FreeBSD Router / Gateway trouble.

[stevejones]

Hello everyone,

My first post here and I hope I put it in the right section.

Last week my router kicked the bucket so instead of buying a new one I thought I would turn A PC I have here into a gateway / router running FreeBSD.

My knowledge with networking isn't as good as I would like. Tho I'm pretty comfortable with FreeBSD.

I have tried every step-by-step I could find but for some reason I can't get it to work.

My network would look like this:

Cable modem --> (re0) FreeBSD Box (vr0) --> Hub --> PC's

So far what I have done.

Standard install of FreeBSD


Added to rc.conf

gateway_enable="YES" 
ifconfig_re0="DHCP"
ifconfig_vr0="inet  192.168.1.1 netmask 255.255.255.0"
pf_enable="YES"
defaultrouter="x.x.134.1" (not sure if this is right. It's my ISP's gateway address. I've also tried 192.168.1.1)

Added to pf.conf

ext_if  = "re0"
int_if = "vr0"
nat on $ext_if from $int_net to any -> ($ext_if)

re0 when set to DHCP gets an IP of x.x.135.145, gateway of x.x.134.1, netmask of 255.255.254.0, DNS 64.71.255.198, hostname xxx.cpe.net.cable.rogers.com.

I've set the Windows XP PC with an IP of 192.168.1.100, netmask 255.255.255.0, default gateway 192.168.1.1, DNS 64.71.255.198


My LAN is completely dead, I can't ping anything. No connection at all. Not sure if it's vr0 not being set-up right or I need bind working. I'm lost !


Any help would be great !!

Thanks.

 

[SirDice]

defaultrouter="x.x.134.1" (not sure if this is right. It's my ISP's gateway address. I've also tried 192.168.1.1)

The DHCP on re0 will figure this one out. Just leave it out.

ext_if  = "re0"
int_if = "vr0"
nat on $ext_if from $int_net to any -> ($ext_if)

Looks ok but you forgot to set $int_net. Most likely this will be 192.168.1.0/24.

I've set the Windows XP PC with an IP of 192.168.1.100, netmask 255.255.255.0, default gateway 192.168.1.1, DNS 64.71.255.198

Should be ok, at least the IP addresses. Not sure about your DNS of course.

My LAN is completely dead, I can't ping anything. No connection at all. Not sure if it's vr0 not being set-up right or I need bind working. I'm lost !

Ok. Make sure the IP address you set above isn't used by another device/PC. Try to ping the default gateway (192.168.1.1).

 

[DutchDaemon]

Does the router itself have full connectivity? BTW, your DHCP stuff should take care of the default gateway, so the defaultrouter is probably superfluous.

Do you see any activity on vr0 with a tcpdump? If you have any log statements on block rules in pf.conf, does anything show up in a tcpdump of pflog0?

 

[DutchDaemon]

Looks ok but you forgot to set $int_net. Most likely this will be 192.168.1.0/24.

Probably just above the lines pasted here, because pfctl does not like undefined macros and is quite verbal about it

 

[stevejones]

Guys thank you so much, it works !!

It was $int_net it wasn't set.

just one little line caused me so much trouble.

I owe you guys big time...thanks again.

 

[SirDice]

In addition to this, you may want to configure BIND (DNS server) and/or add net/isc-dhcp3-server.

 

[mickey]

Looks ok but you forgot to set $int_net. Most likely this will be 192.168.1.0/24.

Or simply vr0:network, or perhaps more convenient $int_if:network

 

[stevejones]

What would BIND do ? (sorry not to good with this stuff)

Does anyone have any experience with pf and Xbox live ?

Trying to setup some rules to allow ports 3074 and 88 but to keep "static-port"

Is there some sort of rules that allows everything to pass with out changing the ports ?

I'm getting strict NAT.

This works ONLY when I comment out the first line (shown below) but then my network stops working.

ext_if = "re0"
int_if = "vr0"
int_net = "192.168.1.0/24"
xbox = "192.168.1.102"

#nat on $ext_if from $int_net to any -> ($ext_if)


nat on $ext_if from $xbox to any -> ($ext_if) static-port

rdr on $ext_if proto udp from any to $ext_if port 88 -> $xbox port 88
rdr on $ext_if proto udp from any to $ext_if port 3074 -> $xbox port 3074
rdr on $ext_if proto tcp from any to $ext_if port 3074 -> $xbox port 3074

pass in quick on $ext_if proto { tcp, udp } from any to $xbox port 3074 keep state

pass in quick on $ext_if proto udp from any to $xbox port 88 keep state

 

[SirDice]

What would BIND do ? (sorry not to good with this stuff)

It can handle DNS requests of your network.

Does anyone have any experience with pf and Xbox live ?

I think the easiest would be to set up net/miniupnpd. If I'm not mistaken the Xbox can do UPnP.

