# Gateway with access point and wired.



## IOX123 (Mar 28, 2014)

Hello,

Hope this is in the right section. My wireless router just died, so I'm trying to set up my FreeBSD gateway as an access point while also keeping my wired connection.

I think I've set everything up correctly except my rules. Wireless clients can join the access point but can't get out to the web. I have the access point on a different subnet, 192.168.2.1; the wired is 192.168.1.1.

Here is my rc.conf:


```
gateway_enable="YES"
keymap="us.iso"
sshd_enable="YES"
ifconfig_re0="DHCP"
ifconfig_vr0="inet 192.168.1.1 netmask 255.255.255.0"
pf_enable="YES"
pflog_enable="YES"
syslogd_flags="-ss"
hostapd_enable="YES"
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="inet 192.168.2.1 netmask 255.255.255.0 ssid freebsd mode 11g channel 1"
```


And my pf.conf:


```
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
# interfaces
ext_if  = "re0"
int_if  = "vr0"
#air_if = "wlan0"

#protocol
icmp_types = "{ echoreq, unreach }"

#hosts
Xbox360 = "192.168.1.105"
webserver = "192.168.1.100"
shoutcast = "192.168.1.100"
laptop = "192.168.1.117"


#ports
#Xlive_udp = "{ 1:65535 }"
#Xlive_tcp = "{ 1:65535 }"
Xlive_udp = "{ 3074, 3075, 80, 53, 443, 88, 1863, 1024:65535 }"
Xlive_tcp = "{ 3074, 3075, 80, 53, 443, 88, 1863, 1024:65535 }"
#Xlive_tcp = "{ 3074, 53 }"
#Xlive_udp = "{ 3074, 53, 88 }"
#ssh_port = "{ 1970 }"
webserver_port = "{ 80 }"
shoutcast_ports = "{ 8000, 8001, 8010 }"
laptop_port = "{ 26000 }"



#nets
lan_net = "{ 192.168.1.0/24 }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"



# config
#------------------------------------------------------------------------
# options
#------------------------------------------------------------------------
# config
set block-policy drop
set loginterface $ext_if
set skip on lo0
set optimization conservative

# scrub
#scrub all reassemble tcp no-df
#scrub in all fragment reassemble
scrub in all

#------------------------------------------------------------------------
# redirection (and nat, too!)
#------------------------------------------------------------------------
# network address translation
nat on egress from $int_if:network to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on $ext_if from $Xbox360 to any -> ($ext_if:0) static-port
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port $webserver_port -> $webserver
#rdr on $ext_if proto tcp from any to ($ext_if) port $ssh_port -> $ssh
rdr on $ext_if proto tcp from any to ($ext_if) port $laptop_port -> $laptop
rdr on $ext_if proto tcp from any to ($ext_if) port $shoutcast_ports -> $shoutcast
rdr on $ext_if proto udp from any to ($ext_if) port $shoutcast_ports -> $shoutcast
rdr on $ext_if inet proto udp from any to ($ext_if) port $Xlive_udp tag XBOX360 -> $Xbox360
rdr on $ext_if inet proto tcp from any to ($ext_if) port $Xlive_tcp tag XBOX360 -> $Xbox360
#nat on $ext_if from $air_if:network to any -> (ext_if) static-port
no nat on $int_if proto tcp from $int_if to $lan_net


#------------------------------------------------------------------------
# firewall policy
#------------------------------------------------------------------------
# restrictive default rules
block log all
pass out keep state
block drop in log on $ext_if from $priv_nets to any
block drop out log on $ext_if from any to $priv_nets


# anti spoofing
antispoof for { $int_if, $ext_if }

pass proto tcp from any to $laptop port $laptop_port
pass proto tcp from any to $webserver port $webserver_port
#pass log proto tcp from any to $ssh port $ssh_port
pass proto udp from any to $shoutcast port $shoutcast_ports
pass proto tcp from any to $shoutcast port $shoutcast_ports
pass in log on $ext_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass in log on $ext_if inet proto tcp from any to $Xbox360 port $Xlive_tcp keep state tagged XBOX360
pass out log on $int_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass out log on $int_if inet proto tcp from any to $Xbox360 port $Xlive_tcp keep state tagged XBOX360
pass in log on $int_if inet proto udp  from $Xbox360 to any port $Xlive_udp keep state
pass in log on $int_if inet proto tcp  from $Xbox360 to any port $Xlive_tcp keep state
block in quick on $int_if inet proto igmp all
pass quick on { $ext_if $int_if } inet proto tcp from any port 67:68 to any port 67:68 keep state flags S/SA
pass quick on { $int_if $ext_if } inet proto udp from any port 67:68 to any port 67:68 keep state



#pass in  on $air_if from $air_if:network to any keep state
#pass out on $air_if from any to $air_if:network keep state

pass inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp,icmp } all keep state

pass in  from $lan_net to $lan_net keep state
pass out from $lan_net to $lan_net keep state
pass out from any to any keep state
```

Here is `ifconfig`:


```
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether c8:60:00:df:fb:f1
        inet 72.39.11.123 netmask 0xffffe000 broadcast 255.255.255.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
        ether 00:50:ba:68:e2:cf
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::250:baff:fe68:e2cf%vr0 prefixlen 64 scopeid 0x7
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether 1c:7e:e5:23:6e:11
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 1c:7e:e5:23:6e:11
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::1e7e:e5ff:fe23:6e11%wlan0 prefixlen 64 scopeid 0xb
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
        ssid freebsd channel 1 (2412 MHz 11g) bssid 1c:7e:e5:23:6e:11
        regdomain FCC indoor ecm authmode WPA privacy MIXED deftxkey 2
        TKIP 2:128-bit TKIP 3:128-bit txpower 27 scanvalid 60 protmode CTS wme
        burst dtimperiod 1 -dfs
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33200
        nd6 options=9<PERFORMNUD,IFDISABLED>
```

Here is the output of `tcpdump -n -e -ttt -v -i pflog0`.

The wireless client is 192.168.2.5.


```
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
00:00:00.000000 rule 80..16777216/0(match): pass in on wlan0: (tos 0x0, ttl 1, id 22924, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    192.168.2.5 > 224.0.0.2: igmp leave 224.0.0.251
00:00:00.000008 rule 80..16777216/8(ip-option): pass in on wlan0: (tos 0x0, ttl 1, id 22924, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    192.168.2.5 > 224.0.0.2: igmp leave 224.0.0.251
00:00:00.000318 rule 80..16777216/0(match): pass in on wlan0: (tos 0x0, ttl 1, id 65070, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    192.168.2.5 > 224.0.0.251: igmp v2 report 224.0.0.251
00:00:00.000005 rule 80..16777216/8(ip-option): pass in on wlan0: (tos 0x0, ttl 1, id 65070, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    192.168.2.5 > 224.0.0.251: igmp v2 report 224.0.0.251
```


----------



## junovitch@ (Mar 28, 2014)

I've made a bunch of changes.  Namely, you are allowing anything from your wlan0 interface and your nat rules are all weird.  I've combined the nat rules into one.  Your redirection rules are odd too; I don't think any of them are even needed, since it's your Xbox that would log in to a server and then PF's stateful connection tracking would take it from there.  You should never have random connections coming in to talk to your Xbox.  Any comments I've made have 5 comment markers before them.  Remember, easy-to-understand rules are easy-to-secure rules.


```
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
# interfaces
##### combine wlan0 and vr0 into a macro
ext_if  = "re0"
int_if  = "{" wlan0, vr0 "}"

#protocol
icmp_types = "{ echoreq, unreach }"

#hosts
Xbox360 = "192.168.1.105"
webserver = "192.168.1.100"
shoutcast = "192.168.1.100"
laptop = "192.168.1.117"

#ports
#Xlive_udp = "{ 1:65535 }"
#Xlive_tcp = "{ 1:65535 }"
Xlive_udp = "{ 3074, 3075, 80, 53, 443, 88, 1863, 1024:65535 }"
Xlive_tcp = "{ 3074, 3075, 80, 53, 443, 88, 1863, 1024:65535 }"
#Xlive_tcp = "{ 3074, 53 }"
#Xlive_udp = "{ 3074, 53, 88 }"
#ssh_port = "{ 1970 }"
webserver_port = "{ 80 }"
shoutcast_ports = "{ 8000, 8001, 8010 }"
laptop_port = "{ 26000 }"

#nets
##### Change to table lookup for speed: http://www.openbsd.org/faq/pf/tables.html
table <lan_net> { 192.168.1.0/24 }
table <priv_nets> { 127.0.0.0/8, \
                    192.168.0.0/16, \
                    172.16.0.0/12, \
                    10.0.0.0/8 }

# config
#------------------------------------------------------------------------
# options
#------------------------------------------------------------------------
# config
set block-policy drop
set loginterface $ext_if
set skip on lo0
set optimization conservative

# scrub
#scrub all reassemble tcp no-df
#scrub in all fragment reassemble
#scrub in all
##### How about all scrub options on anything to/from the WAN?
scrub on $ext_if all no-df random-id reassemble tcp fragment reassemble

#------------------------------------------------------------------------
# redirection (and nat, too!)
#------------------------------------------------------------------------
# network address translation
##### Combine nat rules
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
##### This rule will never match, nothing should enter your external interface from the address of your xbox
#nat on $ext_if from $Xbox360 to any -> ($ext_if:0) static-port
##### This rule is pointless, just use the catch all above
#nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port $webserver_port -> $webserver
#rdr on $ext_if proto tcp from any to ($ext_if) port $ssh_port -> $ssh
rdr on $ext_if proto tcp from any to ($ext_if) port $laptop_port -> $laptop
rdr on $ext_if proto tcp from any to ($ext_if) port $shoutcast_ports -> $shoutcast
rdr on $ext_if proto udp from any to ($ext_if) port $shoutcast_ports -> $shoutcast
rdr on $ext_if inet proto udp from any to ($ext_if) port $Xlive_udp tag XBOX360 -> $Xbox360
rdr on $ext_if inet proto tcp from any to ($ext_if) port $Xlive_tcp tag XBOX360 -> $Xbox360


#------------------------------------------------------------------------
# firewall policy
#------------------------------------------------------------------------
# restrictive default rules
block log all
pass out keep state
##### remove, no point in calling out RFC1918 addresses that will never match, the 'block log all' above is enough
#block drop in log on $ext_if from $priv_nets to any
#block drop out log on $ext_if from any to $priv_nets

# anti spoofing
antispoof for { $int_if, $ext_if }

pass proto tcp from any to $laptop port $laptop_port
pass proto tcp from any to $webserver port $webserver_port
#pass log proto tcp from any to $ssh port $ssh_port
##### combine shoutcast
pass proto { tcp, udp } from any to $shoutcast port $shoutcast_ports
pass in log on $ext_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass in log on $ext_if inet proto tcp from any to $Xbox360 port $Xlive_tcp keep state tagged XBOX360
pass out log on $int_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass out log on $int_if inet proto tcp from any to $Xbox360 port $Xlive_tcp keep state tagged XBOX360
pass in log on $int_if inet proto udp  from $Xbox360 to any port $Xlive_udp keep state
pass in log on $int_if inet proto tcp  from $Xbox360 to any port $Xlive_tcp keep state
block in quick on $int_if inet proto igmp all
pass quick on { $ext_if $int_if } inet proto tcp from any port 67:68 to any port 67:68 keep state flags S/SA
pass quick on { $int_if $ext_if } inet proto udp from any port 67:68 to any port 67:68 keep state


pass inet proto icmp all icmp-type $icmp_types keep state

##### simplify this one a bit
#pass in  on $int_if from $int_if:network to any keep state
pass in on $inf_if
##### by default you pass out keep state at the top, no need for this
#pass out on $int_if from any to $int_if:network keep state
##### This would be fine, it would be the last match for outbound tcp and use modulate state
pass out on $ext_if proto tcp all modulate state flags S/SA
##### by default you pass out keep state at the top, no need for this
#pass out on $ext_if proto { udp,icmp } all keep state
##### No need for this with just passing in on your internal interface above
#pass in  from $lan_net to $lan_net keep state
##### by default you pass out keep state at the top, no need for this
#pass out from $lan_net to $lan_net keep state
##### Last rule matches in PF.  This effectively overrides all your pass out rules above.
#pass out from any to any keep state
```
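To make the two points in the post above concrete (nat rules are first-match, filter rules are last-match unless `quick`, and the original ruleset never covered wlan0), here is an added example that is not part of the thread: a small Python model of those evaluation orders, run over simplified versions of both rulesets. It keeps the thread's interface names and addresses, ignores protocol and port matching, and uses constructed client packets; it is a teaching model, not pf itself.

```python
import ipaddress as ipa

# Added example, not pf itself: a model of the two evaluation orders that
# explain this thread. nat rules are first-match; filter rules are last-match
# unless the matching rule says 'quick'. Addresses and interface names come
# from the rc.conf and ifconfig output above; rulesets are simplified to the
# rules that decide the wireless case (no protocol/port matching).
EXT_ADDR = "72.39.11.123"   # re0's address from the ifconfig output
ANY = "0.0.0.0/0"
LAN = "192.168.1.0/24"

def in_net(addr, net):
    return ipa.ip_address(addr) in ipa.ip_network(net)

def nat_applies(nat_rules, src):
    """nat rules: (negate_source, source_network); first match wins."""
    return any(in_net(src, net) != negate for negate, net in nat_rules)

def filter_verdict(rules, pkt):
    """rules: (action, quick, dir, ifaces, src_net, dst_net) in pf.conf order.
    Returns (action, index of the deciding rule) with last-match semantics."""
    winner = ("pass", None)             # pf passes when no rule matches at all
    for i, (action, quick, direction, ifaces, src, dst) in enumerate(rules):
        if direction != "any" and direction != pkt["dir"]:
            continue
        if ifaces != "any" and pkt["if"] not in ifaces:
            continue
        if not (in_net(pkt["src"], src) and in_net(pkt["dst"], dst)):
            continue
        winner = (action, i)
        if quick:
            break
    return winner

# Original post: nat only for vr0's network, and 'pass in' only on vr0.
ORIG_NAT = [(False, LAN), (False, "192.168.1.105/32"), (False, LAN)]
ORIG_FILTER = [
    ("block", False, "any", "any", ANY, ANY),           # block log all
    ("pass", False, "out", "any", ANY, ANY),            # pass out keep state
    ("pass", False, "in", ("vr0",), LAN, ANY),          # pass in on $int_if from $int_if:network
    ("pass", False, "in", "any", LAN, LAN),             # pass in from $lan_net to $lan_net
    ("pass", False, "out", "any", ANY, ANY),            # pass out from any to any (overrides above)
]
# Revised post: one nat rule for anything not sourced from re0's own address,
# and $int_if covering both wlan0 and vr0.
FIXED_NAT = [(True, EXT_ADDR + "/32")]
FIXED_FILTER = [
    ("block", False, "any", "any", ANY, ANY),
    ("pass", False, "out", "any", ANY, ANY),
    ("pass", False, "in", ("wlan0", "vr0"), ANY, ANY),  # pass in on $int_if
]
# Constructed packets: the thread's wireless client and a wired host, both to a public address.
WIFI = {"dir": "in", "if": "wlan0", "src": "192.168.2.5", "dst": "198.51.100.10"}
WIRED = {"dir": "in", "if": "vr0", "src": "192.168.1.117", "dst": "198.51.100.10"}
```

Under the original ruleset the wireless client is neither passed in nor translated, which is exactly the symptom reported (associates, but no internet); under the revised one both clients pass and both get NAT.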


----------



## IOX123 (Mar 28, 2014)

Oh wow, thanks!

I'll try them now and let you know.


----------



## IOX123 (Mar 28, 2014)

Getting some errors.

Output of `pfctl -f /etc/pf.conf`:


```
No ALTQ support in kernel
ALTQ related functions disabled
/etc/pf.conf:7: syntax error
/etc/pf.conf:85: macro 'int_if' not defined
/etc/pf.conf:85: syntax error
/etc/pf.conf:94: macro 'int_if' not defined
/etc/pf.conf:94: syntax error
/etc/pf.conf:95: macro 'int_if' not defined
/etc/pf.conf:96: macro 'int_if' not defined
/etc/pf.conf:97: macro 'int_if' not defined
/etc/pf.conf:98: macro 'int_if' not defined
/etc/pf.conf:99: macro 'int_if' not defined
/etc/pf.conf:100: macro 'int_if' not defined
/etc/pf.conf:107: macro 'inf_if' not defined
/etc/pf.conf:107: syntax error
pfctl: Syntax error in config file: pf rules not loaded
```


----------



## junovitch@ (Mar 28, 2014)

Shoot, sorry.  Remove the comma in line 7.  It should be:

```
int_if  = "{" wlan0 vr0 "}"
```

Line 85:

```
antispoof for $int_if
antispoof for $ext_if
```

Line 107 is misspelled. Change `inf_if` to `int_if`.


----------



## IOX123 (Mar 28, 2014)

Works, thank you.


----------



## junovitch@ (Mar 28, 2014)

Good deal.  Here are a few good sites I've referenced in the past for rule examples:  http://daemon-notes.com/articles/network/pf and https://calomel.org/pf_config.html.  Besides the pf.conf() man page, they provide some very useful information on how to write your rules.


----------



## IOX123 (Mar 28, 2014)

OK, thanks, I'll check them out.


----------

