# FreeBSD gateway



## Maxiu (May 6, 2018)

I want to set up a gateway on FreeBSD on an HP 8460p with these interfaces.



```
root@komputer:/home/komputer # ifconfig -a
em0: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether e4:11:5b:27:2b:fd
        hwaddr e4:11:5b:27:2b:fd
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
ue0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:e0:4c:53:44:58
        hwaddr 00:e0:4c:53:44:58
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 24:77:03:22:26:0c
        hwaddr 24:77:03:22:26:0c
        inet 192.168.43.112 netmask 0xffffff00 broadcast 192.168.43.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet MCS mode 11ng
        status: associated
        ssid internet channel 6 (2437 MHz 11g ht/20) bssid 64:db:43:49:78:81
        regdomain FCC country US authmode WPA2/802.11i privacy ON
        deftxkey UNDEF AES-CCM 2:128-bit txpower 30 bmiss 10 scanvalid 60
        protmode CTS ampdulimit 64k -amsdutx amsdurx shortgi -stbc wme
        roaming MANUAL
        groups: wlan
```

On wlan0 the connection is established; I want to route it to em0 or ue0. Is it possible with this network card?
I tried some solutions, but the second computer can't establish a connection.

/etc/rc.conf


```
ifconfig_ue0="inet 10.1.1.1 netmask 255.255.255.0"
#create_args_ue0="mode hostap"
#create_args_ue0="wlanmode hostap"
#hostapd_enable="YES"
gateway_enable="YES"

defaultrouter="192.168.43.1"

dhcpd_enable="YES"
dhcpd_ifaces="ue0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
#dhcpd_withumask="022"
#dhcpd_flags="-q"


wlans_iwn0="wlan0"
ifconfig_wlan0="WPA SYNCDHCP"
```

/usr/local/etc/dhcpd.conf

```
subnet 10.1.1.0 netmask 255.255.255.0 {
        range 10.1.1.10 10.1.1.254;
        option broadcast-address 10.10.1.255;
        option routers 10.1.1.1;
        option domain-name-servers 194.204.152.34
        }
```


```
root@komputer:/home/komputer # netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.43.1       UGS       wlan0
10.1.1.0/24        link#4             U           ue0
10.1.1.1           link#4             UHS         lo0
127.0.0.1          link#2             UH          lo0
192.168.43.0/24    link#3             U         wlan0
192.168.43.112     link#3             UHS         lo0
```


----------



## Phishfry (May 6, 2018)

So, if I understand you correctly, you have a wlan0 connection that you want to share with the wired interfaces em0 and ue0?
Does your wlan0 connection get its IP via DHCP?

I think you need something like dns/dnsmasq to assign IPs to your wired clients (not dhcpd). wlan0 probably gets its IP via DHCP.
So you would create a static network for both em0 and ue0. That, or bridge them, which is more complex.


----------



## Maxiu (May 6, 2018)

> 1# So if I understand you correctly. You have a wlan0 connection that you want to share with wired interfaces em0 and ue0?
> 2# Does your wlan0 connection get its IP via DHCP?



1. Yes.
2. Yes. I am using it for testing, to move the configs in the future to...
https://forums.freebsd.org/threads/tor-torilla-on-freebsd.65567/
https://forums.freebsd.org/threads/...net-card-10-100-1000-will-be-supported.65566/
Using some tunnel for IPsec or something like 13.7.1. https://www.freebsd.org/doc/handbook/ipsec.html

And finally a VPN over this.



I lost the `;` on the option `domain-name-servers`.

Now the connection is established, but I can't connect to any site on the second computer...

Part of `ifconfig` from Linux Mint:

```
inet addr:10.1.1.10 Bcast:10.1.1.255 Mask:255.255.255.0
```

PS. Only a backdoor can stop me

So is it needed to forward packets using some firewall, or NAT, or something?


----------



## Phishfry (May 6, 2018)

Yes, pf can be used for NAT. It requires very few options. This post shows my wireless access point settings.
https://forums.freebsd.org/threads/help-plumbing-a-wireless-ap.60519/post-348330

While it is the opposite of what you need, for instructions: for instance, hostapd is not needed for your task.
These are the basic pf NAT settings needed. Simply adjust yours to suit your interfaces.


----------



## Phishfry (May 6, 2018)

OK so you need to install net/dnsmasq.
Here is a /etc/rc.conf for you.

```
ifconfig_ue0="inet 10.1.1.1 netmask 255.255.255.0"
ifconfig_em0="inet 10.1.2.1 netmask 255.255.255.0"
wlans_iwn0="wlan0"
ifconfig_wlan0="WPA DHCP"
dnsmasq_enable="YES"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile=/var/log/pflog
defaultrouter="192.168.43.1"
```

/usr/local/etc/dnsmasq.conf

```
domain-needed
server=8.8.8.8
server=8.8.4.4
dhcp-range=set:ue0,10.1.1.2,10.1.1.200,255.255.255.0,24h
dhcp-range=set:em0,10.1.2.2,10.1.2.200,255.255.255.0,24h
# tag: selects the pool whose set: tag matches, so each LAN gets its own router
dhcp-option=tag:ue0,option:router,10.1.1.1
dhcp-option=tag:em0,option:router,10.1.2.1
log-facility=/var/log/dnsmasq.log
log-dhcp
log-async
```

/etc/pf.conf. This provides ONLY NAT:

```
ext_if="wlan0"
set skip on lo
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
```

Good luck, and ask any questions you need.
ISC dhcp-server would probably also work. In FreeBSD there is no base DHCP server, only the DHCP client.
The ISC DHCP client `dhclient` is the default FreeBSD client.
net/isc-dhcp43-server is not in the base install.
dns/dnsmasq does more for you though, with DNS too.


----------



## Phishfry (May 6, 2018)

I see from the directory of this file that this must be the ISC dhcp-server you are talking about.

/usr/local/etc/dhcpd.conf

```
subnet 10.1.1.0 netmask 255.255.255.0 {
        range 10.1.1.10 10.1.1.254;
        option broadcast-address *10.10.1.255*;
        option routers 10.1.1.1;
        option domain-name-servers 194.204.152.34
        }
```

Do you see the wrong address for option broadcast-address? Shouldn't that be 10.1.1.255?
I have never used the ISC dhcp server.

Have you tried Google DNS for the "option domain-name-servers" setting? I think that is what it wants.

```
option domain-name-servers 8.8.8.8, 8.8.4.4;
```

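The two defects pointed out above (a broadcast address from the wrong subnet, and a statement missing its `;`) are exactly what a small lint pass over `dhcpd.conf` catches before `dhcpd` refuses to start or hands clients a broken lease. The script below is an added example, not code from this thread or from ISC dhcpd; it parses `subnet` blocks with Python's standard `ipaddress` module, checks the broadcast address, router, and range against the declared network, and flags unterminated statements. The sample configs are the thread's snippet reproduced inline and a corrected copy; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the dhcpd.conf subnet block from this thread, reproduced
# with both defects the thread identifies (wrong broadcast, missing ';').
SAMPLE_BAD = """subnet 10.1.1.0 netmask 255.255.255.0 {
        range 10.1.1.10 10.1.1.254;
        option broadcast-address 10.10.1.255;
        option routers 10.1.1.1;
        option domain-name-servers 194.204.152.34
        }
"""

# The same block with both defects corrected.
SAMPLE_GOOD = """subnet 10.1.1.0 netmask 255.255.255.0 {
        range 10.1.1.10 10.1.1.254;
        option broadcast-address 10.1.1.255;
        option routers 10.1.1.1;
        option domain-name-servers 8.8.8.8, 8.8.4.4;
}
"""

# One subnet block: "subnet <net> netmask <mask> { ... }" (non-greedy body).
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_subnets(text):
    """Yield (IPv4Network, [statement lines]) for every subnet block in text."""
    for m in SUBNET_RE.finditer(text):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
        lines = [ln.strip() for ln in m.group(3).splitlines() if ln.strip()]
        yield net, lines


def check_subnet(net, lines):
    """Return a list of human-readable findings for one subnet block."""
    findings = []
    seen = {}
    for line in lines:
        # dhcpd requires every statement to end with ';'
        if not line.endswith(";"):
            findings.append(f"missing ';' after: {line}")
        words = line.rstrip(";").replace(",", " ").split()
        if words[0] == "option":
            seen[words[1]] = words[2:]      # option <name> <values...>
        else:
            seen[words[0]] = words[1:]      # range <lo> <hi>, etc.

    bcast = seen.get("broadcast-address")
    if bcast and ipaddress.ip_address(bcast[0]) != net.broadcast_address:
        findings.append(f"broadcast-address {bcast[0]} should be {net.broadcast_address}")
    for r in seen.get("routers", []):
        if ipaddress.ip_address(r) not in net:
            findings.append(f"router {r} is outside {net}")
    rng = seen.get("range")
    if rng and len(rng) >= 2:
        lo, hi = ipaddress.ip_address(rng[0]), ipaddress.ip_address(rng[1])
        if lo not in net or hi not in net or lo > hi:
            findings.append(f"range {lo}-{hi} is not inside {net}")
    if not seen.get("domain-name-servers"):
        findings.append("no domain-name-servers option: clients get no resolver")
    return findings


def lint_dhcpd(text):
    """Map each subnet (as 'a.b.c.d/n') to its list of findings."""
    return {str(net): check_subnet(net, lines) for net, lines in parse_subnets(text)}


if __name__ == "__main__":
    for label, conf in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, lint_dhcpd(conf))
```

Run it against the real file with `lint_dhcpd(open("/usr/local/etc/dhcpd.conf").read())`; an empty list per subnet means the block is internally consistent, which is a cheaper first check than restarting the daemon and reading `/var/log/messages`.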

----------



## Maxiu (May 12, 2018)

Perfect. It works with IPFW.

Now I have a TOR at 127.0.0.1:10001 as SOCKS5 or 127.0.0.1:20001 as HTTP. Do you have an idea how to redirect it on ue0 or em0?


----------



## Phishfry (May 12, 2018)

You might need to check out the routes:
https://www.freebsd.org/doc/handbook/network-routing.html

With Section 30.2.2, if you substitute your "wlan0" for "Internal Net 1" you pretty much have the same setup.


----------



## Maxiu (May 30, 2018)

I would not be able to cope without you 


```
ext_if="wlan0"
int_if="ue0"

set skip on lo
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
rdr pass on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 9040
rdr pass on $int_if proto tcp from any to any port 443 -> 127.0.0.1 port 9040

pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass in on $ext_if inet proto tcp from any to any port www keep state
```


----------



## Maxiu (May 31, 2018)

Ok. I have a TOR DNS on 9053. If I add it


```
no-resolv
server=127.0.0.1#9053
listen-address=127.0.0.1
```

to dnsmasq, then the hardware on the LAN side does not work. Probably it is looking for DNS on its own loopback, not the server's loopback. Do you know how to redirect the connection to the TOR DNS?

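The symptom described here (LAN clients lose name resolution as soon as `listen-address=127.0.0.1` is added) is a mismatch between what `rc.conf` gives the LAN interfaces and what `dnsmasq.conf` binds to. The script below is an added example, not code from this thread, from FreeBSD or from dnsmasq; it reads the `rc.conf` and `dnsmasq.conf` Phishfry posted earlier (reproduced inline as constructed samples, with the `dhcp-option` lines using dnsmasq's `tag:` prefix) together with the three lines added in this post, and reports the mismatches that break LAN clients: forwarding or pf not enabled, a DHCP pool or `option:router` that does not fit the interface address, and a `listen-address` list that leaves out the LAN gateway addresses so DHCP clients cannot reach the resolver. Function names are my own.

```python
import ipaddress

# Constructed samples, copied from the configs posted in this thread.
RC_CONF = """\
ifconfig_ue0="inet 10.1.1.1 netmask 255.255.255.0"
ifconfig_em0="inet 10.1.2.1 netmask 255.255.255.0"
wlans_iwn0="wlan0"
ifconfig_wlan0="WPA DHCP"
dnsmasq_enable="YES"
gateway_enable="YES"
pf_enable="YES"
"""

DNSMASQ_CONF = """\
domain-needed
server=8.8.8.8
dhcp-range=set:ue0,10.1.1.2,10.1.1.200,255.255.255.0,24h
dhcp-range=set:em0,10.1.2.2,10.1.2.200,255.255.255.0,24h
dhcp-option=tag:ue0,option:router,10.1.1.1
dhcp-option=tag:em0,option:router,10.1.2.1
"""

# The lines appended for Tor's DNSPort; listen-address is the one that bites.
TOR_DNS = """\
no-resolv
server=127.0.0.1#9053
listen-address=127.0.0.1
"""


def parse_rc_conf(text):
    """Return (ifaces, knobs): static 'inet' interfaces as IPv4Interface, other vars as strings."""
    ifaces, knobs = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.strip().strip('"')
        words = val.split()
        if key.startswith("ifconfig_") and len(words) >= 4 and words[0] == "inet" and words[2] == "netmask":
            ifaces[key[len("ifconfig_"):]] = ipaddress.ip_interface(f"{words[1]}/{words[3]}")
        else:
            knobs[key] = val
    return ifaces, knobs


def parse_dnsmasq(text):
    """Return (pools, routers, listen): per-tag DHCP pools, per-tag router options, listen-address list."""
    pools, routers, listen = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        parts = [p.strip() for p in val.split(",")]
        if key == "dhcp-range" and len(parts) >= 3 and parts[0].startswith("set:"):
            pools[parts[0][4:]] = (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]))
        elif key == "dhcp-option" and len(parts) >= 3 and parts[0].startswith("tag:") and parts[1] == "option:router":
            routers[parts[0][4:]] = ipaddress.ip_address(parts[2])
        elif key == "listen-address":
            listen.extend(ipaddress.ip_address(p) for p in parts if p)
    return pools, routers, listen


def check_gateway(rc_text, dnsmasq_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    ifaces, knobs = parse_rc_conf(rc_text)
    pools, routers, listen = parse_dnsmasq(dnsmasq_text)

    if knobs.get("gateway_enable") != "YES":
        findings.append("gateway_enable is not YES: the kernel will not forward LAN traffic")
    if knobs.get("pf_enable") != "YES":
        findings.append("pf_enable is not YES: no NAT on the uplink")

    for tag, (lo, hi) in pools.items():
        iface = ifaces.get(tag)
        if iface is None:
            findings.append(f"{tag}: dhcp-range tag matches no static interface in rc.conf")
            continue
        if lo not in iface.network or hi not in iface.network or lo > hi:
            findings.append(f"{tag}: pool {lo}-{hi} is not inside {iface.network}")
        if lo <= iface.ip <= hi:
            findings.append(f"{tag}: pool includes the gateway's own address {iface.ip}")
        if routers.get(tag) != iface.ip:
            findings.append(f"{tag}: option:router {routers.get(tag)} is not the interface address {iface.ip}")

    # Without listen-address dnsmasq answers on every interface; once it is set,
    # each LAN gateway address must be listed or DHCP clients lose their resolver.
    if listen:
        excluded = [str(i.ip) for i in ifaces.values() if i.ip not in listen]
        if excluded:
            findings.append("listen-address " + ", ".join(map(str, listen))
                            + " excludes LAN address(es) " + ", ".join(excluded)
                            + ": DHCP clients cannot reach the resolver")
    return findings


if __name__ == "__main__":
    print(check_gateway(RC_CONF, DNSMASQ_CONF))
    print(check_gateway(RC_CONF, DNSMASQ_CONF + TOR_DNS))
```

The second call reproduces this post's failure: with only `127.0.0.1` listed, dnsmasq still forwards to Tor's DNSPort for the gateway itself, but 10.1.1.1 and 10.1.2.1 no longer answer port 53 for the clients that dnsmasq pointed at them.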

----------



## Maxiu (May 31, 2018)

Edit:


```
ext_if="wlan0"
int_if="ue0"

rdr pass on $int_if proto tcp from any to any port 53 -> 127.0.0.1 port 9053
rdr pass on $int_if proto udp from any to any port 53 -> 127.0.0.1 port 9053
```




They do it self harming


----------



## Phishfry (May 31, 2018)

Just remember that Tor was originally developed by the US Navy.
So you must salute the flag every time you use it. No, seriously, it is only so secure.

There is a setting in dnsmasq.conf for the loopback.
interface=wlan0,lo0
exclude=something?
I can update this later.


----------



## Maxiu (May 31, 2018)

> Just remember that Tor was originally developed by the US Navy.



And still using it. I think the internet too, but it slipped out.


----------



## Phishfry (Jun 1, 2018)

Here is what I was referencing. I know that you might be using the ISC DHCP server, but it should be similar.

https://superuser.com/questions/924745/making-dnsmasq-listen-on-only-one-interface

I thought I had to do it like this (dnsmasq.conf snippet):

```
interface=wlan0,lo0
except-interface=em0
```


----------



## Phishfry (Jun 1, 2018)

Here is some more on the topic:
https://serverfault.com/questions/799200/bind-dnsmasq-dns-to-just-localhost-127-0-0-1


----------

