TDC ADSL PPPoE router in FreeBSD (with firewall (ipfw) and routing (natd))

To run a router it is recommended that the machine has two NICs: one facing the ADSL modem (the PPPoE link) and one facing the LAN. Remember to configure the LAN NIC in /etc/rc.conf.

Kernel

First your kernel needs some options:

    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_FORWARD
    options IPDIVERT
    options DUMMYNET
    options NETGRAPH
    options NETGRAPH_ETHER
    options NETGRAPH_PPPOE
    options NETGRAPH_SOCKET

I don't know if they are all necessary, but use them if in doubt. It works for me. The ones this setup actually depends on are IPFIREWALL and IPDIVERT (ipfw itself and the divert socket natd reads from) and the four NETGRAPH options (ppp's PPPoE device is built on netgraph). Two things to be aware of: IPFIREWALL_DEFAULT_TO_ACCEPT turns the built-in rule 65535 into an "allow", so if the firewall script fails to load or stops half way, everything is let through, which is why the script further down ends with its own deny rule; and since that final rule logs, IPFIREWALL_VERBOSE_LIMIT=n (for example 100) caps how many packets per rule are logged, so a port scan does not fill /var/log/messages.

/etc/ppp/ppp.conf

Now you need to edit /etc/ppp/ppp.conf to look like this:

    default:
     set log Phase Chat IPCP CCP tun command
     set redial 15 28800
     set reconnect 15 28800

    tdc:
     set device PPPoE:rl0:
     disable acfcomp protocomp
     deny acfcomp
     set mtu max 1492
     set speed sync
     enable lqr
     set lqrperiod 5
     set cd 5
     set dial
     set login
     set timeout 0
     set authname USERNAME
     set authkey PASSWORD
     add! default HISADDR
     enable dns
     enable mssfixup

Remember to change the device in the line "set device PPPoE:rl0:". I use a Realtek 8139 based NIC for my connection, therefore the "rl0". Replace USERNAME and PASSWORD with the login TDC gave you. The file holds that password in clear text, so make sure only root can read it (chmod 600 /etc/ppp/ppp.conf).

/etc/rc.conf

So, the kernel and ppp.conf have been configured; now we need to change/add some things in /etc/rc.conf so the connection comes up when booting:

    ifconfig_rl0="up"
    ppp_mode="ddial"
    ppp_profile="tdc"
    ppp_enable="YES"

Remember to change the "ifconfig_rl0="up"" line if your NIC is not rl0. The NIC carrying PPPoE gets no IP address of its own; it only needs to be up. The PPP link itself shows up as tun0, which is the interface the rest of this page refers to as the external one.

To share the connection the next lines should be added to rc.conf too:

    gateway_enable="YES"      # Forward packets between the interfaces
    natd_enable="YES"         # Run natd
    natd_flags="-dynamic"     # Follow tun0's address, which changes on every reconnect
    natd_interface="tun0"     # Interface to NAT on
    ppp_nat="NO"              # Make sure ppp doesn't NAT as well (natd does it)

If you want a firewall (yes, you do!) the next lines should also be added to /etc/rc.conf:

    firewall_enable="YES"
    firewall_script="/etc/ipfw.sh"

Change "firewall_script="/etc/ipfw.sh"" to the path of your own firewall script; it replaces the stock /etc/rc.firewall. Now the firewall script itself has to be written.
Firewall script

Here's an example of my firewall script:

    #!/bin/sh

    ### Variables: ###
    # Let's start with defining some variables:

    # Internal NIC:
    INT_NIC="xl0"
    # External NIC (the PPP link):
    EXT_NIC="tun0"
    # Path to the ipfw binary:
    FWBIN="/sbin/ipfw"

    ### The script: ###

    # Flush all rules:
    $FWBIN -f flush

    # Hand every packet on the external interface to natd. This has to be the
    # first rule: inbound packets are translated before the rules below see
    # them, and outbound packets are translated before they are filtered.
    $FWBIN add divert natd all from any to any via $EXT_NIC

    # Let's allow everything through localhost and the internal NIC.
    $FWBIN add allow ip from any to any via lo0
    $FWBIN add allow ip from any to any via $INT_NIC

    # Let's allow all connections that the internal network creates.
    # Note: by the time this rule is evaluated natd has already rewritten the
    # source address to the tun0 address, so the 192.168.0.0/24 rule never
    # matches. The "from me" rule is what lets LAN traffic out, and the
    # "established" rule below is what lets the replies back in.
    $FWBIN add allow tcp from 192.168.0.0/24 to any out via $EXT_NIC keep-state
    $FWBIN add allow tcp from me to any out via $EXT_NIC

    # Let's allow all ICMP:
    $FWBIN add allow icmp from any to any via $EXT_NIC

    # Let's allow all established connections.
    # Caveat: "established" matches any TCP packet with the ACK bit set, not
    # only packets of connections this box started, so the per-port rules
    # below only control the SYN that opens a new inbound connection.
    $FWBIN add allow tcp from any to any established

    # Block filesharing (NetBIOS and SMB):
    $FWBIN add deny tcp from any to me 135-139 in via $EXT_NIC
    $FWBIN add deny udp from any to me 135-139 in via $EXT_NIC
    $FWBIN add deny tcp from any to me 445 in via $EXT_NIC
    $FWBIN add deny udp from any to me 445 in via $EXT_NIC

    # Allow all UDP packets.
    # Caveat: this opens every UDP service on the router to the Internet,
    # not only replies to its own queries; the only exceptions are the
    # NetBIOS/SMB ports denied above.
    $FWBIN add allow udp from any to any

    # Ports which should be allowed through the $EXT_NIC to the server:
    $FWBIN add allow tcp from any to me 21 in via $EXT_NIC setup
    $FWBIN add allow tcp from any to me 22 in via $EXT_NIC setup
    $FWBIN add allow tcp from any to me 25 in via $EXT_NIC setup
    $FWBIN add allow tcp from any to me 80 in via $EXT_NIC setup
    $FWBIN add allow tcp from any to me 113 in via $EXT_NIC setup
    $FWBIN add allow tcp from any to me 1243 in via $EXT_NIC setup
    $FWBIN add allow tcp from any to me 6667-6669 in via $EXT_NIC setup
    $FWBIN add allow tcp from any to me 49100-65535 in via $EXT_NIC setup

    # Ports which should be forwarded to another box on the LAN:

    # Deny the rest:
    $FWBIN add 65000 deny log ip from any to any

Remember to change things in this firewall script to match your configuration: the interface names, the LAN network and the list of ports that are open on the router. Everything not opened explicitly is dropped and logged by the last rule. If everything is OK, you should be ready to reboot.
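The script above relies on "established" and "allow udp from any to any" to let replies back in, which is also what lets in any ACK-flagged or UDP packet from the Internet. The following is an added example, not the page author's script, of the same router done with ipfw's stateful rules (keep-state/check-state, available since FreeBSD 4.x) arranged so that they work together with natd. It assumes the same interface names (tun0 outside, xl0 inside), the LAN 192.168.0.0/24, that only ports 22, 25 and 80 are open on the router itself, and one port forward to a hypothetical LAN host 192.168.0.10, for which natd must be started with a -redirect_port flag as shown in the comments. The ordering is the important part: inbound packets are NATed before filtering, outbound packets are NATed after state has been recorded, which is done by letting the outbound rules "skipto 800" rather than "allow".

```sh
#!/bin/sh
# Added example (not the page author's script): a stateful ipfw + natd ruleset
# for the same router, PPPoE on tun0 and the LAN on xl0. The interface names,
# the LAN prefix, the router services and the forwarded host 192.168.0.10 are
# assumptions; change them to match your setup.
#
# Why the ordering looks the way it does (it matters when natd and keep-state
# are combined):
#   1. inbound packets are handed to natd first, so every later rule and the
#      dynamic state table see the private (pre-NAT) addresses;
#   2. outbound traffic is allowed with keep-state and "skipto 800", where it
#      is handed to natd on its way out, so state is created before NAT and
#      replies are matched after NAT;
#   3. no "established" rule (it matches any packet with ACK set) and no
#      "allow udp from any to any".
#
# For the port forward natd has to rewrite the destination, e.g. in rc.conf:
#   natd_flags="-dynamic -redirect_port tcp 192.168.0.10:80 80"

INT_NIC="${INT_NIC:-xl0}"
EXT_NIC="${EXT_NIC:-tun0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
FWD_HOST="${FWD_HOST:-192.168.0.10}"
FWBIN="${FWBIN:-/sbin/ipfw}"
ROUTER_TCP_PORTS="22 25 80"   # services on the router reachable from the Internet

# Dry run: print each rule instead of loading it (used when ipfw is absent).
print_rule() { printf '%s\n' "$*"; }

load_rules() {
    $FWBIN -f flush

    # 1. NAT inbound packets before any filtering.
    $FWBIN add 100 divert natd ip from any to any in via "$EXT_NIC"

    # Loopback and the LAN side are trusted.
    $FWBIN add 110 allow ip from any to any via lo0
    $FWBIN add 120 allow ip from any to any via "$INT_NIC"

    # Packets from the Internet claiming a LAN or loopback source are spoofed.
    $FWBIN add 130 deny log ip from "$LAN_NET" to any in via "$EXT_NIC"
    $FWBIN add 131 deny log ip from 127.0.0.0/8 to any in via "$EXT_NIC"

    # Packets of a known flow take the action of the rule that created the
    # state entry (allow or skipto 800, see below).
    $FWBIN add 200 check-state

    # 2. New outbound flows from the LAN and from the router itself.
    for src in "$LAN_NET" me; do
        $FWBIN add 300 skipto 800 tcp from "$src" to any out via "$EXT_NIC" setup keep-state
        $FWBIN add 301 skipto 800 udp from "$src" to any out via "$EXT_NIC" keep-state
        $FWBIN add 302 skipto 800 icmp from "$src" to any out via "$EXT_NIC" keep-state
    done

    # Inbound to the router: new connections to the listed services only. Their
    # replies already carry the public address, need no NAT, and can simply be
    # allowed by the state entry.
    for port in $ROUTER_TCP_PORTS; do
        $FWBIN add 400 allow tcp from any to me "$port" in via "$EXT_NIC" setup keep-state
    done
    # Echo reply, destination unreachable (path MTU discovery) and time exceeded.
    $FWBIN add 410 allow icmp from any to any in via "$EXT_NIC" icmptypes 0,3,11

    # Port forward: natd has already rewritten the destination to the LAN host.
    # Replies from that host carry its private address and must pass natd at
    # 800 on the way out, so the state entry is created by a skipto, not an allow.
    $FWBIN add 420 skipto 800 tcp from any to "$FWD_HOST" 80 in via "$EXT_NIC" setup keep-state

    # Everything else arriving from the Internet is dropped and logged.
    $FWBIN add 500 deny log ip from any to any in via "$EXT_NIC"
    # Outbound packets that did not create state above are dropped as well.
    $FWBIN add 700 deny log ip from any to any out via "$EXT_NIC"

    # 3. Outbound NAT; inbound packets that arrive here via skipto are allowed.
    $FWBIN add 800 divert natd ip from any to any out via "$EXT_NIC"
    $FWBIN add 801 allow ip from any to any

    $FWBIN add 65000 deny log ip from any to any
}

# Load the rules when run as the firewall_script; on a machine without
# /sbin/ipfw just print them, so the ruleset can be reviewed anywhere.
[ -x "$FWBIN" ] || FWBIN=print_rule
load_rules
```

Run it with FWBIN=print_rule to see the rules without touching the live firewall, and compare with "ipfw -d list" after loading it: the "-d" shows the dynamic entries, and each LAN flow should appear there with its private address, which is what tells you the divert/keep-state ordering is right.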