Network configuration
Terrence Koeman
root at mediamonks.net
Thu Jul 15 12:34:58 PDT 2004
I had to do one more thing:
I needed to bind the IP the box got to the other adapter too. So now the IP
is bound twice, but once with a netmask of 255.255.255.255. It was needed to
let the clients ping the bridge by its external IP.
--
Regards,
Terrence Koeman
MediaMonks B.V. (www.mediamonks.com)
Please quote all replies in correspondence.
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of
> Terrence Koeman
> Sent: Sunday, July 11, 2004 17:38
> To: freebsd-questions at freebsd.org
> Cc: ecrist at secure-computing.net; rgrafton at indatacorp.com;
> freebsd-questions-local at be-well.ilk.org; info at mvcg.net;
> nkinkade at gentoo-npk.bmp.ub
> Subject: RE: Network configuration
>
> Hi,
>
> Thank you all for the help and time. I finally got it all
> working with bits
> from most emails.
>
> I'll include my configuration here for others in the same
> situation (any
> comments are welcome):
>
> It's now:
>
>                        --------------
>                        | SDSL Modem |
>                        |  Bridged   |
>                        --------------
>                               |
>                  --------------------------
>                  | xl1: 217.1.1.155, DHCP |
>                  |      Freebsd Box       |
>                  | xl0: UP, no ip         |
>                  --------------------------
>                               |
>                          ----------
>          |---------------| SWITCH |----------------|
>          |               ----------                |
>          |                    |                    |
> -------------------  -------------------  -------------------
> | C1: 217.1.1.156 |  | C2: 217.1.1.157 |  | C3: 217.1.1.158 |
> -------------------  -------------------  -------------------
>
> (Notice the switch of xl1 and xl0, this made it work).
>
> xl1 and xl0 are bridged so that all clients have full
> internet connectivity.
> Additionally the clients share the available bandwidth
> fairly, with ssh,
> telnet, dns and http having a higher priority than other traffic.
>
> Using a private ip on xl0 and adding natd is still possible
> for use in the
> future.
>
>
> FreeBSD samsara.mediamonks.net 5.2-CURRENT FreeBSD 5.2-CURRENT #5: Sat Jul 10 22:13:16 CEST 2004 terrence at samsara.mediamonks.net:/usr/obj/usr/src/sys/SAMSARA i386
>
> ************************************
> /sys/i386/conf/SAMSARA:
> machine i386
> cpu I686_CPU
> ident SAMSARA
>
> options SCHED_ULE # ULE scheduler
> options INET # InterNETworking
> options FFS # Berkeley Fast Filesystem
> options SOFTUPDATES # Enable FFS soft updates support
> options UFS_DIRHASH # Improve performance on big directories
> options CD9660 # ISO 9660 Filesystem
> options PROCFS # Process filesystem (requires PSEUDOFS)
> options PSEUDOFS # Pseudo-filesystem framework
> options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
> options KBD_INSTALL_CDEV # install a CDEV entry in /dev
>
> options HZ=5000
> options ATA_STATIC_ID # Static device numbering
>
> options IPFIREWALL
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=100
> options DUMMYNET
> options BRIDGE
>
> device isa
> device pci
>
> device fdc
> device ata
> device atadisk # ATA disk drives
> device atapicd # ATAPI CDROM drives
> device atkbdc # AT keyboard controller
> device atkbd # AT keyboard
> device vga # VGA video card driver
> device sc
> device npx
>
> device miibus # MII bus support
> device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
>
> device random # Entropy device
> device loop # Network loopback
> device ether # Ethernet support
> device pty # Pseudo-ttys (telnet etc)
>
> device bpf # Berkeley packet filter
>
> ************************************
> /etc/rc.conf:
> hostname="samsara.mediamonks.net"
>
> ifconfig_xl1="DHCP"
> ifconfig_xl0="UP"
>
> jail_enable="NO"
> kldxref_enable="NO"
>
> kern_securelevel="3"
> kern_securelevel_enable="YES"
>
> firewall_enable="YES"
> firewall_script="/etc/rc.firewall"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="NO"
> firewall_logging="YES"
> firewall_flags=""
>
> nfs_server_enable="NO"
> gateway_enable="NO"
>
> syslogd_flags="-ss"
>
> sendmail_enable="NO"
> sshd_enable="YES"
> usbd_enable="NO"
> sshd_enable="YES"
> squid_enable="NO"
> apache2_enable="YES"
> oidentd_enable="YES"
> snmpd_enable="YES"
> snmpd_flags="-a -Lsd -p /var/run/snmpd.pid 127.0.0.1:161"
>
> ************************************
> /etc/sysctl.conf:
> security.bsd.see_other_uids=0
> security.bsd.see_other_gids=0
> kern.ipc.nmbclusters=65535
> net.inet.ip.fw.enable=0
> net.link.ether.bridge.enable=1
> net.link.ether.bridge_cfg=xl0,xl1
> net.link.ether.bridge_ipfw=1
>
> ************************************
> /etc/ipfw.rules:
> enable one_pass
>
> #incoming bandwidth
> pipe 1 config bw 4500kbits/s queue 10Kbytes
> #outgoing bandwidth
> pipe 2 config bw 4500kbits/s queue 10Kbytes
>
> #incoming queues, group on dst-host
> queue 10 config pipe 1 weight 50 mask dst-ip 0xffffffff #icmp
> queue 11 config pipe 1 weight 99 mask dst-ip 0xffffffff #ssh, telnet, dns, http
> queue 12 config pipe 1 weight 40 mask dst-ip 0xffffffff #all other ip
>
> #outgoing queues, group on src-host
> queue 20 config pipe 2 weight 50 mask src-ip 0xffffffff #icmp
> queue 21 config pipe 2 weight 99 mask src-ip 0xffffffff #ssh, telnet, dns, http
> queue 22 config pipe 2 weight 40 mask src-ip 0xffffffff #all other ip
>
> #queues for local system
> queue 30 config pipe 1 weight 50 mask dst-ip 0xffffffff
> queue 31 config pipe 2 weight 50 mask src-ip 0xffffffff
>
> #allow traffic on loopback interface
> add 00100 allow ip from any to any via lo0
>
> #deny lost/hostile packets to the loopback addresses, return host unreach
> add 00110 unreach host log logamount 20 ip from any to 127.0.0.0/8 via any
>
> #deny any private address, return host unreach
> add 00301 unreach host log logamount 20 ip from 10.0.0.0/8 to any in via any
> add 00302 unreach host log logamount 20 ip from 172.16.0.0/12 to any in via any
> add 00303 unreach host log logamount 20 ip from 192.168.0.0/16 to any in via any
>
> #deny windows networking, return RST
> add 00500 reset log logamount 20 ip from any to any 135,137-139 via any
>
> #for bridged traffic, skip
> add skipto 20000 ip from any to any via any bridged
>
> #** natd divert is possible here, if xl0 gets a private IP. **
>
> #deny packets with a source address known on a different interface, return host unreach
> add 00800 unreach host log logamount 20 ip from any to any not verrevpath in
>
> # for non-bridged traffic, skip
> add skipto 30000 ip from any to any via any
>
> #push bridged traffic in appropriate queues
> add 20000 queue 10 icmp from any to any in recv xl1
> add 20100 queue 11 ip from any 22,23,53,80 to any in recv xl1
> add 20200 queue 11 ip from any to any 22,23,53,80 in recv xl1
> add 20300 queue 12 ip from any to any in recv xl1
>
> add 21000 queue 20 icmp from any to any in recv xl0
> add 21100 queue 21 ip from any to any 22,23,53,80 in recv xl0
> add 21200 queue 21 ip from any 22,23,53,80 to any in recv xl0
> add 21300 queue 22 ip from any to any in recv xl0
>
> add skipto 50000 log logamount 20 ip from any to any via any
>
> #push non-bridged (local) traffic in appropriate queues
> add 30000 queue 30 icmp from any to any in recv xl1
> add 30100 queue 30 ip from any to any in recv xl1
>
> add 31000 queue 31 icmp from any to any out xmit xl1
> add 31100 queue 31 ip from any to any out xmit xl1
>
> add 50000 pass all from any to any
>
>
> I hope this helps someone in the future :)
>
> --
> Regards,
> Terrence Koeman
>
> MediaMonks B.V. (www.mediamonks.com)
> Please quote all replies in correspondence.
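The posted /etc/ipfw.rules leans on skipto, bridged and verrevpath, and the order of those rules decides which checks a packet ever sees. The Python script below is an added example, not code from the thread: a small first-match evaluator for just the ipfw keywords that ruleset uses, which walks a constructed packet through a copy of the posted rules and reports the rule numbers it matched on the way. It assumes ipfw's default auto-numbering (an unnumbered rule gets the previous number plus 100, so the two early skipto rules become 600 and 900), treats a queue action as terminal because one_pass is enabled, and takes the default rule as accept, per IPFIREWALL_DEFAULT_TO_ACCEPT in the posted kernel config. The packets, their reverse-path results and the 198.51.100.0/24 addresses are constructed test data.

```python
"""Added example, not from the thread: a first-match evaluator for the ipfw subset
used in the posted /etc/ipfw.rules, to trace which rule a given packet hits."""
import ipaddress
# Constructed copy of the posted rules. Unnumbered rules get the previous number
# + 100 (ipfw's default autoinc_step), so the two early skiptos become 600 and 900.
RULES_TEXT = """add 00100 allow ip from any to any via lo0
add 00110 unreach host log logamount 20 ip from any to 127.0.0.0/8 via any
add 00301 unreach host log logamount 20 ip from 10.0.0.0/8 to any in via any
add 00302 unreach host log logamount 20 ip from 172.16.0.0/12 to any in via any
add 00303 unreach host log logamount 20 ip from 192.168.0.0/16 to any in via any
add 00500 reset log logamount 20 ip from any to any 135,137-139 via any
add skipto 20000 ip from any to any via any bridged
add 00800 unreach host log logamount 20 ip from any to any not verrevpath in
add skipto 30000 ip from any to any via any
add 20000 queue 10 icmp from any to any in recv xl1
add 20100 queue 11 ip from any 22,23,53,80 to any in recv xl1
add 20200 queue 11 ip from any to any 22,23,53,80 in recv xl1
add 20300 queue 12 ip from any to any in recv xl1
add 21000 queue 20 icmp from any to any in recv xl0
add 21100 queue 21 ip from any to any 22,23,53,80 in recv xl0
add 21200 queue 21 ip from any 22,23,53,80 to any in recv xl0
add 21300 queue 22 ip from any to any in recv xl0
add skipto 50000 log logamount 20 ip from any to any via any
add 30000 queue 30 icmp from any to any in recv xl1
add 30100 queue 30 ip from any to any in recv xl1
add 31000 queue 31 icmp from any to any out xmit xl1
add 31100 queue 31 ip from any to any out xmit xl1
add 50000 pass all from any to any"""
OPTION_WORDS = ("via", "recv", "xmit", "in", "out", "bridged", "!verrevpath")

def parse_rules(text):
    rules, last = [], 0
    for line in text.replace("not verrevpath", "!verrevpath").splitlines():
        t = line.split()[1:]                                    # drop 'add'
        num = int(t.pop(0)) if t[0].isdigit() else last + 100
        action = t.pop(0)
        arg = t.pop(0) if action in ("skipto", "queue", "unreach") else None
        if t[0] == "log":                                       # 'log logamount N' is not a match term
            del t[:3]
        proto, _, src = t.pop(0), t.pop(0), t.pop(0)            # proto 'from' src
        sports = None if t[0] == "to" else t.pop(0)
        _, dst = t.pop(0), t.pop(0)                             # 'to' dst
        dports = t.pop(0) if t and t[0] not in OPTION_WORDS else None
        opts = {}
        while t:                                                # the rest are match options
            k = t.pop(0)
            opts[k] = t.pop(0) if k in ("via", "recv", "xmit") else True
        rules.append(dict(num=num, action=action, arg=arg, proto=proto, src=src,
                          sports=sports, dst=dst, dports=dports, opts=opts))
        last = num
    return rules

def _ports_ok(spec, port, proto):                               # ipfw matches ports on TCP/UDP only
    return spec is None or (proto in ("tcp", "udp") and any(
        int(lo) <= port <= int(hi or lo)
        for lo, _, hi in (part.partition("-") for part in spec.split(","))))

def matches(r, p):
    o = r["opts"]
    return (r["proto"] in ("ip", "all", p["proto"])
            and all(s == "any" or ipaddress.ip_address(a) in ipaddress.ip_network(s)
                    for s, a in ((r["src"], p["src"]), (r["dst"], p["dst"])))
            and _ports_ok(r["sports"], p["sport"], p["proto"])
            and _ports_ok(r["dports"], p["dport"], p["proto"])
            and o.get("via") in (None, "any", p["recv"], p["xmit"])
            and (not o.get("in") or p["dir"] == "in") and (not o.get("out") or p["dir"] == "out")
            and o.get("recv") in (None, p["recv"]) and o.get("xmit") in (None, p["xmit"])
            and (not o.get("bridged") or p["bridged"])
            and (not o.get("!verrevpath") or not p["revpath_ok"]))

def evaluate(rules, p):
    """Walk the rules first-match; return (action, arg, numbers of the rules matched)."""
    trace, i = [], 0
    while i < len(rules):
        r = rules[i]
        i += 1
        if matches(r, p):
            trace.append(r["num"])
            if r["action"] != "skipto":                         # queue is terminal: one_pass is enabled
                return r["action"], r["arg"], trace
            i = next(k for k, x in enumerate(rules) if x["num"] >= int(r["arg"]))
    return "allow", None, trace                                 # default rule: IPFIREWALL_DEFAULT_TO_ACCEPT

def packet(proto, src, dst, sport=0, dport=0, recv=None, xmit=None, **flags):
    p = dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, recv=recv,
             xmit=xmit, dir="in" if recv else "out", bridged=False, revpath_ok=True)
    return {**p, **flags}                                       # flags may override dir/bridged/revpath_ok

RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":  # constructed packets; 198.51.100.0/24 is documentation address space
    for name, p in {
        "C1 web request, bridged in on xl0": packet(
            "tcp", "217.1.1.156", "198.51.100.7", 43210, 80, recv="xl0", bridged=True),
        "C1's address arriving on xl1, bridged towards C1": packet(
            "tcp", "217.1.1.156", "217.1.1.156", 4444, 3456, recv="xl1", bridged=True, revpath_ok=False),
    }.items():
        print(f"{name:50} -> {evaluate(RULES, p)}")
```

The two traces it prints show the ordering point worth checking in this ruleset: a bridged packet matches rule 600 and jumps straight to the 20000 block, so the `not verrevpath` check at 800 only ever sees traffic addressed to the box itself. A bridged packet that carries a client's own address but arrives from the modem side on xl1 is therefore queued by rule 20300 and passed rather than rejected. A source check for the client addresses belongs inside the bridged block; a plain verrevpath there would not do, because the box's route to the client subnet is the connected route on xl1 (the interface holding the DHCP address), so legitimate client traffic entering on xl0 would fail it.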
>
> > -----Original Message-----
> > From: Randy Grafton [mailto:rgrafton at indatacorp.com]
> > Sent: Thursday, July 08, 2004 21:04
> > To: root at mediamonks.net
> > Subject: RE: Network configuration
> >
> > I set up a little home network using my FreeBSD box as the
> > 'router'. There
> > are two boxes on my internal LAN that I wanted to have access
> > to from the
> > internet as well as provide full internet access to all internal
> > clients/servers.
> >
> > Like I said, I recompiled my kernel with the nat options.
> > I'll list the
> > steps here, if you've already performed them then at least I
> > got in some
> > typing practice.
> >
> > Install the kernel sources. Insert your install disk and from
> > the command
> > line run /stand/sysinstall.
> > Select the Configure option, then the Distributions option, then src and
> > finally sys.
> > Once the sources are installed you will go to
> > /usr/src/sys/i386/conf. Within
> > this directory are two files, GENERIC and LINT. Make a copy
> > of GENERIC with
> > a name of your choosing. Edit the GENERIC copy and add the
> > following lines:
> > options IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT=10
> > options IPDIVERT
> >
> > Save the modified file and compile your kernel. This is done by doing:
> > config <GENERIC COPY NAME>
> > cd ../../<GENERIC COPY NAME>
> > make
> > make install
> > reboot
> >
> > Now you'll edit your /etc/rc.conf file.
> > Add these lines to it:
> > gateway_enable="YES"
> > ifconfig_xl0="inet 217.1.1.155 netmask <your netmask>"
> > ifconfig_xl0_alias0="inet 217.1.1.155 netmask <your netmask>"
> > ifconfig_xl0_alias1="inet 217.1.1.156 netmask <your netmask>"
> > ifconfig_xl0_alias2="inet 217.1.1.157 netmask <your netmask>"
> > ifconfig_xl0_alias3="inet 217.1.1.158 netmask <your netmask>"
> > ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.0"
> > firewall_type="OPEN"
> > firewall_quiet="YES"
> > firewall_logging="YES"
> > natd_enable="YES"
> > natd_interface="xl0"
> > natd_flags="-f /etc/natd.conf" (explained below)
> >
> > Now create the /etc/natd.conf file with these lines:
> > same ports yes
> > dynamic yes
> > redirect_port tcp 192.168.1.2 217.1.1.156
> > redirect_port udp 192.168.1.2 217.1.1.156
> > redirect_port tcp 192.168.1.3 217.1.1.157
> > redirect_port udp 192.168.1.3 217.1.1.157
> > redirect_port tcp 192.168.1.4 217.1.1.158
> > redirect_port udp 192.168.1.5 217.1.1.158
> >
> > The redirect_port has this syntax:
> > redirect_port tcp <dest_internal_address> <src_external_address>
> > redirect_port udp <dest_internal_address> <src_external_address>
> >
> >                        --------------
> >                        | SDSL Modem |
> >                        |  Bridged   |
> >                        --------------
> >                               |
> >                  --------------------------
> >                  | xl0: 217.1.1.155       |
> >                  | xl0: 217.1.1.156       |
> >                  | xl0: 217.1.1.157       |
> >                  | xl0: 217.1.1.158       |
> >                  |                        |
> >                  |      Freebsd Box       |
> >                  |                        |
> >                  | xl1: 192.168.1.1       |
> >                  --------------------------
> >                               |
> >                          ----------
> >          |---------------| SWITCH |----------------|
> >          |               ----------                |
> >          |                    |                    |
> > -------------------  -------------------  -------------------
> > | C1: 192.168.1.2 |  | C2: 192.168.1.3 |  | C3: 192.168.1.4 |
> > -------------------  -------------------  -------------------
> >
> > Once these changes are made you can run /etc/netstart. This
> > little script is
> > great, anytime that you make network config changes you can
> > run this instead
> > of having to restart the whole system.
> >
> > All of your internal clients will now need to have
> > 192.168.1.1 listed as
> > their default router/gateway.
> >
> > Whew! Did that help?
> >
> > -Randy
> >
> >
> >
> > -----Original Message-----
> > From: Terrence Koeman [mailto:root at mediamonks.net]
> > Sent: Thursday, July 08, 2004 11:12 AM
> > To: rgrafton at indatacorp.com
> > Subject: RE: Network configuration
> >
> > Well, I can do the firewall part. It's just the gateway thing
> > I can't figure
> > out.
> >
> > The three 'clients' have to have a public IP address because they are
> > actually servers.
> >
> > I need;
> > -the three servers to have full internet connectivity, in and out
> > -the possibility to manipulate/block/prioritize the packets
> > to and from them
> > -the freebsd box needs to have an external IP address for access
> >
> > Currently I have no idea what to bind to xl1, what method to
> > use to get the
> > packets out (routing, bridging?), and what gateway to use on the
> > 'clients'...
> >
> > Any help would be really appreciated.
> >
> > --
> > Regards,
> > Terrence Koeman
> >
> > MediaMonks B.V. (www.mediamonks.com)
> > Please quote all replies in correspondence.
> >
> > > -----Original Message-----
> > > From: Randy Grafton [mailto:rgrafton at indatacorp.com]
> > > Sent: Thursday, July 08, 2004 19:32
> > > To: root at mediamonks.net
> > > Subject: RE: Network configuration
> > >
> > > I would recommend that you start out open and then start
> > > closing things up.
> > >
> > > I'm not an ipfw expert but I can get you going with the
> > > gateway thing. Since you said that you have nat running, I
> > > assume that you recompiled your kernel?
> > > If not then email me back and I'll provide a quick how to.
> > >
> > > Why are you looking to make the clients available from the internet?
> > > Your answer to this question could open some other
> > > possibilities for configuration.
> > >
> > > -Randy
> > >
> > >
> > > -----Original Message-----
> > > From: owner-freebsd-questions at freebsd.org
> > > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of
> > > Terrence Koeman
> > > Sent: Thursday, July 08, 2004 10:03 AM
> > > To: Barbish3 at adelphia.net; freebsd-questions at freebsd.org
> > > Subject: RE: Network configuration
> > >
> > > I haven't got any real config right now as I'm not sure about
> > > how to start with this.
> > >
> > > --
> > > Regards,
> > > Terrence Koeman
> > >
> > > MediaMonks B.V. (www.mediamonks.com)
> > > Please quote all replies in correspondence.
> > >
> > > > -----Original Message-----
> > > > From: JJB [mailto:Barbish3 at adelphia.net]
> > > > Sent: Thursday, July 08, 2004 17:58
> > > > To: root at mediamonks.net
> > > > Subject: RE: Network configuration
> > > >
> > > > Post the full content of your rc.conf file and your ipfw rule set.
> > > >
> > > > -----Original Message-----
> > > > From: owner-freebsd-questions at freebsd.org
> > > > [mailto:owner-freebsd-questions at freebsd.org] On Behalf Of Terrence
> > > > Koeman
> > > > Sent: Thursday, July 08, 2004 11:10 AM
> > > > To: freebsd-questions at freebsd.org
> > > > Subject: Network configuration
> > > >
> > > > Hi,
> > > >
> > > > I have been busy setting up a network the last 3 days, but I cannot
> > > > get it working.
> > > >
> > > > Basically I have no clue what has to be set up etc. and if I need
> > > > bridging or not.
> > > >
> > > > The situation is as follows:
> > > >
> > > >                        --------------
> > > >                        | SDSL Modem |
> > > >                        |  Bridged   |
> > > >                        --------------
> > > >                               |
> > > >                  --------------------------
> > > >                  | xl0: 217.1.1.155       |
> > > >                  |                        |
> > > >                  |      Freebsd Box       |
> > > >                  |                        |
> > > >                  | xl1                    |
> > > >                  --------------------------
> > > >                               |
> > > >                          ----------
> > > >          |---------------| SWITCH |----------------|
> > > >          |               ----------                |
> > > >          |                    |                    |
> > > > -------------------  -------------------  -------------------
> > > > | C1: 217.1.1.156 |  | C2: 217.1.1.157 |  | C3: 217.1.1.158 |
> > > > -------------------  -------------------  -------------------
> > > >
> > > >
> > > > The FreeBSD box has full internet connectivity and I can also get NAT
> > > > working, but the thing is that I need those non-private IPs bound to
> > > > the clients and I need ipfw between the clients and the modem. Also I
> > > > need the FreeBSD machine to have a non-private IP address. I have no
> > > > clue as to getting the packets from those clients to the internet. I
> > > > tried bridging xl0 and xl1 and using 217.1.1.155 as gateway, but that
> > > > didn't work.
> > > >
> > > > Maybe someone that knows how to do something like this can shed some
> > > > light on it for me?
> > > >
> > > > Thanks in advance.
> > > >
> > > > --
> > > > Regards,
> > > > Terrence Koeman
> > > >
> > > > MediaMonks B.V. (www.mediamonks.com)
> > > > Please quote all replies in correspondence.