# Turn your BSD into a router



## TomHsiung (Aug 17, 2018)

Hello, guys

I plan to buy the motherboard Gigabyte H370N WiFi as my server's component. It has three network cards, one wireless and two ethernet. This feature makes me wonder whether I could connect my server directly to the WAN and my LAN via the second ethernet card.

Both ethernet cards are 10/100/1000 Mbps. So it looks like I might need to turn the server into a router. Is there any software that could achieve this goal?


----------



## ShelLuser (Aug 17, 2018)

Adding gateway_enable="YES" in /etc/rc.conf or perhaps `# sysctl net.inet.ip.forwarding=1`. That's about all you need. Apart from a solid routing table, of course.


----------



## alexseitsinger (Aug 17, 2018)

FreeBSD makes a great router. That's what I use. You can set up a network firewall easily with PF.


----------



## diizzy (Aug 17, 2018)

https://home.nuug.no/~peter/pf/en/
https://forums.freebsd.org/threads/generic-nat-firewall-pf-config-template.60144
That should give you an idea


----------



## kpa (Aug 17, 2018)

Get an external AP for wireless, that's the general trend anyway if you want good quality wireless nowadays. Consumer level wireless NICs are fine for wireless clients but are 2nd rate solutions as access points.


----------



## Eric A. Borisch (Aug 18, 2018)

kpa said:


> Get an external AP for wireless, that's the general trend anyway if you want good quality wireless nowadays. Consumer level wireless NICs are fine for wireless clients but are 2nd rate solutions as access points.



This. I fought for a long time (and did finally get it working!) with my FreeBSD router to provide a working AP using a wireless NIC, but I just couldn't get it to be as fast or as stable as using a dedicated AP, not to mention much less of a headache to set up.


----------



## diizzy (Aug 18, 2018)

Instead of getting APs which can be quite expensive, you can turn quite cheap routers into real APs by using OpenWrt even with 11ac support


----------



## TomHsiung (Aug 18, 2018)

Phishfry said:


> Hi Tom,
> I looked at this:
> https://www.gigabyte.com/Motherboard/H370N-WIFI-rev-10#kf
> This is what is worrying:
> ...


This motherboard has three network cards, one WiFi and two Ethernets.


----------



## TomHsiung (Aug 18, 2018)

Phishfry said:


> Most people would want to add a dhcp server as well. This hands out IP's to your clients.
> That is where you have to make a choice. Two solid ones:


Actually, to be a router, the server is directly exposed to the WAN (via one ethernet), and the server forwards packets to the LAN (via another ethernet). I have a TP-Link router (473GP), so I would like to use this router to connect two subnet LANs.

For instance, I would like to assign 172.30.1.1/24 to the server (LAN), and I would assign 172.30.2.x/24 to my other hosts. So I set the TP-link 473GP as the bridge for two 172.30.x.0 LANs.

Tom


----------



## `Orum (Aug 18, 2018)

The ideal way to do this, IMHO, is to just use a managed switch and VLANs.  It may be overkill for your situation, but it's very flexible as you only need a single interface for any number of VLANs (well, up to the 4096 limit of 802.1Q).  Even older switches these days will often feature some form of PoE for an AP, but if you really want to you can run it off the wireless on the machine itself.

Since you're routing between private address space and public, you'll need something to handle NAPT.  Personally I recommend pf(4).


----------



## TomHsiung (Aug 18, 2018)

`Orum said:


> you'll need something to handle NAPT


By NAPT, did you mean the port forwarding / virtual server function? My 473GP has the port forwarding / virtual server function. If so, how do I make the port forwarding work on my server (set up as a router)? pf(4)?


----------



## `Orum (Aug 18, 2018)

Though this explanation is a bit oversimplified and narrow, NAPT allows you to take your private network addresses and translate them to your public IP(s).  It is used for outgoing connections and changes the source IP address, e.g. say any machine at 172.30.1.0/24 wants to connect to a public IP, say 8.8.8.8.  Your router has to translate this private address, using NAPT, done with 'nat' rules if using pf.

Port forwarding is for when you want the reverse, e.g. say you want people on the internet to reach your web server hosted on your server at 172.30.1.1.  In pf these are 'rdr' (redirection) rules and they change the destination address, not the source.  If your router just receives an incoming connection on port 80, without a redirection rule, it will assume it's intended for itself, as it holds that IP address.  With a redirection rule, that tells the router to first translate the destination to the private IP of your server and then evaluate the packet, so it goes to the right place.


----------



## TomHsiung (Aug 18, 2018)

I have only one public IP address, so NAT is not applicable. I have to use NAPT.

If my hosts behind my router have private IP addresses, without NAT or NAPT, they could not communicate with other computers on the Internet (however, these hosts of mine could communicate with each other).

If my hosts were divided into two subnets, and if they were both assigned private IP addresses and connected by a router, they cannot communicate with each other (because of private IP addresses?)?

There are five levels of network communicating:

Application layer: to produce data
Transport layer: to pack your data with TCP or UDP headers (ports, data check, etc)
Internetwork layer: to add IP address headers
Network access layer: to add MAC address headers
Physical layer: the copper wire to transfer electronic frame

So NAPT needs at least all layers up to and including the transport layer, because the ports in the TCP/UDP header have to be modified.


----------



## TomHsiung (Aug 18, 2018)

I guess,

For hosting a server, NAT is feasible. Only the IP address is modified at the router. For example, the web server (192.168.1.30) sends a packet to the WAN, and the default port is 443 (https). When the packet reaches the router, the IP address in the Internetwork layer header is changed to a public IP address, but the port remains 80.

However, when NAPT is the communication method, the port number is to be changed, which causes the issue, because NAPT uses ports from 1024 to 65535. The client could not access the web server, as by default browsers (application layer) receive web server packets from a fixed port (443 or 80).


----------



## `Orum (Aug 18, 2018)

TomHsiung said:


> I have only one public IP address, so NAT is not applicable. I have to use NAPT.


NAPT is just one type of NAT.



TomHsiung said:


> If my hosts behind my router has private IP addresses, without NAT or NAPT, the could not communicate with other computers on Internet (however, these hosts of mine could communicate with each other).


Yes, as long as you have your router routing between your networks (and no NAT) that is accurate.



TomHsiung said:


> If my hosts were divided into two subnets, and if they were both assigned private IP addresses and connected by a router, the cannot communicate with each other (because of private IP address?)?


No, your router will route between these subnets as long as it's configured to do so (i.e. assuming you have the correct routes in the routing table and are not blocking traffic).



TomHsiung said:


> There are five levels of network communicating:


The most common model you'll hear people talk about today is the OSI model which has 7 layers.  IIRC there were older models with fewer layers but I never hear people use them nowadays.



TomHsiung said:


> So at least NAPT needs all below (and include) transport layer, because the ports in the TCP/UDP header have to be modified.


NAPT functions at layers 3 and 4 of the OSI model, data below these levels (or above) isn't used for it to function.



TomHsiung said:


> For hosting a server, NAT is feasible. Only IP address is modified at the router. For example, the web server (192.168.1.30) send a packet to WAN, and the default port is 443 (https). When the packet reaches the router, the IP address in the Internetwork layer header is changed to a public IP address, but the port remains 80.


Remember, there are two ports in each layer 4 header for the well-known protocols (TCP/UDP), the source port and the destination port.  NAPT changes the _source_ port for outgoing connections, and servers don't really care about what that port is.  In fact there are 5 pieces of information sockets are typically identified by: Source/Destination IP/Port, and the protocol.

Anyway, this discussion is getting quite academic at this point so I'm not sure it still belongs here.  But, one way or another you can do what you want, the only question is how you should configure things and what hardware you will need to accomplish that.  Start with a topology diagram, and work from there.  The FreeBSD handbook is an invaluable tool for when you go to implement it.  If you get a specific issue with configuration, then we can help here as long as you provide us with the details of the problem and your current configuration.
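To make the nat/rdr distinction above concrete, here is an added Python model of the state a NAPT router keeps (not code from the thread or from pf itself); the pf rules quoted in its docstring, the public IP and the sample hosts are assumptions.

```python
"""Model of pf 'nat' (source rewrite) and 'rdr' (destination rewrite).
Added example, not from the thread; it mimics in simplified form:
    nat on $ext_if from 172.30.1.0/24 to any -> ($ext_if)
    rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 172.30.1.1 port 80
PUBLIC_IP and the sample hosts are constructed values."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"  # assumed WAN address (documentation range)
LAN_PREFIX = "172.30.1."    # the thread's LAN, crude /24 match

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NaptRouter:
    def __init__(self, rdr_rules=None):
        self.rdr = rdr_rules or {}  # (proto, public port) -> (private ip, port)
        self.nat = {}               # same shape, but learned from outbound flows
        self.next_port = 49152      # start of the ephemeral port range

    def outbound(self, p):  # LAN -> WAN ('nat'): rewrite SOURCE, remember mapping
        if not p.src_ip.startswith(LAN_PREFIX):
            return p
        for (proto, pub_port), priv in self.nat.items():
            if proto == p.proto and priv == (p.src_ip, p.src_port):
                return replace(p, src_ip=PUBLIC_IP, src_port=pub_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.nat[(p.proto, pub_port)] = (p.src_ip, p.src_port)
        return replace(p, src_ip=PUBLIC_IP, src_port=pub_port)

    def inbound(self, p):  # WAN -> router: rewrite DESTINATION, or leave alone
        if p.dst_ip != PUBLIC_IP:
            return p
        key = (p.proto, p.dst_port)
        if key in self.nat:   # reply to a flow the LAN opened: undo the nat
            ip, port = self.nat[key]
            return replace(p, dst_ip=ip, dst_port=port)
        if key in self.rdr:   # 'rdr': a server published behind the router
            ip, port = self.rdr[key]
            return replace(p, dst_ip=ip, dst_port=port)
        return p              # otherwise the packet is for the router itself

def demo():
    r = NaptRouter(rdr_rules={("tcp", 80): ("172.30.1.1", 80)})
    out = r.outbound(Packet("udp", "172.30.1.50", 40000, "8.8.8.8", 53))
    back = r.inbound(Packet("udp", "8.8.8.8", 53, PUBLIC_IP, out.src_port))
    # Internet client hits port 80: rdr delivers it to the web server with the
    # destination port still 80, so the server sees an ordinary request.
    web = r.inbound(Packet("tcp", "198.51.100.7", 51515, PUBLIC_IP, 80))
    return out, back, web
```

The model only rewrites addresses; a real pf setup still needs `pass` rules to let the redirected traffic through.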


----------



## TomHsiung (Aug 18, 2018)

Actually, I want to build a custom Mac server. It was the characteristics of the motherboard that made me think I could set up the server as a router (because the motherboard has two 10/100/1000 Mbps wired ethernet cards). The advantage is obvious: the server will be directly connected to the wide area network (Internet), and guests could access the services provided (by Apache, etc.).

However, as I dig deeper, there are lots of issues to be fixed. Apple is about to release Mojave this fall, and macOS shares some parts with FreeBSD. Little information about Unix in macOS is available publicly.

And the server is directly exposed to the public wide area network, so I could access it via SSH. I have set up dynamic IP (the IP is updated every 10 minutes), with a registered domain. So I could connect to my server via SSH from anywhere. However, I need to access other hosts behind the server (router). In addition, I plan to add another router behind the server (first router), which makes things complex.

If the hosts within the LAN want to access Internet, NAPT must be turned on at the server.


----------



## kpa (Aug 18, 2018)

This is what I have for my router/firewall/file server/build server/mutant hybrid:

http://www.asrock.com/mb/Intel/J3355B-ITX/

It's still kinda overkill and I'm trying to figure more use for the spare CPU power.


----------



## Maelstorm (Aug 18, 2018)

I use an old computer as my router.   As for hardware, it has 3 Ethernet ports and one WiFi card, 40GB harddisk, and 256MB Ram.  It seems to work just fine.  As for the services that it runs...  NAT, DNS, DHCP, SSH, and the firewall is IPFW.  I'm using ISC's Bind for the DNS server.


----------



## Maelstorm (Aug 18, 2018)

Phishfry said:


> Atheros is our best wireless chipset in my opinion...



I'm not too sure about that.  I've been using a Ralink Tech RT5392 chipset PCI WiFi card and it has been working flawlessly.  This is the one that I bought:

https://www.amazon.com/gp/product/B006THNHE4/ref=oh_aui_detailpage_o04_s00?ie=UTF8&psc=1

And it's cheap too.


----------



## Phishfry (Aug 18, 2018)

What kind of throughput do you see? The manual page for run(4) shows a caveat of 802.11b only. Is that still true?
Does ifconfig show 802.11n? Host or Client mode?
These cards all use the same firmware and I assumed they were all 802.11b.


----------



## Maelstorm (Aug 19, 2018)

My internal LAN is 100mb, but the WAN connection is something like 24-28mb.  So I see at least what the WAN is.  Oh, the WiFi card is the uplink interface for my LAN segment which ties into the U-Verse Gateway.


----------



## Phishfry (Aug 19, 2018)

Is `ifconfig wlan0` showing N mode?


> MCS mode 11na


----------



## Maelstorm (Aug 19, 2018)

Nah, it's currently 11g.  But what's the point of going faster if you don't need it?  My internal LAN is 100 megabit, but the WAN is 24-28 megabit.  So 54Mbps works fine.  It's like having Comcast's Turbo Max internet at 200Mbps.  The numbers are impressive, but my routers and switches will not do > 100Mbps.  I would have to buy all new hardware.


----------



## TomHsiung (Aug 19, 2018)

Last night I thought about the function of router of my server, and I summarize them below.

1. The server must support the packet forwarding function, which is the basic function of a router: to move a packet from ethernet 1 to 2, or vice versa. Interestingly, the ethernet connected to the public network would be a host of the wide area network, and the ethernet connected to my private network would be the gateway of my private network.

2. The server must provide the PAT function. Besides this server, I have other hosts and I assigned private IP addresses to them. So to let them be able to access the Internet, PAT is the first choice (because I have only a dynamic public IP address). Consequently, the PAT function must be enabled on the server.

3. I need to access any of my hosts in the private network (behind the server) via SSH, Apple Remote Desktop, etc. So these hosts in the private network would behave like an SSH server, and so on. Although PAT allows hosts in the private network to exchange data with the wide area network, as SSH server, web server, PAT is not able to make them accessible from the wide area network. This is due to the fact that PAT would change the port. For instance, the web service port 80 would be changed to a random port number between 1024 and 65535. As a web server, this is not acceptable. The same issue exists for an SSH server (port 22). To fix this issue, I think I need the port forwarding function. So the third function that must be enabled on the router / server is port forwarding.
(*Still investigating, and it seems like the PF function of BSD could do something for this*)

Below is my network topology:

WAN > (ethernet 1) Server / Router (ethernet 2) > switch (to connect some hosts) [subnet 1] > router 2 (to split the private network into 2 subnets) > other hosts [subnet 2].

4. The DHCP function on the server is recommended to be turned on. I am about to connect two APs to subnet 1, and these APs are for wireless devices, like smart phones, iPads, Androids, MacBook Pro, etc. So assigning IP addresses by DHCP is recommended. For hosts connected to subnet 2, I plan to use static IPs, and these hosts are wire-connected hosts like iMac, Win, Linux, printer, etc.
(*This issue has been figured out*)

5. My ISP assigns me a public IP address via PPPoE. So another feature that must be enabled on the server is that the server is able to dial PPPoE automatically. Occasionally, I need to reboot or turn off my server / router, and if I had to dial PPPoE manually, things would get complicated. For instance, if I am not at home (the server / router is at home), and away from my home thousands of miles, once I reboot the server / router, the connection breaks and I am about to lose access to the server / router. The whole private network will go down if this happens.
(*This issue has been figured out*)

6. The server has to update the dynamic IP with my registered domain periodically. The reason for this is that my public IP address changes over time (several hours to a week, maybe). If I want to access my server from the WAN via domain, I need to match the public IP and the domain. The domain is fixed, but the IP is changing. So I have to update the info (IP and domain matching) in my name server (the name server is provided by http://freedns.afraid.org/).
(*Still investigating, and it seems like that a cron job script would resolve this issue*)

PS: The freedns.afraid.org site is hosted by FreeBSD, and the DNS service provided by it also is via FreeBSD.

I would update this post if I get new ideas.


----------



## rigoletto@ (Aug 19, 2018)

I don't want to be the party pooper, but since you are already getting some overkill hardware why not use OPNsense ( or set a similar setup by yourself ) and get some more security features? I mean, make it a UTM instead.


----------



## TomHsiung (Aug 20, 2018)

Luckily, it seems that automatic PPPoE dialing is supported by the OS.


----------



## Phishfry (Aug 20, 2018)

Tom, check out net/mpd5 for our PPPoE daemon.


----------



## Maelstorm (Aug 20, 2018)

TomHsiung said:


> Luckily, it seems that automatic PPPoE dialing is supported by the OS.



I know for a fact that the ppp(8) in the base system does in fact work.  When I had ADSL, that's what the service provider used to authenticate users.  We were also given a free dialup account to use in case the DSL line went down.  I had my firewall set to ping a random internet site from a list every few minutes to see if the ping passed or failed.  If it failed, it would automatically go to the dialup.  When the DSL came back up, I hooked into a ppp event with a script to terminate the dialup connection.

I am not sure why they wanted or needed PPPoE authentication because DSL is a hard wired connection which rides on top of land lines.  It's not like they don't know who is paying for the line.

And for those who are interested, ADSL uses Dual Tone Modulation with 256 tone pairs at a frequency spread of 26KHz to 1.2MHz.  I am not sure what VDSL/HDSL uses, but I think it might be similar, but a much higher top end frequency.  Nowadays, AT&T is forcing people off DSL and onto U-Verse for their internet connection.


----------



## TomHsiung (Aug 20, 2018)

Maelstorm said:


> I am not sure why they wanted or needed PPPoE authentication


I have used this ISP service for at least 10 years. So the PPPoE was there ten years ago. And my ISP does not plan to upgrade the network devices within my home area. So the PPPoE is still alive today.


----------



## Phishfry (Aug 20, 2018)

The reason you might want to use MPD5 over native PPP is that PPP is a single-threaded application. So that means you need a fast CPU core. If you have fast PPPoE you might want to look into MPD5. It is a multithreaded application to get around the limitations of PPP.


----------



## mfaridi (Aug 22, 2018)

You can use pfSense too.


----------

