# Can't get internet through my FreeBSD server 7.1



## atheer (Apr 2, 2009)

Hi Guys,

I really loved the FreeBSD OS for many reasons; that's why I came back to run my new server with FreeBSD v7.1, and I need your help please.

I want to run FreeBSD as a firewall/router for internet sharing + Squid proxy caching (last year I built FreeBSD v6 and it was working fine; now with FreeBSD v7.1 I can't!)

The FreeBSD server can get internet, but the problem is other PCs don't get any internet; only LAN connection is available. PF firewall stopped.

my chart:

DSL = speedtouch router (two IP tables on it: 192.168.20.0/24 and 10.0.0.0/24)

[DSL]--[FreeBSD server/NAT/DHCP]--[switch]--[PCs]


**my ifconfig**

```
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=b<RXCSUM,TXCSUM,VLAN_MTU>
	ether 00:02:b3:b7:0a:10
	inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:07:e9:18:05:92
	inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:08:74:da:bc:eb
	media: Ethernet autoselect
	status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=0<> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000
```

**my rc.conf**

```
gateway_enable="YES"
hostname="deir.atheer.net"
ifconfig_fxp0="inet 10.0.0.254  netmask 255.255.255.0"
ifconfig_em0="inet 192.168.20.1  netmask 255.255.255.0"
keymap="us.iso"
linux_enable="YES"
moused_enable="NO"
moused_type="NO"
sshd_enable="YES"
defultrouter="10.0.0.138"
dhcpd_enable="YES"
dhcpd_ifaces="em0"
webmin_enable="YES"
```
**my dhcp.conf**

```
option domain-name "atheer.net";
option domain-name-servers 192.168.20.1, 213.244.72.31, 212.14.234.36;

default-lease-time 86400;
max-lease-time 86400;
authoritative;
ddns-update-style none;
log-facility local7;

subnet 192.168.20.0 netmask 255.255.255.0 {
  range 192.168.20.11 192.168.20.100;
  option routers 192.168.20.1;
  option subnet-mask 255.255.255.0;
}
```
**my netstat -rn**

```
> netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
10.0.0.0/24        link#1             UC          0        0   fxp0
127.0.0.1          127.0.0.1          UH          0       26    lo0
192.168.20.0/24    link#2             UC          0        0    em0
192.168.20.1       00:07:e9:18:05:92  UHLW        1       32    lo0
192.168.20.100     00:01:02:a1:e9:69  UHLW        1      532    em0   1017

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#7                        UHL         lo0
ff01:7::/32                       fe80::1%lo0                   UC          lo0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0
```
My Regards
atheer


----------



## DutchDaemon (Apr 2, 2009)

Please use CODE tags around system output.

What are you using for NAT?


----------



## DutchDaemon (Apr 2, 2009)

By the way:


```
defultrouter="10.0.0.138"
```

Pretty problematic. You have no default route because of that ...


----------



## SirDice (Apr 2, 2009)

You need to run a PPPoE or PPPoA connection depending on your provider. Or is the speedtouch taking care of the connection + NAT?

I have a similar situation and I configured my DSL speedtouch modem to use SIP spoofing. This will present your _external_ internet IP address to the inside. Then I configured to use dhcp on the internet facing interface on the fbsd box. This was somewhat tricky as the default gateway is outside of the subnet. By clever use of the /etc/dhclient-enter-hooks script I was able to get it to work.


```
dice@maelcum:~>cat /etc/dhclient-enter-hooks

add_new_resolv_conf() {
        # We don't want /etc/resolv.conf changed
        # So this is an empty function
        return 0
}

add_new_routes() {
        route add -net 10.0.0.138 -iface $new_ip_address -cloning
        route add default 10.0.0.138
}
```


----------



## atheer (Apr 2, 2009)

Hi,

Thank you DutchDaemon & SirDice, it's really a very fast reply which I didn't expect!
First, I'm still new to FreeBSD. You asked about my ADSL router: it already takes care of the connection + NAT. Also, what's wrong about defultrouter=10.0.0.138, there is no need for it here?


----------



## SirDice (Apr 2, 2009)

atheer said:

> also what's wrong about defultrouter=10.0.0.138 there is no need for it here ?


It's defaultrouter


----------



## atheer (Apr 2, 2009)

Hi SirDice,

Ok, to be clear I got confused ! do I need to mention the deafultrouter in rc.conf or not ? because DutchDaemon said in his reply" Pretty problematic. You have no default route because of that ... "
if there is a need for defauktrouter what's the right one for my setting ?


----------



## SirDice (Apr 2, 2009)

You don't have a default route because the entry in rc.conf contains a typo. Hence it's never set. And yes, you do need it.
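The two things this exchange turns on are easy to check mechanically: an rc.conf variable whose name is misspelled (rc.conf is sourced by sh(1), so the misspelled variable is simply assigned and never read, with no error message) and a routing table that has no default route. The Python below is an added example, not code from the thread or from FreeBSD. The list of known variable names is a constructed subset (a real linter would read /etc/defaults/rc.conf); the sample rc.conf and the two routing tables are copied, trimmed, from atheer's posts above.

```python
import difflib
import ipaddress
import re

# Constructed subset of rc.conf(5) variable names, enough for this example;
# a real linter would take the full list from /etc/defaults/rc.conf.
KNOWN_RC_VARS = {
    "gateway_enable", "hostname", "keymap", "linux_enable", "moused_enable",
    "moused_type", "sshd_enable", "defaultrouter", "dhcpd_enable",
    "dhcpd_ifaces", "webmin_enable", "pf_enable", "pflog_enable",
}
IFCONFIG_VAR_RE = re.compile(r"^ifconfig_[A-Za-z0-9_]+$")
RC_LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=")


def lint_rc_conf(text):
    """Return [(name, suggestion)] for variables whose name is not a known
    rc.conf variable.  rc.conf is sourced by sh(1), so a misspelled name is
    assigned and never read: no error message, and no default route."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RC_LINE_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        if name in KNOWN_RC_VARS or IFCONFIG_VAR_RE.match(name):
            continue
        close = difflib.get_close_matches(name, KNOWN_RC_VARS, n=1, cutoff=0.8)
        findings.append((name, close[0] if close else None))
    return findings


def parse_ipv4_routes(netstat_output):
    """Parse the 'Internet:' section of `netstat -rn` into
    (destination, gateway, flags, netif) tuples."""
    routes, in_v4 = [], False
    for line in netstat_output.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_v4 or line.startswith("Destination") or not line.strip():
            continue
        parts = line.split()
        if len(parts) >= 6:  # the Expire column may be absent
            routes.append((parts[0], parts[1], parts[2], parts[5]))
    return routes


def check_default_route(netstat_output):
    """Return (ok, message).  ok is True only if a default route exists and
    its gateway lies inside a directly connected (link#N) IPv4 prefix."""
    routes = parse_ipv4_routes(netstat_output)
    default = [r for r in routes if r[0] == "default"]
    if not default:
        return False, "no default route: check defaultrouter in /etc/rc.conf"
    gw = ipaddress.ip_address(default[0][1])
    for dest, gateway, _flags, netif in routes:
        if "/" in dest and gateway.startswith("link#"):
            if gw in ipaddress.ip_network(dest, strict=False):
                return True, "default via %s on %s" % (gw, netif)
    return False, "gateway %s is not on any directly connected subnet" % gw


# Sample input copied from atheer's posts: the rc.conf with the typo and the
# routing table before and after defaultrouter was fixed (trimmed).
RC_CONF_BEFORE = """\
gateway_enable="YES"
hostname="deir.atheer.net"
ifconfig_fxp0="inet 10.0.0.254  netmask 255.255.255.0"
ifconfig_em0="inet 192.168.20.1  netmask 255.255.255.0"
sshd_enable="YES"
defultrouter="10.0.0.138"
dhcpd_enable="YES"
dhcpd_ifaces="em0"
"""

NETSTAT_BEFORE = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
10.0.0.0/24        link#1             UC          0        0   fxp0
127.0.0.1          127.0.0.1          UH          0       26    lo0
192.168.20.0/24    link#2             UC          0        0    em0
"""

NETSTAT_AFTER = NETSTAT_BEFORE.replace(
    "Internet:\n",
    "Internet:\ndefault            10.0.0.138         UGS         0      798   fxp0\n", 1)

if __name__ == "__main__":
    print(lint_rc_conf(RC_CONF_BEFORE), check_default_route(NETSTAT_AFTER))
```

On the first rc.conf the linter reports `defultrouter` with `defaultrouter` as the closest known name, and the first routing table fails with "no default route"; after the fix the check passes with the gateway 10.0.0.138 found on fxp0's connected prefix. The same check passes for mbr661's table further down (192.168.2.1 is on rl0's subnet), which fits DutchDaemon's diagnosis there that the missing piece is a return route on the Linksys, not anything on the FreeBSD box.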


----------



## DutchDaemon (Apr 2, 2009)

You typed about three different versions of it now, so please just paste this into your rc.conf!


```
defaultrouter="10.0.0.138"
```


----------



## atheer (Apr 2, 2009)

Hi,

OK, it's a typo mistake now here is my rc.conf:


```
gateway_enable="YES"
hostname="deir.atheer.net"
ifconfig_fxp0="inet 10.0.0.254  netmask 255.255.255.0"
ifconfig_em0="inet 192.168.20.1  netmask 255.255.255.0"
keymap="us.iso"
linux_enable="YES"
moused_enable="NO"
moused_type="NO"
sshd_enable="YES"
defaultrouter="10.0.0.138"
dhcpd_enable="YES"
dhcpd_ifaces="em0"
```
but still can't access to internet !


----------



## DutchDaemon (Apr 2, 2009)

You can't access the Internet from the server itself, or from the network behind it? 

Did you restart the network or server after adding the defaultrouter setting? What's the output of ifconfig and netstat -rn now? 

Please put system output between CODE tags this time.


----------



## atheer (Apr 3, 2009)

Hi,

First I'd like to thank you so much for your help & patience. It's working now, but only with the PF firewall running; if PF is stopped there is no internet connection.

yes I did restart server after adding defaultrouter and here is system output now:


```
> ifconfig 
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=b<RXCSUM,TXCSUM,VLAN_MTU>
	ether 00:02:b3:b7:0a:10
	inet 10.0.0.254 netmask 0xffffff00 broadcast 10.0.0.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:07:e9:18:05:92
	inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:08:74:da:bc:eb
	media: Ethernet autoselect
	status: no carrier
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128
pflog0: flags=0<> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 

> netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.0.138         UGS         0      798   fxp0
10.0.0.0/24        link#1             UC          0        0   fxp0
10.0.0.138         00:0e:50:89:66:5a  UHLW        2        0   fxp0    894
127.0.0.1          127.0.0.1          UH          0       27    lo0
192.168.20.0/24    link#2             UC          0        0    em0
192.168.20.1       00:07:e9:18:05:92  UHLW        1       40    lo0
192.168.20.100     00:01:02:a1:e9:69  UHLW        1      510    em0    892

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#7                        UHL         lo0
ff01:7::/32                       fe80::1%lo0                   UC          lo0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0
```


----------



## DutchDaemon (Apr 3, 2009)

I'm guessing PF handles the em0 <-> fxp0 NAT then.


----------



## atheer (Apr 3, 2009)

Hi,

here is my pf.conf file, please give me your recommendation why badhosts in /etc/badhosts are not blocked ? 


```
# MACROS
ext_if="fxp0"
int_if="em0"
internal_net="192.168.20.0/24"
external_addr="10.0.0.254"

allowed_icmp_types="echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# TABLES
table <badhosts> persist file "/etc/badhosts"

# OPTIONS
set block-policy return
set skip on lo0

# TRAFFIC NORMALIZATION
scrub in all

# NETWORK ADDRESS TRANSLATION AND REDIRECTS
nat on $ext_if from $internal_net to any -> ($ext_if)

# FILTER RULES
block drop log all
block drop in quick on $ext_if from $priv_nets to any
block quick on $ext_if from <badhosts> to any

pass out quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA modulate state
pass in quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } all keep state

pass in  on $int_if from $internal_net to any
pass out on $int_if from any to $internal_net

#ANTISPOOF
antispoof for $ext_if
antispoof for $int_if
```


----------



## DutchDaemon (Apr 3, 2009)

Is /etc/badhosts in the right format? What does *pfctl -t badhosts -T show* produce? Also add 'log' to that rule and run a tcpdump on pflog0.


----------



## atheer (Apr 3, 2009)

Hi,

this is the output I can make !

```
> pfctl -vnf /etc/pf.conf
no IP address found for localhost
/etc/pf.conf:42: file "/etc/badhosts" contains bad data

> pfctl -t badhosts -T show
pfctl: Table does not exist
```


----------



## DutchDaemon (Apr 3, 2009)

So, what's actually in /etc/badhosts? You need IP addresses or hostnames in there, one per line. IP addresses are preferred, because unresolvable hostnames will cause the table (re)loading to fail. I have no idea where that localhost error message comes from. I'm assuming you wouldn't put localhost in a badhosts table ..


----------



## atheer (Apr 4, 2009)

Hi,

thank you again, here is a beginning part of badhosts file:

```
::1			localhost localhost.atheer.net
127.0.0.1		localhost localhost.atheer.net
192.168.20.1		deir.atheer.net deir
192.168.20.1		deir.atheer.net.


#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1  ad.a8.net
127.0.0.1  asy.a8ww.net
127.0.0.1  www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1  www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
127.0.0.1  abc-search.info
127.0.0.1  abloga.info #[Spamdexing]
127.0.0.1  www.abx4.com #[Adware.ABXToolbar]
127.0.0.1  www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1  phpadsnew.abac.com
127.0.0.1  a.abnad.net
127.0.0.1  b.abnad.net
```


----------



## DutchDaemon (Apr 4, 2009)

Dude, that is your */etc/hosts* file (a part of the base system, telling your system which IP points to what name). It shouldn't be your */etc/badhosts* file. 

A PF table can only contain 1 entry of 1 field per line, like


```
123.123.123.123
234.234.234.234
123.123.0.0/16
234.234.234.0/24
some.awful.host
```

You're advised not to firewall *yourself*, by the way.


----------



## SirDice (Apr 6, 2009)

You don't need to NAT on the freebsd box. As long as you add a static route to the 192.168.20.0/24 network on your speedtouch.


----------



## atheer (Apr 10, 2009)

Hi,

OK, I see that it's the /etc/hosts file, but please, what are the words behind # and what do they mean?
example from hosts file:

```
ads.addynamix.com #[SpySweeper.Spy.Cookie]
abloga.info #[Spamdexing]
www.abx4.com #[Adware.ABXToolbar]
james.adbutler.de #[Tenebril.TrackingCookie]
```

does it mean that this is a bad host ?! what it cause if I block it ?

SirDice, if it matters which is better for doing NAT freeBSD or speedtouch router ?

with my regards


----------



## DutchDaemon (Apr 10, 2009)

Oh, I'm sure they're bad hosts, but how did they end up in /etc/hosts with a 127.0.0.1 entry? Make sure you take those lines out of /etc/hosts.


----------



## atheer (Apr 10, 2009)

Hi,

This is the file I have in the /etc/ directory; its size is 601KB. I don't know, maybe I did it by mistake, so what about the original one, where can it be?

Attached are some parts of my /etc/hosts file; please take a look, I think it's got missed data, some good hosts & also bad hosts!!


----------



## DutchDaemon (Apr 10, 2009)

Ok, the practice of putting bad/untrusted/malware websites in /etc/hosts with a 127.0.0.1 entry is a bit of an old-fashioned way of making it impossible to connect to those hosts (because entries in /etc/hosts usually precede DNS-lookups, and thus 'win'). The fact that these sites were "added by WinHelp2002" show how old they probably are.

You could try putting these bad websites in /etc/badhosts (one per line) and feeding it as a table to pf, but there's a real danger to that: if one of those sites does not resolve, PF will refuse to load the entire table, defeating its purpose.

My advice would be to take them all out of /etc/hosts, which should contain no more than:


```
::1			localhost localhost.my.domain
127.0.0.1		localhost localhost.my.domain
```

in most basic set-ups. 

Using AdBlockPlus and NoScript in Firefox is probably a much saner and more workable idea.
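Two steps in this thread are easy to get wrong by hand: turning the WinHelp2002-style /etc/hosts entries into a table file that holds exactly one address, network or hostname per line (the format DutchDaemon described in his earlier reply), and checking such a file before pfctl loads it, including the point made just above that a single hostname which does not resolve makes PF refuse the whole table. The Python below is an added example covering both replies; it is not code from the thread or from FreeBSD. The sample hosts text is copied from atheer's post, the set of the machine's own names is constructed for the example, and the assumption that the table loader ignores blank lines and lines starting with `#` is mine (the converter writes neither, so nothing depends on it). The resolver check at the end needs DNS and is therefore not run on the offline sample.

```python
import ipaddress
import re
import socket

# Hostname as pf.conf(5) accepts in a table: dot-separated labels of letters,
# digits and hyphens, optionally ending in a dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")

# Names the gateway uses for itself (constructed for this example); they are
# dropped so the table never ends up firewalling the box itself.
OWN_NAMES = {"localhost", "localhost.atheer.net", "deir", "deir.atheer.net"}


def hosts_to_table_entries(hosts_text, own_names=OWN_NAMES):
    """Pull blocklist hostnames out of /etc/hosts-style text.  Only lines that
    sink a name to a loopback address (127.0.0.1 or ::1) count as blocklist
    entries; real host mappings and the box's own names are left out."""
    entries = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if not addr.is_loopback:
            continue
        for name in fields[1:]:
            if name.rstrip(".") not in own_names and name not in entries:
                entries.append(name)
    return entries


def classify_table_entry(entry):
    """'address', 'network', 'hostname' or 'invalid' for one table field."""
    try:
        ipaddress.ip_address(entry)
        return "address"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(entry, strict=False)
        return "network"
    except ValueError:
        pass
    return "hostname" if HOSTNAME_RE.match(entry) else "invalid"


def validate_table_file(text):
    """Return [(lineno, line, reason)] for lines that cannot be a table entry:
    more than one field, or a field that is not an address, network or
    hostname.  Blank lines and lines starting with '#' are skipped (an
    assumption about the loader; the converter above writes neither)."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 1:
            problems.append((lineno, raw, "more than one field on the line"))
        elif classify_table_entry(fields[0]) == "invalid":
            problems.append((lineno, raw, "not an address, network or hostname"))
    return problems


def unresolvable_hostnames(entries):
    """Hostnames that do not resolve right now.  pfctl refuses to load a table
    containing any of them, so one dead name empties the whole blocklist.
    Needs DNS, so the offline sample below does not exercise it."""
    dead = []
    for entry in entries:
        if classify_table_entry(entry) == "hostname":
            try:
                socket.getaddrinfo(entry, None)
            except socket.gaierror:
                dead.append(entry)
    return dead


# Sample copied from atheer's post: the start of the file he had as /etc/badhosts.
SAMPLE_HOSTS = """\
::1\t\t\tlocalhost localhost.atheer.net
127.0.0.1\t\tlocalhost localhost.atheer.net
192.168.20.1\t\tdeir.atheer.net deir
192.168.20.1\t\tdeir.atheer.net.

#start of lines added by WinHelp2002
# [Misc A - Z]
127.0.0.1  ad.a8.net
127.0.0.1  asy.a8ww.net
127.0.0.1  www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1  www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
127.0.0.1  abc-search.info
127.0.0.1  abloga.info #[Spamdexing]
"""
```

Run as a table file, the hosts sample fails on every non-comment line (two or more fields per line), which is the "contains bad data" error from earlier in the thread; the converted output validates cleanly, and only the six sinkholed names survive, never `localhost` or `deir.atheer.net`. Writing those entries to /etc/badhosts and running `pfctl -t badhosts -T show` afterwards, as suggested above, confirms what PF actually loaded; `unresolvable_hostnames` run beforehand tells you which single dead name would otherwise have blocked the load.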


----------



## atheer (Apr 11, 2009)

Hi,

Thank you so much our moderator, I'll go with your advice.

my regards


----------



## mbr661 (Apr 30, 2009)

I have a similar problem getting the internet through my FreeBSD server and into my network.  My setup is as follows starting from the internet on top and ending with the network at the bottom.  I hope this is clear.

```
Internet
    |
2Wire DSL modem in DMZ mode so it lets public IP pass unchanged, unfw'd
    |
      Ext_if=69.208.86.101
Linksys Router
      Int_if=192.168.2.1
    |
      Ext_if=192.168.2.100
FBSD Gateway
      Int_if=192.168.75.150
    |
Network 192.168.75.
```

The problems I'm having are:
1) No internet access from the network 192.168.75. The gateway has access to the internet

2) I cannot ping linksys router (Int_if or Ext_if) from the network, even though I can ping both interfaces on the gateway.  From linksys router I can also ping both interfaces on the gateway, but nothing on the network 192.168.75.

PF firewall is running on the gateway, but with pf.conf all commented out to get the firewall out of the way.

My rc.conf is as follows:

```
pf_enable="YES"
pflog_enable="YES"

gateway_enable="YES"

# -- sysinstall generated deltas -- # Tue Apr 28 12:35:45 2009
ifconfig_rl0="inet 192.168.2.100  netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.75.150  netmask 255.255.255.0"
defaultrouter="192.168.2.1"
hostname="linux.beltrandelrio.net"
```

And my netstat -rn is as follows:


```
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.2.1        UGS         0     2345    rl0
127.0.0.1          127.0.0.1          UH          0        4    lo0
192.168.2.0/24     link#1             UC          0        0    rl0
192.168.2.101      00:03:25:22:7c:44  UHLW        1       38    rl0   1030
192.168.2.102      00:1c:bf:05:3a:2c  UHLW        1        6    rl0   1017
192.168.75.0/24    link#4             UC          0        0    rl1
192.168.75.101     00:19:d1:22:95:e6  UHLW        1       20    rl1   1077
192.168.75.102     00:03:ff:29:f8:49  UHLW        1        0    rl1   1150
192.168.75.122     00:03:25:4e:21:1c  UHLW        1        0    rl1    280
192.168.75.124     00:19:d1:0b:e9:7c  UHLW        1        1    rl1    771
192.168.75.255     ff:ff:ff:ff:ff:ff  UHLWb       1      172    rl1

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UHL         lo0
fe80::%lo0/64                     fe80::1%lo0                   U           lo0
fe80::1%lo0                       link#7                        UHL         lo0
ff01:7::/32                       fe80::1%lo0                   UC          lo0
ff02::%lo0/32                     fe80::1%lo0                   UC          lo0
```

I hope someone can point me in the right direction.


----------



## DutchDaemon (May 1, 2009)

Did you just name your FreeBSD server "linux"? This is a surefire case of code revenge, I think.


----------



## mbr661 (May 1, 2009)

That's how new I am to FreeBSD, until a few weeks ago.  I thought FBSD was another linux variety....BUT I know better now.  And I love this product by the way, it works great every time, unlike linux.


----------



## DutchDaemon (May 1, 2009)

Try setting a static route from the LinkSys to the 192.168.75 network. It has no information on where to find that network.


----------

