Hi,
I've just finished setting up my FreeBSD router and it's been a very fun project! I've learned a lot about DHCP, NTP, DNS and especially pf! There are just a couple of rules, though, and I can't understand why they aren't working:
Code:
# redirect dns
rdr pass log on $int_if proto { udp, tcp } from any to ! 192.168.1.1 port domain -> 192.168.1.1 port domain
Code:
# redirect ntp
rdr pass log on $int_if proto udp from any to ! 192.168.1.1 port ntp -> 192.168.1.1 port ntp
When I hardcode 8.8.8.8 on my desktop, for example, and run a test via https://www.dnsleaktest.com/, it reports that I'm using Google.
For anyone who's interested in setting up a router for their home, here's my full pf.conf:
Code:
# read the log file: tcpdump -n -e -ttt -r /var/log/pflog
# real-time logging: tcpdump -neq -ttt -i pflog0
# tcpdump -nettti pflog0 action drop
#### macros
ext_if = "ng0"
int_if = "igb1"
localnet = $int_if:network
icmp_types = "{ echoreq unreach }"
#### tables
table <rfc6890> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.0.0/24 192.0.0.0/29 192.0.2.0/24 192.88.99.0/24 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 \
240.0.0.0/4 255.255.255.255/32 }
#### options
set block-policy drop
set skip on lo
#### normalization
scrub in log all fragment reassemble no-df max-mss 1440
#### queueing
#### translation
nat on $ext_if from $localnet to any -> ($ext_if)
# redirect ssh
rdr pass log on $ext_if proto tcp from any to any port 4242 -> 192.168.1.1 port ssh
# redirect dns
rdr pass log on $int_if proto { udp, tcp } from any to ! 192.168.1.1 port domain -> 192.168.1.1 port domain
# redirect ntp
rdr pass log on $int_if proto udp from any to ! 192.168.1.1 port ntp -> 192.168.1.1 port ntp
#### packet filtering
# anti spoofing
antispoof log quick for $ext_if
antispoof log quick for $int_if
# block rfc6890
block in log quick on $ext_if from <rfc6890>
# FreeBSD does not populate an "egress" interface group automatically (OpenBSD does), so name the external interface
block return out log quick on $ext_if to <rfc6890>
# block all the rest
block log all
# allow traffic to internet
pass out quick inet
# allow internal LAN traffic
pass in on $int_if inet
#### packet filtering overrides
# allow ICMP and traceroute
pass inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
It's nothing fancy, but I'm running a local NTP server, Unbound, dhcpd, and a simple script for dynamic DNS to help me maintain remote access to my SSH service, which uses SSH-key-only auth.
But back on topic, if anyone could please help me with those two redirect rules it would be great!
Thanks in advance for any help!
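An added check, not part of the original post, for telling whether the DNS redirect actually takes effect on a LAN client. dnsleaktest.com reports whichever resolver ends up querying its authoritative servers, so if Unbound forwards upstream to Google the test would still say Google even when the rdr rule works. Asking the hard-coded resolver the CHAOS-class `id.server` TXT question separates the two cases: if the rdr catches the packet, Unbound on 192.168.1.1 answers with its `identity` (the router's hostname unless `identity:` is set or `hide-identity: yes` is configured); if the packet really reaches 8.8.8.8, the answer is whatever Google returns, or nothing. The hostname `router`, the resolver list and the `dig` timeouts are assumptions for the example; adjust them for your setup.

```shell
#!/bin/sh
# Added example, not from the original post: check from a LAN client whether
# DNS sent to a public resolver is being redirected to Unbound on the router.
# Assumption: Unbound's "identity" is the router's hostname, here "router"
# (override with ROUTER_ID=... in the environment).
ROUTER_ID="${ROUTER_ID:-router}"

# Classify the +short answer to a CHAOS "id.server" TXT query:
#   redirected - Unbound on the router answered with its own identity
#   leaked     - some other resolver (e.g. Google) answered
#   no-answer  - empty reply (REFUSED) or dig's ";; ..." timeout message
classify_answer() {
    ans=$(printf '%s' "$1" | tr -d '"')
    case "$ans" in
        "" | ";;"*)     echo "no-answer" ;;
        "$ROUTER_ID")   echo "redirected" ;;
        *)              echo "leaked" ;;
    esac
}

# Query one resolver and print a one-line verdict.
check_resolver() {
    resolver="$1"
    ans=$(dig +short +time=2 +tries=1 "@$resolver" CH TXT id.server 2>/dev/null || true)
    printf '%-15s %-10s %s\n' "$resolver" "$(classify_answer "$ans")" "${ans:-<no reply>}"
}

# With resolvers on the command line, test each one; a hard-coded 8.8.8.8 on
# the desktop should come back "redirected" if the rdr rule is doing its job.
for r in "$@"; do
    check_resolver "$r"
done
```

Run it from the desktop, e.g. `sh check_dns_rdr.sh 8.8.8.8 1.1.1.1 192.168.1.1`: the last entry queries Unbound directly and should always be "redirected", so it doubles as a sanity check of the `ROUTER_ID` assumption. On the router itself, `pfctl -sn` lists the translation rules that actually loaded, `pfctl -ss | grep ':53'` shows whether states toward port 53 carry the 192.168.1.1 translation, and `tcpdump -ni igb1 'udp port 53 or udp port 123'` shows whether the LAN clients' DNS and NTP packets are arriving on the internal interface at all, which is the first thing to confirm for the NTP rule since an NTP reply does not identify the server the way `id.server` does.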