FreeBSD router

dpetka2001 · Mar 10, 2011

Hello there.

I would like to set up my FreeBSD box as a router for my internal network. The box has 2 NICs on it and there will be 2 networks (192.168.1.x and 192.168.2.x). The first will be my internal network and the second will be the one that connects to the router of my ISP. I would like to know how I should do the configuration in order for the two networks to be able to see each other. Should I make an alias on one nic with an ip from the other network (if that is possible or maybe I didn't understand correct)? Or should I add static routes to rc.conf? If the latter what am I supposed to write in rc.conf?

Thanks in advance.

SirDice · Mar 10, 2011

dpetka2001 said:
I would like to know how I should do the configuration in order for the 2 networks to be able to see each other.

Add to /etc/rc.conf:

Code:

gateway_enable="YES"

And you're done.

Alt · Mar 10, 2011

I think he must setup NAT too or second machine won't work (isp will not add routes to second machine).

SirDice · Mar 10, 2011

Alt said:
I think he must setup NAT too or 2nd machine wont work (isp will not add routes to 2nd machine)

Not needed as long as routing is set up properly. You should avoid using NAT when possible. It'll only make things more complicated.

Alt · Mar 10, 2011

dpetka2001 said:
the second will be the one that connects to the router of my isp.

If you want internet on network behind server:
If router do NAT, you must add a route to 192.168.1.x trough you FreeBSD server.
If he does not, you should setup NAT on FreeBSD.

SirDice, if he wants internet via his ISP, he cannot avoid NAT unless he buy additional IP, you agree? =)

SirDice · Mar 10, 2011

Alt said:
SirDice, if he wants internet via his ISP, he cannot avoid NAT unless he buy additional IP, you agree? =)

He's using RFC1918 addresses, he's most likely already behind a router that does the NAT for him. No need to NAT again.

gkontos · Mar 10, 2011

The first will be my internal network and the second will be the one that connects to the router of my isp.

Like SirDice said you shouldn't use NAT on the FreeBSD box but on your external router. What I don't understand is why you want to use a router behind another router ?

dpetka2001 · Mar 11, 2011

Well I already have nat on my isp's router so I guess I only need to translate the internal lan to external correct? Then no port redirection is needed? Only a static route in isp's router which is on 192.168.2.x network to internal lan (192.168.1.x) through 192.168.2.2 (FreeBSD ip on the interface that connects with isp's router)?

dpetka2001 · Mar 11, 2011

gkontos said:
What I don't understand is why you want to use a router behind another router ?

Well I would like to do some traffic shaping on my internal lan because there are two other pcs on internal lan and I would like to avoid bandwidth congestion and apply some limits.

Alt · Mar 11, 2011

dpetka2001 said:
Then no port redirection is needed? Only a static route in isp's router which is on 192.168.2.x network to internal lan (192.168.1.x) through 192.168.2.2 (FreeBSD ip on the interface that connects with isp's router)?

Yes

gkontos · Mar 11, 2011

dpetka2001 said:
Well I would like to do some traffic shaping on my internal lan because there are two other pcs on internal lan and I would like to avoid bandwidth congestion and apply some limits.

Then you might consider to use that box as a firewall with Packet Queueing and Prioritization. Depending on the horse power of your external router you could use it for routing + NAT or if its a cheap dsl modem/router then you could have it as a bridging modem and do all the routing and NAT on your FreeBSD box.

dpetka2001 · Mar 11, 2011

gkontos said:
Then you might consider to use that box as a firewall with Packet Queueing and Prioritization. Depending on the horse power of your external router you could use it for routing + NAT or if its a cheap dsl modem/router then you could have it as a bridging modem and do all the routing and NAT on your FreeBSD box.

Yes, I'm going to try and do this as well. However I think I'll leave the NAT to my isp's router.

rtwingfield · Mar 13, 2011

You might also consider installing another piece of equipment like an external mission-specific router box. I use a NetGear FVX538VPN router between the ISP's bridged DSL router and multiple servers on the LAN. I have two FreeBSD boxes (v4.8 and v7.2), an IBM AS/400, and a D-Link SP-301P+ parallel port print server, all running on addresses such as 192.168.1.nnn. I let the NetGear box route to and from the WAN, and a most useful feature is the VPN for tunneling through the ISP's disdain for reverse DNS and mail forwarding, etc. Services and firewall rules, port forwarding, NAT, (RIP currently disabled), etc., are setup in the NetGear box . . .compartmentalized, leaving you to focus on the esoterics of your applications running on your FreeBSD boxes, such as eMail, DNS, http, CUPS, jabber, etc., all of which are enough to make you crazy without the grief of having to deal with routing.

