Re: NAT and PPPoE problems

From: Brent Bailey (mrb_at_bmyster.com)
Date: 10/13/03

  • Next message: Jerry McAllister: "Re: Problem with adding more swap !"
    Date: Mon, 13 Oct 2003 10:33:12 -0400 (EDT)
    To: "Alex de Kruijff" <freebsd@akruijff.dds.nl>
    
    

    Here are the docs I used when using ADSL w/ PPPoE and NAT w/ IPFW.
    There are 2 writeups here ...first is PPPoE (I'm assuming you already know
    how to compile your kernel?) 2nd is Dual Home host ...and how to setup
    NAT.

    hope this helps

    -- 
    Brent Bailey CCNA
    Bmyster LLC
    Computer Networking and Webhosting
    Network Engineer, Webmaster, President
    http://www.bmyster.com
    mrb@bmyster.com
    207-247-8330
    #############################################
    FreeBSD PPPoE HOWTO
    FreeBSD Requirements for PPPoE
    Be sure that you have a version of userppp that supports PPPoE. Please note
    that userppp is included in FreeBSD. It is not add-on software. Recent
    FreeBSD releases should be fine.
    Any -CURRENT, -STABLE and -RELEASE versions of FreeBSD should be able to
    support PPPoE. FreeBSD 4.0-CURRENT and 3.3-STABLE releases have been tested
    and found to work.
    Configuring FreeBSD Kernel for PPPoE
    In order to support PPPoE, three lines must be added at the end of the
    FreeBSD kernel file. Beginners with no idea how to compile a kernel, please
    read the following carefully. For more experienced users who know how to
    compile a kernel, just see step 3 below and add the three lines to your
    kernel.
      1. First you must change to the kernel configuration directory:
        cd /usr/src/sys/i386/conf
      2. In the kernel configuration directory, use your favorite text editor
        and edit the kernel file. For example, if you use vi, you would
        type:
        vi KERNEL
      3. Go to the end of the kernel file and add the following three lines:
        options NETGRAPH
        options NETGRAPH_PPPOE
        options NETGRAPH_SOCKET
      4. After adding these three lines, save the modified kernel file.
      5. Type this command to set the kernel configuration:
        config KERNEL
      6. Now you must change to the kernel setup directory:
        cd ../../compile/KERNEL
      7. In the kernel setup directory, type the following three commands:
        make depend
        make
        make install
    Your kernel is now ready for PPPoE!
    Configuring FreeBSD /etc/ppp/ppp.conf File
    To edit the /etc/ppp/ppp.conf file, just use your favorite text editor.
    Replace any existing file content with the lines below. Be sure the "set
    device PPPoE:---" line is correct for your network interface card. (We used
    ed1 for the NIC in this example.) Change the authname and authkey to your
    sympatico user id (b1xxxxxx) and your password.
        # /etc/ppp/ppp.conf
        default:
        set log Phase Chat LCP IPCP CCP tun command
        nat enable yes
        nat same_ports yes
        nat use_sockets yes
        set redial 15 28800
        set reconnect 15 28800
        pppoe:
        set device PPPoE:ed1:
        set mru 1492
        set mtu 1492
        set speed sync
        enable lqr
        set lqrperiod 5
        set cd 5
        set dial
        set login
        set timeout 0
        set authname b1xxxxxx@sympatico.ca
        set authkey yourpassword
        set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
        add default HISADDR
        enable dns
        # end of ppp configuration
    Configuring FreeBSD /etc/rc.conf File
    The /etc/rc.conf file should be set up as follows for the ethernet interface
    that goes to your DSL modem. (Again, this example uses ed1 for the NIC.)
        # /etc/rc.conf
        network_interfaces="auto"  #Set network interfaces automatically
        ifconfig_ed1="inet 10.0.0.1 netmask 255.0.0.0 -arp up"
        ppp_enable="YES"            #This enables PPP on startup (recommended)
        ppp_mode="background"
        ppp_profile="pppoe"
        #end of  /etc/rc.conf
    Rebooting the System
    After you have compiled the kernel to support PPPoE and have edited the
    /etc/ppp/ppp.conf and /etc/rc.conf files with the right configuration, you
    can reboot your system. If you enabled ppp in the /etc/rc.conf as
    recommended, you should be connected and can now enjoy surfing the net on
    FreeBSD using PPPoE.
    Starting PPP Manually
    If you did not enable ppp to automatically connect on startup in the
    /etc/rc.conf file, you can use this command to connect to the Internet
    manually:
        ppp -background pppoe
    ############################################
    ##############################################
    ######## IPFW & NAT #############################
    using IPFW and NATD
    Applicable to: FreeBSD 4.2
    Updated: January 1, 2001
    This cheat sheet describes how to set up a dual-homed host (gateway) using
    kernel packet filtering (IPFW) and the network address translation daemon
    (NATD). This procedure assumes the FreeBSD machine is equipped with two
    ethernet interfaces. If the outside interface is a dial-up connection or a
    PPP-over-Ethernet (PPPoE) DSL connection, use ppp(8)'s NAT facility
    instead.
    Before performing this procedure, you should read the FreeBSD Handbook
    sections Firewalls and Gateways and Routes, and review the ipfirewall(4),
    ipfw(8), and natd(8) manual pages.
    For the purpose of this procedure, the following assumptions have been made:
    The outside (Internet) interface is device 'dc0' and is assigned the IP
    address 123.45.67.89/22, either static or dynamic (DHCP).
    The inside interface is device 'ep0' and is assigned the IP address
    10.20.155.0/24.
    If your outside interface is a DSL connection or a cable modem, please
    refer to Setting-up a DSL Connection or Setting-up a Cable Modem, as
    appropriate, before beginning this procedure.
    Edit the kernel configuration file, /usr/src/sys/i386/conf/YOURKERNEL, and
    add firewall/NAT support:
        options     IPFIREWALL           #firewall
        options     IPDIVERT             #divert sockets
    There are some other options you might want to include as well:
        options     IPFIREWALL_VERBOSE   #print information about
                                         # dropped packets
        options     "IPFIREWALL_VERBOSE_LIMIT=100" #limit verbosity
        options     TCP_DROP_SYNFIN      #drop TCP packets with SYN+FIN
        options     TCP_RESTRICT_RST     #restrict emission of TCP RST
        options     "ICMP_BANDLIM"
    For more information on these options, please refer to
    /usr/src/sys/i386/conf/LINT.

    Recompile the kernel, but do not reboot yet. Refer to Building a Custom
    Kernel for information on recompiling your kernel.

    Edit /etc/rc.conf:
        gateway_enable="YES"       # Set to YES if this host will be a gateway.
        firewall_enable="YES"      # Set to YES to enable firewall functionality
        firewall_script="/etc/rc.firewall"  # Which script to run to set up the firewall
        firewall_type="open"       # Firewall type (see /etc/rc.firewall)
        firewall_quiet="NO"        # Set to YES to suppress rule display
        natd_program="/sbin/natd"  # path to natd, if you want a different one.
        natd_enable="YES"          # Enable natd (if firewall_enable == YES).
        natd_interface="dc0"       # Public interface or IPaddress to use.
        natd_flags="-f /etc/natd.conf"  # Additional flags for natd.

    Create /etc/natd.conf:
        dynamic yes   (If you are using DHCP)
        use_sockets yes
        same_ports yes

    Verify that the following line appears in /etc/services:
        natd      8668/divert   # Network Address Translation

    Shut down and reboot.
    At this point, you should have a working gateway machine. Test to make
    sure machines on the local network can access the Internet.

    Check your firewall rules:
        # ipfw list

    You should see something like:

        00100 divert 8668 ip from any to any via dc0
        00100 allow ip from any to any via lo0
        00200 deny ip from any to 127.0.0.0/8
        65000 allow ip from any to any

    As you might have guessed, this is not a very secure firewall. So let's
    tighten it up:

    Edit /etc/rc.conf and change the line:
        firewall_script="/etc/rc.firewall"

    to:
        firewall_script="/etc/rc.ipfw"
    Copy /etc/rc.firewall to /etc/rc.ipfw and edit it to reflect the outside
    and inside interface addresses and to include the following rules as you
    see fit:
        # rc.ipfw - Firewall Rules
        #
        # This file is a modified version of /etc/rc.firewall.
        #
        # Maintained by:  D. O'Connor
        # Modified:       7/18/2000.
        #

        # Suck in the configuration variables.
        if [ -r /etc/defaults/rc.conf ]; then
                . /etc/defaults/rc.conf
                source_rc_confs
        elif [ -r /etc/rc.conf ]; then
                . /etc/rc.conf
        fi
        if [ -n "${1}" ]; then
                firewall_type="${1}"
        fi

        # Firewall program
        fwcmd="/sbin/ipfw"

        # Outside interface network and netmask and ip
        oif="dc0"
        onet="x.x.x.x"
        omask="255.255.252.0"
        oip="x.x.x.x"

        # Inside interface network and netmask and ip
        iif="ep0"
        inet="x.x.x.x"
        imask="255.255.255.0"
        iip="10.20.155.1"

        # My ISP's DNS servers
        dns1="207.228.35.42"
        dns2="207.228.37.195"

        # Flush previous rules
        ${fwcmd} -f flush

        # Allow loopbacks, deny imposters
        ${fwcmd} add 100 pass all from any to any via lo0
        ${fwcmd} add 200 deny all from any to 127.0.0.0/8

        # If you're using 'options BRIDGE', uncomment the following line to pass ARP
        #${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

        # Stop spoofing
        ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
        ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
        ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

        # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
        # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
        # on the outside interface
        ${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
        ${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
        ${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
        ${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
        ${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

        # Network Address Translation.  This rule is placed here deliberately
        # so that it does not interfere with the surrounding address-checking
        # rules.  If for example one of your internal LAN machines had its IP
        # address set to 192.0.2.1 then an incoming packet for it after being
        # translated by natd(8) would match the `deny' rule above.  Similarly
        # an outgoing packet originated from it before being translated would
        # match the `deny' rule below.
        ${fwcmd} add divert natd all from any to any via ${natd_interface}

        # Stop RFC1918 nets on the outside interface
        ${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
        ${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

        # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
        # DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
        # on the outside interface
        ${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
        ${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
        ${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
        ${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
        ${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

        # Allow established connections with minimal overhead
        ${fwcmd} add pass tcp from any to any established

        # Allow IP fragments to pass through
        ${fwcmd} add pass all from any to any frag

        ### TCP RULES

        # HTTP - Allow access to our web server
        ${fwcmd} add pass tcp from any to any 80 setup
        # SMTP - Allow incoming mail
        ${fwcmd} add pass tcp from any to any 25 setup

        # FTP - Allow incoming data channel for outgoing connections,
        # reject & log all incoming control connections
        ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
        ${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

        # SSH Login - Allow & Log all incoming
        ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

        # IDENT - Reset incoming connections
        ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

        # Reject&Log all setup of incoming connections from the outside
        ${fwcmd} add deny log tcp from any to any in via ${oif} setup

        # Allow setup of any other TCP connection
        ${fwcmd} add pass tcp from any to any setup

        ### UDP RULES

        # DNS - Allow queries out in the world
        ${fwcmd} add pass udp from any to ${dns1} 53
        ${fwcmd} add pass udp from any to ${dns2} 53
        ${fwcmd} add pass udp from ${dns1} 53 to any
        ${fwcmd} add pass udp from ${dns2} 53 to any

        # SMB - Allow local traffic
        ${fwcmd} add pass udp from any to any 137-139 via ${iif}

        # SYSLOG - Allow machines on inside net to log to us.
        ${fwcmd} add pass log udp from any to any 514 via ${iif}

        # NTP - Allow queries out in the world
        ${fwcmd} add pass udp from any 123 to any 123 via ${oif}
        ${fwcmd} add pass udp from any 123 to any via ${iif}
        ${fwcmd} add pass udp from any to any 123 via ${iif}

        # TRACEROUTE - Allow outgoing
        ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

        ### ICMP RULES

        # ICMP packets
        # Allow all ICMP packets on internal interface
        ${fwcmd} add pass icmp from any to any via ${iif}

        # Allow outgoing pings
        ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
        ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

        # Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Header
        ${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

        # Deny the rest of them
        ${fwcmd} add deny icmp from any to any

        ### MISCELLANEOUS REJECT RULES

        # Reject broadcasts from outside interface
        ${fwcmd} add 63000 deny ip from any to 0.0.0.255:0.0.0.255 in via ${oif}

        # Reject&Log SMB connections on outside interface
        ${fwcmd} add 64000 deny log udp from any to any 137-139 via ${oif}

        # Reject&Log all other connections from outside interface
        ${fwcmd} add 65000 deny log ip from any to any via ${oif}

        # Everything else is denied by default, unless the
        # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel

    Load the new firewall rules:
        # sh /etc/rc.ipfw
    Be sure to do this from the console!
    Note: You can reload the firewall rules over a network connection (telnet,
    ssh) by running the command in the background:
        # sh /etc/rc.ipfw &
    > On Sun, Oct 12, 2003 at 06:16:34PM -0700, Sean Noonan wrote:
    >> Hi Folks,
    >>
    >> I've used NAT with FreeBSD for years now, but recently had to change my
    >> ISP.  My new ISP, SBC, uses PPPoE (yuck).  I've finally got PPPoE working,
    >> but am having a heck of a time getting NAT to work with it.  I'm tracking
    >> STABLE and cvsup'd, etc, about two weeks ago to 4.9-PRERELEASE.  Here's my
    >> config:
    >>
    > It's my experience that it's best if you have some external hardware
    > that handles this. My provider uses PPTP but my ADSL modem handles this
    > and routes all the packets to me.
    >
    > --
    > Alex
    >
    > Articles based on solutions that I use:
    > http://www.kruijff.org/alex/index.php?dir=docs/FreeBSD/
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
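As an added example (not part of this message or of either HOWTO it quotes), the following Python script audits `ipfw list` output for three of the points the cheat sheet makes: a catch-all allow rule (what firewall_type="open" installs), a missing anti-spoofing rule for the inside network on the outside interface, and the placement of the natd divert rule relative to the "deny ... to" and "deny ... from" RFC 1918/bogon rules, for the reason the rc.ipfw comment gives. The interface name dc0 and the inside network 10.20.155.0/24 are the cheat sheet's own assumptions; the rulesets are constructed samples (the open one mirrors the `ipfw list` output shown above), and the function and variable names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Ranges the rc.ipfw script above denies on the outside interface.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
    "169.254.0.0/16", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4")]
# `ipfw list` line: num action [log] [port] proto from SRC [ports] to DST [ports] opts
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>\w+)(?:\s+log(?:\s+logamount\s+\d+)?)?"
    r"(?:\s+\d+)?\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)(?:\s+[\d,-]+)?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+[\d,-]+)?(?P<opts>.*)$")

@dataclass
class Rule:
    num: int
    action: str
    proto: str
    src: str
    dst: str
    opts: List[str]      # trailing keywords, e.g. ["in", "via", "dc0", "setup"]
    via: Optional[str]   # interface named after via/xmit/recv, if any

def parse_ruleset(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        opts = m["opts"].split()
        via = next((opts[i + 1] for i, tok in enumerate(opts[:-1])
                    if tok in ("via", "xmit", "recv")), None)
        rules.append(Rule(int(m["num"]), m["action"], m["proto"], m["src"],
                          m["dst"], opts, via))
    rules.sort(key=lambda r: r.num)  # ipfw evaluates rules in number order
    return rules

def _net(spec: str) -> Optional[ipaddress.IPv4Network]:
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:  # "any", "me", or ipfw's addr:mask form
        return None

def _blocked(spec: str) -> bool:
    net = _net(spec)
    return net is not None and any(net.subnet_of(b) for b in BLOCKED_NETS)

def audit(ruleset: str, oif: str, inside_net: str) -> List[str]:
    rules = parse_ruleset(ruleset)
    findings: List[str] = []
    # 1. A bare "allow ip from any to any" is what firewall_type="open" installs.
    for r in rules:
        if (r.action in ("allow", "pass", "accept") and r.proto in ("ip", "all")
                and r.src == "any" and r.dst == "any" and not r.opts):
            findings.append(f"rule {r.num} allows everything (open firewall)")
    # 2. Anti-spoofing: inside addresses must never arrive on the outside NIC.
    if not any(r.action == "deny" and r.via == oif and "in" in r.opts
               and _net(r.src) == _net(inside_net) for r in rules):
        findings.append(f"no rule denies {inside_net} in via {oif} (spoofing)")
    # 3. natd rewrites at the divert rule: "deny to <bogon>" must precede it,
    #    "deny from <bogon>" must follow it (the reason the script comment gives).
    dpos = next((i for i, r in enumerate(rules)
                 if r.action == "divert" and r.via == oif), None)
    if dpos is None:
        return findings + [f"no divert natd rule on {oif}"]
    for pos, r in enumerate(rules):
        if r.action != "deny" or r.via != oif:
            continue
        if _blocked(r.dst) and "out" not in r.opts and pos > dpos:
            findings.append(f"rule {r.num} (deny to {r.dst}) follows the divert "
                            "rule: translated inbound packets would be dropped")
        if _blocked(r.src) and "in" not in r.opts and pos < dpos:
            findings.append(f"rule {r.num} (deny from {r.src}) precedes the "
                            "divert rule: untranslated outbound packets dropped")
    return findings

# Constructed samples (not captured from a real host).  OPEN mirrors the
# "ipfw list" output shown above; TIGHT follows the rc.ipfw ordering.
OPEN_RULESET = """
00100 divert 8668 ip from any to any via dc0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
"""
TIGHT_RULESET = """
00200 deny ip from 10.20.155.0/24 to any in via dc0
00300 deny ip from any to 10.0.0.0/8 via dc0
00400 divert 8668 ip from any to any via dc0
00500 deny ip from 10.0.0.0/8 to any via dc0
65000 deny log ip from any to any via dc0
"""
# Same rules with the divert renumbered ahead of the "deny to 10/8" check.
MISORDERED_RULESET = TIGHT_RULESET.replace("00300 deny", "00400 deny").replace(
    "00400 divert", "00300 divert")

if __name__ == "__main__":
    print(audit(MISORDERED_RULESET, "dc0", "10.20.155.0/24"))
```

Paste real `ipfw list` output into a string and call audit() with your outside interface and inside network; an empty list means the three checks passed. The parser only understands the rule syntax used on this page (no sets, tables or keep-state), so an "unparsable rule" error is a prompt to extend RULE_RE, not a finding.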
    
