Home network setup

I'm after some help setting up a home network with a FreeBSD server, serving multiple PCs running everything from openSUSE to Win8.

So far, I have 4 PCs, all of which will remain clients, and I have a wireless modem/router. So, I need to buy the server and the firewall/proxy systems. I was thinking something like this:

internet ---> modem/router ---> firewall/proxy (FreeBSD) ---> server (FreeBSD) ---> clients

Is that how it is supposed to go? And, what do I need to buy exactly? I was considering setting up FreeBSD on a Mac Mini, if it's possible. If not, what sort of hardware should I buy for the server and firewall? I'm a blank canvas, guys. Thanks!
 
Use an OpenWRT or dd-wrt wireless device for your firewall/proxy. Way cheaper, will use much less power and you'll really get a kick out of turning a $40-$60 device into a jacked-up box. The Router+ADSL devices have a way to go unfortunately, because very few ADSL chips have open-source code.
 
See if you can set your modem to bridge mode. Some DSL modem/routers support that. Then you can simply use DHCP on the FreeBSD firewall and get your external IP address on that interface. On the firewall use PF for example to firewall your network and provide NAT. Install a DHCP service and optionally DNS. That's how I've set things up at home.
 
Beeblebrox said:
Use an OpenWRT or dd-wrt wireless device for your firewall/proxy. Way cheaper, will use much less power and you'll really get a kick out of turning a $40-$60 device into a jacked-up box. The Router+ADSL devices have a way to go unfortunately, because very few ADSL chips have open-source code.

I've read over the first link; still not really sure what OpenWRT is though -- is it like a Raspberry Pi? Or, like improved software for purchasable routers? The second link I found easier to understand. It seems to be just that, improved software to install over existing firmware on retailed routers, to improve the configuration and operation of the hardware. So, if it is compatible with, say, this router, I can download the appropriate files to install to it, and reconfigure it? Alternatively, it looks like they provide DD-WRT ready devices. What should I buy from that shop though? It all looks so foreign to me! Or do you connect whatever you buy from that site to a PC and then use that as the router/firewall/proxy?

SirDice said:
See if you can set your modem to bridge mode. Some DSL modem/routers support that. Then you can simply use DHCP on the FreeBSD firewall and get your external IP address on that interface. On the firewall use PF for example to firewall your network and provide NAT. Install a DHCP service and optionally DNS. That's how I've set things up at home.

This is really strange, but for some reason I can no longer connect to my router (10.0.0.138)! Just last week I could. Now, it just keeps trying to connect and eventually tells me it can't. I think I've ruined something by trying to set up WAMP to host my own ownCloud, which I never got working! So, at the moment, I can't check if I can set it to bridge mode. But, I will be changing ISPs in the next month. No doubt they will give me a new modem and I will ask them for one that can be set to bridge mode.

In the event that I can set my modem to bridge mode, you suggest linking it to the FreeBSD box operating as a firewall, and run that as the proxy and router? That sounds pretty good. I wouldn't even know where to start though!
 
markbsd said:
In the event that I can set my modem to bridge mode, you suggest linking it to the FreeBSD box operating as a firewall, and run that as the proxy and router?
Yes, that's the idea.
 
www.zrouter.org - It's like openwrt, but uses FreeBSD as its base instead.

Note: I've never used it, so I don't know how "feature complete" it is. I have been aware of its existence for quite some time, however.

break19
 
A router with OpenWRT firmware and a FreeBSD machine that runs a firewall/routing/proxy services are mutually exclusive because they both implement pretty much the same services. You have to decide early on which one you want.
 
SirDice said:
Yes, that's the idea.

Cool. Thanks, @SirDice.

break19 said:
www.zrouter.org - It's like openwrt, but uses FreeBSD as its base instead.

Note: I've never used it, so I don't know how "feature complete" it is. I have been aware of its existence for quite some time, however.

break19

Really cool! If I can keep everything FreeBSD, that would be awesome.

kpa said:
A router with OpenWRT firmware and a FreeBSD machine that runs a firewall/routing/proxy services are mutually exclusive because they both implement pretty much the same services. You have to decide early on which one you want.

Wouldn't the FreeBSD box operating as a firewall/router/proxy service be infinitely more secure and configurable, not to mention upgradeable over time?
 
http://www.zrouter.org - It's like openwrt, but uses FreeBSD as its base instead.
It's a great concept, but the supported hardware list makes it useless. There are 15 devices listed, of which half are indicated in red. By contrast, look through the supported hardware list of OpenWRT: http://wiki.openwrt.org/toh/start and most of them have detailed wiki pages.

@markbsd: The problem you are facing in home networks/small networks, is one of cost and ease of operation. For example, you could place a powerful server and make all the services run from there, but that would obviously mean a large electric bill, sleeping to the sound of whirring fans in the background and having to constantly leave it on. You would have to start the server just to look up something on a tablet PC when you were on your way out of the door.

By contrast, the small devices consume very little power, can be on 24/7, are silent (fanless), a lot cheaper and more recently, have started to come with more hardware (USB jack, bigger RAM, etc). However, the problem those devices face is minimalism: Limited space to house (flashrom) and run (RAM) the software. This is where those O/S like the WRT variants come in. For home and small networks, I would not use a PC with fans etc as a server, because it is just too much of a hassle IMHO. Finally, you have the issue of wireless service to consider. That leaves you basically with these options:

1. OpenWRT-Wireless-router_IPFW-firewall_USB-pluggedHDD+Printer --> ADSL-Modem --> Interwebs
You have two pieces of hardware in this setup, and the ADSL Modem is just a dumb modem box.
2. FreeBSD-server --> ADSL-Modem_Wireless-router_IPFW-firewall --> Interwebs
This setup also has only two pieces of hardware, and it's OK if you use Raspberry Pi-like low power & low cost hardware. It's overkill if you use a regular PC. Plus, notice that the Firewall has to run on the wireless device so that your wireless clients can have firewall protection. If you place the wireless AP behind the FreeBSD box, then the number of devices (hence the amount of investment) has gone up to three units.

Wouldn't the FreeBSD box operating as a firewall/router/proxy service be infinitely more secure and configurable, not to mention upgradeable over time?
Not necessarily, since you won't be providing services to the external network.
improved software to install over existing firmware on retailed routers, to improve the configuration and operation of the hardware... I can download the appropriate files to install to it, and reconfigure it?
Yes, that's the idea. You can even setup VPN, cups, file sharing & samba on such devices; as long as you make sure the device is listed as working in the "Supported Hardware" list.

@SirDice: Perhaps you could share the hardware list and connection order for what you have as your home network?

EDIT: Install VirtualBox on your system and download the OpenWRT-x86 image. Install and run it in VirtualBox to check out whether it's for you or not.
 
tzoi516 said:
zrouter sounds like vaporware.

I agree. I'd either use DD-WRT or Tomato on consumer routers, or build my own with FreeBSD; bsdnow made a nice tutorial about how to get one running with OpenBSD (probably quite easy to translate to FreeBSD).

I'll probably end up following this tutorial with a cubietruck: I'll use the gigabit ethernet for LAN routing (for maximum internal transfers), a USB ethernet dongle for WAN, and perhaps a USB Wireless N dongle in AP mode for WiFi (or maybe just a consumer wireless N access point).

Anyway, I've used both DD-WRT and Tomato, and both are fantastic.
 
My network:

Internet => modem => FreeBSD Server => Switch => [Client Computers, WAP, Etc]

How is the firewall in DD-WRT anyhow? I've used a unix-based firewall since long before DD-WRT existed, so my WAP has always been inside the firewall.
 
Beeblebrox said:
@markbsd: The problem you are facing in home networks/small networks, is one of cost and ease of operation. For example, you could place a powerful server and make all the services run from there, but that would obviously mean a large electric bill, sleeping to the sound of whirring fans in the background and having to constantly leave it on. You would have to start the server just to look up something on a tablet PC when you were on your way out of the door.

Does it have to be a "powerful server" though? I mean, there's a gap between that and a typical desktop PC or notebook even, right? The latter being capable of running as a server? That's sort of what I had in mind regarding the server; a typical run-of-the-mill desktop stripped down of what it doesn't need, a couple extra HDDs and as much RAM as can be crammed in.

By contrast, the small devices consume very little power, can be on 24/7, are silent (fanless), a lot cheaper and more recently, have started to come with more hardware (USB jack, bigger RAM, etc). However, the problem those devices face is minimalism: Limited space to house (flashrom) and run (RAM) the software.

I'm probably wrong, but I don't think the abovementioned desktop would drain that much energy from the grid? I also can't hear my current desktops running unless I'm seated at the desk trying to hear them. So, these cons you mention aren't really a negative for me.

This is where those O/S like the WRT variants come in. For home and small networks, I would not use a PC with fans etc as a server, because it is just too much of a hassle IMHO. Finally, you have the issue of wireless service to consider. That leaves you basically with these options:


1. OpenWRT-Wireless-router_IPFW-firewall_USB-pluggedHDD+Printer --> ADSL-Modem --> Interwebs
You have two pieces of hardware in this setup, and the ADSL Modem is just a dumb modem box.

I like the look of this.

2. FreeBSD-server --> ADSL-Modem_Wireless-router_IPFW-firewall --> Interwebs
This setup also has only two pieces of hardware, and it's OK if you use Raspberry Pi-like low power & low cost hardware. It's overkill if you use a regular PC. Plus, notice that the Firewall has to run on the wireless device so that your wireless clients can have firewall protection. If you place the wireless AP behind the FreeBSD box, then the number of devices (hence the amount of investment) has gone up to three units.

Why is this:

Code:
internet ---> modem in bridge mode ---> (public IP address)firewall/router/proxy-+--->server
                                                                                 |
                                                                                 |
                                                                                 v
                                                                              clients

not an option?

Not necessarily, since you won't be providing services to the external network.

Yes, that's the idea. You can even setup VPN, cups, file sharing & samba on such devices; as long as you make sure the device is listed as working in the "Supported Hardware" list.

Thanks, @Beeblebrox. It sounds like something I should definitely consider over the typical desktop server. They're certainly cheaper.

@SirDice: Perhaps you could share the hardware list and connection order for what you have as your home network?

I second this! Would be good to hear. Are there no network/systems administrators here? Surely, they would have the best insight to share. Though, Beeblebrox and kpa seem to know their stuff!

EDIT: Install VirtualBox on your system and download the OpenWRT-x86 image. Install and run it in VirtualBox to check out whether it's for you or not.

I'll do this. Thank you very much for all your advice. It's obvious I am a real novice (if that) with these topics, but you make it easy to understand.
 
markbsd said:
Does it have to be a "powerful server" though? I mean, there's a gap between that and a typical desktop PC or notebook even, right? The latter being capable of running as a server? That's sort of what I had in mind regarding the server; a typical run-of-the-mill desktop stripped down of what it doesn't need, a couple extra HDDs and as much RAM as can be crammed in.

All a "server" needs is reliable hardware and enough resources to do the job. For a home server, a typical desktop is probably overkill. Although a mirror or some type of RAID for the drives is a good idea.

I'm probably wrong, but I don't think the abovementioned desktop would drain that much energy from the grid? I also can't hear my current desktops running unless I'm seated at the desk trying to hear them. So, these cons you mention aren't really a negative for me.

It depends. A small system running powerd(8) can take less than 50 watts. Add two dozen hard drives, 48G of RAM, the jet engines that real servers use for cooling, two or more redundant power supplies, a shed-sized UPS, and it can add up.
 
Does it have to be a "powerful server" though? I mean, there's a gap between that and a typical desktop PC or notebook even, right?

I was being facetious :p A "powerful server" is just as much overkill as a regular PC as far as I am concerned, on the condition that the server is tasked as gateway and firewall, DHCP, DNS and Web Cache, printer and file sharing. There are even some "plug-PC" devices that do all that plus VOIP and scheduled torrent downloading. Now if the server is to also serve up thin/diskless clients (to which I would give two thumbs up), then it's a different story.

Why is this not an option?
internet -> modem in bridge mode -> (public IP address)firewall/router/proxy-+->server + clients

The number of devices is now 3 instead of 2. Allocate a budget of $10,000 and watch the community build you one giant kick-ass home network! The point is to get the task done with minimal hardware investment and minimal operating costs.

How is the firewall in DD-WRT anyhow?

Both OpenWRT and DD-WRT use Netfilter iptables. You can also set up VPN services through the firewall. I think that's more than enough security in a home or small business setting (where there are not any services being provided from the internal or DMZ network).

I've used both DD-WRT and Tomato, and both are fantastic.

They are both solid software, but OpenWRT is ahead of the game. Support is better for one, but also they now have versions with working ADSL chipsets. Think of modem and WiFi router. Now think of the devices that have all three combined into one box (your typical consumer-grade ADSL+router+WiFi box). OpenWRT has the ADSL part working for some of these boxes. Granted it is a very minimal sub-set (mostly limited to Lantiq chipsets), because a large part of the code is proprietary (Broadcom, Atheros, etc). I have DD-WRT working on a hardware-wise absolutely minimal USR-5451 (Flash Size 2MB, RAM Size 8MB), which OpenWRT does not support. So they both have their places.

A third option that I had mentioned, and which @beatgammit clarified, is to NOT use commercially ready router and WiFi boxes, but instead to build your own using a multitude of available low-power fanless (Cortex, Via, Intel Atom) CPUs and minimalistic motherboards. This is a truly viable alternative, and with the right specifications can probably carry the load of 3-4 diskless clients as well. pfSense, "BSD router project", and likes can easily run on such a device, but you will have to do your own FreeBSD setup for the box if you want to provide diskless hosting.

You have to understand what a hairy job it is to build a flashable firmware.bin targeted for the commercially provided devices. It's no easy task and has many pitfalls. Most of us would probably not be able to create a FreeBSD version of the *WRT releases, as it is a highly specialized branch of Linux. The last thing I can add, is that one has not truly lived on the edge until a badly flashed device is debricked with a "level shifting" serial cable connected to the pinouts on the device mainboard.
 
Good post, @Beeblebrox. I haven't tried DD-WRT but do note that it runs on much more hardware, and in much less RAM than Tomato which I'm using now. Shibby AIO, to be exact. One thing which is nice about that is the graphic displays of bandwidth, even for individual IPs. I have no need for it, but the QOS is also quite extensive.

As for either router software, there are dirt cheap routers out there. I picked up a couple of WRT54Gs for 10 bucks each, despite them being very popular. I did feel a need for a Gigabit main router in my home LAN though, so am using a Netgear WNR3500Lv2, which has a very fast processor and a huge amount of RAM. It was under a hundred bucks and those are probably about half that now. They also have a USB port, available through FTP. I put a flash drive there with my hosts file and other miscellaneous stuff for household use. Putting the hosts file is really convenient, because it allows me to use simple names for all the computers and devices around the house without having to enter the info on each box.
 
wblock@ said:
All a "server" needs is reliable hardware and enough resources to do the job. For a home server, a typical desktop is probably overkill. Although a mirror or some type of RAID for the drives is a good idea.

I just already have the spare desktop, so if I could make use of it I would prefer that.

It depends. A small system running powerd(8) can take less than 50 watts. Add two dozen hard drives, 48G of RAM, the jet engines that real servers use for cooling, two or more redundant power supplies, a shed-sized UPS, and it can add up.

It's not so dichotomous though. There is a vast spectrum between a "small system running powerd" and "two dozen hard drives, 48G of RAM, the jet engines that real servers use for cooling, two or more redundant power supplies, [and] a shed-sized UPS". Such as, a typical desktop with 4-8 GB RAM and 4 HDD.


Beeblebrox said:
I was being facetious :p A "powerful server" is just as much overkill as a regular PC as far as I am concerned, on the condition that the server is tasked as gateway and firewall, DHCP, DNS and Web Cache, printer and file sharing. There are even some "plug-PC" devices that do all that plus VOIP and scheduled torrent downloading. Now if the server is to also serve up thin/diskless clients (to which I would give two thumbs up), then it's a different story.

I don't know what half of that stuff is! I already have the spare desktop though, but if I'm better off buying a "plug-PC" device, I will.

The number of devices is now 3 instead of 2. Allocate a budget of $10,000 and watch the community build you one giant kick-ass home network! The point is to get the task done with minimal hardware investment and minimal operating costs.

I'm not too concerned with being that minimal. I just want an easy to setup, use and maintain home network. Remember, I'm a rank novice here :)

For example, I bought a new domain name, but don't even know how to use it for my home network! I registered with freedns.afraid.org, changed my domain name's nameservers, but still couldn't get my WAMP server on my Win7 box to work with my new domain name. I just want to stand up a website with FreeBSD guides and links for new users, and host the site on one of my own rigs. But can't even figure it out :(
 
markbsd said:
I'm not too concerned with being that minimal. I just want an easy to setup, use and maintain home network. Remember, I'm a rank novice here :)

For example, I bought a new domain name, but don't even know how to use it for my home network! I registered with freedns.afraid.org, changed my domain name's nameservers, but still couldn't get my WAMP server on my Win7 box to work with my new domain name. I just want to stand up a website with FreeBSD guides and links for new users, and host the site on one of my own rigs. But can't even figure it out :(

Here's a series of questions then:

  • Is your domain resolving to your home network? ( host your-domain, check against your router's WAN IP)
  • Can you get to your WAMP server using its internal address (probably 192.168.1.X)?
  • Do you have forwarding rules configured on your router? (e.g. port 80 -> Win7 port 80)
  • If yes to the above, does it work when you're not at home? (i.e. at work)
 
I have an old Asus eee 900a that originally came with Linux. It has an Ethernet adapter, three USB ports and a wireless card that can be put into host mode. You can probably pick one of these up for next to nothing these days on Ebay. It is small and minimal power consumption, fast enough and enough RAM to run a home setup. And I get the freedom of running FreeBSD on it and tinkering with every aspect of the setup. The little thing also comes with a SD/MMC slot so I put in a 16 GB card for whatever space needs I may have. Behind this box is a second little box that runs all sorts of network analysis things I am interested in :)

I used to run ddwrt on a little router and if I remember correctly there are versions of ddwrt that will not let you run a bunch of stuff on the underlying hardware due to memory constraints. I may be wrong though.
 

beatgammit said:
markbsd said:
I'm not too concerned with being that minimal. I just want an easy to setup, use and maintain home network. Remember, I'm a rank novice here :)

For example, I bought a new domain name, but don't even know how to use it for my home network! I registered with freedns.afraid.org, changed my domain name's nameservers, but still couldn't get my WAMP server on my Win7 box to work with my new domain name. I just want to stand up a website with FreeBSD guides and links for new users, and host the site on one of my own rigs. But can't even figure it out :(

Here's a series of questions then:

  • Is your domain resolving to your home network? ( host your-domain, check against your router's WAN IP)
  • Can you get to your WAMP server using its internal address (probably 192.168.1.X)?
  • Do you have forwarding rules configured on your router? (e.g. port 80 -> Win7 port 80)
  • If yes to the above, does it work when you're not at home? (i.e. at work)

  • It is now: bsdbox.co resolves to my router's external IP.
  • I managed to get WAMP working on Windows 7; however, I've now set up AMP on an old notebook running FreeBSD 9.2-RELEASE and it is functional.
  • I do, and I have some questions you might be able to help with.
  • It's irrelevant now, but yes. And thank you very much for your help, @beatgammit.

Basically, I don't know why it wasn't working on Windows 7, and I still don't know what I specifically changed that caused it to work on Windows 7. It's inconsequential now as I have it all pointing to where I ultimately wanted it -- ye olde BSDbox.

As I said, bsdbox.co now points to a notebook on my network running 9.2-RELEASE. I've set up AMP (apache24, mysql56-server, php5, php5-extensions, and phpmyadmin) all inside the same jail to serve up ownCloud and Wordpress and use SSL (HTTPS). Everything is running fine. Two irrelevant points for you, but one of which might be worthy of notifying a port maintainer:
  1. Despite only installing phpmyadmin from ports yesterday, only 4.0.9 was installed -- 4.0.10 has been available for four days.
  2. phpMyAdmin 4.0.9 is incompatible with php55. I initially compiled php55 and phpmyadmin kept failing the build -- it requires php5
I'd just like some input from the community as to whether this is normal before erroneously advising the maintainer.

Anyway, some relevant intel before my questions:
  • Router external IP: 110.146.148.136
  • Router internal IP: 10.0.0.138
  • FreeBSD host external IP: 10.0.0.48
  • FreeBSD jail running AMP external IP: 10.0.0.110

Questions:

  1. When I created the jail with the IP alias 10.0.1.110 and 10.0.1.255 subnet, there was no internet connectivity within the jail -- why?
    N.b. my router's DHCP pool is 10.0.0.1 to 10.0.0.136. I had no success creating an additional DHCP pool.
  2. My router's configuration now shows the host OS (FreeBSD) as having the jail's IP (10.0.0.110) -- is this normal?
  3. When I create another jail to serve, say a Tor relay, what happens? I.e., I'm assuming the router will then display the new jail's IP for the host IP -- will my AMP server inside jail #1 still be accessible?
  4. How does this affect port forwarding (NAT)? I.e., if the router only sees one IP (the latest one created by the looks of it), do I need to do additional port forwarding with PF to the appropriate jail(s)?
  5. I want to run my own MTA, so I can host all mail for bsdbox.co on this server. Should I:
    • set it up inside the same jail as AMP?
    • use sendmail and imap-uw, or postfix and dovecot, or qmail?
    • do I need to run my own nameserver (DNS) in order to run my own MTA, or can I keep everything with FreeDNS?
      N.b. I don't need anything fancy, just IMAP and SSL; however, I would like the setup process to be simple, and, if possible, keep my DNS with FreeDNS. Unless it is easy enough to set up my own DNS, I would like to do this eventually anyway.
  6. How do I enforce HTTPS? As it is now, you must type "https://bsdbox.co". However, "cloud" and "press" (.bsdbox.co) does go to the HTTPS version as I've (a) selected the force https option in ownCloud, and (b) added forwards on my FreeDNS subdomain configuration with:
    Code:
    	->press.bsdbox.co (G)	URL	https://bsdbox.co/wordpress
    	->cloud.bsdbox.co (G)	URL	https://bsdbox.co/owncloud
  7. Finally, I still can't get my head around some basic networking nomenclature: my notebooks all have an Ethernet and a WiFi card. They all connect to the router via WiFi (no Ethernet cable plugged in). All the PF and IPFW documentation I read talks about external interfaces ($ext_if) and internal interfaces ($int_if). What exactly is this in reference to? For example, I realize my router's external (WAN) IP is the one my domain name points to, and what the internet sees (110.146.148.136). I know its internal (LAN) IP is what my network points to and what I enter to access the router (10.0.0.138). So, I understand it has an external and internal IP (or interface). However, my computers on the network, despite having two NICs, only have one IP, which I assume, despite being a LAN address, is its external interface (10.0.0.xxx) as it is this that connects to the Internet via the gateway/router. So, why does all the documentation refer to two (external and internal) interfaces? And, considering I have two NICs (Ethernet and WiFi) in my notebooks, how do I go about creating another interface IP? I imagine, to use this FreeBSD notebook as a firewall and router it will need both of these interfaces.

I ask these questions after having read:
  • https://sites.google.com/site/ghidit/how-to-2/freebsd-9-mail-server-setup-postfix-dovecot-2-virtual-users-mysql-sasl-postfixadmin-and-others
  • http://www.freebsdonline.com/content/view/571/506/
  • http://www.informationweek.com/how-to-build-a-cheap-reliable-mail-server-using-freebsd/d/d-id/1043907?page_number=3
  • http://www.purplehat.org/?page_id=5
  • http://www.freebsd.org/doc/handbook/mail-using.html
  • http://www.freebsd.org/doc/handbook/network-dns.html
and the two most appealing guides:
  • http://servers.hostik.com/instructions/freebsd-mailserver.htm
  • http://www.puresimplicity.net/~hemi/freebsd/sendmail.html

with the last one being the most likely candidate that I will proceed with, pending further advice. I say this because, firstly, I think it might be simpler and more stable running with sendmail as it's the default UNIX MTA and is used for system processes, which will require further system configuration if disabled. Secondly, it seems like the most detailed and straight-forward tutorial. Finally, it is the most recent/up-to-date tutorial and doesn't have conflicting guides from elsewhere (as many of the others do).

In spite of everything I've read, I'm still unclear on the questions I've put forth regarding running/hosting/serving my own mail, but this is the next step I would really like to take. If you have any links to a tried-and-tested HOWTO/guide/tutorial to set up a mail server on FreeBSD 9.2-RELEASE I would love to have them. I also would really appreciate any answers and advice you can provide.

N.b. This notebook has two NICs (Ethernet and WiFi), eventually I want to buy another one and use this notebook as the router/gateway. So it will go: inet > modem > notebook (firewall/router/gateway) > clients. I am not sure if this is wise, but for some reason I want to use a PC as a router/firewall. I installed pfSense into a VM on Windows 7, bridged the host external IP to a virtual NIC in VirtualBox (pfSense), then bridged another pfSense virtual NIC to the host (Windows 7) loopback adapter and disabled TCP/IP on the host so it only connected to the internet through its virtual guest. But, then I thought, why not just use FreeBSD and PF to do the same thing?

Anyway, long post. If you've come this far, thanks for reading, and I appreciate anything you (or anybody else) have (has) to offer :)

tl;dr: I know I've asked a lot; really, what I most need is MTA advice for now. I want to run my own mail server and don't know which applications to use or how to set it all up.
 
paxvobiscum said:
I have an old Asus eee 900a that originally came with Linux. It has an ethernet adapter, 3 USB ports and a wireless card that can be put into host mode. You can probably pick one of these up for next to nothing these days on Ebay. It is small and minimal power consumption, fast enough and enough RAM to run a home setup. And I get the freedom of running FreeBSD on it and tinkering with every aspect of the setup. The little thing also comes with a SD/MMC slot so I put in a 16GB card for whatever space needs I may have. Behind this box is a second little box that runs all sorts of network analysis things I am interested in :)

I used to run ddwrt on a little router and if I remember correctly there are versions of ddwrt that will not let you run a bunch of stuff on the underlying hardware due to memory constraints. I may be wrong though.

It sounds like this old Toshiba I am using, and, if I understand correctly, you're doing with it what I want to do with mine: use it as a gateway/firewall/router and server?

I'm not sure what its CPU is, but it has a 50 GB HDD, 2 GB RAM, two NICS (Ethernet and WiFi), four USB slots, and a DVR. I have a 500 GB Seagate external USB HDD that I plan to connect to it when I need more room. I'm not sure how to go about this though. The extra space will be needed for my cloud service, but I haven't figured out how to (a) point the jail to it, and (b) config ownCloud to use it.

She's running really well for what she has. I haven't installed any DKE so there's plenty of resources available for what I want it to do. I have put X.Org on it as I think I will run Wireshark and maybe some other X-dependent applications.
 
I made some progress: Postfix and Dovecot installed and running. I can receive email, but can't send. I've narrowed down the problem, but don't know what to do about it. Hopefully someone can help.

Trying to send mail results in this error:
Code:
Sending of message failed.
An error occurred sending mail: Unable to establish a secure link with SMTP server mail.bsdbox.co using STARTTLS since it doesn't advertise that feature. Switch off STARTTLS for that server or contact your service provider.

Which results in this email to postmaster:
Code:
Transcript of session follows.

 Out: 220 mail.bsdbox.co ESMTP Postfix
 In:  EHLO [10.0.0.66]
 Out: 250-mail.bsdbox.co
 Out: 250-PIPELINING
 Out: 250-SIZE 10240000
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  STARTTLS
 Out: 454 4.7.0 TLS not available due to local problem
 In:  QUIT
 Out: 221 2.0.0 Bye

I looked at /var/log/maillog:
Code:
Dec 10 11:36:03 mail postfix/smtpd[57120]: warning: cannot get RSA certificate from file /etc/ssl/cert/dovecot.pem: disabling TLS support
Dec 10 11:36:03 mail postfix/smtpd[57120]: warning: TLS library problem: 57120:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:356:fopen('/etc/ssl/cert/dovecot.pem','r'):
Dec 10 11:36:03 mail postfix/smtpd[57120]: warning: TLS library problem: 57120:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:358:
Dec 10 11:36:03 mail postfix/smtpd[57120]: warning: TLS library problem: 57120:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:722:

I thought I might have to generate another certificate, maybe it had to be different to what Dovecot was using. So:
Code:
# openssl ca -policy policy_anything -days 3650 -out server.crt -infiles server.csr
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
57089:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
57089:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:358:
unable to load CA private key

That looks like missing libraries or something. Google hasn't revealed much: a few sites in Russian or something I can't understand.

Here are both my /postfix/main.cf and /dovecot/dovecot.conf:
Code:
# postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = bsdbox.co
myhostname = mail.bsdbox.co
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/cert/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
unknown_local_recipient_reject_code = 550

# dovecot -n
# 2.2.9: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 9.2-RELEASE i386
disable_plaintext_auth = no
listen = *
mail_location = maildir:~/Maildir:LAYOUT=fs
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
userdb {
  driver = passwd
}
root@mail:/var/spool/postfix #

Does anyone have any ideas? Thanks.

ETA: Let me know if any extra intel is needed. I'm connecting using STARTTLS protocol on ports 143 and 587 for IMAP and SMTP respectively (plain login). It's just really weird that I can connect and accept the same certificate that is the cause of this error.

ETA: Screenshot of a telnet connection to the server on IMAP port 143: https://bsdbox.co/cloud/public.php?serv ... 8dc3bf59dc
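The two configs above hand the daemons different certificate paths (Postfix: /etc/ssl/cert/dovecot.pem, Dovecot: /etc/ssl/certs/dovecot.pem), and the maillog's fopen failure names the Postfix one. Below is an added example, not code from the thread, that parses the two `-n` outputs and reports paths that differ or are absent on disk; the excerpts it parses are constructed from the post.

```python
"""Cross-check the TLS cert/key paths given to Postfix and Dovecot.
Added example; the config excerpts are constructed from the thread."""
import os
import re

# Constructed excerpts of `postconf -n` and `dovecot -n` from the post.
POSTCONF_OUTPUT = """\
smtpd_tls_cert_file = /etc/ssl/cert/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_security_level = may
"""
DOVECOT_OUTPUT = """\
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
"""


def parse_kv(text):
    """Parse 'key = value' lines; Dovecot's leading '<' (read from file) is stripped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2).lstrip("<")
    return out


def check_tls_paths(postconf_text, dovecot_text, exists=os.path.exists):
    """Return findings: paths that differ between the daemons, and paths
    that do not exist. `exists` is injectable so the check can run offline."""
    pc = parse_kv(postconf_text)
    dc = parse_kv(dovecot_text)
    pairs = [("smtpd_tls_cert_file", "ssl_cert"), ("smtpd_tls_key_file", "ssl_key")]
    findings = []
    for pkey, dkey in pairs:
        p, d = pc.get(pkey), dc.get(dkey)
        if p != d:
            findings.append(f"mismatch: postfix {pkey}={p} vs dovecot {dkey}={d}")
        for daemon, path in (("postfix", p), ("dovecot", d)):
            if path and not exists(path):
                findings.append(f"missing: {daemon} {path}")
    return findings


if __name__ == "__main__":
    for finding in check_tls_paths(POSTCONF_OUTPUT, DOVECOT_OUTPUT):
        print(finding)
```

Run it on the real machine with the actual `postconf -n` and `dovecot -n` output; a "missing" line for a path Postfix uses corresponds to the `cannot get RSA certificate` warning in the maillog.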
 
@nanotek: The subject of this thread is the original question, which was:
internet ---> modem/router ---> firewall/proxy (FreeBSD) ---> server (FreeBSD) ---> clients
Is that how it is supposed to go? And, what do I need to buy exactly?
I realize that the OP hasn't been around for a while, but it would probably be more useful to you if you started another thread. It would certainly be less confusing to me. :)
 