Linux clients, all the same. How do I "block" my cable modem's DHCP offering or broadcast from being passed through the FreeBSD server? Maybe it has something to do with my PF rules?
Problem 2: It's not really a problem, rather a question: As you can see from the rules below, I have bridge0 set up as the internal NIC to which my PF rules apply. The reason for this is that for now I only have LAN clients connected to em0 (the only member of bridge0), but later on I'll be adding a wifi card as an AP (once I find a compatible card, hopefully soon) to the bridge so both my LAN and WiFi clients can get DHCP addresses. However, I want to assign addresses in different IP space for both types of clients, e.g. LAN clients coming off the LAN switch to em0 should get DHCP IPs in the range 10.0.0.x and WiFi clients coming from wlan0 get DHCP IPs in the range 192.168.1.x. Both these NICs are members of bridge0. Is this doable? If yes, how? Is that something I have to set up on the DHCP server itself? Based on the MAC addresses of the bridge0 members (em0, wlan0)? This is just my guess.
Here are my PF rules:
Code:
# macros
ext_if="nfe0"                 # cable modem side (public IP via ISP DHCP)
int_if="bridge0"              # LAN side; em0 is currently the only member
tcp_services="{ 22 }"         # TCP ports on the router reachable from the LAN
icmp_types="echoreq"          # ICMP echo request is the only ICMP type allowed in
mynix="10.0.0.10"             # defined but not referenced by any rule below

# options
set block-policy return       # blocked packets get a RST/ICMP unreachable instead of a silent drop
set loginterface $ext_if      # pfctl -si counters are kept for the external interface
set skip on lo                # no filtering on loopback

# normalization
scrub in

# translation: NAT everything leaving nfe0 that did not originate from nfe0's own address
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# FTP helper: LAN FTP control connections are redirected through ftp-proxy on 127.0.0.1:8021
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filtering: default deny inbound on every interface, allow all outbound
block in
pass out
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
# the LAN may reach the router's own SSH
pass in on $int_if inet proto tcp from any to $int_if port $tcp_services
# echo requests are accepted on any interface
pass in inet proto icmp all icmp-type $icmp_types
# everything else arriving on the LAN side is allowed through, stateless
pass quick on $int_if no state
Thank you for reading.
Hoping to get some answers.
N00B.
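The following configuration fragments are an added example and are not part of N00B's post or of the ruleset above; they show one defender-side way to handle both questions. For Problem 1, the fragment makes the "no DHCP server replies from the modem side" policy explicit in pf.conf and notes the bridge filtering sysctls that matter if the modem's interface ever ends up inside bridge0. For Problem 2, it assumes the two client interfaces are routed rather than bridged, because ISC dhcpd picks a subnet by the interface a request arrives on, and inside one bridge every request arrives on bridge0. Assumptions beyond the post: ISC dhcpd installed from ports with its configuration in /usr/local/etc/dhcpd.conf, the router holding 10.0.0.1 on em0 and 192.168.1.1 on wlan0, and the lease ranges, lease times and the hostap line, which are constructed placeholders.

```conf
# --- /etc/pf.conf (fragment) --------------------------------------------
ext_if="nfe0"
int_if="bridge0"        # becomes "{ em0 wlan0 }" once the bridge is dropped

# DHCP server->client traffic is UDP from port 67 to port 68. Refuse it
# on the ISP side explicitly, so the modem's 192.168.100.x server can never
# be accepted or forwarded no matter what later pass rules say.
block in quick on $ext_if inet proto udp from any port 67 to any port 68

# Only this host serves DHCP towards the LAN: allow the client requests in
# and this host's offers out on the inside interface.
pass in  quick on $int_if inet proto udp from any port 68 to any port 67
pass out quick on $int_if inet proto udp from any port 67 to any port 68

# If nfe0 were ever added to bridge0, offers would cross at layer 2 and PF
# would not see them on the bridge members without these sysctls:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=1
# Keeping nfe0 out of the bridge is the real fix; the rule above is the net.
# Checks: "pfctl -nf /etc/pf.conf" validates syntax; running
# "tcpdump -ni em0 port 67 or port 68" and the same on nfe0 shows whether
# a 192.168.100.x offer ever traverses this box or reaches the LAN elsewhere.

# --- /etc/rc.conf (fragment) --------------------------------------------
ifconfig_em0="inet 10.0.0.1 netmask 255.255.255.0"
wlans_ath0="wlan0"                          # placeholder parent device name
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="inet 192.168.1.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_ifaces="em0 wlan0"                    # one pool per interface

# --- /usr/local/etc/dhcpd.conf (fragment) -------------------------------
# "authoritative" makes dhcpd NAK a client that asks to renew a lease from
# a foreign range (such as 192.168.100.x), so it re-requests from this server.
authoritative;
default-lease-time 3600;
max-lease-time 86400;

subnet 10.0.0.0 netmask 255.255.255.0 {      # wired clients arriving via em0
    range 10.0.0.100 10.0.0.200;
    option routers 10.0.0.1;
    option domain-name-servers 10.0.0.1;
}

subnet 192.168.1.0 netmask 255.255.255.0 {   # WiFi clients arriving via wlan0
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
}
```

With the two interfaces routed, the existing NAT rule already covers both subnets because it matches on everything not sourced from nfe0's own address, and the antispoof line should list both inside interfaces. Matching on client MAC addresses, as guessed in the post, would require a class per known client rather than per interface, which does not scale and does not survive a client being moved between wired and wireless.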