Hello,
Hope this is in the right section. My wireless router just died, so I'm trying to set up my FreeBSD gateway as an access point while also keeping my wired connection.
I think I've set everything up correctly except my rules. Wireless clients can join the access point but can't get out to the web. I have the access point on a different subnet, 192.168.2.1; the wired is 192.168.1.1.
Here is my rc.conf:
Code:
gateway_enable="YES"
keymap="us.iso"
sshd_enable="YES"
ifconfig_re0="DHCP"
ifconfig_vr0="inet 192.168.1.1 netmask 255.255.255.0"
pf_enable="YES"
pflog_enable="YES"
syslogd_flags="-ss"
hostapd_enable="YES"
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="inet 192.168.2.1 netmask 255.255.255.0 ssid freebsd mode 11g channel 1"
And my pf.conf:
Code:
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
# interfaces
ext_if = "re0"
int_if = "vr0"
#air_if = "wlan0"
#protocol
icmp_types = "{ echoreq, unreach }"
#hosts
Xbox360 = "192.168.1.105"
webserver = "192.168.1.100"
shoutcast = "192.168.1.100"
laptop = "192.168.1.117"
#ports
#Xlive_udp = "{ 1:65535 }"
#Xlive_tcp = "{ 1:65535 }"
Xlive_udp = "{ 3074, 3075, 80, 53, 443, 88, 1863, 1024:65535 }"
Xlive_tcp = "{ 3074, 3075, 80, 53, 443, 88, 1863, 1024:65535 }"
#Xlive_tcp = "{ 3074, 53 }"
#Xlive_udp = "{ 3074, 53, 88 }"
#ssh_port = "{ 1970 }"
webserver_port = "{ 80 }"
shoutcast_ports = "{ 8000, 8001, 8010 }"
laptop_port = "{ 26000 }"
#nets
lan_net = "{ 192.168.1.0/24 }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# config
#------------------------------------------------------------------------
# options
#------------------------------------------------------------------------
# config
set block-policy drop
set loginterface $ext_if
set skip on lo0
set optimization conservative
# scrub
#scrub all reassemble tcp no-df
#scrub in all fragment reassemble
scrub in all
#------------------------------------------------------------------------
# redirection (and nat, too!)
#------------------------------------------------------------------------
# network address translation
nat on egress from $int_if:network to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on $ext_if from $Xbox360 to any -> ($ext_if:0) static-port
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port $webserver_port -> $webserver
#rdr on $ext_if proto tcp from any to ($ext_if) port $ssh_port -> $ssh
rdr on $ext_if proto tcp from any to ($ext_if) port $laptop_port -> $laptop
rdr on $ext_if proto tcp from any to ($ext_if) port $shoutcast_ports -> $shoutcast
rdr on $ext_if proto udp from any to ($ext_if) port $shoutcast_ports -> $shoutcast
rdr on $ext_if inet proto udp from any to ($ext_if) port $Xlive_udp tag XBOX360 -> $Xbox360
rdr on $ext_if inet proto tcp from any to ($ext_if) port $Xlive_tcp tag XBOX360 -> $Xbox360
#nat on $ext_if from $air_if:network to any -> (ext_if) static-port
no nat on $int_if proto tcp from $int_if to $lan_net
#------------------------------------------------------------------------
# firewall policy
#------------------------------------------------------------------------
# restrictive default rules
block log all
pass out keep state
block drop in log on $ext_if from $priv_nets to any
block drop out log on $ext_if from any to $priv_nets
# anti spoofing
antispoof for { $int_if, $ext_if }
pass proto tcp from any to $laptop port $laptop_port
pass proto tcp from any to $webserver port $webserver_port
#pass log proto tcp from any to $ssh port $ssh_port
pass proto udp from any to $shoutcast port $shoutcast_ports
pass proto tcp from any to $shoutcast port $shoutcast_ports
pass in log on $ext_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass in log on $ext_if inet proto tcp from any to $Xbox360 port $Xlive_tcp keep state tagged XBOX360
pass out log on $int_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass out log on $int_if inet proto tcp from any to $Xbox360 port $Xlive_tcp keep state tagged XBOX360
pass in log on $int_if inet proto udp from $Xbox360 to any port $Xlive_udp keep state
pass in log on $int_if inet proto tcp from $Xbox360 to any port $Xlive_tcp keep state
block in quick on $int_if inet proto igmp all
pass quick on { $ext_if $int_if } inet proto tcp from any port 67:68 to any port 67:68 keep state flags S/SA
pass quick on { $int_if $ext_if } inet proto udp from any port 67:68 to any port 67:68 keep state
#pass in on $air_if from $air_if:network to any keep state
#pass out on $air_if from any to $air_if:network keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp,icmp } all keep state
pass in from $lan_net to $lan_net keep state
pass out from $lan_net to $lan_net keep state
pass out from any to any keep state
Here is ifconfig:
Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether c8:60:00:df:fb:f1
inet 72.39.11.123 netmask 0xffffe000 broadcast 255.255.255.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
ether 00:50:ba:68:e2:cf
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::250:baff:fe68:e2cf%vr0 prefixlen 64 scopeid 0x7
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
ether 1c:7e:e5:23:6e:11
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
status: running
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 1c:7e:e5:23:6e:11
inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
inet6 fe80::1e7e:e5ff:fe23:6e11%wlan0 prefixlen 64 scopeid 0xb
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
status: running
ssid freebsd channel 1 (2412 MHz 11g) bssid 1c:7e:e5:23:6e:11
regdomain FCC indoor ecm authmode WPA privacy MIXED deftxkey 2
TKIP 2:128-bit TKIP 3:128-bit txpower 27 scanvalid 60 protmode CTS wme
burst dtimperiod 1 -dfs
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200
nd6 options=9<PERFORMNUD,IFDISABLED>
Here is tcpdump -n -e -ttt -v -i pflog0. The wireless client is 192.168.2.5.
Code:
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
00:00:00.000000 rule 80..16777216/0(match): pass in on wlan0: (tos 0x0, ttl 1, id 22924, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
192.168.2.5 > 224.0.0.2: igmp leave 224.0.0.251
00:00:00.000008 rule 80..16777216/8(ip-option): pass in on wlan0: (tos 0x0, ttl 1, id 22924, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
192.168.2.5 > 224.0.0.2: igmp leave 224.0.0.251
00:00:00.000318 rule 80..16777216/0(match): pass in on wlan0: (tos 0x0, ttl 1, id 65070, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
192.168.2.5 > 224.0.0.251: igmp v2 report 224.0.0.251
00:00:00.000005 rule 80..16777216/8(ip-option): pass in on wlan0: (tos 0x0, ttl 1, id 65070, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
192.168.2.5 > 224.0.0.251: igmp v2 report 224.0.0.251
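The posted pf.conf only translates $int_if:network and $lan_net (192.168.1.0/24), so nothing maps the wireless 192.168.2.0/24 segment to the re0 address and no rule passes traffic in on wlan0; the commented-out air_if lines in the post are the missing pieces. The fragment below is an added example, not the poster's config, and assumes the interface names from the posted rc.conf and that wireless clients use 192.168.2.1 as their default route and can reach a DNS resolver:

```pf
# Added example (not the poster's config): the wireless-side rules the posted
# pf.conf leaves commented out, written for the 192.168.2.0/24 hostap segment.
ext_if = "re0"
int_if = "vr0"
air_if = "wlan0"          # hostap interface created in the posted rc.conf

# Translate the wireless subnet to the external address, as the wired LAN
# already is. Without this, 192.168.2.x packets leave re0 untranslated and
# the upstream network has no route back to them.
nat on $ext_if from $air_if:network to any -> ($ext_if)

# Spoofing protection should cover every attached interface, not only vr0/re0.
antispoof for { $int_if, $air_if, $ext_if }

# Let wireless clients in and let replies back out to them; the existing
# "pass out on $ext_if ..." rules then carry the translated traffic upstream.
pass in on $air_if from $air_if:network to any keep state
pass out on $air_if from any to $air_if:network keep state
```

Check that the merged file still parses with pfctl -nf /etc/pf.conf before loading it, then watch pfctl -s state while a wireless client browses: a working setup shows 192.168.2.x entries mapped to the re0 address, and any blocks will show up in the pflog0 capture the post already uses.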