Re: problems with networking and route command
In freebsd-questions Digest, Vol 415, Issue 6, Message: 1 On Fri, 18 May 2012 08:07:16 -0400 David Banning david+dated+1337774837.907...@skytracker.ca wrote: It is machines that connect and receive via DHCP 192.168.1.2 and above that can't connect to the internet though the server. I don't know a whole lot about route - I have been attempting a variation of route commands without success. [Chuck Swiger wrote:] You need to implement NAT on this box, since 192.168.0.0/16 is an RFC-1918 unrouteable private network range. I previously connected to the internet using ppp with the -nat option and now my connection has changed - so that makes sense. So I implemented natd. Unfortunately natd does not work as yet. I followed the setup as laid out in man natd and also used the layout in; http://www.freebsddiary.org/ipfw.php I've since seen Derek's response in the archives (I get the digests) at http://lists.freebsd.org/pipermail/freebsd-questions/2012-May/241035.html and I agree that 1998 is far too old to be of much use. I differ however about advisability of referring to the Handbook IPFW page, which frankly sucks - the only section of the Handbook that does, that I know of; you will find ipfw(8) and /etc/rc.firewall to be much better friends. Here is my natd setup 1. Compiled IPFIREWALL IPDIVERT into my kernel - went fine. Didn't need to, both will load from modules from the /etc/rc.d scripts. Many these days prefer to use in-kernel NAT (firewall_nat_enable=YES) instead, but natd still works as ever; you can always switch later. Here is my rc.conf network related entries; natd_enable=YES natd_interface=rl0 natd_flags=-f /etc/natd.conf gateway_enable=YES ifconfig_rl0=inet 64.40.244.36 netmask 255.255.255.240 defaultrouter=64.40.244.33 ifconfig_vr0=DHCP ifconfig_vr0=up ifconfig_vr0=inet 192.168.1.1 Only the last ifconfig_vr0 counts, but that's ok, DHCP is for clients, not where vr0 gets its address from, right? Ah, you fix that below .. network_interfaces=rl0 vr0 lo0 ifconfig_lo0=inet 127.0.0.1 firewall_enable=YES firewall_script=/etc/firewall.rules firewall_type=simple firewall_logging=YES firewall_type only applies where firewall_script=/etc/rc.firewall, however that would be ignored by your custom /etc/firewall.rules. dhcpd_ifaces=vr0 dhcpd_enable=YES My firewall rules; ipfw add 64000 allow ip from any to any ipfw add divert natd all from any to any via rl0 ipfw add allow tcp from any to 192.168.2.1 139 ipfw add allow tcp from any to 192.168.1.1 139 That won't work; after specifying the current rule as 64000, subsequent unnumbered rules will be placed at 64100, 64200 etc - so they will never be reached. If you put that 'allow all' at the end that would work, although a default policy of 'deny all' is very much safer. ipfw add 6000 deny tcp from any to 64.40.244.36 139 ipfw add 6010 deny tcp from any to 64.40.244.36 445 These two will now be the first rules encountered, being so numbered. You'll also want to deny an awful lot more than NETBIOS packets to your outside address, see below. ipfw add deny tcp from any to any 139 And that will go at the end, again after everything has been allowed. Always use 'ipfw list' or 'ipfw show' to check your running ruleset. I would seriously advise you to consider using the rc.firewall 'simple' ruleset, at least as a basis, for a setup like yours. It's designed specifically to protect small networks, and particularly to place the NAT rules in just the right place between inbound and outbound anti- spoofing rules. See /etc/defaults/rc.conf for the variables you can set that should work more or less out of the box, though you may want to modify rc.firewall (or better, a copy of it, say rc.myfirewall) if you need to any add particular rules for specific services you need. It will also protect your IPv6 network, if that's relevant to you. My /etc/natd.conf; interface rl0 use_sockets yes same_ports yes Should be ok. You already have natd_interface=rl0 in rc.conf. Consider 'unregistered_only yes', particularly if not using the anti-spoofing rules provided in rc.firewall 'simple'. My /etc/services includes the line; natd 8668/divert # Network Address Translation socket Output of ifconfig; # ifconfig fwe0: flags=8802BROADCAST,SIMPLEX,MULTICAST mtu 1500 ether 02:11:d8:b3:0e:43 ch 1 dma -1 vr0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255 inet6 fe80::16d6:4dff:fe47:88ae%vr0 prefixlen 64 scopeid 0x2 ether 14:d6:4d:47:88:ae media: Ethernet autoselect (100baseTX full-duplex) status: active rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet 64.40.244.36 netmask 0xfff0 broadcast 64.40.244.47 inet6
Re: problems with networking and route command
