Date: Sun, 11 Jul 2004 17:37:52 +0200
From: "Terrence Koeman" <root@mediamonks.net>
To: <freebsd-questions@freebsd.org>
Cc: nkinkade@gentoo-npk.bmp.ub
Subject: RE: Network configuration
Message-ID: <200407111737133.SM07768@manrikigusari>
In-Reply-To: <200407082101652.SM07768@mail.indatacorp.com>
Hi,

Thank you all for the help and time. I finally got it all working with bits from most emails. I'll include my configuration here for others in the same situation (any comments are welcome):

It's now:

                --------------
                | SDSL Modem |
                |  Bridged   |
                --------------
                      |
          --------------------------
          | xl1: 217.1.1.155, DHCP |
          |      Freebsd Box       |
          |     xl0: UP, no ip     |
          --------------------------
                      |
                  ----------
      |-----------| SWITCH |-----------|
      |           ----------           |
      |                |               |
-------------------  -------------------  -------------------
| C1: 217.1.1.156 |  | C2: 217.1.1.157 |  | C3: 217.1.1.158 |
-------------------  -------------------  -------------------

(Notice the switch of xl1 and xl0; this made it work.)

xl1 and xl0 are bridged so that all clients have full internet connectivity. Additionally the clients share the available bandwidth fairly, with ssh, telnet, dns and http having a higher priority than other traffic. Using a private ip on xl0 and adding natd is still possible for use in the future.

FreeBSD samsara.mediamonks.net 5.2-CURRENT FreeBSD 5.2-CURRENT #5: Sat Jul 10 22:13:16 CEST 2004 terrence@samsara.mediamonks.net:/usr/obj/usr/src/sys/SAMSARA i386

************************************
/sys/i386/conf/SAMSARA:

machine         i386
cpu             I686_CPU
ident           SAMSARA

options         SCHED_ULE               # ULE scheduler
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_DIRHASH             # Improve performance on big directories
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         HZ=5000
options         ATA_STATIC_ID           # Static device numbering
options         IPFIREWALL
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         DUMMYNET
options         BRIDGE

device          isa
device          pci
device          fdc
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          vga                     # VGA video card driver
device          sc
device          npx
device          miibus                  # MII bus support
device          xl                      # 3Com 3c90x (``Boomerang'', ``Cyclone'')
device          random                  # Entropy device
device          loop                    # Network loopback
device          ether                   # Ethernet support
device          pty                     # Pseudo-ttys (telnet etc)
device          bpf                     # Berkeley packet filter

************************************
/etc/rc.conf:

hostname="samsara.mediamonks.net"
ifconfig_xl1="DHCP"
ifconfig_xl0="UP"
jail_enable="NO"
kldxref_enable="NO"
kern_securelevel="3"
kern_securelevel_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
firewall_quiet="NO"
firewall_logging="YES"
firewall_flags=""
nfs_server_enable="NO"
gateway_enable="NO"
syslogd_flags="-ss"
sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="NO"
sshd_enable="YES"
squid_enable="NO"
apache2_enable="YES"
oidentd_enable="YES"
snmpd_enable="YES"
snmpd_flags="-a -Lsd -p /var/run/snmpd.pid 127.0.0.1:161"

************************************
/etc/sysctl.conf:

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
kern.ipc.nmbclusters=65535
net.inet.ip.fw.enable=0
net.link.ether.bridge.enable=1
net.link.ether.bridge_cfg=xl0,xl1
net.link.ether.bridge_ipfw=1

************************************
/etc/ipfw.rules:

enable one_pass

#incoming bandwidth
pipe 1 config bw 4500kbits/s queue 10Kbytes
#outgoing bandwidth
pipe 2 config bw 4500kbits/s queue 10Kbytes

#incoming queues, group on dst-host
queue 10 config pipe 1 weight 50 mask dst-ip 0xffffffff    #icmp
queue 11 config pipe 1 weight 99 mask dst-ip 0xffffffff    #ssh, telnet, dns, http
queue 12 config pipe 1 weight 40 mask dst-ip 0xffffffff    #all other ip

#outgoing queues, group on src-host
queue 20 config pipe 2 weight 50 mask src-ip 0xffffffff    #icmp
queue 21 config pipe 2 weight 99 mask src-ip 0xffffffff    #ssh, telnet, dns, http
queue 22 config pipe 2 weight 40 mask src-ip 0xffffffff    #all other ip

#queues for local system
queue 30 config pipe 1 weight 50 mask dst-ip 0xffffffff
queue 31 config pipe 2 weight 50 mask src-ip 0xffffffff

#allow traffic on loopback interface
add 00100 allow ip from any to any via lo0

#deny lost/hostile packets to the loopback addresses, return host unreach
add 00110 unreach host log logamount 20 ip from any to 127.0.0.0/8 via any

#deny any private address, return host unreach
add 00301 unreach host log logamount 20 ip from 10.0.0.0/8 to any in via any
add 00302 unreach host log logamount 20 ip from 172.16.0.0/12 to any in via any
add 00303 unreach host log logamount 20 ip from 192.168.0.0/16 to any in via any

#deny windows networking, return RST
add 00500 reset log logamount 20 ip from any to any 135,137-139 via any

#for bridged traffic, skip
add skipto 20000 ip from any to any via any bridged

#** natd divert is possible here, if xl0 gets a private IP. **

#deny packets with a source address known on a different interface, return host unreach
add 00800 unreach host log logamount 20 ip from any to any not verrevpath in

# for non-bridged traffic, skip
add skipto 30000 ip from any to any via any

#push bridged traffic in appropriate queues
add 20000 queue 10 icmp from any to any in recv xl1
add 20100 queue 11 ip from any 22,23,53,80 to any in recv xl1
add 20200 queue 11 ip from any to any 22,23,53,80 in recv xl1
add 20300 queue 12 ip from any to any in recv xl1
add 21000 queue 20 icmp from any to any in recv xl0
add 21100 queue 21 ip from any to any 22,23,53,80 in recv xl0
add 21200 queue 21 ip from any 22,23,53,80 to any in recv xl0
add 21300 queue 22 ip from any to any in recv xl0
add skipto 50000 log logamount 20 ip from any to any via any

#push non-bridged (local) traffic in appropriate queues
add 30000 queue 30 icmp from any to any in recv xl1
add 30100 queue 30 ip from any to any in recv xl1
add 31000 queue 31 icmp from any to any out xmit xl1
add 31100 queue 31 ip from any to any out xmit xl1

add 50000 pass all from any to any

I hope this helps someone in the future :)

--
Regards,
Terrence Koeman

MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.

> -----Original Message-----
> From: Randy Grafton [mailto:rgrafton@indatacorp.com]
> Sent: Thursday, July 08, 2004 21:04
> To: root@mediamonks.net
> Subject: RE: Network configuration
>
> I set up a little home network using my FreeBSD box as the 'router'. There
> are two boxes on my internal LAN that I wanted to have access to from the
> internet as well as provide full internet access to all internal
> clients/servers.
>
> Like I said, I recompiled my kernel with the nat options. I'll list the
> steps here; if you've already performed them then at least I got in some
> typing practice.
>
> Install the kernel sources. Insert your install disk and from the command
> line run /stand/sysinstall.
> Select the Configure option then the Distributions option then src and
> finally sys.
> Once the sources are installed you will go to /usr/src/sys/i386/conf. Within
> this directory are two files, GENERIC and LINT. Make a copy of GENERIC with
> a name of your choosing. Edit the GENERIC copy and add the following lines:
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=10
> options IPDIVERT
>
> Save the modified file and compile your kernel. This is done by doing:
> config <GENERIC COPY NAME>
> cd ../../<GENERIC COPY NAME>
> make
> make install
> reboot
>
> Now you'll edit your /etc/rc.conf file.
> Add these lines to it:
> gateway_enable="YES"
> ifconfig_xl0="inet 217.1.1.155 netmask <your netmask>"
> ifconfig_xl0_alias0="inet 217.1.1.155 netmask <your netmask>"
> ifconfig_xl0_alias1="inet 217.1.1.156 netmask <your netmask>"
> ifconfig_xl0_alias2="inet 217.1.1.157 netmask <your netmask>"
> ifconfig_xl0_alias3="inet 217.1.1.158 netmask <your netmask>"
> ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.0"
> firewall_type="OPEN"
> firewall_quiet="YES"
> firewall_logging="YES"
> natd_enable="YES"
> natd_interface="xl0"
> natd_flags="-f /etc/natd.conf" (explained below)
>
> Now create the /etc/natd.conf file with these lines:
> same ports yes
> dynamic yes
> redirect_port tcp 192.168.1.2 217.1.1.156
> redirect_port udp 192.168.1.2 217.1.1.156
> redirect_port tcp 192.168.1.3 217.1.1.157
> redirect_port udp 192.168.1.3 217.1.1.157
> redirect_port tcp 192.168.1.4 217.1.1.158
> redirect_port udp 192.168.1.5 217.1.1.158
>
> The redirect_port has this syntax:
> redirect_port tcp <dest_internal_address> <src_external_address>
> redirect_port udp <dest_internal_address> <src_external_address>
>
>                 --------------
>                 | SDSL Modem |
>                 |  Bridged   |
>                 --------------
>                       |
>           --------------------------
>           | xl0: 217.1.1.155       |
>           | xl0: 217.1.1.156       |
>           | xl0: 217.1.1.157       |
>           | xl0: 217.1.1.158       |
>           |                        |
>           |      Freebsd Box       |
>           |                        |
>           | xl1: 192.168.1.1       |
>           --------------------------
>                       |
>                   ----------
>       |-----------| SWITCH |-----------|
>       |           ----------           |
>       |                |               |
> -------------------  -------------------  -------------------
> | C1: 192.168.1.2 |  | C2: 192.168.1.3 |  | C3: 192.168.1.4 |
> -------------------  -------------------  -------------------
>
> Once these changes are made you can run /etc/netstart. This little script is
> great; anytime that you make network config changes you can run this instead
> of having to restart the whole system.
>
> All of your internal clients will now need to have 192.168.1.1 listed as
> their default router/gateway.
>
> Whew! Did that help?
>
> -Randy
>
>
> -----Original Message-----
> From: Terrence Koeman [mailto:root@mediamonks.net]
> Sent: Thursday, July 08, 2004 11:12 AM
> To: rgrafton@indatacorp.com
> Subject: RE: Network configuration
>
> Well, I can do the firewall part. It's just the gateway thing I can't figure
> out.
>
> The three 'clients' have to have a public IP address because they are
> actually servers.
>
> I need:
> -the three servers to have full internet connectivity, in and out
> -the possibility to manipulate/block/prioritize the packets to and from them
> -the freebsd box needs to have an external IP address for access
>
> Currently I have no idea what to bind to xl1, what method to use to get the
> packets out (routing, bridging?), and what gateway to use on the 'clients'...
>
> Any help would be really appreciated.
>
> --
> Regards,
> Terrence Koeman
>
> MediaMonks B.V. (www.mediamonks.com)
> Please quote all replies in correspondence.
>
> > -----Original Message-----
> > From: Randy Grafton [mailto:rgrafton@indatacorp.com]
> > Sent: Thursday, July 08, 2004 19:32
> > To: root@mediamonks.net
> > Subject: RE: Network configuration
> >
> > I would recommend that you start out open and then start
> > closing things up.
> >
> > I'm not an ipfw expert but I can get you going with the gateway thing.
> > Since you said that you have nat running, I assume that you recompiled
> > your kernel?
> > If not then email me back and I'll provide a quick how-to.
> >
> > Why are you looking to make the clients available from the internet?
> > Your answer to this question could open some other possibilities for
> > configuration.
> >
> > -Randy
> >
> >
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Terrence Koeman
> > Sent: Thursday, July 08, 2004 10:03 AM
> > To: Barbish3@adelphia.net; freebsd-questions@freebsd.org
> > Subject: RE: Network configuration
> >
> > I haven't got any real config right now as I'm not sure about how to start
> > with this.
> >
> > --
> > Regards,
> > Terrence Koeman
> >
> > MediaMonks B.V. (www.mediamonks.com)
> > Please quote all replies in correspondence.
> >
> > > -----Original Message-----
> > > From: JJB [mailto:Barbish3@adelphia.net]
> > > Sent: Thursday, July 08, 2004 17:58
> > > To: root@mediamonks.net
> > > Subject: RE: Network configuration
> > >
> > > Post the full content of your rc.conf file and your ipfw rule set.
> > >
> > > -----Original Message-----
> > > From: owner-freebsd-questions@freebsd.org
> > > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Terrence Koeman
> > > Sent: Thursday, July 08, 2004 11:10 AM
> > > To: freebsd-questions@freebsd.org
> > > Subject: Network configuration
> > >
> > > Hi,
> > >
> > > I have been busy setting up a network the last 3 days, but I cannot
> > > get it working.
> > >
> > > Basically I have no clue what has to be set up etc. and if I need
> > > bridging or not.
> > >
> > > The situation is as follows:
> > >
> > >                 --------------
> > >                 | SDSL Modem |
> > >                 |  Bridged   |
> > >                 --------------
> > >                       |
> > >           --------------------------
> > >           | xl0: 217.1.1.155       |
> > >           |                        |
> > >           |      Freebsd Box       |
> > >           |                        |
> > >           | xl1                    |
> > >           --------------------------
> > >                       |
> > >                   ----------
> > >       |-----------| SWITCH |-----------|
> > >       |           ----------           |
> > >       |                |               |
> > > -------------------  -------------------  -------------------
> > > | C1: 217.1.1.156 |  | C2: 217.1.1.157 |  | C3: 217.1.1.158 |
> > > -------------------  -------------------  -------------------
> > >
> > >
> > > The FreeBSD box has full internet connectivity and I can also get NAT
> > > working, but the thing is that I need those non-private IP's bound to
> > > the clients and I need ipfw between the clients and the modem. Also I
> > > need the FreeBSD machine to have a non-private IP address. I have no
> > > clue as to getting the packets from those clients to the internet. I
> > > tried bridging xl0 and xl1 and using 217.1.1.155 as gateway, but that
> > > didn't work.
> > >
> > > Maybe someone that knows how to do something like this can shed some
> > > light on it for me?
> > >
> > > Thanks in advance.
> > >
> > > --
> > > Regards,
> > > Terrence Koeman
> > >
> > > MediaMonks B.V. (www.mediamonks.com)
> > > Please quote all replies in correspondence.
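A worked example, added here and not part of the thread (it is neither Terrence's nor Randy's code): a small Python evaluator for the subset of ipfw(8) syntax that the posted /etc/ipfw.rules uses. It parses the `add` lines exactly as posted, numbers the unnumbered ones the way the kernel does (highest existing number plus the autoinc step of 100, so the bridged skipto becomes rule 600 and the non-bridged one rule 900), and walks constructed sample packets through the rules to report which rule terminates each one. Assumed, not from the post: the route table ROUTES (one /24 on xl1 plus a default route on xl1, needed for the verrevpath check), the packet fields, the outside address 198.51.100.7 (a documentation prefix), and that with one_pass enabled a queue action is terminal, as ipfw(8) documents. It models only what ipfw does with a packet it is handed; the posted sysctl.conf sets net.inet.ip.fw.enable=0 and net.link.ether.bridge_ipfw=1, and which traffic those two knobs deliver to the rules at all is outside what the evaluator decides.

```python
"""Added example, not code from the original post: a tiny evaluator for the ipfw(8)
subset used in the posted /etc/ipfw.rules.  Replays constructed packets through the
posted 'add' lines and reports which rule ends each packet's walk.  Assumed, not in
the post: ROUTES (the box's routes, for verrevpath), the sample packets, and that
one_pass=1 makes a queue action terminal (as ipfw(8) documents)."""
import ipaddress
import re

# The 'add' lines of the posted ruleset; the pipe/queue config lines carry no verdict.
POSTED_RULES = """
add 00100 allow ip from any to any via lo0
add 00110 unreach host log logamount 20 ip from any to 127.0.0.0/8 via any
add 00301 unreach host log logamount 20 ip from 10.0.0.0/8 to any in via any
add 00302 unreach host log logamount 20 ip from 172.16.0.0/12 to any in via any
add 00303 unreach host log logamount 20 ip from 192.168.0.0/16 to any in via any
add 00500 reset log logamount 20 ip from any to any 135,137-139 via any
add skipto 20000 ip from any to any via any bridged
add 00800 unreach host log logamount 20 ip from any to any not verrevpath in
add skipto 30000 ip from any to any via any
add 20000 queue 10 icmp from any to any in recv xl1
add 20100 queue 11 ip from any 22,23,53,80 to any in recv xl1
add 20200 queue 11 ip from any to any 22,23,53,80 in recv xl1
add 20300 queue 12 ip from any to any in recv xl1
add 21000 queue 20 icmp from any to any in recv xl0
add 21100 queue 21 ip from any to any 22,23,53,80 in recv xl0
add 21200 queue 21 ip from any 22,23,53,80 to any in recv xl0
add 21300 queue 22 ip from any to any in recv xl0
add skipto 50000 log logamount 20 ip from any to any via any
add 30000 queue 30 icmp from any to any in recv xl1
add 30100 queue 30 ip from any to any in recv xl1
add 31000 queue 31 icmp from any to any out xmit xl1
add 31100 queue 31 ip from any to any out xmit xl1
add 50000 pass all from any to any
"""

ROUTES = [(ipaddress.ip_network("217.1.1.0/24"), "xl1"),   # assumed: the /24 lives on xl1
          (ipaddress.ip_network("0.0.0.0/0"), "xl1")]       # assumed: default route via xl1

def pkt(proto, src, dst, sport=0, dport=0, direction="in", recv="", xmit="", bridged=False):
    """A packet as ipfw sees it; 'bridged' means the bridge code handed it to ipfw."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport,
                direction=direction, recv=recv, xmit=xmit, bridged=bridged)

def verrevpath(p):
    """True if the route back to the source leaves via the interface the packet came in on."""
    src = ipaddress.ip_address(p["src"])
    return max((r for r in ROUTES if src in r[0]), key=lambda r: r[0].prefixlen)[1] == p["recv"]

def parse_ports(t):
    """Consume a port list such as 22,23,53,80 or 135,137-139 when one is next."""
    if not t or not re.fullmatch(r"\d[\d,-]*", t[0]):
        return None
    ports = set()
    for part in t.pop(0).split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_ruleset(text):
    """Parse the 'add' lines.  An unnumbered rule gets the highest number so far plus
    the autoinc step (100), which is how the kernel numbers it."""
    addr = lambda s: None if s == "any" else ipaddress.ip_network(s, strict=False)
    rules, highest = [], 0
    for line in text.splitlines():
        t = line.split("#")[0].split()
        if t[:1] != ["add"]:
            continue
        t = t[1:]
        r = {"num": int(t.pop(0)) if t[0].isdigit() else highest + 100, "action": t.pop(0)}
        r["arg"] = t.pop(0) if r["action"] in ("unreach", "skipto", "queue") else ""
        if t[0] == "log":                                  # logging never changes the verdict
            del t[:3 if t[1:2] == ["logamount"] else 1]
        r["proto"] = t.pop(0)
        assert t.pop(0) == "from"
        r["src"], r["sports"] = addr(t.pop(0)), parse_ports(t)
        assert t.pop(0) == "to"
        r["dst"], r["dports"] = addr(t.pop(0)), parse_ports(t)
        while t:                                           # direction / interface options
            k = t.pop(0)
            if k in ("in", "out", "bridged"):
                r[k] = True
            elif k in ("via", "recv", "xmit"):
                r[k] = t.pop(0)
            elif k == "not" and t[:1] == ["verrevpath"]:
                t.pop(0); r["not_verrevpath"] = True
            else:
                raise ValueError(f"rule {r['num']}: unsupported option {k!r}")
        rules.append(r)
        highest = max(highest, r["num"])
    return sorted(rules, key=lambda r: r["num"])

def matches(r, p):
    ip = ipaddress.ip_address
    if r["proto"] not in ("ip", "all") and r["proto"] != p["proto"]:
        return False
    if (r["src"] is not None and ip(p["src"]) not in r["src"]) or \
       (r["dst"] is not None and ip(p["dst"]) not in r["dst"]):
        return False
    for ports, port in ((r["sports"], p["sport"]), (r["dports"], p["dport"])):
        if ports is not None and (p["proto"] not in ("tcp", "udp") or port not in ports):
            return False                                   # port lists only match TCP/UDP
    if ("in" in r and p["direction"] != "in") or ("out" in r and p["direction"] != "out"):
        return False
    if r.get("via", "any") != "any" and r["via"] not in (p["recv"], p["xmit"]):
        return False
    if r.get("recv", p["recv"]) != p["recv"] or r.get("xmit", p["xmit"]) != p["xmit"]:
        return False
    if "bridged" in r and not p["bridged"]:
        return False
    return not ("not_verrevpath" in r and verrevpath(p))

def evaluate(rules, p):
    """Walk the rules in order; return (number, action) of the rule that ends the walk.
    With one_pass=1 a queue action is terminal: the packet is accepted on leaving dummynet."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, p):
            i += 1
        elif r["action"] == "skipto":
            i = next((j for j, x in enumerate(rules) if x["num"] >= int(r["arg"])), len(rules))
        else:
            return r["num"], r["action"]
    return 65535, "default"     # ran off the end: kernel default rule (accept in this kernel)

# Constructed sample packets; 198.51.100.7 is a documentation address standing in for "outside".
SAMPLES = {
    "C1 -> web, bridged, in on xl0": pkt("tcp", "217.1.1.156", "198.51.100.7", 40000, 80, recv="xl0", bridged=True),
    "outside -> C1 NetBIOS, bridged, in on xl1": pkt("tcp", "198.51.100.7", "217.1.1.156", 40000, 139, recv="xl1", bridged=True),
    "RFC1918 source -> C1, bridged, in on xl1": pkt("tcp", "10.1.2.3", "217.1.1.156", 40000, 80, recv="xl1", bridged=True),
    "outside -> box ssh, not bridged, in on xl1": pkt("tcp", "198.51.100.7", "217.1.1.155", 40000, 22, recv="xl1"),
    "spoofed 217.1.1.200 -> box, not bridged, in on xl0": pkt("tcp", "217.1.1.200", "217.1.1.155", 40000, 22, recv="xl0"),
}

def trace_all(rules=None):
    """Map each sample packet to the (rule number, action) that terminates it."""
    rules = rules or parse_ruleset(POSTED_RULES)
    return {name: evaluate(rules, p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (num, action) in trace_all().items():
        print(f"{name:52} -> rule {num:5d} {action}")
```

Run it with python3 and it prints one line per sample packet. Two things the walk makes visible that are easy to miss when reading the file: the NetBIOS reset (00500) and the RFC 1918 drops (00301-00303) sit before the bridged skipto, so they apply to bridged frames as well, while the verrevpath rule (00800) sits after it and therefore never sees bridged traffic. Under the assumed route table every route points at xl1, so any non-bridged packet received on xl0 fails verrevpath at 00800; whether that affects traffic from the clients to the box itself depends on whether the kernel hands that traffic to the rules as bridged or not, which the evaluator does not settle.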
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200407111737133.SM07768>