Network configuration

Terrence Koeman root at mediamonks.net
Sun Jul 11 08:38:22 PDT 2004


Hi,

Thank you all for the help and time. I finally got it all working with bits
from most emails.

I'll include my configuration here for others in the same situation (any
comments are welcome):

It's now:

                        --------------
                        | SDSL Modem |
                        |  Bridged   |
                        --------------
                               |
                   --------------------------
                   | xl1: 217.1.1.155, DHCP |
                   |      Freebsd Box       |
                   |    xl0: UP, no ip      |
                   --------------------------
                               |
                           ----------
           |---------------| SWITCH |---------------|
           |               ----------               |
           |                   |                    |
  ------------------- ------------------- -------------------
  | C1: 217.1.1.156 | | C2: 217.1.1.157 | | C3: 217.1.1.158 |
  ------------------- ------------------- -------------------

(Note that xl1 and xl0 are swapped compared to the earlier diagrams; this is what made it work).

xl1 and xl0 are bridged so that all clients have full internet connectivity.
Additionally the clients share the available bandwidth fairly, with ssh,
telnet, dns and http having a higher priority than other traffic.

Using a private ip on xl0 and adding natd is still possible for use in the
future.


FreeBSD samsara.mediamonks.net 5.2-CURRENT FreeBSD 5.2-CURRENT #5: Sat Jul
10 22:13:16 CEST 2004
terrence at samsara.mediamonks.net:/usr/obj/usr/src/sys/SAMSARA  i386

************************************
/sys/i386/conf/SAMSARA:
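machine         i386
cpu             I686_CPU
ident           SAMSARA

options         SCHED_ULE               # ULE scheduler
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_DIRHASH             # Improve performance on big directories
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev

options         HZ=5000
options         ATA_STATIC_ID   # Static device numbering

# Packet filter.  DEFAULT_TO_ACCEPT makes the implicit last rule (65535) an
# accept, so anything /etc/ipfw.rules does not explicitly match is passed --
# all blocking has to come from the rule set itself.
options         IPFIREWALL
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFIREWALL_VERBOSE              # make "log" rules report via syslog
options         IPFIREWALL_VERBOSE_LIMIT=100    # default per-rule log cap; "logamount" in a rule overrides it
options         DUMMYNET                        # pipes/queues used for the bandwidth sharing
options         BRIDGE                          # xl0/xl1 bridge, configured via net.link.ether.bridge* sysctls

device          isa
device          pci

device          fdc
device          ata
device          atadisk         # ATA disk drives
device          atapicd         # ATAPI CDROM drives
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          vga             # VGA video card driver
device          sc
device          npx

device          miibus          # MII bus support
device          xl              # 3Com 3c90x (``Boomerang'', ``Cyclone'')

device          random          # Entropy device
device          loop            # Network loopback
device          ether           # Ethernet support
device          pty             # Pseudo-ttys (telnet etc)

device          bpf             # Berkeley packet filter (needed by dhclient on xl1, and by tcpdump)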

************************************
/etc/rc.conf:
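hostname="samsara.mediamonks.net"

# xl1 faces the modem and gets the public address via DHCP; xl0 is only
# brought up (no address) because it just participates in the bridge
# (see net.link.ether.bridge_cfg in /etc/sysctl.conf).
ifconfig_xl1="DHCP"
ifconfig_xl0="UP"

jail_enable="NO"
kldxref_enable="NO"

# At securelevel 3 ipfw rules and dummynet configuration can no longer be
# changed at runtime, so /etc/ipfw.rules must be complete when the firewall
# script runs at boot; later edits need a reboot to take effect.
kern_securelevel="3"
kern_securelevel_enable="YES"

# A firewall_type naming a readable file makes rc.firewall feed it to ipfw(8)
# as a command file (the "enable", "pipe", "queue" and "add" lines).
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="/etc/ipfw.rules"
firewall_quiet="NO"
firewall_logging="YES"
firewall_flags=""

nfs_server_enable="NO"
# No IP forwarding: the clients are reached through the layer-2 bridge, not routed.
gateway_enable="NO"

# -ss: syslogd neither accepts nor forwards log messages over the network.
syslogd_flags="-ss"

sendmail_enable="NO"
sshd_enable="YES"
usbd_enable="NO"
squid_enable="NO"
apache2_enable="YES"
oidentd_enable="YES"
# snmpd listens on loopback only, so it is not reachable from the bridged segment.
snmpd_enable="YES"
snmpd_flags="-a -Lsd -p /var/run/snmpd.pid 127.0.0.1:161"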

************************************
/etc/sysctl.conf:
# Hide other users' processes and sockets from unprivileged accounts.
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
# NOTE(review): on this release this may be a boot-time tunable only; confirm
# it actually took effect with `sysctl kern.ipc.nmbclusters` after boot.
kern.ipc.nmbclusters=65535
# IP-layer ipfw hook for the host's own traffic.  With it at 0 the
# "non-bridged (local)" rules 30000-31100 in /etc/ipfw.rules are never
# consulted and nothing filters traffic to or from the box itself, while
# firewall_enable="YES" in rc.conf suggests that was not intended.
# NOTE(review): rc.d/ipfw turns this on, but rc re-applies sysctl.conf late
# in boot so this line likely wins -- check `sysctl net.inet.ip.fw.enable`.
# If it should be 1, also confirm rule 00800 (verrevpath) does not reject
# client traffic the bridge hands up to the host on xl0.
net.inet.ip.fw.enable=0
# Bridge xl0 and xl1 and run bridged frames through ipfw (the "bridged"
# keyword in /etc/ipfw.rules matches these).
net.link.ether.bridge.enable=1
net.link.ether.bridge_cfg=xl0,xl1
net.link.ether.bridge_ipfw=1

************************************
/etc/ipfw.rules:
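enable one_pass   # a packet accepted by a queue/pipe rule is not re-injected into the rule set

#incoming bandwidth
pipe 1 config bw 4500kbits/s queue 10Kbytes
#outgoing bandwidth
pipe 2 config bw 4500kbits/s queue 10Kbytes

#incoming queues, group on dst-host (mask 0xffffffff = one flow per destination address)
queue 10 config pipe 1 weight 50 mask dst-ip 0xffffffff #icmp
queue 11 config pipe 1 weight 99 mask dst-ip 0xffffffff #ssh, telnet, dns, http
queue 12 config pipe 1 weight 40 mask dst-ip 0xffffffff #all other ip

#outgoing queues, group on src-host
queue 20 config pipe 2 weight 50 mask src-ip 0xffffffff #icmp
queue 21 config pipe 2 weight 99 mask src-ip 0xffffffff #ssh, telnet, dns, http
queue 22 config pipe 2 weight 40 mask src-ip 0xffffffff #all other ip

#queues for local system
queue 30 config pipe 1 weight 50 mask dst-ip 0xffffffff
queue 31 config pipe 2 weight 50 mask src-ip 0xffffffff

#Rules given without a number are numbered automatically (net.inet.ip.fw.autoinc_step
#past the previous rule), so the unnumbered skipto rules land between the numbered
#ones in the order written.  "logamount 20" stops logging for that rule after 20
#hits until "ipfw resetlog".  The kernel has IPFIREWALL_DEFAULT_TO_ACCEPT, so
#anything not matched below is passed.

#allow traffic on loopback interface
add 00100 allow ip from any to any via lo0

#deny lost/hostile packets to the loopback addresses, return host unreach
add 00110 unreach host log logamount 20 ip from any to 127.0.0.0/8 via any
#drop packets claiming a loopback source on a real interface; bridged traffic
#never reaches the verrevpath check at 00800, so this has to be done here
add 00120 deny log logamount 20 ip from 127.0.0.0/8 to any in via any

#deny any private address, return host unreach
#(these also cover bridged traffic, since the bridged skipto comes later;
# "unreach" answers towards the forged source address, "deny" would stay silent)
add 00301 unreach host log logamount 20 ip from 10.0.0.0/8 to any in via any
add 00302 unreach host log logamount 20 ip from 172.16.0.0/12 to any in via any
add 00303 unreach host log logamount 20 ip from 192.168.0.0/16 to any in via any

#deny windows networking, return RST (only TCP gets a RST; UDP is just dropped)
add 00500 reset log logamount 20 ip from any to any 135,137-139 via any

#for bridged traffic, skip
#NOTE: from here on bridged traffic is only shaped, never filtered -- apart
#from the loopback/private/netbios rules above nothing blocks traffic to or
#from the clients.
add skipto 20000 ip from any to any via any bridged

#** natd divert is possible here, if xl0 gets a private IP. **

#deny packets with a source address known on a different interface, return
#host unreach (local traffic only, bridged traffic skipped past this)
add 00800 unreach host log logamount 20 ip from any to any not verrevpath in

# for non-bridged traffic, skip
add skipto 30000 ip from any to any via any

  #push bridged traffic in appropriate queues (with one_pass, queueing accepts)
  add 20000 queue 10 icmp from any to any in recv xl1
  add 20100 queue 11 ip from any 22,23,53,80 to any in recv xl1
  add 20200 queue 11 ip from any to any 22,23,53,80 in recv xl1
  add 20300 queue 12 ip from any to any in recv xl1

  add 21000 queue 20 icmp from any to any in recv xl0
  add 21100 queue 21 ip from any to any 22,23,53,80 in recv xl0
  add 21200 queue 21 ip from any 22,23,53,80 to any in recv xl0
  add 21300 queue 22 ip from any to any in recv xl0

#bridged traffic not queued above is logged and passed
add skipto 50000 log logamount 20 ip from any to any via any

  #push non-bridged (local) traffic in appropriate queues
  #(30000 and 31000 are already covered by the "ip" rules following them; kept for clarity)
  add 30000 queue 30 icmp from any to any in recv xl1
  add 30100 queue 30 ip from any to any in recv xl1

  add 31000 queue 31 icmp from any to any out xmit xl1
  add 31100 queue 31 ip from any to any out xmit xl1

add 50000 pass all from any to any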


I hope this helps someone in the future :)

-- 
Regards,
Terrence Koeman
 
MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.     

> -----Original Message-----
> From: Randy Grafton [mailto:rgrafton at indatacorp.com] 
> Sent: Thursday, July 08, 2004 21:04
> To: root at mediamonks.net
> Subject: RE: Network configuration
> 
> I setup a little home network using my FreeBSD box as the 
> 'router'. There
> are two boxes on my internal LAN that I wanted to have access 
> to from the
> internet as well as provide full internet access to all internal
> clients/servers.
> 
> Like I said, I recompiled my kernel with the nat options. 
> I'll list the
> steps here, if you've already performed them then at least I 
> got in some
> typing practice.
> 
> Install the kernel sources. Insert your install disk and from 
> the command
> line run /stand/sysinstall.
> Select the Configure option then the Distributions option then src and
> finally sys.
> Once the sources are installed you will go to 
> /usr/src/sys/i386/conf. Within
> this directory are two files, GENERIC and LINT. Make a copy 
> of GENERIC with
> a name of your choosing. Edit the GENERIC copy and add the 
> following lines:
> options  IPFIREWALL
> options  IPFIREWALL_VERBOSE
> options  IPFIREWALL_VERBOSE_LIMIT=10
> options  IPDIVERT
> 
> Save the modified file and compile your kernel. This is done by doing:
> config <GENERIC COPY NAME>
> cd ../../<GENERIC COPY NAME>
> make
> make install
> reboot
> 
> Now you'll edit your /etc/rc.conf file.
> Add these lines to it:
> gateway_enable="YES"
> ifconfig_xl0="inet 217.1.1.155 netmask <your netmask>"
> ifconfig_xl0_alias0="inet 217.1.1.155 netmask <your netmask>"
> ifconfig_xl0_alias1="inet 217.1.1.156 netmask <your netmask>"
> ifconfig_xl0_alias2="inet 217.1.1.157 netmask <your netmask>"
> ifconfig_xl0_alias3="inet 217.1.1.158 netmask <your netmask>"
> ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.0"
> firewall_type="OPEN"
> firewall_quiet="YES"
> firewall_logging="YES"
> natd_enable="YES"
> natd_interface="xl0"
> natd_flags="-f /etc/natd.conf" (explained below)
> 
> Now create the /etc/natd.conf file with these lines:
> same ports yes
> dynamic yes
> redirect_port tcp 192.168.1.2 217.1.1.156
> redirect_port udp 192.168.1.2 217.1.1.156
> redirect_port tcp 192.168.1.3 217.1.1.157
> redirect_port udp 192.168.1.3 217.1.1.157
> redirect_port tcp 192.168.1.4 217.1.1.158
> redirect_port udp 192.168.1.5 217.1.1.158
> 
> The redirect_port has this syntax:
> redirect_port tcp <dest_internal_address> <src_external_address>
> redirect_port udp <dest_internal_address> <src_external_address>
> 
>                      --------------
>                      | SDSL Modem |
>                      |  Bridged   |
>                      --------------
>                            |
>                  --------------------------
>                  |    xl0: 217.1.1.155    |
>                  |    xl0: 217.1.1.156    |
>                  |    xl0: 217.1.1.157    |
>                  |    xl0: 217.1.1.158    |
>                  |                        |
>                  |    Freebsd Box         |
>                  |                        |
>                  |    xl1: 192.168.1.1    |
>                  --------------------------
>                               |
>                           ----------
>           |---------------| SWITCH |---------------|
>           |               ----------               |
>           |                    |                   |
>  ------------------- ------------------- -------------------
>  | C1: 192.168.1.2 | | C2: 192.168.1.3 | | C3: 192.168.1.4 |
>  ------------------- ------------------- -------------------
> 
> Once these changes are made you can run /etc/netstart. This 
> little script is
> great, anytime that you make network config changes you can 
> run this instead
> of having to restart the whole system.
> 
> All of your internal clients will now need to have 
> 192.168.1.1 listed as
> their default router/gateway.
> 
> Whew! Did that help?
> 
> -Randy
> 
> 
> 
> -----Original Message-----
> From: Terrence Koeman [mailto:root at mediamonks.net] 
> Sent: Thursday, July 08, 2004 11:12 AM
> To: rgrafton at indatacorp.com
> Subject: RE: Network configuration
> 
> Well, I can do the firewall part. It's just the gateway thing 
> I can't figure
> out.
> 
> The three 'clients' have to have a public IP address because they are
> actually servers.
> 
> I need;
> -the three servers to have full internet connectivity, in and out
> -the possibility to manipulate/block/prioritize the packets 
> to and from them
> -the freebsd box needs to have an external IP address for access
> 
> Currently I have no idea what to bind to xl1, what method to 
> use to get the
> packets out (routing, bridging?), and what gateway to use on the
> 'clients'...
> 
> Any help would be really appreciated.
> 
> -- 
> Regards,
> Terrence Koeman
>  
> MediaMonks B.V. (www.mediamonks.com)
> Please quote all replies in correspondence.     
> 
> > -----Original Message-----
> > From: Randy Grafton [mailto:rgrafton at indatacorp.com] 
> > Sent: Thursday, July 08, 2004 19:32
> > To: root at mediamonks.net
> > Subject: RE: Network configuration
> > 
> > I would recommend that you start out open and then start 
> > closing things up.
> > 
> > I'm not an ipfw expert but I can get you going with the 
> > gateway thing. Since you said that you have nat running, I 
> > assume that you recompiled your kernel?
> > If not then email me back and I'll provide a quick how to.
> > 
> > Why are you looking to make the clients available from the internet?
> > Your answer to this question could open some other 
> > possibilities for configuration.
> > 
> > -Randy
> > 
> > 
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of 
> > Terrence Koeman
> > Sent: Thursday, July 08, 2004 10:03 AM
> > To: Barbish3 at adelphia.net; freebsd-questions at freebsd.org
> > Subject: RE: Network configuration
> > 
> > I haven't got any real config right now as I'm not sure about 
> > how to start with this.
> > 
> > --
> > Regards,
> > Terrence Koeman
> >  
> > MediaMonks B.V. (www.mediamonks.com)
> > Please quote all replies in correspondence.     
> > 
> > > -----Original Message-----
> > > From: JJB [mailto:Barbish3 at adelphia.net]
> > > Sent: Thursday, July 08, 2004 17:58
> > > To: root at mediamonks.net
> > > Subject: RE: Network configuration
> > > 
> > > Post the full content of your rc.conf file and your ipfw rule set.
> > > 
> > > -----Original Message-----
> > > From: owner-freebsd-questions at freebsd.org
> > > [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Terrence 
> > > Koeman
> > > Sent: Thursday, July 08, 2004 11:10 AM
> > > To: freebsd-questions at freebsd.org
> > > Subject: Network configuration
> > > 
> > > Hi,
> > > 
> > > I have been busy setting up a network the last 3 days, 
> but I cannot 
> > > get it working.
> > > 
> > > Basically I have no clue what has to be setup etc. and if I need 
> > > bridging or not.
> > > 
> > > The situation is as follows:
> > > 
> > >                     --------------
> > >                     | SDSL Modem |
> > >                     |  Bridged   |
> > >                     --------------
> > >                        |
> > >                 --------------------------
> > >                 |    xl0: 217.1.1.155    |
> > >                 |                        |
> > >                 |    Freebsd Box         |
> > >                 |                        |
> > >                 |           xl1          |
> > >                 --------------------------
> > >                              |
> > >                          ----------
> > >          |---------------| SWITCH |---------------|
> > >          |               ----------               |
> > >          |                    |                   |
> > > ------------------- ------------------- -------------------
> > > | C1: 217.1.1.156 | | C2: 217.1.1.157 | | C3: 217.1.1.158 |
> > > ------------------- ------------------- -------------------
> > > 
> > > 
> > > The FreeBSD box has full internet connectivity and I can 
> > also get NAT 
> > > working, but the thing is that I need those non-private 
> > IP's bound to 
> > > the clients and I need ipfw between the clients and the 
> > modem. Also I 
> > > need the FreeBSD machine to have a non-private IP address. 
> > I have no 
> > > clue as to getting the packets from those clients to the 
> > internet. I 
> > > tried bridging xl0 and xl1 and using 217.1.1.155 as 
> > gateway, but that 
> > > didn't work.
> > > 
> > > Maybe someone that knows how to do something like this can 
> > shed some 
> > > light on it for me?
> > > 
> > > Thanks in advance.
> > > 
> > > --
> > > Regards,
> > > Terrence Koeman
> > > 
> > > MediaMonks B.V. (www.mediamonks.com)
> > > Please quote all replies in correspondence.