At 07:07 AM 5/18/2012, David Banning wrote: It is machines that connect and receive via DHCP 192.168.1.2 and above that can't connect to the internet though the server. I don't know a whole lot about route - I have been attempting a variation of route commands without success. You need to implement NAT on this box, since 192.168.0.0/16 is an RFC-1918 unrouteable private network range. I previously connected to the internet using ppp with the -nat option and now my connection has changed - so that makes sense. So I implemented natd. Unfortunately natd does not work as yet. I followed the setup as laid out in man natd and also used the layout in; http://www.freebsddiary.org/ipfw.php Here is my natd setup 1. Compiled IPFIREWALL IPDIVERT into my kernel - went fine. Here is my rc.conf network related entries; natd_enable=YES natd_interface=rl0 natd_flags=-f /etc/natd.conf gateway_enable=YES ifconfig_rl0=inet 64.40.244.36 netmask 255.255.255.240 defaultrouter=64.40.244.33 ifconfig_vr0=DHCP ifconfig_vr0=up ifconfig_vr0=inet 192.168.1.1 network_interfaces=rl0 vr0 lo0 ifconfig_lo0=inet 127.0.0.1 firewall_enable=YES firewall_script=/etc/firewall.rules firewall_type=simple firewall_logging=YES dhcpd_ifaces=vr0 dhcpd_enable=YES My firewall rules; ipfw add 64000 allow ip from any to any ipfw add divert natd all from any to any via rl0 ipfw add allow tcp from any to 192.168.2.1 139 ipfw add allow tcp from any to 192.168.1.1 139 ipfw add 6000 deny tcp from any to 64.40.244.36 139 ipfw add 6010 deny tcp from any to 64.40.244.36 445 ipfw add deny tcp from any to any 139 My /etc/natd.conf; interface rl0 use_sockets yes same_ports yes My /etc/services includes the line; natd 8668/divert # Network Address Translation socket Output of ifconfig; # ifconfig fwe0: flags=8802BROADCAST,SIMPLEX,MULTICAST mtu 1500 ether 02:11:d8:b3:0e:43 ch 1 dma -1 vr0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255 inet6 fe80::16d6:4dff:fe47:88ae%vr0 prefixlen 64 scopeid 0x2 ether 14:d6:4d:47:88:ae media: Ethernet autoselect (100baseTX full-duplex) status: active rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet 64.40.244.36 netmask 0xfff0 broadcast 64.40.244.47 inet6 fe80::211:95ff:fe66:7162%rl0 prefixlen 64 scopeid 0x3 ether 00:11:95:66:71:62 media: Ethernet autoselect (100baseTX full-duplex) status: active lp0: flags=8810POINTOPOINT,SIMPLEX,MULTICAST mtu 1500 lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 inet 127.0.0.1 netmask 0xff00 ppp0: flags=8010POINTOPOINT,MULTICAST mtu 1500 sl0: flags=c010POINTOPOINT,LINK2,MULTICAST mtu 552 faith0: flags=8002BROADCAST,MULTICAST mtu 1500 From my initial communication I have swapped the uses of the two network cards - which explains the reversal of entries for devices vr0 and rl0. Still I have server connection to the internet on rl0 and server connection to the network on vr0 - but the network cannot connect to the internet via rl0. If there are any commands that would help collect information leading to the answer I would appreciate any feedback. Try using the examples here: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html That freebsddiary article is very old, and many versions ago. Essentially you need to forward the packets from your NAT'd private interface over to the interface on the internet. You can try this using an open firewall, sending all packets to test the setup. Then add rules to lock it down to only the ports you want to allow. -Derek -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: problems with networking and route command
It is machines that connect and receive via DHCP 192.168.1.2 and above that can't connect to the internet though the server. I don't know a whole lot about route - I have been attempting a variation of route commands without success. You need to implement NAT on this box, since 192.168.0.0/16 is an RFC-1918 unrouteable private network range. I previously connected to the internet using ppp with the -nat option and now my connection has changed - so that makes sense. So I implemented natd. Unfortunately natd does not work as yet. I followed the setup as laid out in man natd and also used the layout in; http://www.freebsddiary.org/ipfw.php Here is my natd setup 1. Compiled IPFIREWALL IPDIVERT into my kernel - went fine. Here is my rc.conf network related entries; natd_enable=YES natd_interface=rl0 natd_flags=-f /etc/natd.conf gateway_enable=YES ifconfig_rl0=inet 64.40.244.36 netmask 255.255.255.240 defaultrouter=64.40.244.33 ifconfig_vr0=DHCP ifconfig_vr0=up ifconfig_vr0=inet 192.168.1.1 network_interfaces=rl0 vr0 lo0 ifconfig_lo0=inet 127.0.0.1 firewall_enable=YES firewall_script=/etc/firewall.rules firewall_type=simple firewall_logging=YES dhcpd_ifaces=vr0 dhcpd_enable=YES My firewall rules; ipfw add 