FreeBSD router

[quicktrick]

I use vanilla FreeBSD on a MiniITX box to serve Internet over 802.11n Wi-Fi and wired LAN and it works great...

Hello, nslay! Could you please give some examples of configuration files for a FreeBSD router? Honestly, I'm quite new to FreeBSD (and Linux too), though I managed to set up my own mini-server on openSUSE with Nextcloud, mail server (Postfix + Dovecot + Roundcube), Samba server and some other stuff.

Recently I bought a chinese mini PC with 4 Ethernet ports to try to set up a router on it, because my ASUS RT-N66U with Asuswrt-Merlin firmware works at its limit. Besides usual tasks, there are two OpenVPN clients working on it (TCP and UDP) and it gives the router very high load.

I tried pfSense on my new mini PC, but I encountered some problems it couldn't solve (because of bugs, I discussed them on pfSense forums). Besides I don't like solutions I can't control thoroughly. So I decided to try to configure router on FreeBSD myself. But, frankly speaking, I don't know where to start. Could you please give me a hand?

Now I have FreeBSD 11.1 working on my mini PC. I'm not going to use it as a Wi-Fi router because it had very weak Wi-Fi module and so I removed it at all. After configuring my FreeBSD router, I will use my current Asus Wi-Fi router as an access point. I've tried it as such already with pfSense, and it works fine.

I also need OpenVPN TCP and UDP clients to work on my router, so I can configure the router in such a way that some hosts in my local network get the internet strictly via OpenVPN and no other way.

I also need port forwarding for 80, 443, 25, 587, 993 ports to my openSUSE server.

And I need Samba (smb, nmb) to work properly in my local network.

 

[wolffnx]

Hello, nslay! Could you please give some examples of configuration files for a FreeBSD router? Honestly, I'm quite new to FreeBSD (and Linux too), though I managed to set up my own mini-server on openSUSE with Nextcloud, mail server (Postfix + Dovecot + Roundcube), Samba server and some other stuff.

Recently I bought a chinese mini PC with 4 Ethernet ports to try to set up a router on it, because my ASUS RT-N66U with Asuswrt-Merlin firmware works at its limit. Besides usual tasks, there are two OpenVPN clients working on it (TCP and UDP) and it gives the router very high load.

I tried pfSense on my new mini PC, but I encountered some problems it couldn't solve (because of bugs, I discussed them on pfSense forums). Besides I don't like solutions I can't control thoroughly. So I decided to try to configure router on FreeBSD myself. But, frankly speaking, I don't know where to start. Could you please give me a hand?

Now I have FreeBSD 11.1 working on my mini PC. I'm not going to use it as a Wi-Fi router because it had very weak Wi-Fi module and so I removed it at all. After configuring my FreeBSD router, I will use my current Asus Wi-Fi router as an access point. I've tried it as such already with pfSense, and it works fine.

I also need OpenVPN TCP and UDP clients to work on my router, so I can configure the router in such a way that some hosts in my local network get the internet strictly via OpenVPN and no other way.

I also need port forwarding for 80, 443, 25, 587, 993 ports to my openSUSE server.


And I need Samba (smb, nmb) to work properly in my local network.

this is (basic) all you need to start, PF script

ext_if="bce0"
int_if="bce1"

in_bce0="{80,443,25,587,993}"
out_bce0="{80,443,25,587,993}"
out_bce0_udp="{53}"

out_bce1="{80,443,25,587,993}"
in_bce1="{80,443,25,587,993}"

set skip on lo0
scrub in all

nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
nat on $int_if inet from ! ($int_if) to any -> ($int_if)


#external->internal
rdr pass on $ext_if  proto tcp from any to $ext_if port 80 -> xxx.xxx.xxx.xxx port 80

block all


pass out on $int_if inet proto tcp from any to any port $out_bce1 keep state
pass in   on $int_if inet proto tcp from any to any  port $in_bce1 keep state

pass in  on   $ext_if inet proto tcp from any to any port $in_bce0 keep state
pass out on  $ext_if inet proto tcp from any to any port $out_bce0

#allow icmp
pass out on $int_if proto icmp

antispoof for $ext_if

 

[SirDice]

Posts split off into its own thread (question had nothing to do with the original thread).

 

[quicktrick]

Hello juan9182 ! Thanks for your reply!

