Re: NAT, VPN and other SOHO router advice
> Given what you've said, you should set up the FreeBSD machine as a
> bridge rather than a router.

Having now read the manpage for bridge(4) and if_bridge(4), I am not certain that this is going to achieve what I want to achieve. I'm told by the FreeBSD HB that "The consensus is that assigning both cards an address is a bad idea." Since I want rl1 to have a public IP block and rl0 to have a private IP, I assume this isn't going to work.

So, router it is.

Now, for this VPN. I reckon my best bet is to run the PPTP client from the BSD box, no?

Regards,
Nick

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: NAT, VPN and other SOHO router advice
Nick Stenning wrote:
>> Given what you've said, you should set up the FreeBSD machine as a
>> bridge rather than a router.
>
> Having now read the manpage for bridge(4) and if_bridge(4), I am not
> certain that this is going to achieve what I want to achieve. I'm told
> by the FreeBSD HB that "The consensus is that assigning both cards an
> address is a bad idea." Since I want rl1 to have a public IP block and
> rl0 to have a private IP, I assume this isn't going to work.
>
> So, router it is.

In which case, your Vigor 2600's internal interface and your FreeBSD box would need to be using public IPs, which means you can't use the Vigor to do the NAT and VPN, which was also something you wanted.

> Now, for this VPN. I reckon my best bet is to run the PPTP client from
> the BSD box, no?

Yes. Have your ISP set up the Vigor's internal interface with a /30 subnet, or however many public IP's you've got, and then set up OpenVPN on the FreeBSD box, or whatever other VPN/PPTP software you'd like...

--
-Chuck
NAT, VPN and other SOHO router advice
Dear all,

I'm currently in the process of jiggling around my SOHO router and a FreeBSD box that I'd like to make more of a router. As it stands currently, the setup is something like this (I hope you're reading this in monospace or it's gonna be like reading a circuit diagram on a rollercoaster):

    [ASCII network diagram, flattened by extraction: "Ye bigge badde interweb" -> Vigor 2600 [10.0.0.2] -> switch -> "The LAN!" 10.0.0.0/24, with the FreeBSD box's rl1 and rl0 [10.0.0.1] also shown and one cable marked **]

Now, the more experienced of you will immediately notice something is wrong ... yes, that's right, the cable marked with the ** shouldn't really be there. In fact, my syslog really wants me to know that something's wrong:

    Apr 6 19:04:22 phoenix kernel: arp: 10.0.0.2 is on rl0 but got reply from 00:53:7f:74:f4:f3 on rl1

Now, I'm well aware of why that's happening, and I mostly know how to fix it, but I need a little help with a few remaining issues.

First, NAT'ing. Currently the Vigor router (10.0.0.2) is the default router for the network, as specified by the FBSD box's DHCP server. If I disconnect the cable I want to disconnect, however, obviously the FBSD box will have to be the router. Now, I've recompiled my kernel with all the relevant options, and I've got an extensive firewall script (ipfw). I've also got the following in my rc.conf:

    firewall_enable=YES
    firewall_script=/etc/ipfw.rules
    firewall_logging=YES
    natd_enable=YES
    natd_interface=rl1
    gateway_enable=YES

rl1, by the way, has a public IP block on it, and the Vigor router has one of these, let's call it xx.yy.zz.201. On the FBSD box (in rc.conf) we have:

    defaultrouter=xx.yy.zz.201
    ifconfig_rl0=inet 10.0.0.1 netmask 255.255.255.0
    ifconfig_rl1=inet xx.yy.zz.202 netmask 255.255.255.248
    ifconfig_rl1_alias0=xx.yy.zz.203/29
    ...

So, really, the question for this bit of the email is .. what else do I need to get my FBSD box acting as a router for the machines on the LAN? .. I assume I'd need an IPFW divert rule to set up all the NATing, but I'm unsure what that should be, and whether it would come before or after all the protective stuff in the firewall script etc etc.

--

The second part of the question is perhaps slightly more complex. The Vigor router has set up on it a LAN-to-LAN PPTP VPN (enough acronyms for you?) to an office elsewhere. As it stands currently, machines on the LAN can access (ping/SMB shares) a class C subnet, 192.168.1.0/24, via this VPN connection on the Vigor router. Also, machines at the other end of the VPN, in the office, can access machines at this end of the VPN, on the LAN (the other class C: 10.0.0.0/24).

The question is, what IPFW divert rules and other whizbangery do I need to set up so that I can disconnect that cable marked ** and have all the VPN stuff keep working? If at all possible, I'd rather not move the management of the VPN onto the FBSD box.

--

OK. So that's that. I appreciate any and all responses, and if anyone needs any more information I will be happy to provide it ... so long as it's not my root password ... actually, come to think of it, that wouldn't help unless you were sitting next to me, but never mind...

Regards,
Nick Stenning
Re: NAT, VPN and other SOHO router advice
On Thu, 6 Apr 2006, Nick Stenning wrote:
[snip]
> First, NAT'ing. Currently the Vigor router (10.0.0.2) is the default
> router for the network, as specified by the FBSD box's DHCP server. If I
> disconnect the cable I want to disconnect, however, obviously the FBSD
> box will have to be the router. Now, I've recompiled my kernel with all
> the relevant options, and I've got an extensive firewall script (ipfw).
> I've also got the following in my rc.conf:
>
>     firewall_enable=YES
>     firewall_script=/etc/ipfw.rules
>     firewall_logging=YES
>     natd_enable=YES
>     natd_interface=rl1
>     gateway_enable=YES
>
> rl1, by the way, has a public IP block on it, and the vigor router has
> one of these, let's call it xx.yy.zz.201. On the FBSD box (in rc.conf)
> we have:
>
>     defaultrouter=xx.yy.zz.201
>     ifconfig_rl0=inet 10.0.0.1 netmask 255.255.255.0
>     ifconfig_rl1=inet xx.yy.zz.202 netmask 255.255.255.248
>     ifconfig_rl1_alias0=xx.yy.zz.203/29
>     ...
>
> So, really, the question for this bit of the email is .. what else do I
> need to get my FBSD box acting as a router for the machines on the LAN?
> .. I assume I'd need an IPFW divert rule to set up all the NATing, but
> I'm unsure what that should be, and whether it would come before or
> after all the protective stuff in the firewall script etc etc.

Hi Nick,

It looks to me like you are on the right track. The only other option that I have in my rc.conf is:

    natd_flags=-config /etc/natd.conf

This forces natd to read my configuration file. I think in normal operations, natd will pretty much do the right thing, but you might want to customize yours like I have mine. Here are some statements that I have in my natd.conf:

    dynamic yes
    use_sockets yes
    same_ports yes
    log no
    log_denied yes
    log_ipfw_denied yes

In terms of the divert rule, mine looks like this:

    /sbin/ipfw add 50 divert natd all from any to any via fxp0

You'll want to replace 'fxp0' with your external interface, in this case, 'rl1'.

On FreeBSD 6, the /etc/rc.firewall script will automatically add the proper divert rule if you set the firewall_type to be either open or client in rc.conf.

Good luck,
-Andy Reitz.
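Nick's open point is where the divert rule goes relative to the protective rules. The following is an added, illustrative /etc/ipfw.rules for the layout in this thread (rl1 public, rl0 = 10.0.0.1/24); it is not Andy's or Nick's script, and the rule numbers, the exposed SSH rule and the IPFW dry-run variable are assumptions of this example.

```shell
#!/bin/sh
# Illustrative firewall_script for the thread's layout: rl1 public (/29),
# rl0 LAN side 10.0.0.1/24. Rule numbers and the exposed SSH rule are
# assumptions. Set IPFW=echo to print the ruleset instead of loading it.
IPFW=${IPFW:-"/sbin/ipfw -q"}
EXT=rl1
INT=rl0
LAN=10.0.0.0/24

build_rules() {
    $IPFW flush
    # 1. NAT comes first. Inbound packets on rl1 are translated back to their
    #    LAN destination before any filter rule sees them; outbound packets
    #    already carry the public source when they reach the filters.
    $IPFW add 50 divert natd ip from any to any via $EXT
    # 2. Loopback and anti-spoofing. (A broader RFC1918 block on rl1 would have
    #    to exclude the office's 192.168.1.0/24 arriving via the Vigor's VPN.)
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 120 deny ip from 127.0.0.0/8 to any
    $IPFW add 130 deny ip from $LAN to any in via $EXT      # our LAN range from outside
    # 3. The LAN side is trusted; anything may leave via rl1.
    $IPFW add 200 allow ip from any to any via $INT
    $IPFW add 210 allow ip from any to any out via $EXT
    # 4. Replies coming back in. Stateless on purpose: with the single divert
    #    rule at 50, a keep-state entry created on the way out would hold the
    #    translated public source, and the reply (de-translated by rule 50
    #    before check-state) would not match it.
    $IPFW add 300 allow tcp from any to any in via $EXT established
    $IPFW add 310 allow udp from any 53 to any in via $EXT      # DNS answers
    $IPFW add 320 allow icmp from any to any in via $EXT icmptypes 0,3,11
    $IPFW add 330 allow ip from any to any in via $EXT frag
    # 5. Services deliberately exposed on the public block (example: SSH to the box).
    $IPFW add 400 allow tcp from any to me 22 in via $EXT setup
    # 6. Everything else arriving on rl1 is logged (firewall_logging=YES) and dropped.
    $IPFW add 65000 deny log ip from any to any in via $EXT
}

# Load the rules only where ipfw exists (rc.d runs this script at boot);
# elsewhere just define build_rules so it can be dry-run with IPFW=echo.
if [ -x /sbin/ipfw ]; then
    build_rules
fi
```

Running `IPFW=echo sh /etc/ipfw.rules` on the FreeBSD box prints the rules in load order without touching the live ruleset.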
Re: NAT, VPN and other SOHO router advice
Nick Stenning wrote:
[ ... ]
> The second part of the question is perhaps slightly more complex. The
> Vigor router has set up on it a LAN-to-LAN PPTP VPN (enough acronyms for
> you?) to an office elsewhere. As it stands currently, machines on the
> LAN can access (ping/SMB shares) a class C subnet, 192.168.1.0/24, via
> this VPN connection on the Vigor router. Also, machines at the other end
> of the VPN, in the office, can access machines at this end of the VPN,
> on the LAN (the other class C: 10.0.0.0/24).
>
> The question is, what IPFW divert rules and other whizbangery do I need
> to set up so that I can disconnect that cable marked ** and have all the
> VPN stuff keep working? If at all possible, I'd rather not move the
> management of the VPN onto the FBSD box.

Given what you've said, you should set up the FreeBSD machine as a bridge rather than a router.

It's possible to do other things, such as changing the NAT address range used by rl1 and your Vigor 2600, yet also set up NAT on the FreeBSD machine, including GRE passthrough and PPTP in /etc/natd.conf, but that would be evil, hard to debug, and otherwise tempting the fates. :-)

    # NATD configuration options
    dynamic yes
    interface rl1
    #log yes
    log_denied yes
    use_sockets yes
    same_ports yes
    unregistered_only yes
    #punch_fw 1:100
    redirect_proto gre 10.1.1.2
    redirect_port udp 10.1.1.2:500 500
    redirect_port udp 10.1.1.2:4500 4500
    redirect_port udp 10.1.1.2:62515 62515
    redirect_port tcp 10.1.1.2:1 1
    redirect_port tcp 10.1.1.2:pptp pptp
    # The above rules allow passthrough for the Cisco VPN software, and
    # should also work with SonicWall's VPN client.

OpenVPN uses just a single UDP port, and would be very easy to set up on FreeBSD if you liked.

--
-Chuck
Re: NAT, VPN and other SOHO router advice
On 4/6/06, Chuck Swiger [EMAIL PROTECTED] wrote:
> Given what you've said, you should set up the FreeBSD machine as a
> bridge rather than a router.
>
> It's possible to do other things, such as changing the NAT address
> range used by rl1 and your Vigor 2600, yet also set up NAT on the
> FreeBSD machine, including GRE passthrough and PPTP in /etc/natd.conf,
> but that would be evil, hard to debug, and otherwise tempting the
> fates. :-)
>
>     # NATD configuration options
>     dynamic yes
>     interface rl1
>     #log yes
>     log_denied yes
>     use_sockets yes
>     same_ports yes
>     unregistered_only yes
>     #punch_fw 1:100
>     redirect_proto gre 10.1.1.2
>     redirect_port udp 10.1.1.2:500 500
>     redirect_port udp 10.1.1.2:4500 4500
>     redirect_port udp 10.1.1.2:62515 62515
>     redirect_port tcp 10.1.1.2:1 1
>     redirect_port tcp 10.1.1.2:pptp pptp
>     # The above rules allow passthrough for the Cisco VPN software, and
>     # should also work with SonicWall's VPN client.
>
> OpenVPN uses just a single UDP port, and would be very easy to set up
> on FreeBSD if you liked.
>
> --
> -Chuck

Thanks to both of you for all your input .. it's a great help!

Chuck -- since you appear to have given me the config options for something that's "evil, hard to debug, and otherwise tempting the fates", would you mind explaining how to set up the FBSD box as a bridge? Or perhaps I'm missing something ... is that what that config is for?