I've taken an old tower and want to convert it to a firewall/router. I can't seem to figure out what I am doing wrong.
I am able to SSH to the box from 192.168.200.x side. I am able to give addresses on the 192.168.201.x side via DHCP but I can't hit the internet from a machine on 192.168.201.x
Here is my setup.
I am able to SSH to the box from 192.168.200.x side. I am able to give addresses on the 192.168.201.x side via DHCP but I can't hit the internet from a machine on 192.168.201.x
Here is my setup.
Code:
root@firewall:/usr/home/brian # ifconfig
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether 00:14:d1:25:32:95
inet 192.168.201.1 netmask 0xffffff00 broadcast 192.168.201.255
inet6 fe80::214:d1ff:fe25:3295%re0 prefixlen 64 scopeid 0x1
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=82008<VLAN_MTU,WOL_MAGIC,LINKSTATE>
ether 00:23:54:b9:c7:60
inet 192.168.200.193 netmask 0xffffff00 broadcast 192.168.200.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
Code:
root@firewall:/usr/home/brian # netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.200.254 UGS 0 0 nfe0
127.0.0.1 link#3 UH 0 0 lo0
192.168.200.0/24 link#2 U 1 430 nfe0
192.168.200.193 link#2 UHS 0 0 lo0
192.168.201.0/24 link#1 U 0 26 re0
192.168.201.1 link#1 UHS 0 0 lo0
Internet6:
Destination Gateway Flags Netif Expire
::/96 ::1 UGRS lo0
::1 link#3 UH lo0
::ffff:0.0.0.0/96 ::1 UGRS lo0
fe80::/10 ::1 UGRS lo0
fe80::%re0/64 link#1 U re0
fe80::214:d1ff:fe25:3295%re0 link#1 UHS lo0
fe80::%lo0/64 link#3 U lo0
fe80::1%lo0 link#3 UHS lo0
ff01::%re0/32 fe80::214:d1ff:fe25:3295%re0 U re0
ff01::%lo0/32 ::1 U lo0
ff02::/16 ::1 UGRS lo0
ff02::%re0/32 fe80::214:d1ff:fe25:3295%re0 U re0
ff02::%lo0/32 ::1 U lo0
Code:
root@firewall:/usr/home/brian # vi /etc/rc.conf
hostname="firewall"
gateway_enable="YES"
powerd_enable="YES"
sshd_enable="YES"
syslogd_flags="-l /var/db/dhcpd/var/run/log"
ifconfig_nfe0="DHCP"
ifconfig_re0="inet 192.168.201.1 netmask 255.255.255.0"
dhcpd_enable="YES"
dhcpd_ifaces="re0"
pf_enable="NO"
pf_flag=""
pf_rules="/etc/pf.conf"
pflog_enable="NO"
pflog_logfile="/var/log/pf.log"
pflog_flags=""
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
Code:
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "sheyennemfg.com";
option domain-name-servers 192.168.200.10, 192.168.200.4;
default-lease-time 600;
max-lease-time 7200;
# Use this to enble / disable dynamic dns updates globally.
#ddns-update-style none;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
subnet 192.168.201.0 netmask 255.255.255.0 {
range 192.168.201.100 192.168.201.250;
option routers 192.168.201.1;
}