Shouldn't I first assign interfaces for my router in /etc/rc.conf ? Now my FreeBSD router is connected to my local network router and I have a line in rc.conf

ifconfig_igb0="DHCP"

I guess I have to change it some way and add there some more lines like:

# WAN connection
ifconfig_igb0="DHCP"

# I also need to substitute my interface's MAC address with my current router's MAC address,
# because of my provider's requirement.
# How to do that?

# LAN connection
ifconfig_igb1="inet 192.168.1.1 netmask 255.255.255.0"

# Default gateway
defaultrouter="x.x.x.x" # Set the gateway (what gateway should it be?)

# Enable ip forward
gateway_enable="YES"

Please, correct me where I'm wrong.

 

[SirDice]

Shouldn't I first assign interfaces for my router in /etc/rc.conf?

Order is irrelevant in rc.conf.

# Default gateway defaultrouter="x.x.x.x" # Set the gateway (what gateway should it be?)

You get a (default) gateway address from DHCP. There's no need to change it.

 

[wolffnx]

Posts split off into its own thread (question had nothing to do with the original thread).

sorry!

 

[quicktrick]

How can I substitute my external MAC address with the one of my old router? Where should I specify it?

And where can I specify internal DHCP map "MAC -> IP" for local hosts to assign them something like static IPs?

 

[SirDice]

How can I substitute my external MAC address with the one of my old router? Where should I specify it?

You set this with ifconfig(8), so for rc.conf it will be something like this:

ifconfig_igb0="DHCP ether de:ad:be:ef:f0:0d"

 

[quicktrick]

There is an error in pf.conf:

root@libra:/# pfctl -vnf /etc/pf.conf
ext_if = "bce0"
int_if = "bce1"
in_bce0 = "{80,443,25,587,993}"
out_bce0 = "{80,443,25,587,993}"
out_bce0_udp = "{53}"
out_bce1 = "{80,443,25,587,993}"
in_bce1 = "{80,443,25,587,993}"
set skip on { lo0 }
no IP address found for bce0
/etc/pf.conf:19: could not parse host specification

/etc/pf.conf

      1 ext_if="bce0"
      2 int_if="bce1"
      3
      4 in_bce0="{80,443,25,587,993}"
      5 out_bce0="{80,443,25,587,993}"
      6 out_bce0_udp="{53}"
      7
      8 out_bce1="{80,443,25,587,993}"
      9 in_bce1="{80,443,25,587,993}"
     10
     11 set skip on lo0
     12 scrub in all
     13
     14 nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
     15 nat on $int_if inet from ! ($int_if) to any -> ($int_if)
     16
     17
     18 #external->internal
     19 rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> 192.168.1.10 port 80
     20
     21 block all
     22
     23
     24 pass out on $int_if inet proto tcp from any to any port $out_bce1 keep state
     25 pass in   on $int_if inet proto tcp from any to any  port $in_bce1 keep state
     26
     27 pass in  on   $ext_if inet proto tcp from any to any port $in_bce0 keep state
     28 pass out on  $ext_if inet proto tcp from any to any port $out_bce0
     29
     30 #allow icmp
     31 pass out on $int_if proto icmp
     32
     33 antispoof for $ext_if

And yet I need to allow SSH access for local network addresses (192.168.1.0/24)

Edit:
My mistake. I had to change the interfaces to my own:

ext_if="igb0"
int_if="igb1"

After that the test passes fine.

 

[wolffnx]

There is an error in pf.conf:

root@libra:/# pfctl -vnf /etc/pf.conf
ext_if = "bce0"
int_if = "bce1"
in_bce0 = "{80,443,25,587,993}"
out_bce0 = "{80,443,25,587,993}"
out_bce0_udp = "{53}"
out_bce1 = "{80,443,25,587,993}"
in_bce1 = "{80,443,25,587,993}"
set skip on { lo0 }
no IP address found for bce0
/etc/pf.conf:19: could not parse host specification

