[Solved] Basic Routing

I've taken an old tower and want to convert it to a firewall/router. I can't seem to figure out what I am doing wrong.

I am able to SSH to the box from the 192.168.200.x side. I am able to give addresses on the 192.168.201.x side via DHCP, but I can't hit the internet from a machine on 192.168.201.x.


Here is my setup.

Code:
root@firewall:/usr/home/brian # ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:14:d1:25:32:95
        inet 192.168.201.1 netmask 0xffffff00 broadcast 192.168.201.255
        inet6 fe80::214:d1ff:fe25:3295%re0 prefixlen 64 scopeid 0x1
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
        ether 00:23:54:b9:c7:60
        inet 192.168.200.193 netmask 0xffffff00 broadcast 192.168.200.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Code:
root@firewall:/usr/home/brian # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.200.254    UGS         0        0   nfe0
127.0.0.1          link#3             UH          0        0    lo0
192.168.200.0/24   link#2             U           1      430   nfe0
192.168.200.193    link#2             UHS         0        0    lo0
192.168.201.0/24   link#1             U           0       26    re0
192.168.201.1      link#1             UHS         0        0    lo0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#3                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%re0/64                     link#1                        U           re0
fe80::214:d1ff:fe25:3295%re0      link#1                        UHS         lo0
fe80::%lo0/64                     link#3                        U           lo0
fe80::1%lo0                       link#3                        UHS         lo0
ff01::%re0/32                     fe80::214:d1ff:fe25:3295%re0  U           re0
ff01::%lo0/32                     ::1                           U           lo0
ff02::/16                         ::1                           UGRS        lo0
ff02::%re0/32                     fe80::214:d1ff:fe25:3295%re0  U           re0
ff02::%lo0/32                     ::1                           U           lo0

Code:
root@firewall:/usr/home/brian # vi /etc/rc.conf
hostname="firewall"
gateway_enable="YES"
powerd_enable="YES"
sshd_enable="YES"
syslogd_flags="-l /var/db/dhcpd/var/run/log"
ifconfig_nfe0="DHCP"
ifconfig_re0="inet 192.168.201.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_ifaces="re0"
pf_enable="NO"
pf_flag=""
pf_rules="/etc/pf.conf"
pflog_enable="NO"
pflog_logfile="/var/log/pf.log"
pflog_flags=""
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

Code:
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "sheyennemfg.com";
option domain-name-servers 192.168.200.10, 192.168.200.4;

default-lease-time 600;
max-lease-time 7200;

# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

subnet 192.168.201.0 netmask 255.255.255.0 {
  range 192.168.201.100 192.168.201.250;
  option routers 192.168.201.1;
}
 
Re: Basic Routing

NAT won't work without PF? I have PF disabled at the moment.

Here is the pf.conf as I currently have it. But like I said I thought I disabled it for now just to see if networking is working.
Code:
root@firewall:/usr/home/brian # vi /etc/pf.conf
ext_if="nfe0"
int_if="re0"
localnet=$int_if:network
nat on $ext_if from $localnet to any -> ($ext_if)
block all
pass from { lo, $localnet } to any keep state
 
Re: Basic Routing

Well... something needs to be doing NAT. PF can do it, IPFW can do it, IPF can do it, there's even natd(8). PF seems like the easiest way.
 
Re: Basic Routing

I got it figured out....

block all was my problem. The firewall was doing exactly what I told it to do. So now it's time to learn about rules.

Thank you!
Brian
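Added here as an illustration, not a file from the thread: a pf.conf for the same two-interface box (nfe0 outside, re0 LAN, pre-FreeBSD 10 "nat on" syntax as in the posted file) that keeps the default deny and NAT from the original pf.conf and adds the explicit pass rules the LAN traffic needs, instead of removing block all. The management network allowed to SSH in (mgmt_net) is an assumption based on where the first post said SSH was coming from.

```pf
# Added example ruleset (not from the thread). Interfaces and networks follow the
# original post: nfe0 = outside (192.168.200.0/24), re0 = LAN (192.168.201.0/24).
ext_if="nfe0"
int_if="re0"
localnet=$int_if:network
mgmt_net="192.168.200.0/24"   # assumption: the only network allowed to SSH to the router

set skip on lo0

# Rewrite LAN source addresses to the outside address as packets leave nfe0.
nat on $ext_if inet from $localnet to any -> ($ext_if)

# Default deny stays in place; "log" makes pflog (pflog_enable in rc.conf)
# record each drop so a blocked flow can be seen instead of guessed at.
block log all

# Management: SSH to the router only from the 192.168.200.x side.
pass in on $ext_if inet proto tcp from $mgmt_net to ($ext_if) port 22 keep state

# LAN clients may reach the router and, through NAT, the internet.
# The state created here also matches the translated packet as it leaves nfe0.
pass in on $int_if inet from $localnet to any keep state

# DHCP discover/request packets arrive from 0.0.0.0, which is not in $localnet.
pass in on $int_if inet proto udp from any port 68 to any port 67

# Traffic the router itself originates (DNS lookups, package updates) and
# dhcpd replies back to LAN clients.
pass out on $ext_if inet from ($ext_if) to any keep state
pass out on $int_if inet from ($int_if) to any keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it, and read blocked flows with tcpdump -n -e -ttt -r /var/log/pf.log once pflog is enabled.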
 