# Gateway to router connection



## mefizto (Sep 2, 2011)

Greetings all,

I have been building a FreeBSD pf based firewall.  The FreeBSD box has an Internet facing interface ext_if, with IP address assigned by DHCP from the IPS provider, and a internal local network facing interface int_if with IP address 192.168.0.1.

For testing purposes, I connected a computer with IP address in the range of 198.168.0.2 - 254, and the firewall appears to work as intended.

The question is, how do I connect a plurality of devices, i.e., computers, printers, backup servers, and the like to the int_if, and still be able to control the access to and among the devices from the FreeBSD box.

My initial attempt was to use a a switch/router (AirLink 101), with the switch/router WAN interface set to IP address in the range of 192.168.0.xxx, e.g., 192.168.0.5 and the LAN interface with IP addresses 192.168.1.xxx.  However, the problem, as I see it is, that all the LAN IP addresses 192.168.1.xxx will be translated to 192.168.0.5 and presented to the int_if.  Therefore, the FreeBSD box cannot do any processing to control the access to and among the devices, because it does not have any concept of the IP addresses of the range 192.168.1.xxx.

Am I missing something due to my inexperience, or do I need a different device instead of the switch/router?

Any insight would be greatly appreciated.

Kindest regards,

M


----------



## SirDice (Sep 2, 2011)

Simplest solution is to block _all_ access to the outside and force people through a proxy server. You can add authentication and authorization to the proxy which would allow you to control who has internet access.


----------



## mefizto (Sep 2, 2011)

SirDice,

first, thank you for the answer, however, the suggestion at this stage of my knowledge is beyond my comprehension.  I need to take small steps to learn how the networking works.

Second, the packets would still need to pass through the NAT on the switch, which is a problem in my current understanding.

So if you could address my immediate issue, I would really appreciate it.  I had found


```
http://www.freebsd.org/doc/handbook/network-routing.html
```

but the example does not work for me.

Kindest regards,

M


----------



## SirDice (Sep 2, 2011)

You don't need NAT if you have a proxy running on the box. Clients connect to the proxy and the proxy will make a connection to a website. Since the proxy runs on the box connected to the internet there's no need for NAT.

But a plain simple NAT setup for PF will look something like this:

```
ext_if="rl1"
int_if="rl0"
internal_net="192.168.0.0/24"

nat on $ext_if from $internal_net to any -> ($ext_if)

set skip on lo0

block all

pass in on $int_if from $internal_net to any keep state
```


----------



## kpa (Sep 2, 2011)

You need a simple switch and/or a wireless access point. If that airlink router is all you have and you don't want to spend money on additional hardware you can try this setup with it:

http://doc.pfsense.org/index.php/Use_an_existing_wireless_router_with_pfSense

Replace any mention of pfSense with router (the one you are now setting up with FreeBSD as the OS).


----------



## mefizto (Sep 2, 2011)

SirDice,

thank you for your reply, but I am afraid that we miscommunicate.  I DO know, how to do the NAT, my pf.conf looks - apart of a naming convention and interfaces - exactly as you described.  As noted, it works with a single computer connected to int_if.

However, the question is, what device I need to connect to the int_if, which will enable to connect plurality of peripherals through the device.

Could you point me to some references describing your suggested solution with the proxy server?

kpa,

thank you for your reply.  What constitutes a "simple switch"?  I have no problem to buy such a device, I just do not know what I need and how it avoids the double NAT?

Kindest regards,

M


----------



## Eldiemo (Sep 2, 2011)

Just add a switch to your int-if and you can connect all devices you like.
Make sure it's a switch without router function so you don't need to worry about the double NAT


----------



## mefizto (Sep 3, 2011)

Many thanks to everybody who responded, problem solved.

Kindest regards,

M


----------

