Trying to connect networks and local servers through routing

I'm trying to connect LAN networks to servers. When I ran ftpd from the same IP range connecting it to a network for other devices, I could access them from these devices. But when I put ftpd on a different range, I couldn't route them, despite following the instructions.

Installed net/dhcpd, and edited /usr/local/etc/dhcpd.conf
Code:
option subnet-mask 255.255.255.224;
default-lease-time 600;
max-lease-time 7200;

subnet 172.16.1.3 netmask 255.255.255.254 {
    range 172.16.1.3 172.0.1.29;
    option broadcast-address 10.0.0.255;
}
# this is so my devices like phones can automatically connect
172.16.1.1 was left off, because this is the static IP address of the hostap on wlan0 connection. For some reason, 172.16.1.2 didn't work with dhcpd. IP's of 172.16.1.30 and 172.16.0.1 are also set as static in /etc/hosts and /etc/rc.conf.
I didn't add the IP's from my computer to my ISP router in dhcpd.conf, because that's taken care of. It seems that this is for devices which don't have DHCPd to the devices/phones.

For the wifi and ftp server, /etc/rc.conf:
Code:
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="inet 172.16.0.x/8 ssid ..."
ifconfig_wlan0_alias="inet 172.16.1.1/12"
ftpd_enable="YES"
ftpd_flags="-A -D -l -a 172.16.1.1"

Tried adding a route from the ftp server at 172.16.0.1, to 172.16.1.3. /etc/rc.conf:
Code:
static_routes="ftp2devices"
route_ftp2devices="-net 172.16.0.1 172.16.1.3"
This, and varying combinations, haven't worked for me.

When I put the ftp server, wlan inet, and dhcp address on the same IP block, I can access ftp from my device. However, I need to learn how to route, by putting the ftp server on a different IP range. I'll need to route from behind my computer, to the Internet. I've done a bridge from FreeBSD allowing it to work as a wifi access point, using IP's from my ISP modem, though I haven't been able to bridge the ftp server to anything else. dhcpd allowed me to use my devices to access the ftp server on my computer without bridging, when before, I couldn't do that.

Other issues, which aren't as important, as functionality of the above is needed first. One is that I can't use what I set in /etc/hosts and /etc/networks from my phone to access the ftp server, when it is on the same IP range as the ftp server, however, it can be used from command-line. The other issue is, when I set the namespace of the IP range starting in 172 or anything else from /etc/networks, it doesn't show up in netstat -i4. It only works when I set in the first digits of the IP range starting in 10 to match the network.

In /etc/networks, the following don't work (don't show up in netstat -i4):
Code:
private 172
private 172.16
private 172.16.0 # or any other number
Except only private 10, works for the 10.0.0.0 IP block. Though, no other combination seems to work, including private 10.0. For basic use from the computer, the naming in hosts works. Maybe, it depends on what I set my wlan0 to? Can I set multiple wlan's for multiple hostap access points?

As for DNS, I'd rather use hosts, and networks, with unbound that comes with the base system. I see how nsswitch.conf allows to choose between files and dns for setting names. If I have to fall back to DNS, I'll use dns/nsd with tools of dns/dnsutl.

I'm trying to set up a LAN behind my BSD computer, in a layout like:
  • ISP modem
    • wifi connections
    • possible wired connections
    • FreeBSD computer
      • ftp server
      • hostap wifi dhcp connections to phones/devices
 
Code:
option subnet-mask 255.255.255.224;
subnet 172.16.1.3 netmask 255.255.255.254 
option broadcast-address 10.0.0.255;
For some reason, 172.16.1.2 didn't work with dhcpd.
Code:
ifconfig_wlan0="inet 172.16.0.x/8 ssid ..."
ifconfig_wlan0_alias="inet 172.16.1.1/12"
Try to understand how subnetting works. I often used this tool to see which addresses are in given subnet. There are some tools in ports which help calculate subnets, for example net_mgmt/cidr or net_mgmt/netmask.
 
There are some tools in ports which help calculate subnets, for example net_mgmt/cidr or net_mgmt/netmask.
In the above, I've made a mistake, I meant to put the netmask of /12 as that's what's in /etc/hosts. netmask(1), gives me /32 for everything I've typed yet. I haven't gotten a hang of cidr. Though, either way, any netmask I had above was incorrect.

That helped with progress. With that, the netmask and IP address had to match across hosts, network, and the set alias in rc.conf. 172.16 has a different netmask than 172, and the private range starts from 172.16. The website helps with proper netmasks. It helps, that these can be set in the alias in rc.conf, hosts and networks for testing, without connecting a server to them. With netstat -ir4, the proper namespace domain name shows up.

To be clear, the netmask of 172.16.0.0 is /16, which is a different netmask than that of 172.0.0.0. In private networks, this is represented as 172.16. The netmask of 10.0.0.0 is /8. In networks, this is represented as 10. These netmasks and IP's must match the alias, names and ranges in rc.conf and hosts.

dhcpd
With dhcpd turned on, dhclient must be turned off in rc.conf, otherwise, it will give a fatal error. dhcpd isn't supposed to manage the uplink to the ISP modem. It will say, "Can't listen on", which is ok for the link to the ISP modem, managed by that modem.

In the above example, I made a mistake in /usr/local/etc/dhcpd.conf, for net/dhcpd. It should be:
Code:
option subnet-mask 255.255.255.224;
default-lease-time 600;
max-lease-time 7200;

subnet 172.16.1.3 netmask 255.255.255.254 {
   range 172.16.1.3 172.16.1.29;
   option broadcast-address 10.0.0.255;}
Correction:
option broadcast-address 172.16.0.254;}
This range is so my devices like phones can automatically connect: this range doesn't include static IP's.

DNS naming
Now, I understand why my devices don't pick up what I have in networks and in hosts. It's because, when I had my ftp server between my computer and ISP modem, the modem set the namespace with DNS records, plus the computer's hostname and alias. With my ftp server behind my FreeBSD computer this time, I didn't set it with DNS (instead with hosts and networks), so it works from the command line, but not from my DHCP connected devices. So, from my DHCP connected devices, I must use the IP address.

/etc/nsswitch.conf sets the priority whether to use files or DNS for hosts and networks. dns/dnsutl is a tool to make a zone file out of hosts and networks. If I use DNS, I'll go with dns/nsd.

It's ok for unbound(8) to be on.

Firewall
I must allow services to pass through, until I determine the names of those devices to allow through the firewall.

to routing
I'll simplify my setup, and put the alias with ftp server, wlan connection and dynamic IP range on the same block. Static IP's in alias and the main wlan connection aren't included in /usr/local/etc/dhcpd.conf.

Though, whatever I've put for a route in rc.conf, I haven't gotten a route. From online, it looks like, to add a route to make the FreeBSD computer allow connections from both sides of the computer.

I'll keep trying to see if putting in the proper route is the answer. I've gotten a bridge to successfully work from my DHCP devices to the ISP router, though it issues the IP's of the ISP router. I've never gotten a bridge to work from the alias IP which the ftp server to the DHCP connected devices, but I don't know if that's possible to do.
 
Not sure if I ever touched net/dhcpd, but I am quite sure, that this combination is absolute nonsense
Code:
option subnet-mask 255.255.255.224;
subnet 172.16.1.3 netmask 255.255.255.254 {
    option broadcast-address 10.0.0.255;
}
Removed lines may be correct.

There are no netmasks in /etc/hosts and you can ignore /etc/networks.

This may nudge you in the right direction https://forums.freebsd.org/threads/freebsd-subnetting-help.79194/#post-498068
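
Added example, not part of any post in this thread: a Python check of the dhcpd.conf values quoted above, listing each inconsistency and then deriving the smallest single network that holds the 172.16.1.3 to 172.16.1.29 pool. The function names are hypothetical, and the derived /27 is an assumption about the intended layout, not something a poster stated.

```python
import ipaddress

def check_dhcpd_subnet(subnet, netmask, range_lo, range_hi, broadcast, option_mask):
    """Return a list of inconsistencies in one dhcpd.conf subnet declaration."""
    problems = []
    iface = ipaddress.ip_interface(f"{subnet}/{netmask}")
    net = iface.network
    # The address after "subnet" must be the network address for that mask.
    if iface.ip != net.network_address:
        problems.append(f"subnet {subnet} is a host address; "
                        f"mask {netmask} places it in {net}")
    # "option subnet-mask" handed to clients should equal the declared mask.
    if ipaddress.ip_address(option_mask) != net.netmask:
        problems.append(f"option subnet-mask {option_mask} differs from {net.netmask}")
    # Both ends of the dynamic pool must lie inside the declared subnet.
    for label, addr in (("range start", range_lo), ("range end", range_hi)):
        if ipaddress.ip_address(addr) not in net:
            problems.append(f"{label} {addr} is outside {net}")
    # The broadcast address belongs to the same subnet (its last address).
    if ipaddress.ip_address(broadcast) != net.broadcast_address:
        problems.append(f"broadcast {broadcast} is not {net.broadcast_address}")
    return problems

def smallest_covering_network(range_lo, range_hi):
    """Smallest single CIDR block containing both ends of the pool."""
    hi = ipaddress.ip_address(range_hi)
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{range_lo}/{prefix}", strict=False)
        if hi in net:
            return net

if __name__ == "__main__":
    # Values as posted in the thread.
    for p in check_dhcpd_subnet("172.16.1.3", "255.255.255.254",
                                "172.16.1.3", "172.16.1.29",
                                "10.0.0.255", "255.255.255.224"):
        print("problem:", p)
    net = smallest_covering_network("172.16.1.3", "172.16.1.29")
    print("pool fits in", net, "netmask", net.netmask,
          "broadcast", net.broadcast_address)
    # Re-check with the derived network (assumed layout): prints [].
    print(check_dhcpd_subnet(str(net.network_address), str(net.netmask),
                             "172.16.1.3", "172.16.1.29",
                             str(net.broadcast_address), "255.255.255.224"))
```

The derived block, 172.16.1.0/27, has netmask 255.255.255.224, which is the value already given to `option subnet-mask` in the posted file, and it also contains the static hostap address 172.16.1.1.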
 
I made a mistake in the example I posted. The broadcast should be of the same subnet to be correct.

I meant for what related to hosts and networks, the alias prefix mask from rc.conf has to match. Though, adding it correctly to networks, makes the network name show up with netstat -ir4. The arguments in networks aren't needed, but are nice to have.


I need to figure out routing, or allowing devices behind my FreeBSD computer to use the Internet now. As now, they're able to access my ftp server, but that's all.
 