# Share Wireless Connection via Ethernet



## jofu (Oct 21, 2012)

Hi,

I am a little bit lost.
I have the following setup: my FreeBSD machine is connecting to a wireless network over which I am connected to the Internet. Now I want to share this connection via my FreeBSD machine to the ethernet interface, using it as a gateway/NAT. My external network is in the 192.168.1.0/24 range, my internal one is in 10.0.0.0/24. The external one uses DHCP, for my internal one I just want to use static addresses for now to simplify things.

I tried both, pf and ipfw, read several webpages, but I can't get it to work 

This is my /etc/rc.conf:


```
hostname="mini.hell.com"
keymap="german.iso.kbd"
wlans_iwn0="wlan0"
ifconfig_wlan0="WPA DHCP"
#ifconfig_wlan0_ipv6="inet6 accept_rtadv"
ifconfig_re0="inet 10.0.0.1 netmask 255.255.255.0"
#defaultrouter="192.168.1.1"
sshd_enable="YES"
moused_enable="YES"
ntpd_enable="YES"
powerd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.rules"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
#natd_enable="YES"
#natd_interface="iwn0"
#natd_flags=""
```

This is my pf.rules:



```
### Options ###
set limit states 100000

### Macros ###
ext_if = "iwn0"               # External network interface for IPv4
ext_if6 = "iwn0"              # External network interface for IPv6
ext_addr = "192.162.1.112"       # External IPv4 address (i.e., global)
int_if = "re0"               # Internal network interface for IPv4
int_if6 = "re0"              # Internal network interface for IPv6
int_addr = "10.0.0.1"        # Internal IPv4 address (i.e., gateway for private network)
int_network = "10.0.0.0/24"  # Internal IPv4 network

### Tables ###
# Host local address
table <local> const { 127.0.0.1 }
# IPv4 private address ranges
table <private> const { 10/8, 172.16/12, 192.168/16 }
# Special-use IPv4 addresses defined in RFC3330
table <special> const { 0/8, 14/8, 24/8, 39/8, 127/8, 128.0/16, 169.254/16, 192.0.0/24, 192.0.2/24, 192.88.99/24, 198.18/15, 240/4 }

### Scrub: Packet normalization ###
# Scrub for all incoming packets
scrub in all
# Randomize the ID field for all outgoing packets
scrub out all random-id
# If you have MTU problem or something like that
#scrub out all random-id  max-mss 1400

### NAT ###
nat on $ext_if from $int_network to ! <private> -> $ext_addr

### Filters ###
# Permit keep-state packets for UDP and TCP on external interfaces
pass out quick on $ext_if proto udp all keep state
pass out quick on $ext_if6 proto udp all keep state
pass out quick on $ext_if proto tcp all modulate state flags S/SA
pass out quick on $ext_if6 proto tcp all modulate state flags S/SA

# Permit any packets from internal network to this host
pass in quick on $int_if inet from $int_network to $int_addr

# Permit established sessions from internal network to any (incl. the Internet)
pass in quick on $int_if inet from $int_network to any keep state
# If you want to limit the number of sessions per NAT, nodes per NAT (simultaneously), and sessions per source IP
# Please refer to <http://www.openbsd.org/faq/pf/filter.html> for greater detailed information
#pass in quick on $int_if inet from $int_network to any keep state (max 30000, source-track rule, max-src-nodes 100, max-src-states 500 )

# Permit and log all packets from clients in private network through NAT
pass in quick log on $int_if all

# Pass any other packets
pass in all
pass out all
```

Probably there is an easier rules set than this.

I hope someone has an idea, thanks


----------



## bbzz (Oct 21, 2012)

1) It is "cleaner" to tell your wireless router how to find 10.0.0.0 range rather than turn on nat on FreeBSD router (if you can access your wifi router).
2) Your external interface on FreeBSD router sohuld be cloned wlan0 interface, not iwn0. Make sure that is setup first.
3) Remember that you need to specify gateway and set up dns on internal devices since there's no dhcp.
4) Simplified *pf.conf*:


```
exf_if="wlan0"
int_if="re0"

scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

### only need following rule if you can't turn on routing on wireless router
nat on $ext_if from $int_if:network to any -> ($ext_if:0)

set skip on lo0

antispoof quick for { $ext_if $int_if } inet

block log all

pass out quick on $ext_if
pass in  quick on $int_if from $int_if:network
```

You don't need rest of the stuff unless you know what's it doing. This will permit all connections from both internal network and FreeBSD router outside, but let in only established connections.
I haven't actually loaded rules but it should work.


