TiN-MAN
06-25-2008, 08:24 PM
I was wondering if anyone can help me. I have been trying to configure an internet gateway with freebsd. I'm a unix newbie.
The system is up and running. Problem is i want to use PF and NAT to control my internet trough a gateway. But I cannot get it to work. And I have compiled PF support into my current kernel.
sis0 is my external network getting dynamic ip from isp.
rl0 is my internal network running dhcp.
ADSL Router
(10.0.0.1)
|
|
(10.0.0.2)
Freebsd server
(100.0.0.1)
|
-----------------
| |
(100.0.0.30) (100.0.0.31)
PC1 PC2
I want to be able to access telnet (SSH) from both sides of the server (both 10.0.0.2 and 100.0.0.1).
I want LAN computers to be able to access the internet but also services on the server (eg. samba shares).
ifconfig output:
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:1c:c0:49:c2:06
inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:11:6b:94:cc:f8
inet 100.0.0.1 netmask 0xffffff00 broadcast 100.0.0.255
media: Ethernet autoselect (100baseTX <full-duplex>))
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128
My my pathetic attempt at creating a working pf.conf
if_ext = "sis0" # macro for interface facing int
if_int = "rl0" # macro for interface facing loc
localnet = $if_int:network
icmp_types = "{ echoreq, unreach }"
nonroute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
set block-policy return
scrub in all
nat on $if_ext from $localnet to any -> ($if_ext)
antispoof for $if_ext
antispoof for $if_int
block all
pass inet proto tcp from {lo0, $localnet } to any keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass in on $if_ext proto { tcp, udp } from any to any port 3709 #telnet
block drop in quick on $if_ext from $nonroute to any
block drop out quick on $if_ext from any to $nonroute
any ideas where i fail? and how to fix it?
The system is up and running. Problem is i want to use PF and NAT to control my internet trough a gateway. But I cannot get it to work. And I have compiled PF support into my current kernel.
sis0 is my external network getting dynamic ip from isp.
rl0 is my internal network running dhcp.
ADSL Router
(10.0.0.1)
|
|
(10.0.0.2)
Freebsd server
(100.0.0.1)
|
-----------------
| |
(100.0.0.30) (100.0.0.31)
PC1 PC2
I want to be able to access telnet (SSH) from both sides of the server (both 10.0.0.2 and 100.0.0.1).
I want LAN computers to be able to access the internet but also services on the server (eg. samba shares).
ifconfig output:
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:1c:c0:49:c2:06
inet 10.0.0.5 netmask 0xffffff00 broadcast 10.0.0.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:11:6b:94:cc:f8
inet 100.0.0.1 netmask 0xffffff00 broadcast 100.0.0.255
media: Ethernet autoselect (100baseTX <full-duplex>))
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128
My my pathetic attempt at creating a working pf.conf
if_ext = "sis0" # macro for interface facing int
if_int = "rl0" # macro for interface facing loc
localnet = $if_int:network
icmp_types = "{ echoreq, unreach }"
nonroute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
set block-policy return
scrub in all
nat on $if_ext from $localnet to any -> ($if_ext)
antispoof for $if_ext
antispoof for $if_int
block all
pass inet proto tcp from {lo0, $localnet } to any keep state
pass inet proto icmp all icmp-type $icmp_types keep state
pass in on $if_ext proto { tcp, udp } from any to any port 3709 #telnet
block drop in quick on $if_ext from $nonroute to any
block drop out quick on $if_ext from any to $nonroute
any ideas where i fail? and how to fix it?