Solved No internet access

Hi All,

I am building a FreeBSD firewall and access point on a Raspberry Pi 2 and am running into an issue where I connect to the AP and cannot access the Internet.

Ethernet is my Internet connection and is set to DHCP to get IP from ISP
Wifi adapter is set as AP

On the RPi2 I am able to ping www.google.com and all the devices that are connected via Wifi to it.

From the laptop I connect to the RPi2 AP get the IP address, DNS and all. I am able to ping the wifi interface on RPi2 and my phone that is also connected to the network.

One thing that I noticed: I am not able to ping 192.168.10.1. My LAN network is 192.168.10.0/24.

Any ideas on what could be the issue?
 
So LAN devices can ping LAN devices, and RPi2 can ping LAN devices and internet addresses? But LAN devices cannot reach/ping internet addresses? That could be a few items, but the first thing I would verify is that you are using source-NAT. The source IP address (the LAN address) needs to be NATed to the public IP addresses. I'm guessing you are using a single public IP address, and thus this flavor of source NAT is called PAT. RPi2 also needs a default statement so that any packets destined for any network not directly attached to the RPi2, the RPi2 knows how to route. On a typical 'LinkSys' or 'Dlink' router this is usually automatic. In FreeBSD I don't know, but I imagine you can find the answer with a little searching.

What specifically is 192.168.10.1? I would have thought that would be the IP address on the WiFi side, but you said you can ping that.

This discussion should be moved to the networking category.
 
Yes, LAN devices can ping LAN devices but not 192.168.10.1 which is a gateway for a LAN network 192.168.10.0/24, RPi2 can ping everything, even www.google.com resolves with no error. Yes, it can't reach internet nor the LAN gateway for some reason so I guess this would be the first problem that has to be figured out.

Here is my /etc/pf.conf:

Code:
ext_if = "ue0"
int_if = "wlan0"
localnet = "{ 192.168.0.0/16 }"
client_out = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, https, cvspserver, 2628, 5999, 8000, 8080 }"

nat on $ext_if from $localnet to any -> ($ext_if)

block in all

pass from { lo0, $localnet } to any keep state
pass inet proto tcp from $localnet to any port $client_out keep state
pass in inet proto tcp to $ext_if port ssh

Is this enough for NAT to work, or does something have to be declared in the rc.conf file as well, besides gateway_enable="YES"?

Also here is a part of /etc/rc.conf

Code:
# Ethernet interface configuration
ifconfig_ue0="up"
ifconfig_ue0="SYNCDHCP"

# Wireless interface configuration
wlans_run0="wlan0"
ifconfig_wlan0="up"
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="inet 192.168.10.10  netmask 255.255.255.0" #Should this be 192.168.10.1? or is it ok to leave it 10.10?
defaultrouter="192.168.10.1" #Is this necessary? 

hostapd_enable="YES"

dhcpd_enable="YES"
dhcpd_ifaces="wlan0"
dhcpd_flags="-q"

# Firewall configuration
pf_enable="YES"
pf_flags=""
pf_rules="/etc/pf.conf"

# Firewall logging configuration
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

# Packet forwarding between interfaces
gateway_enable="YES"


- RPi2 also needs a default statement so that any packets destined for any network not directly attached to the RPi2, the RPi2 knows how to route.

How do I do that?
route add -net 0.0.0.0/0 a.b.c.d #a.b.c.d being a public IP?

As the setup that I am trying to achieve would be that RPi2 would be two in one, my wireless router with firewall so ethernet port is connected to a modem at the moment and it picks up the IP from ISP.

How do I move this discussion to networking category? :)

Thanks for your time!
 
Code:
ifconfig_wlan0="inet 192.168.10.10  netmask 255.255.255.0" #Should this be 192.168.10.1? or is it ok to leave it 10.10?
defaultrouter="192.168.10.1" #Is this necessary?

The IP address on your interface should be 192.168.10.1. This is probably why you can't ping 10.1 from a client or get Internet access. I would remove the defaultrouter entry. This should be your upstream ISP and hopefully will be set by DHCP. If you can ping Google then it sounds like it is being set correctly by DHCP. You can check by running netstat -rn and looking for the default route.

NAT rule looks ok although I'm no pf expert. I don't see why you've got 192.168.0.0/16 as the local network when your LAN is 192.168.10.0/24 though.
 
I finally got it working! So to evaluate, two things were wrong in my config:

1. The firewall was not being enabled because of a syntax error (I did not catch it right away because I was rebooting the system instead of rebooting the firewall service, so I did not see the error). That being said, no rules for NAT were being loaded, which is why I was not able to get out to the Internet.

2. After playing around I changed RPi2 internal IP from 192.168.10.1 to 192.168.10.10, don't know why I did that :) So when I changed it back to 192.168.10.1 it started working.

Thank you guys again for pointing me in the right direction! I can finally start working on the security aspect of it and will probably have to get an Orange Pi as it has a 1GB Ethernet port and a better wifi adapter, as the current setup is not sufficient enough for daily use :)
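
The failure described in this last post (a pf.conf syntax error that went unnoticed across reboots, so no NAT rules were ever loaded) can be caught with a few read-only checks. The script below is an added example, not part of the original thread; the interface name ue0 and the /etc/pf.conf path come from the posted configuration, while the script name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only checks for a FreeBSD pf NAT gateway.
# Usage on the gateway, as root: sh check_gw.sh live [pf.conf] [ext_if]
# (check_gw.sh is a hypothetical file name.)

# Succeeds if `pfctl -s info` output on stdin reports pf as enabled.
pf_is_enabled() { grep -q '^Status: Enabled'; }

# Succeeds if `pfctl -s nat` output on stdin has a nat rule on interface $1.
has_nat_rule() { grep -Eq "^nat( pass| log)* on $1 "; }

# Prints the default gateway found in `netstat -rn` output on stdin.
default_gateway() { awk '$1 == "default" { print $2; exit }'; }

# Constructed sample outputs (not captured from the poster's system).
SAMPLE_INFO='Status: Enabled for 0 days 00:05:12           Debug: Urgent'
SAMPLE_INFO_OFF='Status: Disabled                              Debug: Urgent'
SAMPLE_NAT='nat on ue0 inet from 192.168.10.0/24 to any -> (ue0) round-robin'
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         ue0
192.168.10.0/24    link#2             U         wlan0'

check_gateway() {
    conf=${1:-/etc/pf.conf}; ext_if=${2:-ue0}; rc=0
    # -n parses the ruleset without loading it, so a syntax error shows up
    # here instead of being missed during a reboot.
    pfctl -nf "$conf" || { echo "FAIL: $conf has errors"; rc=1; }
    pfctl -s info | pf_is_enabled || { echo "FAIL: pf is not enabled"; rc=1; }
    pfctl -s nat | has_nat_rule "$ext_if" ||
        { echo "FAIL: no nat rule loaded on $ext_if"; rc=1; }
    [ "$(sysctl -n net.inet.ip.forwarding)" = 1 ] ||
        { echo "FAIL: IP forwarding is off"; rc=1; }
    gw=$(netstat -rn -f inet | default_gateway)
    [ -n "$gw" ] || { echo "FAIL: no default route"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: pf enabled, NAT on $ext_if, default via $gw"
    return "$rc"
}

# Only touch the live system when asked to; otherwise just define functions.
if [ "${1:-}" = "live" ]; then shift; check_gateway "$@"; exit $?; fi
```

Running it after every pf.conf edit reports a ruleset that failed to parse or a gateway running with no NAT rule loaded, without changing the active ruleset.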
 