There are other similar if not functionally equivalent choices from other manufacturers . . .Ci$co comes to mind, but for my needs, the NG FVX538VPN provides an eight-port switch (including one DMZ), accommodates two WANs, plus a gigabit port. You can manage a lot of Office Space with this thing. (I also have a red Swingline stapler

)

dpetka2001 · Mar 13, 2011

Thank you for your proposal but I intend to use it for home use, so I don't intend to spend any money since I already have a pc on standby.

dpetka2001 · Mar 20, 2011

Another question popped to mind although I haven't implemented anything of the above yet. How are the 2 nics which are on different subnets going to communicate with each other? The static route on my isp's router is for the router to be able to route the packets to the internal lan. Should I make an alias on one nic so that it will be on the same subnet as the second nic?

Thank you for your time and sorry for any trouble.

gkontos · Mar 20, 2011

dpetka2001 said:
Another question popped to mind although I haven't implemented anything of the above yet. How are the 2 nics which are on different subnets going to communicate with each other? The static route on my isp's router is for the router to be able to route the packets to the internal lan. Should I make an alias on one nic so that it will be on the same subnet as the second nic?

Thank you for your time and sorry for any trouble.

Let's try to take it from the beginning. One nic and your router are on the same subnet, so there is no need to adjust the routing table. You wouldn't even need to have a default gateway declared in that FreeBSD box in order for the two devices to communicate. But since you want to get to the internet, one hop after your router, you specify your router IP as the default gateway.

When a packet leaves your box with a destination IP of xxx.xxx.xxx.xxx it is being forwarded to your router and then to another and so on. A reply to that packet arrives at your router and since your router and your box are on the same subnet, your router "knows" how to route it.

Case 2. You add another nic with obviously a different subnet. Imagine know a packet leaving from that network to the same destination IP, it travels to your box and then gets routed to your default gateway, your router. Your router will forward it to its default gateway, another router and so on again. However, when the reply comes back your router will have no idea that this packet is destined for your internal network and it will reject it.

So, basically what you really need to do is "teach" your router the existence of your new network and how it can find it. How?
Depending on the model you will have to declare that your new network say, 192.168.1.0/24 is reachable by the IP of your FreeBSD nic. On a cisco it would look like this:

[CMD=""]route 192.168.1.0 0.0.0.255 192.168.0.1[/CMD]
Assuming that 192.168.1.0/24 is your new network and 192.168.0.1 is the nic of your box which is on the same network with your router.

Besides all that good stuff regarding routing, we didn't take into account NAT and state full packet filtering. Therefore, and depending again on the device that you use as a router/firewall you may have to specify that you want to perform NAT on the new network as well. Some ADSL modem/routers do it automatically.

Sorry for the long post

dpetka2001 · Mar 23, 2011

Thank you for your help and the time you took to explain those things to me.

So if I teach my router to know where to forward the packets coming from my internal lan there won't be any problems? I thought that even though teaching the router where to forward the packets the two nics wouldn't be able to communicate since they are on different subnets. That is why I thought that maybe I needed to assign a second ip on one of the two nics in order to be on the same subnet.

gkontos · Mar 23, 2011

dpetka2001 said:
Thank you for your help and the time you took to explain those things to me.

So if I teach my router to know where to forward the packets coming from my internal lan there won't be any problems? I thought that even though teaching the router where to forward the packets the two nics wouldn't be able to communicate since they are on different subnets. That is why I thought that maybe I needed to assign a second ip on one of the two nics in order to be on the same subnet.

You have to think like a kernel

You might be a PC or a server, a Cisco router or whatever device running some kind of OS. Someone decides to attach 2 or more NICs to you and assign IP addresses. If you know their IP addresses and if you can communicate with them, then your routing table needs no more information. If you are a FreeBSD kernel all you want is for someone to add to your rc.conf that:

Code:

gateway_enable="YES"

That way you know that you have an additional job to forward the packets.

Regards,
George

FreeBSD router

dpetka2001

SirDice

Administrator

Alt

SirDice

Administrator

Alt

SirDice

Administrator

gkontos

dpetka2001

dpetka2001

Alt

gkontos

dpetka2001

rtwingfield

dpetka2001

dpetka2001

gkontos

dpetka2001

gkontos