 

[jbarton]

I hope I am not out of line with this. I cannot find out how to start a new thread. There simply is no button or link marked in such a way that says "Push me" to create a new thread. The Posting Rules say I can, at the bottom of every thread I have read so far - and yet ...

 

[DutchDaemon]

I hope I am not out of line with this. I cannot find out how to start a new thread. There simply is no button or link marked in such a way that says "Push me" to create a new thread. The Posting Rules say I can, at the bottom of every thread I have read so far - and yet ...

At the top and at the bottom of each subforum is this:

 

[jbarton]

Not on my browser (IE7).

 

[jbarton]

Well, I'm posting to this thread because this it the same problem I am having. I am using FreeBSD 8.0 in a fresh install. I have built a custom kernel with IPDIVERT, IPFIREWALL, IPFIREWALL_DEFAULT_TO_ACCEPT and IPFIREWALL_VERBOSE added as options.

My configuration is for a DHCP server with NAT, My ISP supplies me with 5 static IP's two of shich are being redirect to local 192.xxx.xxx.xxx IP's. The rest of the local range on xl0 is up for grabs. As far as I can tell, the DHCP server is working correctly. It does infact issue the correct information to any DHCP client. Also, I am able to ping the internet from bge0 (the public interface). However, I cannot access the internet from a DHCP client. I am not using PF, I am using IPFW. It appeared in the documentation where as PF did not. I am definately new to freeBSD. I suppose I could post my config files if that would be of help.

 

[DutchDaemon]

Do you have gateway_enable="YES" in /etc/rc.conf?

 

[jbarton]

Sure! I read everything I could find on the topic and that was part of it . Here's what happened this morning:

I was thinking about why the output of ipfw -a l was different on my machine than it was in the docs. There it is presented like this:

	# ipfw -a l
	00050 1566423  901667271 divert 8668 ip from any to any via xl0
	00100  116714   10731910 allow ip from any to any via lo0
	00200       0          0 deny ip from any to 127.0.0.0/8
	65000 3342945 1813053300 allow ip from any to any
	65535       0          0 deny ip from any to any

Line 50 shows the use of port 8668 in the mix. When I ran it on my machine it said:

	# ipfw -a l
	00050 1566423  901667271 divert any ip from any to any via xl0
	00100  116714   10731910 allow ip from any to any via lo0
	00200       0          0 deny ip from any to 127.0.0.0/8
	65000 3342945 1813053300 allow ip from any to any
	65535       0          0 deny ip from any to any

Now line 50 here is not a direct quote but the absence of port 8668 is. I kept wondering why that was. I was using a natd.conf in /etc and had interface bge0 in it. I moved the interface option back into rc.conf and guess what happened next! It started working! The 8668 returned to the output of ipfw -a l and I am now able to access the internet via dhcp clients. Outstanding! Thanks for your replies to my posts. Replies mean a lot to people who post questions on forums. They post questions because they are usually at their wits' end. Your responses are a ray of hope in an otherwise "hopeless" situation. Enjoy!

 

[jbarton]

Oops! Looks like I spoke too soon. While a dhcp client can indeed use the freeBSD box as a gateway successfully, my two statically assigned computers cannot access the internet. DHCP correctly assigns the addresses I placed in the /usr/local/etc/dhcpd.conf as hardware ethernet fixed-address entries. However, any machine so designated will not access the internet. I was using the rediret option in natd.conf referenced by natd_flags in rc.conf. I moved the redirect by putting the -redirect_address option in rc.conf. No help.

I have been working with a 3Com OfficeConnect 25 for years. It has DHCP server with NAT and this is what I am used to using. My thinking is therefore geared in that direction. With that, I simply defined an address pool for regular dhcp client distribution and left the staic assignments out of the range. Then I designated the public ip range to be nat'd specifying the first address in the range for local and public and the range length. In my case the length was 4 as the first IP I have is used as the public IP. I am trying to apply this same thinking to my configuration of freeBSD not knowing if this is viable or not. I cannot find where to enter all these parameters but I have found most of them. In DHCPD.conf I have entered: (the names have been changed to protect the innocent)

option domain-name "the name";
option domain-name-servers server1 server2 server3;
option subnet-mask 255.255.255.0;

default-lease-time 7200;
max-lease-time 86400;

ddns-update-style none;

authoritative;

#According to the sample config this is needed for the DHCP server to 
#understand the network typology.
subnet 10.152.187.0 255.255.255.0 {
}

subnet 192.168.1.0 255.255.255.0 {
  range 192.168.1.150 192.168.1.199;
  option routers 192.168.1.253;        #local gateway
}

#Lastly are 3 (1 for tests) entries in the following format:
host static_host {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 192.168.1.205;
{

Nothing else in DHCPD.conf is uncommented.