/etc/pf.conf

      1 ext_if="bce0"
      2 int_if="bce1"
      3
      4 in_bce0="{80,443,25,587,993}"
      5 out_bce0="{80,443,25,587,993}"
      6 out_bce0_udp="{53}"
      7
      8 out_bce1="{80,443,25,587,993}"
      9 in_bce1="{80,443,25,587,993}"
     10
     11 set skip on lo0
     12 scrub in all
     13
     14 nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
     15 nat on $int_if inet from ! ($int_if) to any -> ($int_if)
     16
     17
     18 #external->internal
     19 rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> 192.168.1.10 port 80
     20
     21 block all
     22
     23
     24 pass out on $int_if inet proto tcp from any to any port $out_bce1 keep state
     25 pass in   on $int_if inet proto tcp from any to any  port $in_bce1 keep state
     26
     27 pass in  on   $ext_if inet proto tcp from any to any port $in_bce0 keep state
     28 pass out on  $ext_if inet proto tcp from any to any port $out_bce0
     29
     30 #allow icmp
     31 pass out on $int_if proto icmp
     32
     33 antispoof for $ext_if

And yet I need to allow SSH access for local network addresses (192.168.1.0/24)

Edit:
My mistake. I had to change the interfaces to my own:

ext_if="igb0"
int_if="igb1"

After that the test passes fine.

glad to hear that

 

[Phishfry]

Here is a sample /usr/local/etc/dnsmasq.conf if you descide to use dns/dnsmasq for a dns server.

domain-needed
server=8.8.8.8
server=8.8.4.4
dhcp-range=set:wlan0,192.168.200.10,192.168.200.25,255.255.255.0,24h
dhcp-range=set:em1,192.168.201.10,192.168.201.25,255.255.255.0,24h
dhcp-range=set:em2,192.168.202.10,192.168.202.25,255.255.255.0,24h
dhcp-range=set:em3,192.168.203.10,192.168.203.25,255.255.255.0,24h
dhcp-option=wlan0,option:router,192.168.200.1
dhcp-option=em1,option:router,192.168.201.1
dhcp-option=em2,option:router,192.168.202.1
dhcp-option=em3,option:router,192.168.203.1
log-facility=/var/log/dnsmasq.log
log-dhcp
log-async

So this provides dhcp server to 3 ethernet ports and one wifi interface.
This is a subnet off my main network range of 192.168.1.1

Here are my /etc/rc.conf settings for my router:

ifconfig_em0="DHCP"
ifconfig_em1="inet 192.168.201.1 netmask 255.255.255.0"
ifconfig_em2="inet 192.168.202.1 netmask 255.255.255.0"
ifconfig_em3="inet 192.168.203.1 netmask 255.255.255.0"
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap ssid Checkpoint channel 157"
hostapd_enable="YES"
ifconfig_wlan0="inet 192.168.200.1 netmask 255.255.255.0"
dnsmasq_enable="YES"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile=/var/log/pflog
defaultrouter="192.168.1.1"

 

[balanga]

Just wondered if it was possible to turn a normal router such as a D-Link or Linksys router into a FreeBSD router...

 

[ondra_knezour]

Yes, it is, at least for some of them.
https://github.com/freebsd/freebsd-wifi-build/wiki/Supported-Boards
https://github.com/freebsd/crochet/wiki/Supported-Platforms

 

[balanga]

Yes, it is, at least for some of them.
https://github.com/freebsd/freebsd-wifi-build/wiki/Supported-Boards

Thanks, I wasn't aware of this....

Any idea which of the following would be the best candidate for a FreeBSD router?

TP-Link

• TL-WR1043ND
• TL-WR1043ND v2
• TL-WDR3600 (1.5)
• TL-MR3020

D-Link

• DIR-655 rev A1
• DIR-825 B1
• DIR-825 C1

I'm inclined to try the TP-Link TL-WDR3600...

 

[SirDice]

It's the hardware that actually makes it useful that's going to be problem. Most of these devices are MIPS based and support for MIPS is Tier 2. But even if you get FreeBSD to boot there's still the hardware drivers to content with. Like wireless, switching hardware, etc.

 

[Phishfry]

Here is top on my ancient Checkpoint U-5 shelf-mount Wireless Access Point that I used for a sample config.
I have 32bit FreeBSD 11.1 running on 1 Gig RAM and a 4GB Industirial SD Card. 600Mhz CeleronM embedded. Circa 2006 box.



FreeBSD is amazing. Almost zero load on the old girl. I am adding an SSD for backup NFS server task.

 

[quicktrick]

OpenBSD 4.5 PF FAQ, if anybody needs one (see the attachment).