gateway & router: unable to access to the Web

K

kikicekela

Hello

Freebsd FreeBSD newbie, I installed a gateway/router between two networks:

LAN: 192.168.1.0/24

WAN: 62.161.172.32/28

freebsd FreeBSD gateway IPs are:

LAN: 192.168.1.21
WAN: 62.161.172.39
ISP gateway so as to go to the net is: 62.161.172.46

Everything is fine on the freebsd FreeBSD gateway, ping to both networks works fine. But from the LAN it is impossible to go to the Internet. A ping to the ISP router doesn't reply and it is impossible to surf from a LAN station. I also deactivated all the firewalls without success.

Does it miss a route?

/etc/rc.conf:

Code: 
defaultrouter="62.161.172.46"
gateway_enable="YES"
hostname="cdm.mife.belfort"
ifconfig_bge0="inet 192.168.1.21  netmask 255.255.255.0"
ifconfig_vr0="inet 62.161.172.39  netmask 255.255.255.240"
keymap="fr.iso.acc"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

netstat -nr:

Code: 
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            62.161.172.46      UGS         0      342    vr0
62.161.172.32/28   link#6             U           0       10    vr0
62.161.172.39      link#6             UHS         0        0    lo0
127.0.0.1          link#8             UH          0        0    lo0
192.168.1.0/24     link#5             U           0       14   bge0
192.168.1.21       link#5             UHS         0        0    lo0
Thanks in advance,

yves
 
Hello,

Here is my /etc/pf.conf:

Code: 
ext_if="vr0"	# replace with actual external interface name i.e., dc0
int_if="bge0"	# replace with actual internal interface name i.e., dc1
ext_ad="62.161.172.39"
int_ad="192.168.1.21"
mife_ad="192.168.1.0/24"

#Normalize packets
scrub in all
scrub out all

block in log on $ext_if all
block out log on $ext_if all
pass in on $int_if all
pass out on $int_if all

pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if  port > 1023 \
        to any port www flags S/SA modulate state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if  port > 1023 \
        to any port 8080 flags S/SA modulate state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if to any \
        port 443 \
        keep state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_ad to any port smtp \
        flags S/SA keep state
pass out quick on $ext_if \
	inet proto {tcp,udp} \
	from $ext_ad to any port ntp keep state
pass in quick on $ext_if \
	inet proto tcp \
	from any to $ext_ad port 80 flags S/SA keep state

So how can add a NAT rule in pf.conf?

Best regards

yves
 
Here is my new pf.conf:

Code: 
ext_if="vr0"	# replace with actual external interface name i.e., dc0
int_if="bge0"	# replace with actual internal interface name i.e., dc1
ext_ad="62.161.172.39"
int_ad="192.168.1.21"
mife_ad="192.168.1.0/24"

#Normalize packets
scrub in all
scrub out all

nat on $ext_if from any to any -> ($ext_if)

block in log on $ext_if all
block out log on $ext_if all
pass in on $int_if all
pass out on $int_if all

pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if  port > 1023 \
        to any port www flags S/SA modulate state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if  port > 1023 \
        to any port 8080 flags S/SA modulate state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if to any \
        port 443 \
        keep state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_ad to any port smtp \
        flags S/SA keep state
pass out quick on $ext_if \
	inet proto {tcp,udp} \
	from $ext_ad to any port ntp keep state
pass in quick on $ext_if \
	inet proto tcp \
	from any to $ext_ad port 80 flags S/SA keep state

So how can add a NAT rule in pf.conf?

I tried to ping 62.161.172.46 from several LAN stations but without success and the ping 62.161.172.46 from the freebsd FreeBSD gateway works fine.

yves
 
Looks like there's no traffic being allowed through the firewall, only from the firewall.
 
What SirDice is saying is:
Code: 
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if  port > 1023 \
        to any port www flags S/SA modulate state
should most likely be
Code: 
pass out quick on $ext_if \
        inet proto tcp \
        from [B]any[/B] port > 1023 \
        to any port www flags S/SA modulate state
as otherwise only connections initiated from firewall itself are permited.

Also, better NAT rule is:
Code: 
nat on $ext_if from ! ($ext_if) to any -> ($ext_if:0)

As otherwise ports from firewall itself are translated, which is unnecessary.
 
kpa said:
Leave the flags out of your rules, pf(4) defaults to S/SA. What are you trying to accomplish with modulate state?
Click to expand...

There's no harm in 'modulate state', as it adds stronger ISN when doing 3-way TCP handshake. I'm not aware it does anything more than that.

Keep in mind two rules:

1. Traffic passed on one direction is automatically passed in other direction on same interface, unless coded not to.
2. Firewall inspects packets with rules on EACH individual interface.
 
Changes applied but it still doesn't work. Could you indicate to me what I have to write in the pf.conf so as to get a working freebsd FreeBSD gateway with my both networks?

I am ready to reinstall the gateway so I just ask for a minimal configuration so as to go to internet from my LAN. I give you again my configuration:

Internet <---> ISP router 62.161.172.46 <---> 62.161.172.39 freeBsd gateway 192.168.1.21 <--> LAN (192.168.1.0/24)

Thanks in advance,

yves
 
Code: 
ext_if="vr0"
int_if="bge0"

scrub on $ext_if all random-id max-mss 1452 reassemble tcp fragment reassemble

nat on $ext_if from ! ($ext_if) to any -> ($ext_if)

block log all
set skip on lo0

antispoof for $ext_if inet

pass     quick on $int_if
pass out quick on $ext_if modulate state
pass in  quick on $ext_if proto tcp to $ext_if port 80 modulate state
 
Hello,

Thanks a lot, it works fine now! I would like also to block: all incoming traffic, FTP and HTTP downloads from LAN. Basically, here are my needs: to create a private LAN which can only surf to the web and to close the non-required ports. As a second step, I will install the Squid and DansGuardian modules. How can I do that?

Best regards,

yves
 
I don't think people like to provide a complete solution to a problem without initial party actually trying it for themselves first. There's enough info to get you going, and people will help when you get stuck.

In any case, you say you want to block all incoming traffic from LAN, which is vague. If you want to let initial web traffic from LAN, change pass in rule for internal interface to allow access to ports 80,443, and others you need, and block rest.

Remember, initial connections require explicit pass in rules, whereas communication on same interface in different direction will be implicitly passed.
 
You must log in or register to reply here.
Back
Top