# Help sharing a connection.



## simon (Aug 13, 2022)


Hi guys,
I have a problem...
I have shared my internet between two computers using 'pf'.
It has worked before but now it isn't!
I'm not new to this but I might have erred somewhere.
My router: 192.168.88.1
My wifi address: 192.168.88.222
My ethernet address via DHCP: 192.168.89.10
My nameserver (as issued via DHCP, and it is the same server used by the computer going online): 192.168.5.1
Now, the computer hosting the pf and DHCP server (192.168.88.222) goes online just fine, but the client (192.168.89.10) can't!
Is there any problem with the DNS settings as above?
It is driving me batty and I think the (fresh) install is broken.


----------



## simon (Aug 13, 2022)

The gateway switch is enabled as you see below:


[root@Pulsar_Home /etc]#  sysrc gateway_enable="YES"
gateway_enable: YES -> YES

And here is the pf.conf file.

```
#packet Firewall Ruleset ####
#################################

###################
#### Variables ####
###################

# External interface
ext_if="wlan0"

# Internal interface
int_if="fxp0"

# Follow RFC1918 and don't route to non-routable IPs
# http://www.iana.org/assignments/ipv4-address-space
# http://rfc.net/rfc1918.html
nonroute= "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16,
        172.16.0.0/12, 192.0.2.0/24, 224.0.0.0/3, 255.255.255.255 }"

# Set allowed ICMP types
# Blocking ICMP entirely is bad practice and will break things,
# FreeBSD applies rate limiting by default to mitigate attacks.
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"

####################################
#### Options and optimizations #####
####################################

# Set interface for logging (statistics)
set loginterface $ext_if

# Note: pfctl requires the ruleset in the order options, normalization,
# queueing, translation, filter; a nat rule placed between 'set' lines is
# rejected with "Rules must be in order". The NAT rule lives in the NAT
# section below.

# Drop states as fast as possible without having excessively low timeouts
#set optimization aggressive

# Block policy, either silently drop packets or tell sender that request is blocked
#set block-policy return

# Don't bother to process (filter) following interfaces such as loopback:
set skip on lo0

# Scrub traffic
# Add special exception for game consoles such as PS3 and PS4 (NAT type 2 vs 3)
# scrub from CHANGEME to any no-df random-id fragment reassemble
#scrub on $ext_if all

#######################
#### NAT & Proxies ####
#######################

# Enable NAT and tell pf not to change ports if needed
# Add special exception for game consoles such as PS3 and PS4 (NAT type 2 vs 3)
# ie static-port mapping. Do NOT enable both rules.
# nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Redirect ftp connections to ftp-proxy
rdr pass on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# Enable ftp-proxy (active connections)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Enable UPnP (requires miniupnpd, game consoles need this)
# rdr-anchor "miniupnpd"

# Anchors need to be set after nat/rdr-anchor
# Same as above regarding miniupnpd
anchor "ftp-proxy/*"
# anchor "miniupnpd"

################################
#### Rules inbound (int_if) ####
################################

# Pass on everything incl multicast
pass in quick on $int_if from any to 239.0.0.0/8
pass in quick on $int_if inet all keep state

################################
#### Rules inbound (ext_if) ####
################################

# Drop packets from non-routable addresses immediately
block drop in quick on $ext_if from $nonroute to any

# Allow DHCP (and the NFS/RPC and other listed services) on the external interface
pass in quick on $ext_if inet proto udp to ($ext_if) port { sunrpc, nfsd-status, nfsd-keepalive, nfsd, lockd, 797, 67, 68 }
pass in quick on $ext_if inet proto tcp to ($ext_if) port { sunrpc, nfsd-status, nfsd-keepalive, nfsd, lockd, 797, 80, 22, 25, 110, 123, 137:139 }

# Allow ICMP
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types

# Allow FTPs to connect to the FTP-proxy
pass in quick on $ext_if inet proto tcp to ($ext_if) port ftp-data user proxy

# Block everything else
#block in on $ext_if all

#################################
#### Rules outbound (ext_if) ####
#################################
# Drop packets to non-routable addresses immediately, allow everything else
block drop out quick on $ext_if from any to $nonroute
pass out on $ext_if all
pass in quick proto tcp to wlan0 port ssh flags S/SA keep state
```


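pfctl insists on a fixed section order (options, normalization, queueing, translation, filter) and refuses the whole ruleset when a rule is out of place, which is exactly what a `nat` line sitting between two `set` options triggers. The checker below is an added example, not code from the thread; it classifies each pf.conf line by its leading keyword and reports any rule that appears after a later section has already begun. The sample ruleset is a constructed excerpt modelled on the one posted above; keywords it does not know (tables, unusual directives) are ignored rather than guessed.

```python
"""Flag pf.conf rules that break pfctl's mandatory section order.

Added example, not part of the thread. pfctl rejects an out-of-order
ruleset with "Rules must be in order: options, normalization, queueing,
translation, filter"; this script finds the offending line before you
reload the firewall.
"""
import re

# Section rank for each leading keyword, in the order pfctl requires.
SECTION_OF = {
    "set": 0,                                               # options
    "scrub": 1,                                             # normalization
    "altq": 2, "queue": 2,                                  # queueing
    "nat": 3, "rdr": 3, "binat": 3,                         # translation
    "nat-anchor": 3, "rdr-anchor": 3, "binat-anchor": 3,
    "block": 4, "pass": 4, "anchor": 4, "antispoof": 4,     # filter
}
SECTION_NAMES = ["options", "normalization", "queueing", "translation", "filter"]

# Constructed excerpt modelled on the posted pf.conf: the first nat rule sits
# between two 'set' options and will make pfctl reject the file.
SAMPLE = """\
ext_if="wlan0"
int_if="fxp0"
set loginterface $ext_if
nat on wlan0 inet from fxp0:network to any -> (wlan0)
set skip on lo0
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass in quick on $int_if inet all keep state
block drop out quick on $ext_if from any to 10.0.0.0/8
"""


def classify(line):
    """Return the section rank of a rule line, or None for comments, blanks,
    macro definitions and keywords this checker does not track."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or re.match(r"^[A-Za-z_][A-Za-z0-9_]*\s*=", stripped):
        return None
    return SECTION_OF.get(stripped.split()[0])


def order_violations(conf_text):
    """Return [(line_no, rule_text, section_already_started), ...] for every
    rule that belongs to a section earlier than one already seen."""
    highest = -1
    violations = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        rank = classify(line)
        if rank is None:
            continue
        if rank < highest:
            violations.append((no, line.strip(), SECTION_NAMES[highest]))
        highest = max(highest, rank)
    return violations


if __name__ == "__main__":
    for no, text, section in order_violations(SAMPLE):
        print(f"line {no}: '{text}' appears after the {section} section has begun")
```

On the sample this reports line 5, `set skip on lo0`, as an option that follows a translation rule; deleting the misplaced `nat` line (the same translation is declared again in the NAT section) makes the ruleset pass. A quick `pfctl -nf /etc/pf.conf` on the box gives the authoritative answer, but the script shows which line to look at.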
----------



## simon (Aug 13, 2022)

This is the dhcpd.conf:


```
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
#option domain-name "sp.net";
option domain-name-servers 192.168.88.1, 192.168.5.1;

default-lease-time 604800;
max-lease-time 604800;

# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# This is a very basic subnet declaration.

subnet 192.168.89.0 netmask 255.255.255.0 {
  use-host-decl-names on;
  option subnet-mask 255.255.255.0;
  # The broadcast address must belong to this subnet (192.168.0.255 does not).
  option broadcast-address 192.168.89.255;
  range 192.168.89.10 192.168.89.254;
  # Clients on 192.168.89.0/24 can only use a router on their own subnet, i.e.
  # the fxp0 address of this pf host. That address is not shown in the thread;
  # 192.168.89.1 is a placeholder to replace (192.168.5.1 and 192.168.88.1 are
  # unreachable from this subnet).
  option routers 192.168.89.1;
}


# Hosts which require special configuration options can be listed in
# host statements.   If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.
```


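Two lines in a subnet declaration are easy to get wrong without dhcpd complaining: the broadcast address and the routers option are handed to clients as-is, so a router outside the client's own subnet simply leaves the client without a usable default route. The script below is an added example, not code from the thread; it parses a `subnet { }` block with Python's `ipaddress` module and flags every option that cannot work for that subnet. The first sample is a constructed copy of the posted declaration, the second a constructed corrected version in which 192.168.89.1 is an assumed placeholder for the pf host's fxp0 address.

```python
"""Cross-check a dhcpd.conf subnet declaration against its own network.

Added example, not part of the thread. It reads the first 'subnet ... { }'
block and reports options whose values do not fit the declared subnet:
a broadcast address that is not the network's own, a subnet-mask option
that disagrees with the netmask, a range endpoint or a router outside the
network (a router outside the subnet is unreachable for the clients).
"""
import ipaddress
import re

# Constructed copy of the posted declaration.
SAMPLE = """\
subnet 192.168.89.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  range 192.168.89.10 192.168.89.254;
  option routers 192.168.5.1, 192.168.88.1;
}
"""

# Constructed corrected version; 192.168.89.1 is a placeholder for the
# fxp0 address of the pf host, which the thread does not show.
FIXED = """\
subnet 192.168.89.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.89.255;
  range 192.168.89.10 192.168.89.254;
  option routers 192.168.89.1;
}
"""


def parse_subnet(text):
    """Return (network, options) for the first subnet declaration in text.
    options maps a statement name to its comma-separated values."""
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no subnet declaration found")
    network = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    options = {}
    for stmt in m.group(3).split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        words = stmt.split(None, 1)
        if words[0] == "option":            # 'option <name> <values>'
            name, value = words[1].split(None, 1)
        else:                                # 'range <lo> <hi>', flags, ...
            name, value = words[0], (words[1] if len(words) > 1 else "")
        options[name] = [v.strip() for v in value.split(",") if v.strip()]
    return network, options


def subnet_problems(text):
    """Return a list of human-readable problems, empty when the block is consistent."""
    network, options = parse_subnet(text)
    problems = []
    for mask in options.get("subnet-mask", []):
        if mask != str(network.netmask):
            problems.append(f"subnet-mask {mask} disagrees with netmask {network.netmask}")
    for bcast in options.get("broadcast-address", []):
        if ipaddress.ip_address(bcast) != network.broadcast_address:
            problems.append(f"broadcast-address {bcast} is not the broadcast of "
                            f"{network} (expected {network.broadcast_address})")
    for bound in " ".join(options.get("range", [])).split():
        if ipaddress.ip_address(bound) not in network:
            problems.append(f"range endpoint {bound} is outside {network}")
    for router in options.get("routers", []):
        if ipaddress.ip_address(router) not in network:
            problems.append(f"router {router} is not inside {network}")
    return problems


if __name__ == "__main__":
    for label, conf in (("posted", SAMPLE), ("corrected", FIXED)):
        print(f"{label}: {subnet_problems(conf) or 'no problems found'}")
```

Run against the posted block it reports the wrong broadcast address and both routers as unreachable from 192.168.89.0/24; a client that accepts such a lease has no working default gateway, which matches the symptom of the pf host being online while the client is not.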
----------



## simon (Aug 13, 2022)

Never mind guys,

Something very odd happened:

I updated it to 13.1-p1 from 13.1 and it suddenly just started working!
I still think it was a broken install and the update has somehow fixed it by installing/adding a necessary but previously missing file.
But please, go over the files above and let me know if anything should be changed, I'd really appreciate the extra eyes checking for mistakes!

Thank you so much!


----------



## tux2bsd (Aug 13, 2022)

Every `pf` recipe I've seen sets scrub on, I don't know why it isn't FreeBSD's `pf` default...


----------



## simon (Aug 13, 2022)

But I haven't enabled it ;-)


tux2bsd said:


> Every pf recipe I've seen sets scrub on, I don't know why it isn't the default...


----------



## simon (Aug 14, 2022)

Okay, here's something you can certainly help with:

How do I get the computer 192.168.89.10 accessible from 192.168.88.222?

I know it will involve NAT or a bridge but pointers or an example would be sincerely appreciated.

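One way to do this with pf alone, as an added example that is not part of the thread or of the posted ruleset: a redirect on the wireless interface forwards a chosen port to the client behind fxp0. It assumes the macros from the posted pf.conf (`ext_if="wlan0"` on the 192.168.88.0/24 side, `int_if="fxp0"` on the 192.168.89.0/24 side); the listening port 2222 and the SSH target port are arbitrary choices for the example.

```pf
# Added example, not from the thread. Macros as in the posted pf.conf.
ext_if="wlan0"
int_if="fxp0"
lan_client="192.168.89.10"
home_lan="192.168.88.0/24"

# Translation rules must come before filter rules (pfctl enforces the order).
# Outbound NAT for the wired clients, as in the posted ruleset.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Forward TCP/2222 arriving on the wireless address to the client's SSH port.
# 'rdr pass' creates the state itself, so no separate 'pass in' rule is needed.
# The source is restricted to the home LAN so the forward is only reachable
# from hosts on 192.168.88.0/24.
rdr pass on $ext_if inet proto tcp from $home_lan to ($ext_if) port 2222 -> $lan_client port 22

# Let the redirected traffic leave towards the client on the internal side.
pass out quick on $int_if inet proto tcp from $home_lan to $lan_client port 22 keep state
```

From a host on the wireless LAN, `ssh -p 2222 user@192.168.88.222` then lands on 192.168.89.10. The alternative hinted at in the question is routing rather than translation: give the router 192.168.88.1 (or each wireless host) a static route for 192.168.89.0/24 via 192.168.88.222 and add `pass in on $ext_if from $home_lan to $int_if:network` on the pf host; no `rdr` is needed then, the whole 192.168.89.0/24 subnet becomes reachable, and the usual caveat applies that every service on the wired clients becomes reachable from the wireless LAN unless the pass rule narrows it.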

----------

