FreeBSD Firewall/Router/Gateway questions. - bsd.freebsd.misc
#1

I've been playing with this for a few days and am trying to get a good understanding of what I am doing before I get too far into this, to make sure that I don't end up with a big mess. First I'll try to explain what I am trying to do.

FreeBSD Firewall/Router/Gateway
Linksys Router
Internal Network

The FreeBSD box is connected to my ISP and then to my Linksys Router. I would like to use it as a Gateway to the internet. My router takes care of my internal network. Getting the FreeBSD box connected to the internet and the internal network behind the Router is simple. Where I am a little confused is connecting the Linksys router to the FreeBSD box and having it be able to make it out into the real world.

I've read the handbook and a few different write-ups and they all seem to differ and don't seem to be like my setup. The write-ups I've seen leave the Linksys router out and use a hub with FreeBSD managing the internal network rather than a router. In their cases they all use ipfw combined with natd to get the network up and running. My confusion is, with the setup I'm wanting, do I need natd since the traffic is straight through to only the router and not redirecting traffic to multiple IPs?

So far all I have set up is
________________________________
FreeBSD box
gateway_enable="YES"

NIC1 = DHCP -> Internet
NIC2 = 10.1.10.1
________________________________
Linksys Router
10.1.10.2
gateway 10.1.10.1

The internal network is regulated by the router and is working fine. I'm not sure what to set as the default gateway on the FreeBSD box, if anything, since the IP assigned by my ISP is not static. I will worry about setting up a firewall later once I understand how to get the router connected out through the FreeBSD box. I want to use PF for the firewall rather than ipfw, which is also a bit of a road block since all of the write-ups I find, including the one in the book, use natd + ipfw.

Sorry, and I know this is probably all very simple for people who have a good understanding of networking. This is just a project that I am working on to get a better understanding of it myself.
#2

usenetforall wrote:
> Linksys Router

Is this Linksys router a wireless router? If not, you can just replace it with a switch (connected to the FreeBSD gateway / router instead). The FreeBSD box can do DHCP for the internal network also.

If the Linksys router is a wireless router, you could set it up as an access point instead of a router; that will save some trouble.

> natd to get the network up and running. My confusion, is with the setup
> im wanting do I need natd since the traffic is straight through to only
> the router and not redirecting traffic to multiple ip's?

Do you have multiple machines on your internal network? Do they have private IP addresses[1] (as opposed to public IP addresses[2])?

> Freebsd box
> gateway_enable="YES"
>
> NIC1 = DHCP -> Internet
> NIC2 = 10.1.10.1

I guess you are getting a public IP address from your ISP. The internal IP address you use is from a range of private IP addresses. Nothing wrong with that. But private IP addresses can't travel on the internet - they are not allowed to. As long as your internal network is using private IP addresses, you must have NAT[3] somewhere before the packets leave your private network.

> router connected out through the freebsd box. I want to use PF for the
> firewall rather than ipfw which is also a bit of a road block since all
> of the writeups i find including the one in the book is using natd +
> ipfw.

I believe there are several pf tutorials around. Have you searched for the right thing? FWIW, natd + ipfw works fine for me.

References:
1) http://en.wikipedia.org/wiki/Private_network
2) http://en.wikipedia.org/wiki/IP_address
3) http://en.wikipedia.org/wiki/Network...ss_translation

HTH
--
Torfinn Ingolfsen, Norway
#3

In article <4915cd3c$1@news.broadpark.no>, tingo@start.no says...
> usenetforall wrote:
> > Linksys Router
>
> Is this Linksys router a wireless router?
> If not, you can just replace it with a switch (connected to the FreeBSD
> gateway / router instead.
> The FreeBSD box can do DHCP for the internal network also.
>
> If the Linksys router is a wireless router, you could set it up as an
> access point instead of a router, that will save some trouble.

Yes. The Linksys is a wireless router.

> Do you have multiple machines on your internal network?
> Do they have private ip addresses[1] (as opposed to public ip addresses[2])?

I do have multiple machines behind the Linksys router. Two are wireless and two are not. This home network of mine is mostly just a toy. Two are running FreeBSD and two are running Windows XP. The network behind the Linksys works great and hasn't been a problem.

> I guess you are getting a public ip address from you ISP.
> The internal ip address you use is from a range of private ip addresses.
> Nothing wrong with that. But private ip addresses can't travel on the
> internet - they are not allowed to.
> As long as your internal network is using private ip addresses, you must
> have nat[3] somewhere before the packets leave your private network.

This is exactly right. The reason for my confusion is the area of the FreeBSD handbook that starts to talk about routing. I don't want to paste the whole thing here, but if I understand it right, I can set up a route that will allow traffic to pass between interfaces.

http://www.freebsd.org/doc/en/books/...k-routing.html

The only time I should need natd is if I want to forward ports to my internal network? The routing is where I am mostly confused. I have the reading comprehension of a three year old, unfortunately, so I struggle a bit understanding exactly what I am reading. I usually do better with trial and error, but this is a situation where I would like to know what I am doing before I mess around, as it will lock me out of the internet until I get it figured out.

> I believe there are several pf tutorials around. Have searched for the
> right thing?
> FWIW, natd + ipfw works fine for me.

I am very close to giving up and just going with natd + ipfw, mostly because there are more and better tutorials for this setup. I really would rather learn and use PF though. From what I understand, PF can not only take care of the firewall aspect of what I am trying to do, but it can also take care of all of the NAT tasks and then some as well. I have a lot of documentation on PF and plan on hitting the books soon, but I would like to fully understand one thing at a time, and for now I would just like to know that I understand what makes my network tick, including the routing/gateway aspect. It may come in useful to me some day. Plus I'm just curious and apparently like self abuse. Thanks.

> References:
> 1) http://en.wikipedia.org/wiki/Private_network
> 2) http://en.wikipedia.org/wiki/IP_address
> 3) http://en.wikipedia.org/wiki/Network...ss_translation

I'm going to check these out. Thanks again.
#4

Dave wrote:
> This is exactly right. The reason for my confusion is the area of the
> FreeBSD handbook that starts to talk about routing. I dont want to paste
> the whole thing here but if I understand it right, I can set up a route
> that will allow traffic to pass between interfaces.

Yes, that is correct. However, re-read my note in the previous posting: packets with private IP addresses in them are not allowed to travel on the internet. This restriction is enforced by all routers on the Internet.

> The only time I should need natd is if I want to forward ports to my
> internal network? The routing is where I am mostly confused. I have the

No, see above. The machines on your internal network have private IP addresses, so you _will_ need NAT if you are going to send any traffic to the Internet. Like browsing a web page, sending mail, and so on.

NAT works like this: outbound packets have their source IP address changed so it looks like they are coming from the NAT gateway. On return, inbound packets are changed back, so that they will be delivered to the correct internal host.

> I am very close to giving up and just going with natd + ipfw mostly
> because there are more and better tutorials for this set up. I really
> would rather learn and use PF though. From what I understand, PF can not

Well, you could also learn natd + ipfw first and then pf later.

--
Torfinn Ingolfsen, Norway
#5

In article <4917f275@news.broadpark.no>, tingo@start.no says...
> Dave wrote:
> No, See above. The machines on your internal network have private ip
> addresses, so you _will_ need nat if you are going to send any traffic
> to the Internet.
> Like browsing a web page, sending mail, and so on.
> Nat works like this: outbound packets have their source ip address
> changed so it looks like they are coming from the nat gateway. On
> return, inbound packets are changed back, so that they will be delivered
> to the correct internal host.

Ok, here is a bit of a technical question about NAT, which I am starting to understand finally, by the way. The network behind my router gets NAT'ed at the router. Then with my setup, it will get NAT'ed again when routing through the FreeBSD firewall and out into the real world. Will this double NAT'ing cause problems? This may be a dumb question but I had to ask.

> Well, you could also learn natd + ipfw first and the pf later.

I've been reading every single web page that I can find on PF and have been through about 1000 tutorials now. OpenBSD's web site actually has some very good documentation and a great example on NAT using PF, and I think that I am beginning to understand it, although the rules are going to take a bit. I can use some example configs at first, until I get a better understanding, to just allow all traffic out and start to restrict what traffic comes in. I'll keep posting on here as I progress.

My main problem now is just getting the network working. I can't seem to get the FreeBSD box to see the router connected to my second NIC. I can ping the FreeBSD box 10.1.10.1 from the router (I have the router set to 10.1.10.2) and I can get the router to ping itself. I can also get the FreeBSD box to ping 10.1.10.1 but can't get a reply from 10.1.10.2. I think that it is a routing problem. I don't believe that I have a routing table set to allow the FreeBSD box to see the internal network. I'll have to fix this.

I also haven't been able to get the router to access anything outside of the network, even with a wide open firewall, which means that I still must not understand NAT using PF 100% yet, but I need to take care of one problem at a time. I'm going to take my laptop home today and set up my FreeBSD firewall behind the router, since I know that it can connect out and allows connections through, and try to get the laptop routed through the FreeBSD box and out into the real world. It's too difficult to troubleshoot using the router as the internal network.
#6

Chris Jewell wrote:
>> This restriction is enforced by all routers on the Internet.
>
> Your experience certainly differs from mine. The FreeBSD firewall for

I guess I live in a sheltered place on the Internet :-) Or perhaps Norwegian ISPs are more vigilant in enforcing those standards? I was in doubt when I wrote that sentence, but I figured writing "should be enforced" would confuse the OP even more.

> I'm hoping that Mr Cerf's crystal ball is correct, and that the IPv6
> transition will happen in 2009 or 2010,

I wouldn't bet on it. Where are the how-tos and guides for running an IPv6 setup? Where are the how-tos for setting up and running an IPv6 firewall?

> because IPv4 address space will have been exhausted by then.

Oh, I guess we will manage (ok, kludge) along still. With the recent economic situation, where are all the devices that will exhaust it? ISPs (at least in my part of the world) are happy to sell NAT solutions, and have no immediate plans or even roadmaps for a transition to IPv6.

> Then the rest of us can forget about NAT, leaving it to those who think that it is a substitute for
> firewall filtering.

Well, for my own part, NAT and the division between private and public IP addresses are something I am used to. I still need that firewall how-to: how do I understand, set up and run an IPv6 network and firewall?

--
Torfinn Ingolfsen, Norway
#7

Neurosis wrote:
> Ok, here is a bit of a technical question about nat, which I am starting
> to understand finally by the way
> network behind my router gets nat'ed at the router. Then with my setup,
> it will get nat'ed again when routing through the freebsd firewall and
> out in to the real world. Will this double nat'ing cause problems? This
> may be a dumb question but I had to ask.

It can cause problems. I am using a double NAT setup and it works for me. YMMV. My guess is that it depends very much on the protocols you need to pass through that setup.

> My main problem now is just getting the network working. I cant seem to
> get the FreeBSD box to see the router connected to my second nic. I can
> ping the freebsd box 10.1.10.1 from the router (i have the router set to
> 10.1.10.2) and I can get the router to ping itself. I can also get the
> Freebsd box to ping 10.1.10.1 but cant get a reply from 10.1.10.2. I
> think that it is a routing problem. I dont believe that I have a routing

Use 'netstat -r' (or even 'netstat -rn') to check your routing tables.

HTH
--
Torfinn Ingolfsen, Norway
#8

On Tue, 11 Nov 2008 17:20:21 +0100, Torfinn Ingolfsen wrote:
> Chris Jewell wrote:
>>> This restriction is enforced by all routers on the Internet.
>>
>> Your experience certainly differs from mine. The FreeBSD firewall for
>
> I guess I live in a sheltered place on the Internet :-) Or perhaps
> Norwegian ISP's are more vigilant in enforcing those standards? I was in
> doubt when I wrote that sentence, but I figured writing "should be
> enforced" would confuse the OP even more.

It really does seem to depend on where in the Internet one is connected.

>> I'm hoping that Mr Cerf's crystal ball is correct, and that the IPv6
>> transition will happen in 2009 or 2010,
>
> I wouldn't bet on it.

I'd bet against it.

> Where are the how-tos and guides for running an IPv6 setup? Where are
> the how-tos for setting up and running an IPv6 firewall?

Well, you could set the ball rolling :-)

>> because IPv4 address space will have been exhausted by then.
>
> Oh, I guess we will manage (ok, kludge) along still. With the recent
> economic situation, where are all the devices that will exhaust it?
> ISP's (at least in my part of the world) are happy to sell NAT
> solutions, and have no immediate plans or even roadmaps for a transition
> to IPv6.

More importantly, where are the affordable IPv6 devices? Consumer routers on the end of ADSL or cable connections are the majority of Internet connected devices. I don't know of any that are IPv6 enabled, and most IPv6 hardware is still aimed at medium-large corporations. That said, a lot of ISPs are IPv6 enabled.

>> Then the rest of us can forget about NAT, leaving it to those who
>> think that it is a substitute for
>> firewall filtering.
>
> Well, for my own part, nat and the division between private and public
> ip addresses are something I am used to. I still need that firewall
> how-to: how do I understand, setup and run an IPv6 network and firewall?

The "people think NAT is a substitute for filtering" argument is a straw man. At the same time, NAT allows one to do the filtering effectively and simply at the gateway, whereas IPv6 seems to need it to be done at every endpoint. And how many IPv6 nameservers are available? The transition isn't going to happen until the infrastructure is there to support it.
#9

In article <7rhc6f3uyq.fsf@pileated.puffin.com>, chrisj@puffin.com says...
> Torfinn Ingolfsen
> Your experience certainly differs from mine. The FreeBSD firewall for
> my household network rejects thousands of incoming packets every day
> with RFC1918 source addresses. This condition has persisted for a
> decade or so, through about 6 different ISPs. IMHO the routers on the
> Internet should block those packets, and I think I even recall a BCP
> RFC saying that they should, but my experience is that they don't.

I didn't even realize that it was possible to get packets out to the net through a gateway showing a private source address. I assumed that anything coming out of your internal/private network showed your external address and not your private internal one. In the case of using a router for your home network, I assume that it NATs everything that leaves the router out into the real world? What would be a situation where packets would leave a machine to the real world using a private IP source address?

Sorry for the newbie networking questions.
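A pf.conf for the gateway this thread describes, added here as an example and not taken from any of the posters: it NATs the 10.1.10.0/24 side out the ISP link (the double-NAT path discussed in #5 and #7) and drops packets that arrive from the ISP with an RFC 1918 source, the kind Chris Jewell's firewall logs. The interface names em0 and em1 are assumptions; substitute the NIC names ifconfig shows on the box.

```pf
# /etc/pf.conf for the FreeBSD gateway (added example; NIC names are assumptions)
ext_if = "em0"                 # NIC1, address assigned by the ISP via DHCP
int_if = "em1"                 # NIC2, 10.1.10.1, faces the Linksys
int_net = "10.1.10.0/24"
# RFC 1918 ranges: fine behind the gateway, never valid as a source on the ISP side
private = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

set skip on lo0
scrub in all

# Rewrite the source of LAN traffic to the ISP-assigned address on the way out.
# The parentheses make pf re-read em0's address on every evaluation, so the
# rule keeps working when the DHCP lease hands the box a new address.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default deny inbound and log the drops (view with tcpdump -n -e -ttt -i pflog0)
block in log all

# A packet claiming a private source on the ISP link is spoofed or leaked:
# drop it explicitly so it stands out in the log, and also drop anything that
# pretends to come from our own networks on the wrong interface.
block drop in log quick on $ext_if from $private to any
antispoof quick for { lo0 $int_if }

# Let the Linksys (10.1.10.2, which has already NATed its own clients once)
# and the gateway itself reach the Internet; state entries pass the replies
# back without needing separate inbound rules.
pass in on $int_if from $int_net to any keep state
pass out keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; the box also needs gateway_enable="YES", pf_enable="YES" and pflog_enable="YES" in /etc/rc.conf so forwarding and the pflog0 interface come up at boot.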
#10

Mark Madsen wrote:
> Well, you could set the ball rolling :-)

Most likely I will not. I get a headache every time I try to think about how I would get myself an IPv6 setup.

> More importantly, where are the affordable IPv6 devices? Consumer
> routers on the end of ADSL or cable connections are the majority of
> Internet connected devices. I don't know of any that are IPv6 enabled,

Agreed.

> That said, a lot of ISPs are IPv6 enabled.

Well, not so here in Norway - the computer / IT press have checked.

> The "people think NAT is a substitute for filtering" argument is a straw
> man. At the same time, NAT allows one to do the filtering effectively
> and simply at the gateway, whereas IPv6 seems to need it to be done at
> every endpoint.

A firewall on every machine? Instead of one firewall that separates "my" network from the Internet? I guess that way of thinking will scare away a few people.

> And how many IPv6 nameservers are available? The transition isn't going
> to happen until the infrastructure is there to support it.

Well, many root name servers are ready, but does that help at all? At least 9 of the 13 root servers[1] are IPv6 enabled, if we are to believe Wikipedia.

References:
1) http://en.wikipedia.org/wiki/Root_nameserver

--
Torfinn Ingolfsen, Norway