Date: Thu, 6 Apr 2006 19:28:52 +0100 From: "Nick Stenning" <nickstenning@gmail.com> To: freebsd-questions@freebsd.org Subject: NAT, VPN and other SOHO router advice Message-ID: <c7eef7920604061128j2703048u1fbf229a93758c91@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Dear all,
I'm currently in the process of jiggling around my SOHO router and a
FreeBSD box that I'd like to make more of a router. As it stands
currently, the setup is something like this (I hope you've reading
this in monospace or it's gonna be a like reading a circuit diagram on
a rollercoaster)
( ....................... )
(( Ye bigge badde interweb ))
( ....................... )
||
||
+------------+
| Vigor 2600 | [10.0.0.2]
+------------+
| | +------+
| | ** | |
rl1 | +---------------| S |-----...
+-----+ | W |
| F | | I |-----...
| B | | T |-----... The LAN!
| S | rl0 | C | [10.0.0.0/24]
| D |-------------------| H |-----...
| | | |
| | | |-----...
+-----+ +------+
[10.0.0.1]
Now, the more experiencef of you will immediately notice something is
wrong ... yes, that's right, the cable marked with the ** shouldn't
really be there. In fact, my syslog really wants me to know that
something's wrong:
Apr 6 19:04:22 phoenix kernel: arp: 10.0.0.2 is on rl0 but got reply
from 00:53:7f:74:f4:f3 on rl1
Now, I'm well aware of why that's happening, and I mostly know how to
fix it, but I need a little help with a few remaining issues.
First, NAT'ing. Currently the Vigor router (10.0.0.2) is the default
router for the network, as specified by the FBSD box's DHCP server. If
I disconnect the cable I want to disconnect, however, obviously the
FBSD box will have to be the router. Now, I've recompiled my kernel
with all the relevant options, and I've got an extensive firewall
script (ipfw). I've also got the following in my rc.conf:
firewall_enable=3D"YES"
firewall_script=3D"/etc/ipfw.rules"
firewall_logging=3D"YES"
natd_enable=3D"YES"
natd_interface=3D"rl1"
gateway_enable=3D"YES"
rl1, by the way, has a public IP block on it, and the vigor router has
one of these, let's call it xx.yy.zz.201. On the FBSD box (in rc.conf)
we have:
defaultrouter=3D"xx.yy.zz.201"
ifconfig_rl0=3D"inet 10.0.0.1 netmask 255.255.255.0"
ifconfig_rl1=3D"inet xx.yy.zz.202 netmask 255.255.255.248"
ifconfig_rl1_alias0=3D"xx.yy.zz.203/29"
...
So, really, the question for this bit of the email is .. what else do
I need to get my FBSD box acting as a router for the machines on the
LAN? .. I assume I'd need an IPFW divert rule to set up all the
NATing, but I'm unsure what that should be, and whether it would come
before or after all the protective stuff in the firewall script etc
etc.
------
The second part of the question is perhaps slightly more complex. The
Vigor router has set up on it a LAN-to-LAN PPTP VPN (enough acronyms
for you?) to an office elsewhere. As it stands currently, machines on
the LAN can access (ping/SMB shares) a class C subnet, 192.168.1.0/24
via this VPN connecion on the Vigor router. Also, machines at the
other end of the VPN, in the office, can access machines at this end
of the VPN, on the LAN (the other class C: 10.0.0.0/24)
The question is, what IPFW divert rules and other whizbangery do I
need to set up so that I can disconnect that cable marked ** and have
all the VPN stuff keep working. If at all possible, I'd rather not
move the management of the VPN onto the FBSD box.
------
OK. So that's that. I appreciate any and all responses, and if anyone
needs any more information I will be happy to provide it ... so long
as it's not my root password ... actually, come to think of it, that
wouldn't help unless you were sitting next to me, but nevermind...
Regards,
Nick Stenning
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c7eef7920604061128j2703048u1fbf229a93758c91>