# FreeBSD as Router



## fullauto (Apr 19, 2012)

Thanks in advance for any help.

I have a GENERIC Free*BSD* 9.0 machine (+ options ip_divert) that I would like to use as a router/firewall for my network.  I have done ALL the how-to's and the reading associated with this project and have thus far only managed to pull most of my hair out.

Let me explain my wanted network topography:


```
::Commercial Cable with static IP::
                                      |
                                      |
          ::FreeBSD router with NATD/IPFW:: (68.15.xxx.xxx[rl0]/192.168.1.1[dc0])
                                      |
                                      |
                                      |
                            ::10/100 8 port switch::
                                      |
                                      |
            -----------------------------------------------------
            :Server 192.168.1.10:   :Wintel/DHCP:   :Wintel/DHCP:
```

rc.conf

```
##################################
# Network Name of Machine
hostname="Bender"

# IP4 address and Netmask
ifconfig_rl0="68.15.62.102 netmask 255.255.255.224"
ifconfig_dc0=" inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
defaultrouter="68.15.62.97"

# Alternet IP4
#ifconfig_rl0="DHCP"
#ifconfig_dc0=" inet 192.168.1.2 netmask 255.255.255.0"
#defaultrouter="192.168.1.1"

firewall_enable="YES"
firewall_type="OPEN"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
ntpd_enable="YES"
ntpd_flags="-g"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

# Added to get X11 working 3-25-12
hald_enable="YES"
dbus_enable="YES"

###############################
#
# Services
sshd_enable="YES"
ftpd_enable="NO"
inetd_enable="NO"
proftpd_enable="NO"
sendmail_enable="NO"
apache22_enable="NO"
qpopper_enable="NO"
named_enable="NO"
```


```
port 8668
interface rl0

# Apache22 HTTPd
redirect_port tcp 192.168.1.10:80 80

# ProFTPd
redirect_port tcp 192.168.1.10:20-21 20-21

# POP3
redirect_port tcp 192.168.1.10:110 110

# SMTPd
redirect_port tcp 192.168.1.10:25 25

file "natd.conf", 15 lines
```


```
ipfw -q -f flush                # delete all rules
#set defaults
oif="rl0"                       # Outbound Interface
iif="dc0"                       # Inbound Interface
cmd="ipfw -q add "              # Build rule prefix

## Start Rules  #####################################

$cmd 00050 divert natd from any to any via $oif
$cmd 00100 allow ip from any to any via lo0
$cmd 00250 allow ip from any to 192.168.1.10 20-21
$cmd 00300 allow ip from any to 192.168.1.10 22
$cmd 00350 allow ip from any to 192.168.1.10 25
#$cmd 00400 allow ip from any to 192.168.1.10 53
$cmd 00450 allow ip from any to 192.168.1.10 80
$cmd 00500 allow ip from any to 192.168.1.10 110
$cmd 35000 allow all from 192.168.1.0 out via $oif

## Last Rule: Deny EVERYTHING that ipfw didn't get already ##
$cmd 65535 deny ip from any to any

file "ipfw.rules", 22 lines
```

I know I have many errors.  Please don't poke too much as I am a novice, but can anyone help me with this? *W*hen I hook the FreeBSD[rl0] to the cable modem, and the [dc0] to the switch with the other systems, I cannot get onto the internet from any machine including the router.  Another thing: for some reason, the router stops accepting my ssh requests. x(

I am willing to take this one step at a time, and if anyone out there is willing to give me a hand with this, as well as explain it to me so I don't have to burden this community constantly, I am willing to let someone ssh in.  

:\


----------



## throAU (Apr 19, 2012)

If you get rid of all your firewall rules (leave it open), can you access the internet from the FreeBSD machine?

Verify basic connectivity first, once you're happy that works (which means your IP addressing scheme, subnet masks, gateways, etc are correct) then get your firewall set up.

What are the goals you are aiming for with this setup?  (e.g., i need server A to access the internet, and incoming requests to port 80 to hit it, etc).

Also:  rather than just passing ports straight through to your internal hosts, you are better off setting up some sort of inspection/sanity checking via a local daemon on your FreeBSD box as appropriate.  If you just pass the port through, you're opening a hole directly to the internal host for the internal host's service to be potentially exploited.


----------



## aa (Apr 19, 2012)

If that DHCP for rl0 was already working, stick to it, or put the modem in router mode and use PPPoE, either way, you can not manually set rl0, it won't work.


----------



## fluca1978 (Apr 19, 2012)

I will check, as already suggested, the base connectivity of the FreeBSD machine before and after having loaded the firewall rules. Is the router able to ping either the default gateway and the server? From which side you are not able to SSH-into the router?

And a couple of hints: 
1) if your aim is to use a free firewall solution I would suggest you to take a look at pfsense, which is based on FreeBSD and simplifies a lot of tasks
2) hiding your public IPs in the diagram and exposing them via rc.conf is probably not the information-hiding you wanted


----------