64000 allow ip from any to any ipfw add divert natd all from any to any via rl0 ipfw add allow tcp from any to 192.168.2.1 139 ipfw add allow tcp from any to 192.168.1.1 139 ipfw add 6000 deny tcp from any to 64.40.244.36 139 ipfw add 6010 deny tcp from any to 64.40.244.36 445 ipfw add deny tcp from any to any 139 My /etc/natd.conf; interface rl0 use_sockets yes same_ports yes My /etc/services includes the line; natd 8668/divert # Network Address Translation socket Output of ifconfig; # ifconfig fwe0: flags=8802BROADCAST,SIMPLEX,MULTICAST mtu 1500 ether 02:11:d8:b3:0e:43 ch 1 dma -1 vr0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255 inet6 fe80::16d6:4dff:fe47:88ae%vr0 prefixlen 64 scopeid 0x2 ether 14:d6:4d:47:88:ae media: Ethernet autoselect (100baseTX full-duplex) status: active rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet 64.40.244.36 netmask 0xfff0 broadcast 64.40.244.47 inet6 fe80::211:95ff:fe66:7162%rl0 prefixlen 64 scopeid 0x3 ether 00:11:95:66:71:62 media: Ethernet autoselect (100baseTX full-duplex) status: active lp0: flags=8810POINTOPOINT,SIMPLEX,MULTICAST mtu 1500 lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 inet 127.0.0.1 netmask 0xff00 ppp0: flags=8010POINTOPOINT,MULTICAST mtu 1500 sl0: flags=c010POINTOPOINT,LINK2,MULTICAST mtu 552 faith0: flags=8002BROADCAST,MULTICAST mtu 1500 From my initial communication I have swapped the uses of the two network cards - which explains the reversal of entries for devices vr0 and rl0. Still I have server connection to the internet on rl0 and server connection to the network on vr0 - but the network cannot connect to the internet via rl0. If there are any commands that would help collect information leading to the answer I would appreciate any feedback. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
problems with networking and route command
I am having a problem getting users who get their dhcp from my system to be able to connect to the internet. On one network interface my server can connect to the internet no problem - that's device vr0. On another, rl0 - I have a connection to the local network - no problem connecting to local machines from the server. The problem is that the local machines cannot access the internet through the FreeBSD server. Here is the output of ifconfig; fwe0: flags=8802BROADCAST,SIMPLEX,MULTICAST mtu 1500 ether 02:11:d8:b3:0e:43 ch 1 dma -1 vr0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet 64.40.244.36 netmask 0xfff0 broadcast 64.40.244.47 inet6 fe80::16d6:4dff:fe47:88ae%vr0 prefixlen 64 scopeid 0x2 ether 14:d6:4d:47:88:ae media: Ethernet autoselect (100baseTX full-duplex) status: active rl0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST mtu 1500 inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255 inet6 fe80::211:95ff:fe66:7162%rl0 prefixlen 64 scopeid 0x3 ether 00:11:95:66:71:62 media: Ethernet autoselect (100baseTX full-duplex) status: active lp0: flags=8810POINTOPOINT,SIMPLEX,MULTICAST mtu 1500 lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 16384 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 inet 127.0.0.1 netmask 0xff00 ppp0: flags=8010POINTOPOINT,MULTICAST mtu 1500 sl0: flags=c010POINTOPOINT,LINK2,MULTICAST mtu 552 faith0: flags=8002BROADCAST,MULTICAST mtu 1500 And here is the ipv4 part output of netstat -nr # netstat -nr Routing tables Internet: DestinationGatewayFlagsRefs Use Netif Expire default64.40.244.33 UGSc8 2365vr0 64.40.244.32/28link#2 UC 10vr0 64.40.244.33 00:0c:42:07:26:35 UHLW90vr0 1187 127.0.0.1 127.0.0.1 UH 761626lo0 192.168.1 link#3 UC 40rl0 192.168.1.16 link#3 UHLW2 2032rl0 192.168.1.40 00:1b:78:e6:c3:cc UHLW0 31rl0 1189 192.168.1.101 00:07:e9:b9:50:98 UHLW412526rl0 1193 192.168.1.255 ff:ff:ff:ff:ff:ff UHLWb 3 330rl0 It is machines that connect and receive via DHCP 192.168.1.2 and above that can't connect to the internet though the server. I don't know a whole lot about route - I have been attempting a variation of route commands without success. If anyone by looking at my information can suggest a route command, or suggest a way to dig for more information on this it would be greatly appreciated. lot about this ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: problems with networking and route command
Hi-- On May 16, 2012, at 1:08 PM, David Banning wrote: [ ... ] It is machines that connect and receive via DHCP 192.168.1.2 and above that can't connect to the internet though the server. I don't know a whole lot about route - I have been attempting a variation of route commands without success. You need to implement NAT on this box, since 192.168.0.0/16 is an RFC-1918 unrouteable private network range. Regards, -- -Chuck ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
