FreeBSD Router with PF

ryuusoultaker

ryuusoultaker

I'm trying to set up a router with FreeBSD at my lab. I have configured the kernel so I could use PF and ALTQ. The topology of my lab is like

Code: 
internet == router == FreeBSD

and I want to place a WRT54GL AP under my PC so I can use WiFi for client, so it will be

Code: 
internet == router == FreeBSD == AP

my PC has a static IP address 192.168.1.2 from the router.

I already installed isc-dhcp and the dhcpd.conf on /usr/local/etc/dhcpd.conf is like this
Code: 
option domain-name-servers 203.6.149.145;
default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;
authoritative;
log-facility local7;

subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.1 192.168.2.254;
  option domain-name-servers 203.6.149.145;
  option routers 192.168.2.1;
  option broadcast-address 192.168.2.255;
}

and I use PF to forward it. My pf configuration in /usr/local/etc/pf.conf is like
Code: 
ext_if="em0"
int_if="re0"
internal_net="192.168.2.0/24"
external_addr="192.168.1.2"
localnet = $int_if:network

tcp_services = "{ 20, 21, 22, 23, 25, 53, 80, 110, 113, 143, 161, 162, 220, 443,1680, 1870, 3000, 3001}"
port_2   = "{ 80, 81, 143, 220, 554, 993, 995, 3128, 3000, 3001, 8080, 8181 }"
sshport = "{ 22, 2222, 1870 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

#table <spamd-white> persist

#set skip on lo
set block-policy drop
set loginterface $ext_if
set skip on lo0

#scrub in
scrub in all

nat on $ext_if proto {tcp, udp, icmp} from $int_if:network to any -> $ext_if
nat on $ext_if from any to any -> ($ext_if)

#block all
#block drop in quick on $ext_if from $priv_nets to any
#block drop out quick on $ext_if from any to $priv_nets

pass out quick on $ext_if proto tcp from any port $tcp_services to any keep state
pass in quick on $ext_if proto tcp from any to any port $tcp_services keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

pass out on $ext_if from 192.168.1.2 to $ext_if keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if from $localnet to $ext_if keep state
pass out on $int_if from $localnet to $int_if keep state
pass in on $ext_if from $localnet to $ext_if keep state
pass in on $int_if from $localnet to $int_if keep state

and this is my rc.conf:
Code: 
pf_enable="YES"
pf_logd="YES"
pf_conf="/usr/local/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
gateway_enable="YES"

ifconfig_em0="inet 192.168.1.2  netmask 255.255.255.0"
ifconfig_re0="inet 192.168.2.1 netmask 255.255.255.0"
defaultrouter="192.168.1.1"
hostname="127.0.0.1"

dhcpd_enable="YES"
dhcpd_ifaces="re0"
dhcpd_flags=""
dhcpd_conf="/usr/local/etc/dhcpd.conf"

and my sysctl.conf is
Code: 
net.inet.ip.forwarding=1
When I try to connect into the WRT54GL that I have configured as AP (I disabled the dhcp function so IP will come from the PC), I can get IP address 192.168.2.100 but I cannot ping into 192.168.2.1 and I cannot connect to internet. Can anybody tell me what I got wrong?

Best regards

Ryuu
 
Make sure your AP has disabled firewall, NAT, and all other services as well.
Does your router connected to internet knows how to reach 192.168.2.0/24 ?

Finally, you have too many unnecessary pass in/out options in pf. Remember that traffic passed to one direction is automatically returned in other direction on same interface.
 
bbzz said:
Make sure your AP has disabled firewall, NAT, and all other services as well.
Click to expand...
I have disabled the firewall and other services from the AP.

bbzz said:
Does your router connected to internet knows how to reach 192.168.2.0/24 ?
Click to expand...
OK, I don't know what you mean by whis, can you explain more? Or thing thatIi should do to check that?

bbzz said:
Finally, you have too many unnecessary pass in/out options in pf. Remember that traffic passed to one direction is automatically returned in other direction on same interface.
Click to expand...
I just simply do things with try and error so I really don't know what do I do with it. Is that have a serious matter to the firewall?
 