rc.conf looks like this:

defaultrouter="xx.xx.xx.201"   #ISP issued gateway address
gateway="YES"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_interface="bge0"          #connects to my cable modem
natd_flags="-redirect_address 192.168.1.205 xx.xx.xx.205"
hostname="hostname"            #:-) No not really.
ifconfig_bge0="inet xx.xx.xx.206 netmask 255.255.255.248"  #Public IP
ifconfig_xl0="inet 192.168.1.253 netmask 255.255.255.0"    #Local gateway
dhcpd_enable="YES"
dhcpd_ifaces="xl0"

-= End of File =-

I have not edited or created any other config files that I can recall but my memory seriously sucks so there may be something. So, with this configuration, I can use a common pool dhcp client and access the internet very well. However, the static_host computers cannot access the internet. The computers are configured as dhcp clients which are always assigned the same IP outside the range of the common pool. This is the same way I have been doing it for years with my 3Com firewall.

By the way, the 3Com firewall is only 10 base-T which is why I need to stop using it. My cable service is now 25/2 but I am only able to see 3/2 through the 3Com.

 

[DutchDaemon]

Use

 tags, please!

 

[aragon]

my two statically assigned computers cannot access the internet.

Try this:

group {
  option routers 192.168.1.253;
  host static_host {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.1.205;
  }
}

 

[jbarton]

An interesting thought and thanks; but the results were the same - no internet. I've noticed what I consider to be a discrepancy in the system. When my dhcp client is targeted for a lease as a staic host, obtaining a new lease does not make an entry in /var/db/dhcpd/dhcpd.leases as it does when the same computer is targeted as a common pool client. In fact, I can't find any record in /var/db/ or /var/db/dhcpd/ reflecting that static host lease. It should be somewhere but I don't know where. I also don't know if it is possible to search files by content in freeBSD. If I knew how to do that I might be abe to find the entry. I am definately a novice to freeBSD.

I have also noticed that when I have obtained a lease as a common pool client and subsequently obtain a lease as a static host client the system will complain about a duplicate lease for the client computer. I clear this complaint by empting the lease information from /var/db/dhcpd/dhcpd.leases and I also have to reboot as the information is appearantly kept in memory (judging from the continuous complaining from time to time). However, when I have a static host lease and release it then reconfigure for common pool leases, reboot (I don't know how to make DHCP work with these changes without rebooting here), and then obtain the new common pool lease, the system does not complain about a duplicate lease for this computer (all this testing is being done on my laptop). I would say - something is missing with regard to the static host lease - otherwise there would be consistency in the system's complaining.

 

[jbarton]

Does anyone have any thoughts about what might further need to be done to get these static host clients to work? Is it possible to use DHCP and NAT together in this manner in freeBSD?

 

[aragon]

I also don't know if it is possible to search files by content in freeBSD.

Try:

find /var -type f -exec grep -H "192.168.1" {} \;

Does anyone have any thoughts about what might further need to be done to get these static host clients to work? Is it possible to use DHCP and NAT together in this manner in freeBSD?

It is very possible and pretty straight forward. What you need to do is check the static clients for what configuration they are missing. Are they setting the correct default route? Are they configuring DNS? Are they even getting the right IP address? Once you find out what they're missing you can start figuring out why they're missing it and how to solve that.

 

[jbarton]

They aren't missing anything. All assignments are made and they are all correct. The static IP I designated is assigned, domain, gateway, DNS - it's all there and it's all correct - always was. Except for the IP, the assignments are identical to the assignments they receive when the client is targeted for a common pool lease (in which case internet access is present).

Thanks for the find statement - I never would have figured that one out. I think the /var means to search the /var directory and sub-folders. I modified the command line to use / only but it would only find the entry in /use/local/etc/dhcpd.conf. It would not find the one in /etc/natd.conf unless I specified /etc. I assume I did it wrong and was asking too much of it. It never completes the command when using / as well - doesn't come back to the command prompt. It just sits there on the next line looking at me like I'm stupid. LOL Well, Ctrl-C solves that little problem.

Anyway, I am still not getting any internet access for a static host. Does anyone have that working?

 

[jbarton]

Post #16 above shows my dhcpd.conf and rc.conf contents. I've reduced my quest for a solution to this:

In rc.conf, if I change the natd_flags to:

natd_flags=""

then DHCP correctly configures the client machine to 192.168.1.205 and I am able to access the internet. If, on the other hand, I change that same rc.conf line to look like this:

natd_flags="-redirect_address 192.168.1.205 xx.xx.xx.205"

although the windows client's ipconfig information is still exactly the same, I am no longer able to access the internet from the client.

Does anyone have any idea why this might be? Please help me guys. This is my last plea for assistance on this matter.

 

[aragon]

Are you sure xx.xx.xx.205 is a publicly routable IP address that is allocated to you?

If yes, use tcpdump(1) to see what's going on.