From: "Nick Stenning" <nickstenning@gmail.com>
To: freebsd-questions@freebsd.org
Date: Thu, 6 Apr 2006 19:28:52 +0100
Subject: NAT, VPN and other SOHO router advice

Dear all,

I'm currently in the process of jiggling around my SOHO router and a FreeBSD box that I'd like to make more of a router.
As it stands currently, the setup is something like this (I hope you're reading this in monospace or it's gonna be like reading a circuit diagram on a rollercoaster):

        (  .......................  )
       (( Ye bigge badde interweb ))
        (  .......................  )
                    ||
                    ||
              +------------+
              | Vigor 2600 |  [10.0.0.2]
              +------------+
                 |    |
                 |    |  **                +------+
                 |    |                    |      |
             rl1 |    +--------------------| S    |-----...
              +-----+                      | W    |
              |  F  |                      | I    |-----...
              |  B  |                      | T    |-----...   The LAN!
              |  S  |         rl0          | C    |           [10.0.0.0/24]
              |  D  |----------------------| H    |-----...
              |     |                      |      |
              |     |                      |      |-----...
              +-----+                      +------+
             [10.0.0.1]

Now, the more experienced of you will immediately notice something is wrong ... yes, that's right, the cable marked with the ** shouldn't really be there. In fact, my syslog really wants me to know that something's wrong:

Apr 6 19:04:22 phoenix kernel: arp: 10.0.0.2 is on rl0 but got reply from 00:53:7f:74:f4:f3 on rl1

Now, I'm well aware of why that's happening, and I mostly know how to fix it, but I need a little help with a few remaining issues.

First, NAT'ing. Currently the Vigor router (10.0.0.2) is the default router for the network, as specified by the FBSD box's DHCP server. If I disconnect the cable I want to disconnect, however, obviously the FBSD box will have to be the router. Now, I've recompiled my kernel with all the relevant options, and I've got an extensive firewall script (ipfw). I've also got the following in my rc.conf:

firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
natd_enable="YES"
natd_interface="rl1"
gateway_enable="YES"

rl1, by the way, has a public IP block on it, and the Vigor router has one of these, let's call it xx.yy.zz.201. On the FBSD box (in rc.conf) we have:

defaultrouter="xx.yy.zz.201"
ifconfig_rl0="inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_rl1="inet xx.yy.zz.202 netmask 255.255.255.248"
ifconfig_rl1_alias0="xx.yy.zz.203/29"
...

So, really, the question for this bit of the email is .. what else do I need to get my FBSD box acting as a router for the machines on the LAN? .. I assume I'd need an IPFW divert rule to set up all the NATing, but I'm unsure what that should be, and whether it would come before or after all the protective stuff in the firewall script etc etc.

------

The second part of the question is perhaps slightly more complex. The Vigor router has set up on it a LAN-to-LAN PPTP VPN (enough acronyms for you?) to an office elsewhere. As it stands currently, machines on the LAN can access (ping/SMB shares) a class C subnet, 192.168.1.0/24, via this VPN connection on the Vigor router. Also, machines at the other end of the VPN, in the office, can access machines at this end of the VPN, on the LAN (the other class C: 10.0.0.0/24).

The question is, what IPFW divert rules and other whizbangery do I need to set up so that I can disconnect that cable marked ** and have all the VPN stuff keep working? If at all possible, I'd rather not move the management of the VPN onto the FBSD box.

------

OK. So that's that. I appreciate any and all responses, and if anyone needs any more information I will be happy to provide it ... so long as it's not my root password ... actually, come to think of it, that wouldn't help unless you were sitting next to me, but never mind...

Regards,
Nick Stenning
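Added below, as a worked example that is not part of Nick's message or of any list reply: an /etc/ipfw.rules script for the two-NIC setup described above, showing where the natd divert rules sit relative to the stateful filtering and how the 192.168.1.0/24 subnet behind the Vigor's PPTP VPN is kept out of NAT. The public /29 is written as 203.0.113.200/29 (a documentation prefix) in place of the xx.yy.zz the message redacts. It also assumes, which the page does not say, that the Vigor can be given a static route sending 10.0.0.0/24 back to the FreeBSD box at 203.0.113.202, because once the ** cable is gone the untranslated LAN addresses bound for the office reach the Vigor over rl1 and the replies have to come back the same way. The rule numbers, the IPFW_APPLY switch and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: a candidate /etc/ipfw.rules
# for the FreeBSD router above.  It pairs the natd divert rules with
# stateful filtering in the order ipfw needs and leaves the office subnet
# behind the Vigor's PPTP VPN untranslated.
#
# Assumptions (not stated on the page): the public /29 is written as
# 203.0.113.200/29 in place of xx.yy.zz, and the Vigor carries a static
# route for 10.0.0.0/24 via 203.0.113.202 (this box's rl1 address).

EXT_IF="rl1"                  # natd_interface in rc.conf, public /29
INT_IF="rl0"                  # 10.0.0.1/24, the LAN side
LAN="10.0.0.0/24"
VPN_NET="192.168.1.0/24"      # office subnet reached through the Vigor's VPN
NATD_PORT="8668"              # the 'natd' divert port from /etc/services

# Dry run by default: print the rules for review.  IPFW_APPLY=yes loads them.
IPFW="echo ipfw"
if [ "${IPFW_APPLY:-no}" = "yes" ]; then
    IPFW="/sbin/ipfw -q"
fi

rule() {
    $IPFW add "$@"
}

build_rules() {
    $IPFW -f flush

    rule 100 allow ip from any to any via lo0
    rule 200 deny ip from any to 127.0.0.0/8
    rule 300 deny ip from 127.0.0.0/8 to any

    # VPN traffic goes to the Vigor (still the default gateway, now reached
    # over rl1) untranslated, so both directions are accepted here, above
    # every divert rule.
    rule 400 allow ip from "$LAN" to "$VPN_NET" out via "$EXT_IF"
    rule 410 allow ip from "$VPN_NET" to "$LAN" in via "$EXT_IF"

    # Inbound on the public side: translate first, then let check-state
    # match replies against the dynamic rules created on the way out.
    # Anything else from outside is dropped (no inbound services here).
    rule 500 divert "$NATD_PORT" ip from any to any in via "$EXT_IF"
    rule 510 check-state
    rule 520 deny log ip from "$LAN" to any in via "$EXT_IF"   # spoofed LAN source
    rule 530 deny log ip from any to any in via "$EXT_IF"

    # The LAN side is open.  LAN packets bound for the internet re-enter
    # the ruleset on their way out of rl1 and are handled below.
    rule 600 allow ip from any to any via "$INT_IF"

    # Outbound on the public side: record state while the source is still
    # the real LAN address, then jump to the divert rule.  Translating
    # first would leave the dynamic rule keyed on the public address, and
    # the reply, translated back to the LAN host at rule 500, would never
    # match it.
    rule 700 skipto 900 ip from "$LAN" to any out via "$EXT_IF" keep-state
    rule 710 skipto 900 ip from me to any out via "$EXT_IF" keep-state

    rule 900 divert "$NATD_PORT" ip from any to any out via "$EXT_IF"
    # Not restricted to 'out': a reply matched at check-state takes its
    # parent rule's skipto 900 action and must be accepted here too.
    rule 910 allow ip from any to any

    rule 65000 deny log ip from any to any
}

# Quick self-check: exactly two divert rules, one per direction on rl1.
divert_rule_count() {
    build_rules | grep -c "divert $NATD_PORT"
}

build_rules
```

Run as-is it prints the ruleset with `ipfw` in front of each line for review; `IPFW_APPLY=yes sh /etc/ipfw.rules` loads it. Two further changes follow from the message itself: the FBSD box's DHCP server has to hand out 10.0.0.1 rather than 10.0.0.2 as the router once the ** cable is gone, and gateway_enable="YES" already takes care of IP forwarding. Whether the Vigor will both route 10.0.0.0/24 back to 203.0.113.202 and still push it into the LAN-to-LAN tunnel is the part of this example that has to be checked on the Vigor, not on the FreeBSD side.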