[Solved] Putting together a cut-down version of pfSense

Sometimes investing in a book, especially early on, saves you money/time/effort in the long run. Not always, but some, especially in tech work, do.
How many here have a copy of Stevens TCP/IP Illustrated on their shelf? :)
 
You need FreeBSD, plus the following things from ports / packages:
- a DHCP server
- a firewall
- a NAT "thing" (if not built into the firewall)
Configuration will be command-line and (text) file based.
There are a few "nice to have" things as well:
- a DNS server, to offload traffic from your clients (and to serve your local DNS zone, if you have one)
- traffic stats (I use net-mgmt/darkstat)
- a web server configured as a proxy for your internally hosted web sites (I use www/nginx)
 
Just to break things down into small manageable steps, without the possibility of screwing things up through too many options, my first goal is to be able to
ping 8.8.8.8 from anywhere on my LAN, where all the hosts have static IP addresses, at least initially, so I don't think I need a DHCP server initially.
I guess NAT is a must have.

Do I need a firewall just to make it work in the first instance?

I'm looking for a step by step approach to getting things working. I've always relied on pfSense up until now to hide me from what goes on under the bonnet.
 
The FreeBSD manpage has an example:

Section 33.3.2.1

Code:
ext_if = "xl0"    # macro for external interface - use tun0 for PPPoE
int_if = "xl1"    # macro for internal interface
localnet = $int_if:network
# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from $localnet to any -> ($ext_if)
block all
pass from { lo0, $localnet } to any keep state

No protection offered. Just PF NAT.
 
Phishfry gave a good reply. This example should work out of the box. However, you will still need a dhcpd setup, which is quite simple; look it up in dhcpd(8). It boils down to specifying the subnet and also configuring the interface in /etc/rc.conf with this subnet.

Code:
# /usr/local/etc/dhcpd.conf

# Subnet config: the pool must lie inside the declared subnet,
# and must not include the router's own address (192.168.1.1)
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.5 192.168.1.254;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.1;
}
 
To be honest I've never configured NAT, I'll give it a go after reading this FreeBSD guide.
  1. Define NAT rules: Add the following lines to the file to configure NAT. Replace em0 with the name of your external network interface and 192.168.1.0/24 with the subnet of your local network:

    # Enable NAT
    nat on em0 from 192.168.1.0/24 to any -> (em0)


    This rule translates the private IP addresses of devices on the 192.168.1.0/24 network to the public IP address of the em0 interface when accessing the internet.

This comes from the above guide. Is it syntactically correct? I get a syntax error when running service netif restart.
 
Oops - I see this should be in pf.conf and I'd added it to rc.conf.
 
Here is the /etc/rc.conf of my gateway system, which uses a USB tethered connection to the Internet using ue
hostname="W520"
#ifconfig_em0="DHCP"
ifconfig_em0="inet 192.168.1.5/24"
pf_enable="YES"
gateway_enable="YES"
dbus_enable="YES"
moused_enable="YES"
sshd_enable="YES"
nfs_server_enable="YES"
sendmail_enable="NONE"
kld_list="i915kms fusefs"
pflog_enable="yes"

ping 8.8.8.8 works fine


Contents of pf.conf:
[root@W520 ~/.config]# cd /etc
[root@W520 /etc]# cat pf.conf
nat on em0 from 192.168.1.0/24 to any -> (em0)
[root@W520 /etc]#


ping 8.8.8.8 does not work from other hosts, and I can't ping the gateway from any of the hosts.

After some experimenting it looks like I can't ping the gateway when pf is running so there must be something wrong with my configuration.
 
Oops. That's quite embarrassing for me :). That's what happens when you follow a guide without understanding what is going on.

Many thanks for pointing this out, I have it working now.
 
Please be aware that you are running NAKED down the street.

You have no protection at all. Your SSH ports will be probed in no time. Hunker down.
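As an added example (not from this thread or the FreeBSD Handbook), here is what a pf.conf for the same gateway looks like once the NAT rule is paired with a default-deny ruleset, so that sshd on the gateway is reachable only from the LAN and nothing is accepted from the Internet side. The interface names ue0 (USB tether) and em0 (LAN) and the 192.168.1.0/24 subnet are assumptions taken from the posts above; replace them with your own.

```pf
# /etc/pf.conf - minimal NAT gateway with a default-deny policy.
# Interface names are assumptions; replace them with your own.
ext_if = "ue0"               # Internet-facing interface (the USB tether here, assumed)
int_if = "em0"               # LAN interface (assumed)
localnet = $int_if:network   # LAN subnet, derived from int_if's address (192.168.1.0/24)

set skip on lo0              # never filter loopback traffic
scrub in all                 # reassemble fragments before stateful inspection

# NAT goes on the EXTERNAL interface; ($ext_if) follows a dynamic address
nat on $ext_if from $localnet to any -> ($ext_if)

antispoof quick for $int_if  # drop packets that claim a LAN source but arrive elsewhere
block all                    # default deny, both directions, on every interface

# LAN hosts may reach the gateway itself (ping, ssh) and the Internet;
# replies come back through the state entry, no inbound rule on $ext_if needed
pass in on $int_if from $localnet to any keep state

# Traffic the gateway itself originates (ping 8.8.8.8 from the gateway, DNS, pkg)
pass out all keep state

# No "pass in on $ext_if" rule exists, so sshd is unreachable from the Internet.
# Check the syntax with: pfctl -nf /etc/pf.conf   then load it: pfctl -f /etc/pf.conf
```

With this ruleset, `pflog_enable="YES"` in rc.conf lets you watch what is being dropped on the outside with `tcpdump -n -e -ttt -i pflog0`.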
 