# gateway & router: unable to access to the Web



## kikicekela (Apr 23, 2012)

Hello

Freebsd FreeBSD newbie, *I* installed a gateway/router between two networks:

LAN: 192.168.1.0/24

WAN: 62.161.172.32/28

freebsd FreeBSD gateway IPs are:

LAN: 192.168.1.21
WAN: 62.161.172.39
ISP gateway so as to go to the net is: 62.161.172.46

*E*verything is fine on the freebsd FreeBSD gateway, ping to both networks works fine. But from the LAN it is impossible to go to the Internet. A ping to the ISP router doesn't reply and it is  impossible to surf from a LAN station. I also deactivated all the firewalls without success.

Does it miss a route?

/etc/rc.conf:


```
defaultrouter="62.161.172.46"
gateway_enable="YES"
hostname="cdm.mife.belfort"
ifconfig_bge0="inet 192.168.1.21  netmask 255.255.255.0"
ifconfig_vr0="inet 62.161.172.39  netmask 255.255.255.240"
keymap="fr.iso.acc"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
```

*netstat -nr*:


```
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            62.161.172.46      UGS         0      342    vr0
62.161.172.32/28   link#6             U           0       10    vr0
62.161.172.39      link#6             UHS         0        0    lo0
127.0.0.1          link#8             UH          0        0    lo0
192.168.1.0/24     link#5             U           0       14   bge0
192.168.1.21       link#5             UHS         0        0    lo0
```
*T*hanks in advance,

yves


----------



## SirDice (Apr 23, 2012)

You need to configure NAT. Post your /etc/pf.conf.


----------



## kikicekela (Apr 23, 2012)

*H*ello,

*H*ere is my /etc/pf.conf:


```
ext_if="vr0"	# replace with actual external interface name i.e., dc0
int_if="bge0"	# replace with actual internal interface name i.e., dc1
ext_ad="62.161.172.39"
int_ad="192.168.1.21"
mife_ad="192.168.1.0/24"

#Normalize packets
scrub in all
scrub out all

block in log on $ext_if all
block out log on $ext_if all
pass in on $int_if all
pass out on $int_if all

pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if  port > 1023 \
        to any port www flags S/SA modulate state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if  port > 1023 \
        to any port 8080 flags S/SA modulate state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if to any \
        port 443 \
        keep state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_ad to any port smtp \
        flags S/SA keep state
pass out quick on $ext_if \
	inet proto {tcp,udp} \
	from $ext_ad to any port ntp keep state
pass in quick on $ext_if \
	inet proto tcp \
	from any to $ext_ad port 80 flags S/SA keep state
```

So how can add a NAT rule in pf.conf?

Best regards

yves


----------



## SirDice (Apr 23, 2012)

```
nat on $ext_if from any to any -> ($ext_if)
```


----------



## kikicekela (Apr 23, 2012)

*H*ere is my new pf.conf:


```
ext_if="vr0"	# replace with actual external interface name i.e., dc0
int_if="bge0"	# replace with actual internal interface name i.e., dc1
ext_ad="62.161.172.39"
int_ad="192.168.1.21"
mife_ad="192.168.1.0/24"

#Normalize packets
scrub in all
scrub out all

nat on $ext_if from any to any -> ($ext_if)

block in log on $ext_if all
block out log on $ext_if all
pass in on $int_if all
pass out on $int_if all

pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if  port > 1023 \
        to any port www flags S/SA modulate state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if  port > 1023 \
        to any port 8080 flags S/SA modulate state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if to any \
        port 443 \
        keep state
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_ad to any port smtp \
        flags S/SA keep state
pass out quick on $ext_if \
	inet proto {tcp,udp} \
	from $ext_ad to any port ntp keep state
pass in quick on $ext_if \
	inet proto tcp \
	from any to $ext_ad port 80 flags S/SA keep state
```

So how can add a NAT rule in pf.conf?

I tried to ping 62.161.172.46 from several LAN stations but without success and the ping 62.161.172.46 from the freebsd FreeBSD gateway works fine.

yves


----------



## SirDice (Apr 23, 2012)

Looks like there's no traffic being allowed _through_ the firewall, only _from_ the firewall.


----------



## bbzz (Apr 23, 2012)

What SirDice is saying is:

```
pass out quick on $ext_if \
        inet proto tcp \
        from $ext_if  port > 1023 \
        to any port www flags S/SA modulate state
```
should most likely be

```
pass out quick on $ext_if \
        inet proto tcp \
        from [B]any[/B] port > 1023 \
        to any port www flags S/SA modulate state
```
as otherwise only connections initiated from firewall itself are permited.

Also, better NAT rule is:

```
nat on $ext_if from ! ($ext_if) to any -> ($ext_if:0)
```

As otherwise ports from firewall itself are translated, which is unnecessary.


----------



## kpa (Apr 23, 2012)

Leave the flags out of your rules, pf(4) defaults to S/SA. What are you trying to accomplish with modulate state?


----------



## bbzz (Apr 23, 2012)

kpa said:
			
		

> Leave the flags out of your rules, pf(4) defaults to S/SA. What are you trying to accomplish with modulate state?



There's no harm in 'modulate state', as it adds stronger ISN when doing 3-way TCP handshake. I'm not aware it does anything more than that.

Keep in mind two rules:

1. Traffic passed on one direction is automatically passed in other direction on same interface, unless coded not to.
2. Firewall inspects packets with rules on EACH individual interface.


----------



## kikicekela (Apr 23, 2012)

Changes applied but it still doesn't work. *C*ould you indicate to me what I have to write in the pf.conf so as to get a working freebsd FreeBSD gateway with my both networks?

I am ready to reinstall the gateway so I just ask for a minimal configuration so as to go to internet from my LAN. I give you again my configuration:

Internet <---> ISP router 62.161.172.46 <---> 62.161.172.39 freeBsd gateway 192.168.1.21 <--> LAN (192.168.1.0/24)

*T*hanks in advance,

yves


----------



## DutchDaemon (Apr 23, 2012)

kikicekela, read your PMs and act on them, thanks.


----------



## bbzz (Apr 23, 2012)

```
ext_if="vr0"
int_if="bge0"

scrub on $ext_if all random-id max-mss 1452 reassemble tcp fragment reassemble

nat on $ext_if from ! ($ext_if) to any -> ($ext_if)

block log all
set skip on lo0

antispoof for $ext_if inet

pass     quick on $int_if
pass out quick on $ext_if modulate state
pass in  quick on $ext_if proto tcp to $ext_if port 80 modulate state
```


----------



## kikicekela (Apr 24, 2012)

Hello,

Thanks a lot, it works fine now! I would like also to block: all incoming traffic, FTP and HTTP downloads from LAN. Basically, here are my needs: to create a private LAN which can only surf to the web and to close the non-required ports. As a second step, I will install the Squid and DansGuardian modules. How can I do that?

*B*est regards,

yves


----------



## bbzz (Apr 24, 2012)

I don't think people like to provide a complete solution to a problem without initial party actually trying it for themselves first. There's enough info to get you going, and people will help when you get stuck.

In any case, you say you want to block all incoming traffic from LAN, which is vague. If you want to let initial web traffic from LAN, change pass in rule for internal interface to allow access to ports 80,443, and others you need, and block rest. 

Remember, initial connections require explicit pass in rules, whereas communication on same interface in different direction will be implicitly passed.


----------

