Trying to set up a Gateway

Hi everyone,

I've been trying to set up a FreeBSD gateway from a step-by-step guide but I've run into a snag or two along the way (and found a few holes in my knowledge).

I can't ping out (ping: sendto: Operation not permitted) unless I disable the firewall.

I've been banging my head against the wall for a while now, looking at possible causes but I'm a total newbie and I'm finding it tricky to learn so many things at the same time. I think the netstat -r should give a clue to the problem but I'm finding it hard to make sense of it.

Could someone take a look at the setup and let me know what I'm doing wrong, please?

I have a Netgear DG834G and a static IP which goes into the FreeBSD machine <vr0> and out on <sk0> to the network.

external IP 97.97.109.70
internal IP 192.168.0.100
netgear IP 192.168.0.1

DNS Servers 97.97.97.01, 97.97.97.02

<vr0> is the external interface
<sk0> is the internal interface

Code:
netstat -r

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.100      US         18     4376    sk0
97.97.108.0/22     link#3             U           0        0    vr0
97.97.109.70       link#3             UHS         0        0    lo0
localhost          link#6             UH          0       84    lo0
192.168.0.0        link#2             U           0      236    sk0
192.168.0.100      link#2             UHS         0      168    lo0

Internet6:
Destination        Gateway            Flags      Netif Expire
localhost          localhost          UH          lo0
fexx::%lo0         link#6             U           lo0
fexx::1%lo0        link#6             UHS         lo0
ffxx:6::           fexx::1%lo0        U           lo0
ffxx::%lo0         fexx::1%lo0        U           lo0


rc.conf
Code:
hostname="myhost.mydomain"
keymap="uk.iso"
sshd_enable="YES"

ifconfig_vr0="97.97.109.70 netmask 255.255.252.0"

# route add default 192.168.0.1
defaultrouter="192.168.0.100"

# Internal NIC has a static IP
ifconfig_sk0="inet 192.168.0.100 netmask 255.255.255.0"

### Gateway, so we can forward traffic between the int. and ext. networks
gateway_enable="yes"

### PF
pf_enable="YES"                
pf_rules="/etc/pf.conf" # pf rules
pf_flags="" # pfctl flags
pflog_enable="YES" # start pflogd
pflog_logfile="/var/log/pflog" # pf logfile
pflog_flags="" # pflogd flags

### DHCP server
dhcpd_enable="yes"
dhcpd_ifaces="sk0" # enabled on int. interface

### DNS server - BIND
named_enable="YES"

### INETD - need to enable if we use the ftp-proxy
inetd_enable="YES"

pf.conf

Code:
### macros
# internal and external interfaces (run 'ifconfig' to find interfaces)
int_if = "sk0"
ext_if = "vr0"

# Ports we want to allow access to from the outside world on our local
# system (ext_if)
tcp_services = "{ 22, 80 }"

# ping requests
icmp_types = "echoreq"

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### options
set block-policy return
set loginterface $ext_if
set skip on lo0

### Scrub
# From the PF user's guide (http://www.openbsd.org/faq/pf/index.html):
# "Scrubbing" is the normalization of packets so there are no ambiguities in
# interpretation by the ultimate destination of the packet. The scrub directive
# also reassembles fragmented packets, protecting some operating systems from
# some forms of attack, and drops TCP packets that have invalid flag
# combinations.
scrub in all

### nat/rdr
# NAT traffic from internal network to external network through external
# interface
nat on $ext_if from $int_if:network to any -> ($ext_if)

# redirect FTP traffic to FTP proxy on localhost:8021
# requires ftp-proxy to be enabled in /etc/inetd.conf
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

### filter rules
block all

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# allow in FTP control port
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

dhcpd.conf

Code:
### dhcpd.conf
# option definitions common to all supported networks...
# name server is running on this host
option domain-name-servers 192.168.0.100;
default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# ad-hoc DNS update scheme - set to "none" to disable dynamic DNS updates.
ddns-update-style none;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

subnet 192.168.0.0 netmask 255.255.255.0 {
        # leave out the gateway's own address (192.168.0.100) and the broadcast address (.255)
        range 192.168.0.2 192.168.0.99;
        range 192.168.0.101 192.168.0.254;
        option routers 192.168.0.100;
        option subnet-mask 255.255.255.0;
}
### end dhcpd.conf

named.conf
Code:
options {
	// All file and path names are relative to the chroot directory,
	// if any, and should be fully qualified.
	directory	"/etc/namedb";
	pid-file	"/var/run/named/pid";
	dump-file	"/var/dump/named_dump.db";
	statistics-file	"/var/stats/named.stats";

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.

listen-on { 97.97.109.70; 192.168.0.100; 127.0.0.1; };

// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
      forward only;

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.


forwarders { 97.97.97.01; 97.97.97.02; };

};

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

zone "." {
type hint;
file "named.root";

resolv.conf

Code:
nameserver 127.0.0.1
nameserver 97.97.109.70
nameserver 97.97.97.01
nameserver 97.97.97.02


Sorry if this is a long post, but any help will be greatly appreciated.
 
Just off the top of my head: your default gateway appears to be an IP address on your own machine. So traffic will never leave your system.

Code:
# route add default 192.168.0.1
defaultrouter="192.168.0.100"

# Internal NIC has a static IP
ifconfig_sk0="inet 192.168.0.100 netmask 255.255.255.0"
 
Thanks for the fast reply.

I've changed it to the IP address of the router (192.168.0.1) and still get the same result.

Not sure why I changed it to that in the first place, maybe out of frustration.
 
Your Netgear ADSL is acting only as a modem, and your FreeBSD gateway is connected directly to the internet, and to the local LAN on the other interface? (sorry, I wasn't sure what it looks like).

If so then your default route on FreeBSD needs to point to the next hop on the internet, not the internal network (192.168.0.0/24). You said that the external IP assigned to you is 97.97.109.70 255.255.255.252?
That means your default route on FreeBSD points to 97.97.109.69.

To change:
# route delete default && route add default 97.97.109.69

Your:
# netstat -rfinet
should say
Code:
default  97.97.109.69 UGS
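A check that makes the diagnosis in the reply above mechanical, added here as an example and not code from anyone in the thread: it parses `netstat -r` output and reports why a default route cannot carry traffic off the box (gateway is one of the host's own addresses, no G flag, next hop not on the external subnet, route leaving via the wrong interface). The routing table and interface addresses are copied from the original post; vr0's prefix is the /22 from the posted rc.conf, not the /30 the reply guesses.

```python
import ipaddress

# Constructed sample: the IPv4 part of the OP's 'netstat -r' output, as posted.
NETSTAT_BEFORE = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.0.100      US         18     4376    sk0
97.97.108.0/22     link#3             U           0        0    vr0
97.97.109.70       link#3             UHS         0        0    lo0
192.168.0.0        link#2             U           0      236    sk0
192.168.0.100      link#2             UHS         0      168    lo0
"""

# Constructed sample: the same table once defaultrouter points at the ISP's next hop.
NETSTAT_FIXED = NETSTAT_BEFORE.replace(
    "default            192.168.0.100      US         18     4376    sk0",
    "default            97.97.109.69       UGS        18     4376    vr0")

# Interface addresses with prefix length, taken from the posted rc.conf (assumed /22 on vr0).
IFACES = {"vr0": "97.97.109.70/22", "sk0": "192.168.0.100/24"}


def parse_default_route(netstat_text):
    """Return (gateway, flags, netif) from the 'default' line, or None if absent."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "default":
            return parts[1], parts[2], parts[5]
    return None


def check_default_route(netstat_text, ifaces, ext_if):
    """List the reasons a default route will not move packets off this host; empty means OK."""
    route = parse_default_route(netstat_text)
    if route is None:
        return ["no default route: packets to unknown destinations are dropped"]
    gw, flags, netif = route
    gw_ip = ipaddress.ip_address(gw)
    own_addrs = {ipaddress.ip_interface(a).ip for a in ifaces.values()}
    ext_net = ipaddress.ip_interface(ifaces[ext_if]).network
    problems = []
    if gw_ip in own_addrs:
        problems.append(f"gateway {gw} is this host's own address; traffic never leaves the box")
    if "G" not in flags:
        problems.append(f"flags {flags} lack G: kernel treats the route as directly attached")
    if gw_ip not in ext_net:
        problems.append(f"gateway {gw} is not inside {ext_if}'s subnet {ext_net}; next hop unreachable")
    if netif != ext_if:
        problems.append(f"route leaves via {netif} instead of the external interface {ext_if}")
    return problems
```

Running `check_default_route(NETSTAT_BEFORE, IFACES, "vr0")` reproduces the first reply's finding (own address as gateway) plus the three consequences; the fixed table yields no findings.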
 
Hmm, you bring up an issue that I've found hard to find information on online: how to set up the Netgear router.

There's an option "Device Mode" where I can set it to "Router and Modem" or "Modem only".

I've left this as "Router and modem" and set a DMZ that points to the FreeBSD machine.

Is this right? I found it hard to track down this information so I made a best guess.
 
There's no real reason to have two intermediate routers from the LAN to the internet. Set up your Netgear device only as a modem and let the FreeBSD machine do all the work. Or you can leave the Netgear as a router, but then your FreeBSD shouldn't do any NATing - only routing between two internal LANs. Plus you need to tell your Netgear router how to reach the network behind the FreeBSD machine.
 
bbzz said:
... Or you can leave Netgear as router, but then your FreeBSD shouldn't do any NATing - only routing between two internal LANs ...

I fully agree with what bbzz has written in his previous post. I would only like to add one point for the case of keeping the Netgear as a router. If you don't have two internal LANs but only one, then you don't even need to route anything on your FreeBSD server, i.e. you would drop out or deactivate one of the two NICs and connect the whole network directly to the router.

Best regards

Rolf
 
Thanks for the help everyone.

I set the netgear box to modem only and managed to get it to connect to the internet. After that, life was much easier. I now have the gateway up and running with all the computers on the network working fine.

I was having some terminology problems working through this problem.

My netgear is a router, my FreeBSD box is/wants to be the router.
My netgear is the gateway, FreeBSD box wants to be the network gateway, but the gateway IP is given to me from my ISP (and is not the single static IP I am allocated).

Anyway thanks again, I'm off to get some glue for the clumps of my hair lying on the floor.


Cramer.
 
Most of these home routers, including your netgear, are actually a modem, a router and a switch, all in one neat package.
 