----------



## jofu (Oct 21, 2012)

Thanks!
About point 1), no I cannot change the router settings.
2) I have wlan0 as interface, which is connected to the external network.
3) In my internal clients I have put 10.0.0.1 as gateway and DNS, is this alright?

I changed now to your pf.conf, thanks, but there seems still something wrong.
I can ping the external IP of my freebsd machine from my internal clients, but I cannot ping any other machines that are in the external network.

Any more thoughts?


----------



## jofu (Oct 21, 2012)

This is the output of ifconfig:


```
iwn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
	ether 00:21:6b:54:05:8e
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
	status: associated
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether 00:21:70:ad:c1:aa
	inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
	inet6 fe80::221:70ff:fead:c1aa%re0 prefixlen 64 scopeid 0x2 
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:21:6b:54:05:8e
	inet 192.168.1.112 netmask 0xffffff00 broadcast 192.168.1.255
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: IEEE 802.11 Wireless Ethernet DS/5.5Mbps mode 11g
	status: associated
	ssid NewYork channel 11 (2462 MHz 11g) bssid 00:12:17:d5:37:24
	country US authmode OPEN privacy ON deftxkey 1 wepkey 1:40-bit
	txpower 15 bmiss 10 scanvalid 450 bgscan bgscanintvl 300
	bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS wme roaming MANUAL
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```


----------



## bbzz (Oct 21, 2012)

jofu said:
			
		

> Thanks!
> About point 1), no I cannot change the router settings.
> 2) I have wlan0 as interface, which is connected to the external network.
> 3) In my internal clients I have put 10.0.0.1 as gateway and DNS, is this alright?
> ...



DNS server should be your wireless router, most likely, you aren't running DNS server on FreeBSD router. So, 192.168.1.1 or so.

What's the output of:
`$ sysctl -n net.inet.ip.forwarding`

The machines you are trying to ping, can they be pinged (firewall, etc)?

Can you ping internet ip now that you setup DNS correctly.


----------



## jofu (Oct 21, 2012)

bbzz said:
			
		

> DNS server should be your wireless router, most likely, you aren't runnig DNS server on FreeBSD router. So, 192.168.1.1 or so.


Ok, but I even cannot reach the external router with the DNS server from my internal network.



			
				bbzz said:
			
		

> What's the output of:
> `$ sysctl -n net.inet.ip.forwarding`


It gives me 1.



			
				bbzz said:
			
		

> The machines you are trying to ping, can they be pinged (firewall, etc)?
> 
> Can you ping internet ip now that you setup DNS correctly.



They can be pinged, also if I can't ping googles DNS server for instance, so my packets are somehow not going through


----------



## bbzz (Oct 21, 2012)

Ok. Can your FreeBSD router ping wireless router?

Setup ping from one of internal machines to wireless router, and post output of
`# pfctl -sa`
on FreeBSD router at the same time.

You did load your new pf rules, right?


----------



## jofu (Oct 22, 2012)

Yes from my FreeBSD router I can ping everything fine.
`# pfctl -sa`
gives me:

```
No ALTQ support in kernel
ALTQ related functions disabled
FILTER RULES:

INFO:
Status: Enabled for 0 days 00:02:52           Debug: Urgent

State Table                          Total             Rate
  current entries                        0               
  searches                            1276            7.4/s
  inserts                                0            0.0/s
  removals                               0            0.0/s
Counters
  match                               1276            7.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

OS FINGERPRINTS:
700 fingerprints loaded
```

Thanks for all the help, I really don't understand why it won't work.


----------



## bbzz (Oct 22, 2012)

You need to load new rules with
`# pfctl -f /etc/pf.conf`


----------



## jofu (Oct 23, 2012)

Super, now it works. The problem was actually a small typo in your rule set above.
First line should be


```
ext_if="wlan0"
```
instead of


```
exf_if="wlan0"
```

Thanks a lot


----------



## bbzz (Oct 23, 2012)

Welcome


----------



## mbzadegan (Jun 22, 2014)

Hi,
I search for a step-by-step help to configure FreeBSD to share my wireless internet into my ethernet card!
I 've done this cenario on the ARCH Linux (with IPTABLES rules) but for FreeBSD still I could not share WLAN over LAN.
Thanks.


----------



## quakerdoomer (Dec 10, 2018)

How do I create iwn0 from wlan0?


----------

