FreeBSD router with only one Ethernet port

[JazzSinatra]

I have somewhat limited understanding about networking and I was wondering, that could I use my FreeBSD server as a router with a network switch, because the machine has only one Ethernet port. I would connect the FreeBSD router to the network switch and the network switch directly to the out-port which leads to the internet. I made picture about the layout of my network plan.

• Could I still have a router firewall to protect my network even if my router wouldn't be directly connected to the internet?
• Could my FreeBSD router block other machines to access internet?
• Would all packets (in going and out going) go through my router?

Why I'm thinking about this? My current ASUS router can't port forward anymore after a firmware update. I don't know why.

 

[phoenix]

If you have a managed switch that understands vlans, then yes, this is doable.

1. Configure port 1 on the switch with untagged vlan 2 (set PVID to 2 as well, if it supports that). Plug that into the router. This is your "WAN".
2. Configure port 2 on the switch with tagged vlans 1 and 2. Plug that into the FreeBSD box.
3. Leave the rest of the ports set to untagged vlan 1 (DEFAULT_VLAN). Plug your other devices into these ports. This is your "LAN".

Then, configure your NIC in FreeBSD with 2 vlan pseudo-interfaces (em0.1 and em0.2 for example if using em(4) device, or vlan1 and vlan2, depending how you configure things). When configuring your firewall, the em0.2 or vlan2 interface is your WAN/Internet NIC; and em0.1 or vlan1 interface is your LAN/local NIC.

/etc/defaults/rc.conf has information on configuring vlan interfaces in /etc/rc.conf.

 

[JazzSinatra]

If you have a managed switch that understands vlans, then yes, this is doable.

1. Configure port 1 on the switch with untagged vlan 2 (set PVID to 2 as well, if it supports that). Plug that into the router. This is your "WAN".
2. Configure port 2 on the switch with tagged vlans 1 and 2. Plug that into the FreeBSD box.
3. Leave the rest of the ports set to untagged vlan 1 (DEFAULT_VLAN). Plug your other devices into these ports. This is your "LAN".

Then, configure your NIC in FreeBSD with 2 vlan pseudo-interfaces (em0.1 and em0.2 for example if using em(4) device, or vlan1 and vlan2, depending how you configure things). When configuring your firewall, the em0.2 or vlan2 interface is your WAN/Internet NIC; and em0.1 or vlan1 interface is your LAN/local NIC.

/etc/defaults/rc.conf has information on configuring vlan interfaces in /etc/rc.conf.

Could I get same result if I would buy a second NIC for my server and an unmanaged switch? Could I then connect the first NIC to the out-put ethernet port and the second NIC to the unmanaged switch and after that create a bridge between these two NICs? That would be cheaper if any NIC would do it.

 

[Eric A. Borisch]

Could I get same result if I would buy a second NIC for my server and an unmanaged switch? Could I then connect the first NIC to the out-put ethernet port and the second NIC to the unmanaged switch and after that create a bridge between these two NICs? That would be cheaper if any NIC would do it.

Using two NICs is definitely the easier route. You can even get a cheap USB one if you're out of slots.

 

[SirDice]

Could I then connect the first NIC to the out-put ethernet port and the second NIC to the unmanaged switch and after that create a bridge between these two NICs?

Yes and no. Yes, with 2 NICs and an unmanaged switch you can set up FreeBSD as a border/gateway/firewall type device. And no, you don't want to bridge(4) those two interfaces as that would essentially just link both sides into one network.

If it's at all possible try and set your internet modem/router in "modem mode". This bypasses the internal router, anything you connect to the modem will get your internet IP address directly. Then you can do the NAT and firewalling on the FreeBSD host. This is how I've set things up at home. My cable modem is set to "modem mode" (normally it's in "router mode"), the modem is connected to NIC1 on a FreeBSD host. NIC2 of that host is connected to the switch. The rest of my home network is tied to that switch too. On the FreeBSD host I have PF set up for NAT/firewalling, it's also running a DHCP and DNS server. DHCP provides the internal addresses for phones, tablets, workstations, etc.

 

[JazzSinatra]

Yes and no. Yes, with 2 NICs and an unmanaged switch you can set up FreeBSD as a border/gateway/firewall type device. And no, you don't want to bridge(4) those two interfaces as that would essentially just link both sides into one network.

If it's at all possible try and set your internet modem/router in "modem mode". This bypasses the internal router, anything you connect to the modem will get your internet IP address directly. Then you can do the NAT and firewalling on the FreeBSD host. This is how I've set things up at home. My cable modem is set to "modem mode" (normally it's in "router mode"), the modem is connected to NIC1 on a FreeBSD host. NIC2 of that host is connected to the switch. The rest of my home network is tied to that switch too. On the FreeBSD host I have PF set up for NAT/firewalling, it's also running a DHCP and DNS server. DHCP provides the internal addresses for phones, tablets, workstations, etc.

I actually live in an apartment building which have some kind of central modem. My flat only has one out-put ethernet port to the internet. My internet ip 84.xx.xx.xx leads to that ethernet port.

 

[adri]

Using 2 NICs is the best option in your situation.
When you really have only 1 NIC, you'll need to plug a managed switch into the central ethernet port and configure VLANs.

 

[phoenix]

Could I get same result if I would buy a second NIC for my server and an unmanaged switch? Could I then connect the first NIC to the out-put ethernet port and the second NIC to the unmanaged switch and after that create a bridge between these two NICs? That would be cheaper if any NIC would do it.

If you have 2 NICs, then you plug 1 into the modem/router (that's the Internet link) and the other one into the switch (that's the LAN). It essentially becomes the router at that point, as only traffic that you allow through from one NIC to the other is allowed. This is the "normal" firewall setup.

 

[SirDice]

I actually live in an apartment building which have some kind of central modem. My flat only has one out-put ethernet port to the internet. My internet ip 84.xx.xx.xx leads to that ethernet port.

That's good. That will actually make it easier as you're able to get your internet IP address directly on an interface. That means you don't have to fiddle with a modem/router to get it into 'modem' mode or have to deal with a double NAT (NAT on the modem/router and NAT on the FreeBSD host).

As phoenix said, plug that cable into one of the interfaces and use the other interface to connect to the LAN.

 

[FreeBSD Questions]

################ Single Interface Router/NAT

       hostname="ratrouter"
       gateway_enable="YES"            # Set to YES if this host will be a gateway.
       cloned_interfaces="bridge0"
       ifconfig_awg0="inet 192.168.69.1 netmask 0xffffff00"
       ifconfig_bridge0="inet 10.10.10.10 netmask 0xffffff00 addm awg0"

       firewall_enable="YES"           # Set to YES to enable firewall functionality
       firewall_type="open"            # Firewall type (see /etc/rc.firewall)
       firewall_nat_enable="YES"       # Enable kernel NAT (if firewall_enable == YES)
       firewall_nat_interface="bridge0"    # Public interface or IPaddress to use

       #dhcpntpdate_enable="yes" # Optional DHCP hack

       ####Works fine if your WAN or NAT network is 10.10.10.10 or you assign the IP manually
       ####If you want DHCP assigned wan the only thing I could figure out was an ugly hack
       ####file called dhcpntpdate in /usr/local/etc/rc.d....
       ####you would have to also add any post network rc.conf services here as well.

       # PROVIDE: dhcpntpdate
       # REQUIRE: NETWORKING syslogd
       #!/bin/sh
       echo "Starting DHCP ntpdate"
       /sbin/ifconfig bridge0 10.10.10.10 delete
       /sbin/dhclient bridge0
       /usr/sbin/ntpdate tick.usno.navy.mil tock.usno.navy.mil