PPPoE router (natd) in FreeBSD

TDC ADSL PPPoE router in FreeBSD (with firewall (ipfw) and routing (natd))


  To run a router it's recommended that the router has two NICs.
  Remember to configure the LAN-NIC in /etc/rc.conf



  First your kernel needs some options:

options   IPFIREWALL
options   IPFIREWALL_VERBOSE
options   IPFIREWALL_DEFAULT_TO_ACCEPT
options   IPFIREWALL_FORWARD

options   IPDIVERT
options   DUMMYNET

options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET


  I don't know if they are all necessary, but use them if in doubt. It works for me.

  Now you need to edit your /etc/ppp/ppp.conf to look like this:

default:
 set log Phase Chat IPCP CCP tun command
 set redial 15 28800
 set reconnect 15 28800

tdc:
 set device PPPoE:rl0:
 disable acfcomp protocomp
 deny acfcomp
 set mtu max 1492
 set speed sync
 enable lqr
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 set authname USERNAME
 set authkey PASSWORD
 add! default HISADDR
 enable dns
 enable mssfixup


  Remember to change the device in the line "set device PPPoE:rl0:".
  I use a Realtek 8139 based NIC for my connection, therefore the "rl0".

  So, the kernel and ppp.conf have been configured, now we need to change/add
  some stuff in /etc/rc.conf so the connection will be up and running when booting:

ifconfig_rl0="up"
ppp_mode="ddial"
ppp_profile="tdc"
ppp_enable="YES"

  Remember to change the "ifconfig_rl0="up"" if needed.

  To share the connection the next lines should be added to rc.conf too:

gateway_enable="YES"			# Activate gateway
natd_enable="YES"                       # Activate natd
natd_flags="-dynamic"			# flags for the natd command
natd_interface="tun0"                   # Interface to nat on
ppp_nat="NO"				# Make sure that ppp doesn't nat


  If you want a firewall (yes you do!) the next lines should also be added to /etc/rc.conf:

firewall_enable="YES"
firewall_script="/etc/ipfw.sh"


  Change "firewall_script="/etc/ipfw.sh"" to your own firewall script.

  Now the firewall script should be made. Here's an example of my firewall script:

#!/bin/sh
### Variables: ###
# Let's start with defining some variables:

# Internal NIC:
 INT_NIC="xl0"

# External NIC (the PPPoE tunnel, same as natd_interface in rc.conf):
 EXT_NIC="tun0"

# Link to ipfw-binary:
 FWBIN="/sbin/ipfw"

### The script: ###

# Flush all rules:
 $FWBIN -f flush

# Hand every packet crossing the external NIC to natd (the divert socket):
 $FWBIN add divert natd all from any to any via $EXT_NIC

# Let's allow everything through localhost and the internal NIC.
 $FWBIN add allow ip from any to any via lo0
 $FWBIN add allow ip from any to any via $INT_NIC

# Let's allow all connections that the internal network creates:
 $FWBIN add allow tcp from 192.168.0.0/24 to any out via $EXT_NIC keep-state
 $FWBIN add allow tcp from me to any out via $EXT_NIC

# Let's allow all ICMP-thingies:
 $FWBIN add allow icmp from any to any via $EXT_NIC

# Let's allow all established connections:
 $FWBIN add allow tcp from any to any established

# Block filesharing (these denies must come before the "allow udp" rule below,
# since ipfw uses the first matching rule):
 $FWBIN add deny tcp from any to me 135-139 in via $EXT_NIC
 $FWBIN add deny udp from any to me 135-139 in via $EXT_NIC
 $FWBIN add deny tcp from any to me 445 in via $EXT_NIC
 $FWBIN add deny udp from any to me 445 in via $EXT_NIC

# Allow all udp-packets:
 $FWBIN add allow udp from any to any

# Ports which should be allowed through the $EXT_NIC to the server:
 $FWBIN add allow tcp from any to me 21 in via $EXT_NIC setup
 $FWBIN add allow tcp from any to me 22 in via $EXT_NIC setup
 $FWBIN add allow tcp from any to me 25 in via $EXT_NIC setup
 $FWBIN add allow tcp from any to me 80 in via $EXT_NIC setup
 $FWBIN add allow tcp from any to me 113 in via $EXT_NIC setup
 $FWBIN add allow tcp from any to me 1243 in via $EXT_NIC setup
 $FWBIN add allow tcp from any to me 6667-6669 in via $EXT_NIC setup
 $FWBIN add allow tcp from any to me 49100-65535 in via $EXT_NIC setup

# Ports which should be forwarded to another box on the LAN:

# Deny the rest:
 $FWBIN add 65000 deny log ip from any to any



  Remember to change stuff in this firewall script to match your configuration.
  If everything is OK, you should be ready to reboot.
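  Because ipfw is first-match, a reordered rule (for example the blanket "allow udp"
  slipping above the filesharing denies) silently changes what the firewall does,
  and with IPFIREWALL_DEFAULT_TO_ACCEPT a script that aborts halfway leaves the box
  open. The script below is an added example, not the original post's firewall
  script: it generates the same kind of rule set from variables, checks the ordering
  invariants before loading, and offers a dry-run. INT_NIC, EXT_NIC and LAN_NET are
  assumed example values, and only ports 22 and 80 are kept from the list above.

```shell
#!/bin/sh
# Added example (not the original post's script): build the ipfw rule set from
# variables, verify its ordering, and load it only if the checks pass.
# Assumed example values; adjust INT_NIC, EXT_NIC and LAN_NET to your own box.

INT_NIC="${INT_NIC:-xl0}"            # LAN-side NIC
EXT_NIC="${EXT_NIC:-tun0}"           # PPPoE tunnel (natd_interface in rc.conf)
LAN_NET="${LAN_NET:-192.168.0.0/24}" # internal network
FWBIN="${FWBIN:-/sbin/ipfw}"

# Print the rules, one "add ..." command per line, in first-match order.
rules() {
    cat <<EOF
add divert natd all from any to any via $EXT_NIC
add allow ip from any to any via lo0
add allow ip from any to any via $INT_NIC
add allow tcp from $LAN_NET to any out via $EXT_NIC keep-state
add allow tcp from me to any out via $EXT_NIC
add allow icmp from any to any via $EXT_NIC
add allow tcp from any to any established
add deny tcp from any to me 135-139 in via $EXT_NIC
add deny udp from any to me 135-139 in via $EXT_NIC
add deny tcp from any to me 445 in via $EXT_NIC
add deny udp from any to me 445 in via $EXT_NIC
add allow udp from any to any
add allow tcp from any to me 22 in via $EXT_NIC setup
add allow tcp from any to me 80 in via $EXT_NIC setup
add 65000 deny log ip from any to any
EOF
}

# Ordering check: every "deny ... in via $EXT_NIC" rule must sit above the
# blanket "allow udp from any to any", and the catch-all deny must be last.
# Returns 0 when both invariants hold, 1 otherwise.
check_order() {
    ruleset="$(rules)"
    udp_allow_line=$(printf '%s\n' "$ruleset" \
        | grep -n '^add allow udp from any to any$' | cut -d: -f1)
    [ -n "$udp_allow_line" ] || return 1
    last_deny_line=$(printf '%s\n' "$ruleset" \
        | grep -n "^add deny .* in via $EXT_NIC" | cut -d: -f1 | tail -n 1)
    [ -n "$last_deny_line" ] || return 1
    [ "$last_deny_line" -lt "$udp_allow_line" ] || return 1
    printf '%s\n' "$ruleset" | tail -n 1 \
        | grep -q '^add 65000 deny log ip from any to any$' || return 1
    return 0
}

# Number of deny rules in the generated set, for a quick eyeball review.
count_deny() {
    rules | grep -c '^add .*deny '
}

# Flush and load the rules, refusing to touch the kernel if the ordering
# check fails. With DRYRUN=1 the ipfw commands are printed instead of run.
load_rules() {
    check_order || { echo "rule ordering check failed, not loading" >&2; return 1; }
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$FWBIN -f flush"
        rules | sed "s|^|$FWBIN |"
        return 0
    fi
    "$FWBIN" -f flush
    rules | while IFS= read -r line; do
        # word splitting of $line is intended: each word is an ipfw argument
        "$FWBIN" $line
    done
}
```

  Run it with DRYRUN=1 first and read the printed commands; on the router itself,
  "ipfw -n" checks the syntax of a rule without passing it to the kernel, which is a
  cheap extra step before a reboot. The blanket "allow udp from any to any" is kept
  here because the post uses it, but it is the rule a reviewer would narrow first,
  since it admits any UDP service the router happens to listen on.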