So, you made things quite complicated?
Code: 
internet == router == [del]freebsd[/del] FreeBSD router == AP router

Some suggestions about pf.conf

Code: 
ext_if="em0"
int_if="re0"
internal_net="192.168.2.0/24"
external_addr="192.168.1.2"
localnet = $int_if:network

tcp_services = "{ 20, 21, 22, 23, 25, 53, 80, 110, 113, 143, 161, 162, 220, 443,1680, 1870, 3000, 3001}"
port_2   = "{ 80, 81, 143, 220, 554, 993, 995, 3128, 3000, 3001, 8080, 8181 }"
sshport = "{ 22, 2222, 1870 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

#table <spamd-white> persist

#set skip on lo
set block-policy drop -->> set block-policy reject
set loginterface $ext_if
set skip on lo0

#scrub in
scrub in all -->> temporary disable this


#### NAT rule
nat on $ext_if from ! $ext_if to any -> $ext_if

#### disable NAT rules below
nat on $ext_if proto {tcp, udp, icmp} from $int_if:network to any ->  $ext_if
nat on $ext_if from any to any -> ($ext_if)

#block all
#block drop in quick on $ext_if from $priv_nets to any
#block drop out quick on $ext_if from any to $priv_nets

#### alow all traffic and log
pass log all keep state

#### disable all rules below
pass out quick on $ext_if proto tcp from any port $tcp_services to any keep state
pass in quick on $ext_if proto tcp from any to any port $tcp_services keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

pass out on $ext_if from 192.168.1.2 to $ext_if keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if from $localnet to $ext_if keep state
pass out on $int_if from $localnet to $int_if keep state
pass in on $ext_if from $localnet to $ext_if keep state
pass in on $int_if from $localnet to $int_if keep state

Check pf log; if pf sees and allows traffic, then routing may be your problem.
 
Abriel said:
Paste ipconfig/all from your Notebook/PC after connecting.
Click to expand...

Code: 
Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 802.11g Network Adapter
   Physical Address. . . . . . . . . : C4-17-FE-53-F9-CF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.2.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 08 Januari 2012 6:16:17
   Lease Expires . . . . . . . . . . : 09 Januari 2012 6:44:43
   Default Gateway . . . . . . . . . : 192.168.2.1
   DHCP Server . . . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 203.6.149.145
   NetBIOS over Tcpip. . . . . . . . : Enabled

that's my ipconfig when I connected to the AP
 
CoTones said:
So, you made things quite complicated?
Code: 
internet == router == [del]freebsd[/del] FreeBSD router == AP router
Click to expand...

sadly I have to put FreeBSD PC under the router, and yeah I made things complicated..


CoTones said:
Check pf log; if pf sees and allows traffic, then routing may be your problem.
Click to expand...

I have check pflog through tcpdump and this is what I got..
Code: 
00:00:08.257894 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 224.0.0.2: igmp v2 report 224.0.0.2
00:01:59.671837 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 239.255.255.250: igmp v2 report 239.255.255.250
00:00:06.696741 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 224.0.0.2: igmp v2 report 224.0.0.2
00:01:59.159558 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 224.0.0.2: igmp v2 report 224.0.0.2
00:00:01.190801 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 239.255.255.250: igmp v2 report 239.255.255.250
00:02:05.594292 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 224.0.0.2: igmp v2 report 224.0.0.2
00:00:04.834375 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 239.255.255.250: igmp v2 report 239.255.255.250
00:01:59.496939 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 239.255.255.250: igmp v2 report 239.255.255.250
00:00:01.611115 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 224.0.0.2: igmp v2 report 224.0.0.2
00:02:06.363965 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 239.255.255.250: igmp v2 report 239.255.255.250
00:00:03.972687 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 224.0.0.2: igmp v2 report 224.0.0.2
00:02:00.150619 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 239.255.255.250: igmp v2 report 239.255.255.250
00:00:00.650447 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 224.0.0.2: igmp v2 report 224.0.0.2
00:02:10.233041 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 224.0.0.2: igmp v2 report 224.0.0.2
00:00:02.271552 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 239.255.255.250: igmp v2 report 239.255.255.250
00:02:02.488548 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 224.0.0.2: igmp v2 report 224.0.0.2
00:00:00.230184 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 239.255.255.250: igmp v2 report 239.255.255.250
00:02:04.131826 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 224.0.0.2: igmp v2 report 224.0.0.2
00:00:01.551017 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 239.255.255.250: igmp v2 report 239.255.255.250
00:02:02.345343 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 224.0.0.2: igmp v2 report 224.0.0.2
00:00:07.194895 rule 4294967295/8(ip-option): pass in on em0: 192.168.1.1 > 239.255.255.250: igmp v2 report 239.255.255.250

so what it means?
 
You must log in or register to reply here.
Back
Top