# Moved from SUSE to FreeBSD - Networking woes



## nonsequitur (Mar 20, 2013)

I'm sorry to be asking such a noob question.  I have this setup...


```
FreeBSD 9.1
Client1 (172.17.3.10/24)---> [ 172.17.3.1 (Nic1) ---> 83.141.70.11/26 (Nic2) ]
Client2 (172.17.3.50/24)
```

From client 1 and 2 I can ping the NIC1 and NIC2.  From the FreeBSD box I can ping 83.141.70.1 but I can't ping this address from either client 1 or 2.

My internet access is provided through a fixed wireless antenna that uses a bridge, so basically NIC2 in the FreeBSD box is a public address on the internet.

When I set up my laptop with these details it has a network connection and I'm good.

Am I missing something stupid (let me rephrase that, I'm missing something stupid! :e)


----------



## SirDice (Mar 20, 2013)

nonsequitur said:

> From client 1 and 2 I can ping the Nic1 and Nic2.  From the FreeBSD box I can ping 83.141.70.1 but I can't ping this address from either client 1 or 2.


Contradictio in terminis.

But I'm guessing you didn't enable routing and you haven't set up any NAT.


----------



## nonsequitur (Mar 20, 2013)

In my rc.conf I do have

```
gateway_enable="YES"
defaultroute="83.141.70.1"
```

I'm not using NAT.


----------



## SirDice (Mar 20, 2013)

Please explain again what works and what not. What you wrote before contradicts.


----------



## kpa (Mar 20, 2013)

You must use NAT in that kind of set up, 172.17.* addresses are private addresses and not routable on the internet.


----------



## DutchDaemon (Mar 21, 2013)

Note that it is defaultroute*r*.


----------
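The three answers above amount to a checklist for the gateway: forwarding switched on, a correctly spelled `defaultrouter`, and NAT in front of a private inside subnet. The following checker applies that list to rc.conf text. It is an added example, not something from the thread or from FreeBSD itself: the sample text is the two posted lines with a constructed upstream router address, the set of known variable names is a small assumed subset of rc.conf(5), and treating `natd_enable` or `pf_enable` as evidence of NAT is a deliberate simplification.

```python
"""Checklist for the gateway bits of rc.conf: forwarding, default route, NAT.

Constructed example. The known variable names are a small subset of rc.conf(5);
the sample text is the poster's two lines with a constructed router address.
"""
import difflib
import ipaddress
import re

# Assumed subset of rc.conf(5) variables that matter for a NAT gateway.
KNOWN_KEYS = sorted({
    "defaultrouter", "gateway_enable", "natd_enable", "natd_interface",
    "pf_enable", "firewall_enable", "firewall_script", "firewall_type",
})

# The poster's snippet; the router address is constructed (TEST-NET-3).
SAMPLE = '''
gateway_enable="YES"
defaultroute="203.0.113.1"
'''

# The same snippet with the spelling fixed and natd switched on.
FIXED = '''
gateway_enable="YES"
defaultrouter="203.0.113.1"
natd_enable="YES"
natd_interface="em0"
'''


def parse_rc_conf(text):
    """Return {key: value} for key="value" or key=value lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)=("?)(.*?)\2$', line)
        if m:
            conf[m.group(1)] = m.group(3)
    return conf


def is_yes(conf, key):
    """rc.conf booleans are case-insensitive YES/NO strings."""
    return conf.get(key, "NO").upper() == "YES"


def check_gateway(conf, inside_net):
    """Return a list of findings; an empty list means the gateway bits look consistent."""
    findings = []
    # rc.conf is sourced as shell, so a misspelled variable is simply never read.
    # Flag unknown names and suggest the closest known one (defaultroute vs defaultrouter).
    for key in conf:
        if key not in KNOWN_KEYS:
            near = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.8)
            hint = f" (did you mean {near[0]}?)" if near else ""
            findings.append(f"unknown variable {key}{hint}")
    if not is_yes(conf, "gateway_enable"):
        findings.append("gateway_enable is not YES, so the box will not forward packets")
    if "defaultrouter" not in conf:
        findings.append("defaultrouter is not set, so there is no default route upstream")
    # An RFC1918 inside net is not routable on the internet: it needs NAT.
    # Simplification: natd_enable or pf_enable is taken as evidence of NAT.
    if ipaddress.ip_network(inside_net).is_private and not (
            is_yes(conf, "natd_enable") or is_yes(conf, "pf_enable")):
        findings.append(f"{inside_net} is private but no NAT is enabled")
    return findings


def audit(text, inside_net="172.17.3.0/24"):
    """Parse rc.conf text and run the gateway checks against the given inside subnet."""
    return check_gateway(parse_rc_conf(text), inside_net)
```

Running `audit(SAMPLE)` reports the misspelled variable with the suggestion `defaultrouter`, the missing default route that follows from it, and the absent NAT; `audit(FIXED)` returns an empty list.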



## nonsequitur (Mar 21, 2013)

Thanks all. Got over that hurdle, appreciate the help.

The server I've set up is running IMAPS, Postfix and a web server. It's also providing DHCP and DNS services for the LAN, so I've tried to set up the firewall appropriately.  If I remove my own script, I can access the internet just fine from any of the clients on the LAN.  However, when I use my rules, I lose access to the internet.  I can, however, SSH into the machine from a remote machine on a different network entirely.  I'm new to ipfw, coming from openSUSE.  My config is simple enough...

rc.conf

```
defaultrouter="xx.xx.xx.xx"
gateway_enable="YES"
natd_enable="YES"
natd_interface="em0"      # public-facing NIC
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
```

...

ipfw.rules contains 


```
fwcmd="ipfw add"

# Set these to your outside interface network and netmask and ip.
oif="em0"
onet="xx.xx.xx.0"
omask="255.255.255.192"
oip="xx.xx.xx.31"

# Set these to your inside interface network and netmask and ip.
iif="re0"
inet="172.17.3.0"
imask="255.255.255.0"
iip="172.17.3.1"

# Flush all rules
ipfw -q flush

# Stop spoofing.
${fwcmd} deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} deny all from ${onet}:${omask} to any in via ${iif}

# Setup the NAT
${fwcmd} divert natd all from any to any via ${oif}

# Stop RFC1918 nets on the outside interface.
${fwcmd} deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} deny all from any to 192.168.0.0/16 via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface.
${fwcmd} deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} deny all from any to 240.0.0.0/4 via ${oif}

# Special early rules for protocols handled on the gateway machine,
# so that these packets don't have to go through natd which is slow.
${fwcmd} allow tcp from any to ${oip} 22 in via ${oif}      # ssh
${fwcmd} allow tcp from ${oip} 22 to any out via ${oif}
${fwcmd} allow tcp from any to ${oip} 25 in via ${oif}      # smtp
${fwcmd} allow tcp from ${oip} 25 to any out via ${oif}
${fwcmd} allow tcp from any to ${oip} 53 in via ${oif}      # tcpdns
${fwcmd} allow tcp from ${oip} 53 to any out via ${oif}
${fwcmd} allow tcp from any to ${oip} 80 in via ${oif}      # http
${fwcmd} allow tcp from ${oip} 80 to any out via ${oif}
${fwcmd} allow tcp from any to ${oip} 443 in via ${oif}     # https
${fwcmd} allow tcp from ${oip} 443 to any out via ${oif}
${fwcmd} allow tcp from any to ${oip} 993 in via ${oif}     # imaps
${fwcmd} allow tcp from ${oip} 993 to any out via ${oif}
${fwcmd} allow tcp from any to ${oip} 25565 in via ${oif}   # minecraft

# Stop RFC1918 nets on the outside interface.
${fwcmd} deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} deny all from 192.168.0.0/16 to any via ${oif}

# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
# on the outside interface.
${fwcmd} deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} deny all from 240.0.0.0/4 to any via ${oif}

# Allow anything on the internal net.
${fwcmd} allow all from any to any via ${iif}

# Allow anything outbound from this net.
${fwcmd} allow all from ${onet}:${omask} to any out via ${oif}

# Deny anything outbound from other nets.
${fwcmd} deny log all from any to any out via ${oif}

# Allow TCP through if setup succeeded.
${fwcmd} allow tcp from any to any established
```



Can anyone help me understand what has gone wrong?    I've googled relentlessly and tried numerous configurations, but all to no avail.


----------
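The quickest way to understand a first-match ruleset is to walk sample packets through it. What follows is an added example, not code from the thread or from FreeBSD: a small simulator for the ipfw subset the script uses, loaded with a condensed copy of the posted rules (same rules, same order, repeated blocks trimmed). The elided public prefix xx.xx.xx.0/26 is stood in for by the documentation range 203.0.113.0/26, the remote hosts and ports are constructed, and natd is modelled only as far as needed: LAN sources are rewritten to the public address on the way out, the mapping is undone on the way back in, and the translated packet re-enters at the rule after the divert, which is how ipfw treats a packet returned from natd. Walking a LAN client's web request through it shows both outbound hops allowed and the de-NATed reply dropped by `deny all from any to 172.16.0.0/12 via em0`, because that destination check sits after the divert and by then the destination is the 172.17.3.x client. In the stock /etc/rc.firewall "simple" ruleset the divert rule is placed after the destination checks and before the source checks for exactly this reason. An inbound SSH connection to the gateway's own address is never translated and is allowed, which matches the symptom described above.

```python
"""First-match walk through a condensed copy of the posted ipfw ruleset.

Constructed example: the elided public prefix xx.xx.xx.0/26 is stood in for by
203.0.113.0/26 (documentation space) and the remote hosts are made up.
"""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from string import Template

VARS = {"oif": "em0", "onet": "203.0.113.0", "omask": "255.255.255.192",
        "oip": "203.0.113.31", "iif": "re0", "inet": "172.17.3.0",
        "imask": "255.255.255.0"}

# Same rules in the same order as the posted script, repeated blocks trimmed.
RULES_TEXT = """\
deny all from ${inet}:${imask} to any in via ${oif}
deny all from ${onet}:${omask} to any in via ${iif}
divert natd all from any to any via ${oif}
deny all from any to 10.0.0.0/8 via ${oif}
deny all from any to 172.16.0.0/12 via ${oif}
allow tcp from any to ${oip} 22 in via ${oif}
allow tcp from ${oip} 22 to any out via ${oif}
deny all from 10.0.0.0/8 to any via ${oif}
deny all from 172.16.0.0/12 to any via ${oif}
allow all from any to any via ${iif}
allow all from ${onet}:${omask} to any out via ${oif}
deny log all from any to any out via ${oif}
allow tcp from any to any established
"""

Rule = namedtuple("Rule", "action proto src sport dst dport direction via established")


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str             # "in" or "out", as ipfw sees the packet
    iface: str
    established: bool = False  # ACK or RST set, which is what ipfw's "established" keys on


def parse_addr(tok):
    """'any' -> None; 'a.b.c.d', 'a.b.c.d/n' and the script's 'net:mask' form -> network."""
    if tok == "any":
        return None
    return ipaddress.IPv4Network(tuple(tok.split(":")) if ":" in tok else tok, strict=False)


def parse_rule(line):
    """Parse the subset used by the script: action proto from A [port] to B [port] opts."""
    # "from"/"to" are fixed keywords; "log" and "natd" modify the action, not the match.
    t = [w for w in line.split() if w not in ("from", "to", "log", "natd")]
    action, proto = t.pop(0), t.pop(0)
    src = parse_addr(t.pop(0))
    sport = int(t.pop(0)) if t and t[0].isdigit() else None
    dst = parse_addr(t.pop(0))
    dport = int(t.pop(0)) if t and t[0].isdigit() else None
    direction, via, established = None, None, False
    while t:
        opt = t.pop(0)
        if opt in ("in", "out"):
            direction = opt
        elif opt == "via":
            via = t.pop(0)
        elif opt == "established":
            established = True
        else:
            raise ValueError(f"unsupported option {opt!r}: {line}")
    return Rule(action, proto, src, sport, dst, dport, direction, via, established)


def load_rules():
    return [parse_rule(l) for l in Template(RULES_TEXT).substitute(VARS).splitlines()]


def matches(r, p):
    ip = ipaddress.ip_address
    return (r.proto in ("all", p.proto)
            and (r.src is None or ip(p.src) in r.src)
            and (r.sport is None or r.sport == p.sport)
            and (r.dst is None or ip(p.dst) in r.dst)
            and (r.dport is None or r.dport == p.dport)
            and (r.direction is None or r.direction == p.direction)
            and (r.via is None or r.via == p.iface)
            and (not r.established or p.established))


def natd(p, table):
    """Minimal natd model: LAN sources become oip on the way out and the mapping is
    undone on the way back in. Assumes natd keeps the original source port."""
    inside = ipaddress.IPv4Network((VARS["inet"], VARS["imask"]))
    if p.direction == "out" and ipaddress.ip_address(p.src) in inside:
        table[(p.proto, p.dst, p.dport, p.sport)] = p.src
        p.src = VARS["oip"]
    elif p.direction == "in" and p.dst == VARS["oip"]:
        p.dst = table.get((p.proto, p.src, p.sport, p.dport), p.dst)


def walk(rules, p, table):
    """Return (verdict, rule index). Index -1 is ipfw's default policy: deny, unless
    the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for i, r in enumerate(rules):
        if not matches(r, p):
            continue
        if r.action == "divert":
            natd(p, table)         # translated packet re-enters at the next rule
            continue
        return r.action, i
    return "deny", -1


def trace_lan_web_request():
    """Three hops of one flow: LAN client to a remote web server, and the reply."""
    rules, table = load_rules(), {}
    hops = [Packet("tcp", "172.17.3.10", 40000, "198.51.100.5", 80, "in", "re0"),
            Packet("tcp", "172.17.3.10", 40000, "198.51.100.5", 80, "out", "em0"),
            Packet("tcp", "198.51.100.5", 80, VARS["oip"], 40000, "in", "em0", True)]
    return [walk(rules, p, table) for p in hops]


def trace_remote_ssh():
    """A remote host opens TCP/22 to the gateway's own public address (never translated)."""
    syn = Packet("tcp", "198.51.100.7", 55000, VARS["oip"], 22, "in", "em0")
    return walk(load_rules(), syn, {})
```

`trace_lan_web_request()` returns the verdict and zero-based rule index for each hop: the packet entering on re0 hits `allow all from any to any via re0`, the translated packet leaving on em0 hits `allow all from 203.0.113.0:255.255.255.192 to any out via em0`, and the reply, already rewritten to 172.17.3.10 by the divert, hits `deny all from any to 172.16.0.0/12 via em0`. `trace_remote_ssh()` stops at the `allow tcp from any to 203.0.113.31 22 in via em0` rule. Any packet that reaches the end of the list falls to ipfw's default policy.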



## nonsequitur (Mar 21, 2013)

Ooops, my bad, I saw that there's a separate place for firewall questions. Sorry about the noise!


----------



## nonsequitur (Mar 21, 2013)

Dumb question again (I'm on a run here!).  Can I move this post to another list?


----------



## wblock@ (Mar 22, 2013)

Best to start a new thread in Firewalls.  Use a descriptive subject line to get the attention of people who know about the subject.


----------

