Hi guys!
I've spent a couple of days trying to set up a router in a virtual network using FreeBSD, and I can't get it to work, I'm afraid.
A quick summary of what I have and what I want to achieve:
I have 2 interfaces: xn0, which is the external interface, and bridge0 which is internal.
The internal LAN is 192.168.1.0/24, but in the future I will also add a third interface that connects to a VPN, which is 192.168.0.0/24. At the moment I'm only using the .1.0/24 network.
The router, which has an internal IP of 192.168.1.10, should NAT the internal network to the external interface, and port 22 should be forwarded to an internal machine.
This is the configuration I have at the moment:
Code:
ext_if=xn0
int_if=bridge0
ext_ip=REDACTED
int_ip=192.168.1.10
int_lan="192.168.1.0/24"
tcp_services = "{ 22 }"
table <allowed_lans> { 192.168.0.0/24, 192.168.1.0/24 }
table <private> const { 192.168/16, 10/8 }
#sachiel is another external server that should have full access to this host
sachiel=REDACTED
set skip on lo0
set loginterface $ext_if
scrub in all
nat on $ext_if from $int_lan to ! <private> -> ($ext_if)
rdr pass inet proto tcp from any to $ext_ip port 22 -> 192.168.1.15 port 22
block all
pass out from <allowed_lans> to any
pass out from $ext_ip to any
pass in from <allowed_lans> to <allowed_lans>
pass from $sachiel to $ext_ip
pass in on $ext_if inet proto tcp from any to $ext_ip port $tcp_services flags S/SA keep state
With this configuration, the remote server (sachiel) can access the host, other IPs are blocked, and the router itself can access the network freely. So far so good.
However, the machines in int_lan can access the router, but they can't access the internet, so I guess NAT's not working or I'm filtering it without knowing it.
Also, port forwarding is not working: from the remote server I can ping the router, but if I ssh to it (which should forward the SSH port) it says "No route to host".
I'm sure I'm overlooking something. I've been reading the handbook and some other literature on PF, but I'm a bit lost since I'm very used to iptables.
Could you guys point me to where I messed up?
Thank you very much
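As an added example (not the poster's ruleset and not taken from any project), here is how the same goal is usually written with explicit per-interface rules. The reasoning behind it: pf evaluates the filter separately on every interface a forwarded packet crosses, and translation runs before filtering. A LAN packet headed for the internet therefore has to be passed *in* on bridge0, which the poster's `pass in from <allowed_lans> to <allowed_lans>` does not do because that rule only matches destinations inside the two LANs, so `block all` drops the packet on bridge0 before NAT on xn0 is ever reached. Likewise, a redirected SSH packet is seen by the filter with its destination already rewritten to 192.168.1.15, so a pass rule for it must name the internal host, not `$ext_ip`. Macro names, the REDACTED values and 192.168.1.15 come from the post; `ssh_host` is a name introduced here, `<allowed_lans>` is used as the NAT source so the future VPN subnet is covered, and the 172.16/12 table entry is an addition (it is the third RFC 1918 range).

```pf
# Added illustrative ruleset for NAT + SSH port forwarding on FreeBSD pf.
# Not the poster's configuration; macros reuse the poster's names.
ext_if=xn0
int_if=bridge0
ext_ip=REDACTED          # taken from the post
int_ip=192.168.1.10
ssh_host="192.168.1.15"  # internal SSH target from the post
sachiel=REDACTED         # external host with full access, from the post

table <allowed_lans> { 192.168.0.0/24, 192.168.1.0/24 }
# RFC 1918 space; 172.16/12 is added here for completeness
table <private> const { 192.168/16, 10/8, 172.16/12 }

set skip on lo0
set loginterface $ext_if
scrub in all

# Translation is applied before the filter rules below see the packet.
nat on $ext_if from <allowed_lans> to ! <private> -> ($ext_if)
rdr on $ext_if inet proto tcp from any to $ext_ip port 22 -> $ssh_host port 22

# Default deny, logged to pflog0 so drops can be inspected.
# Later matching rules override earlier ones unless "quick" is used.
block log all

# 1. LAN -> router and LAN -> internet: the packet enters on $int_if first.
pass in on $int_if from <allowed_lans> to any keep state

# 2. Anything leaving towards the LAN (router-originated or forwarded,
#    including the redirected SSH connection to $ssh_host).
pass out on $int_if from any to <allowed_lans> keep state

# 3. Traffic leaving on the external interface. After NAT the LAN flows
#    carry $ext_ip as source, so this rule covers them and the router itself.
pass out on $ext_if from $ext_ip to any keep state

# 4. The trusted external host may reach the router freely.
pass in on $ext_if from $sachiel to $ext_ip keep state

# 5. Forwarded SSH: the filter sees the translated destination ($ssh_host),
#    not $ext_ip. Replies are matched by the state, so no extra rule is needed.
pass in on $ext_if inet proto tcp from any to $ssh_host port 22 flags S/SA keep state
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without activating it, and `pfctl -f /etc/pf.conf` loads it. Two checks narrow down "can't reach the internet" quickly: `sysctl net.inet.ip.forwarding` must be 1 (set via `gateway_enable="YES"` in /etc/rc.conf), otherwise the router never forwards at all, regardless of pf; and with `pflog_enable="YES"` in /etc/rc.conf, `tcpdump -n -e -ttt -i pflog0` shows which rule and interface dropped a packet, while `pfctl -vsr` shows per-rule match counters and `pfctl -ss` lists the states, so a LAN flow that never creates a state on bridge0 is immediately visible.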