# Wifi gateway + firewall



## KeresContorni (Mar 26, 2011)

Hi all (sorry for bad English, I'm Italian), I have to make a gateway firewall:

- Ethernet connects to the Internet;
- WiFi open and free for laptops in the office;

I have found a good guide in Handbook FreeBSD Host Access Points (free mode):
Handbook - 31.3.5

I have installed dhcpd server on wlan0 and I have tested with a laptop. Laptop gets IP address, netmask, gateway and dns from dhcp server via wifi. From dhcp I can ping the IP address on the WiFi card and the IP address on the Ethernet card on the server.

Now I have:

My laptop -> Wifi + dhcp + ethernet -> Internet.

Now I want to make this:

My laptop -> Wifi + dhcp -> Ethernet -> Internet.

NAT! But only for 80/tcp, 443/tcp, 53/tcp. Deny other TCP or UDP.

I have found on the Internet: FreeBSD NAT

I have added in kernel configuration:


```
options IPFIREWALL, IPDIVERT
```

Compiled kernel and installed.

On the next boot I have to execute:
`natd -n MyNetworkInterface`

When I run `ipfw -a show` I see nothing... But the *natd* daemon is running...

Can anyone help me?
Thank you very much.


----------



## KeresContorni (Mar 26, 2011)

Tomorrow I want to try this:

Setting up a Firewall NAT using PF


----------



## KeresContorni (Mar 28, 2011)

Ok, I have found a solution. WiFi as Access Point is OK with dhcp server.

In /etc/sysctl.conf I write:

```
net.inet.ip.forwarding=1
```

In /etc/pf.conf I write:


```
ext_if = "rl0"
int_if = "wlan0"
internal_net = "192.168.2.0/24"

nat on $ext_if from $internal_net to any -> ($ext_if)
```

Now it's perfect, but I want to block all traffic in/out and open only http, https and dns from wlan0 to the Internet. I want to go out from the Ethernet side only for VPN access (for a remote proxy).


```
block drop log all
pass out log quick on $ext_if inet proto udp from ($ext_if) to any port { 53, 123, 80, 443 } keep state
```
Is it correct? And for the VPN? Any solution?
Thanks.
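For comparison, here is a complete /etc/pf.conf that does what the post asks for: NAT for the WiFi clients, a logged default deny, and only DNS, HTTP and HTTPS allowed out. This is an added example, not the poster's ruleset and not taken from the FreeBSD Handbook; the interface names rl0/wlan0 and the 192.168.2.0/24 network come from the post, while the DHCP rules, the VPN endpoint address and port, and the macro names are assumptions. One thing it corrects relative to the rule quoted above: ports 80 and 443 are TCP, so a rule written with `proto udp` alone never passes web traffic, and DNS needs both UDP and TCP.

```pf
# Added example /etc/pf.conf (not the poster's configuration).
# Interfaces and internal network taken from the post above.
ext_if = "rl0"
int_if = "wlan0"
internal_net = "192.168.2.0/24"

# Services the WiFi clients may reach on the Internet.
# 80/443 are TCP; DNS is UDP and (for large answers / zone data) TCP.
udp_services = "{ 53 }"
tcp_services = "{ 53, 80, 443 }"

# Assumed VPN endpoint used by the gateway itself (placeholder values;
# 203.0.113.10 is a documentation address, replace with the real one).
vpn_server = "203.0.113.10"
vpn_port   = "1194"

set skip on lo0
scrub in all

# NAT: rewrite the WiFi clients' source address to the Ethernet address.
# In this pf generation NAT runs before filtering, so the pass-out rules
# on $ext_if below see the translated source ($ext_if).
nat on $ext_if from $internal_net to any -> ($ext_if)

# Default deny in every direction, logged (tcpdump -n -e -ttt -i pflog0).
block drop log all

# DHCP between the WiFi clients and the gateway's dhcpd (needed before
# the clients have an address, so it cannot be restricted to $internal_net).
pass in  quick on $int_if inet proto udp from any port 68 to any port 67
pass out quick on $int_if inet proto udp from any port 67 to any port 68

# Only the allowed services may enter from the WiFi side ...
pass in quick on $int_if inet proto udp from $internal_net to any port $udp_services keep state
pass in quick on $int_if inet proto tcp from $internal_net to any port $tcp_services flags S/SA keep state

# ... and the same (now NATed) traffic may leave on the Ethernet side.
pass out quick on $ext_if inet proto udp from ($ext_if) to any port $udp_services keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port $tcp_services flags S/SA keep state

# The gateway's own VPN client is the only other traffic allowed out.
pass out quick on $ext_if inet proto udp from ($ext_if) to $vpn_server port $vpn_port keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and keep `net.inet.ip.forwarding=1` in /etc/sysctl.conf and `pf_enable="YES"` in /etc/rc.conf so both survive a reboot. Because everything not listed is dropped and logged, anything the clients still need (for example ICMP for path MTU discovery, or NTP) shows up in the pflog0 output and can be added as an explicit rule rather than by loosening the default.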


----------



## DutchDaemon (Mar 28, 2011)

KeresContorni, read the comments under your posts, and act on them.


----------

