Routing problem

Routing problem

Post by Jess » Wed, 18 Dec 2002 05:16:50



I am trying to implement a FreeBSD firewall on a work LAN which has 2
computers that need to be accessible from the Internet.  One is a domain
controller and DNS server, the other has IIS to host the company site and
runs a mail server.

I have no problems using the reserved internal IP range 192.168.*.* through
NAT and IPFW, but have never had to have the LAN clients accessible from
outside the network before.

The system works fine using 192.168.1.1 on the internal NIC, but when I use
one of the 5 static IPs on the internal NIC, I can no longer access the
internet from the FreeBSD box.

I tried aliasing the external NIC with all the 5 static IPs and used port
and address redirection in rc.conf.  This allowed me to ping the servers,
but the company domain which points to the dns server on the internal ip no
longer resolved.  I was forwarding all 53 requests to the DNS server's
192.168.*.* address.  Not sure if the response was getting out again though.

If the DSL gateway was 222.222.222.220

and I had 222.222.222.221, 222.222.222.222, 222.222.222.223, 222.222.222.224
and 222.222.222.225 as static IPs.  How can I keep the DNS, web and mail
services behind FreeBSD firewall rules yet still available from the
internet?

Is it possible to use a static IP on an internal NIC or must this be a fixed
IP range such as a full class C to work correctly?


Routing problem

Post by Rob MacGregor » Wed, 18 Dec 2002 05:34:03



> I am trying to implement a FreeBSD firewall on a work LAN which has 2
> computers that need to be accessible from the Internet.  One is a domain
> controller and DNS server, the other has IIS to host the company site and
> runs a mail server.

> I have no problems using the reserved internal IP range 192.168.*.* through
> NAT and IPFW, but have never had to have the LAN clients accessible from
> outside the network before.

> The system works fine using 192.168.1.1 on the internal NIC, but when I use
> one of the 5 static IPs on the internal NIC, I can no longer access the
> internet from the FreeBSD box.

> I tried aliasing the external NIC with all the 5 static IPs and used port
> and address redirection in rc.conf.  This allowed me to ping the servers,
> but the company domain which points to the dns server on the internal ip no
> longer resolved.  I was forwarding all 53 requests to the DNS server's
> 192.168.*.* address.  Not sure if the response was getting out again though.

> If the DSL gateway was 222.222.222.220

> and I had 222.222.222.221, 222.222.222.222, 222.222.222.223, 222.222.222.224
> and 222.222.222.225 as static IPs.  How can I keep the DNS, web and mail
> services behind FreeBSD firewall rules yet still available from the
> internet?

> Is it possible to use a static IP on an internal NIC or must this be a fixed
> IP range such as a full class C to work correctly?

Ok, configure the external interface with the 5 static IP addresses.  Then
configure IPFW/NAT to forward requests to those addresses (on specified ports
only!) to the Windows boxes inside as appropriate.  You may want to do that on
both the internal and external interfaces.

Oh, you *REALLY* should host such services from a DMZ, not your internal
network.  You should also be *VERY* careful about hosting Internet facing
services on a domain controller.  Those servers shouldn't be part of your
domain, let alone domain controllers.

--
  Rob MacGregor (MCSE)
      The light at the end of the tunnel is an oncoming dragon.


Routing problem

Post by Jess » Wed, 18 Dec 2002 07:57:18


Thanks for the advice.

DMZ does seem the better option, as I don't really have any other machines
needing internet access on the LAN; I was hoping it was possible to simply add
the external IP on the inside interface.

How would this work?

defaultrouter="222.222.222.220"    # rc.conf knob is defaultrouter, not default_router
ifconfig_rl0="inet 192.168.1.1 netmask 255.255.255.0"        # Internal LAN
ifconfig_rl1="inet 222.222.222.221 netmask 255.255.255.248"  # External interface
ifconfig_rl2="inet 222.222.222.222 netmask 255.255.255.248"  # DMZ

These rules work with the first 2 cards to open the firewall:
ipfw -q flush
ipfw add divert 8668 all from any to any via rl1
ipfw add allow all from any to any

With the DMZ can something like this work or would you recommend another
method, such as bridging, routing or is IPFILTER a better choice for this?
ipfw -q flush
ipfw add divert 8668 all from not 222.222.222.222:255.255.255.248 to not 222.222.222.222:255.255.255.248 via rl1
ipfw add allow all from any to any

If you know any urls on how to set this up it would be a great help.  What
little I can find seems to be more geared for IPFILTER than IPFW.



> > I am trying to implement a FreeBSD firewall on a work LAN which has 2
> > computers that need to be accessible from the Internet.  One is a domain
> > controller and DNS server, the other has IIS to host the company site and
> > runs a mail server.

> > I have no problems using the reserved internal IP range 192.168.*.* through
> > NAT and IPFW, but have never had to have the LAN clients accessible from
> > outside the network before.

> > The system works fine using 192.168.1.1 on the internal NIC, but when I use
> > one of the 5 static IPs on the internal NIC, I can no longer access the
> > internet from the FreeBSD box.

> > I tried aliasing the external NIC with all the 5 static IPs and used port
> > and address redirection in rc.conf.  This allowed me to ping the servers,
> > but the company domain which points to the dns server on the internal ip no
> > longer resolved.  I was forwarding all 53 requests to the DNS server's
> > 192.168.*.* address.  Not sure if the response was getting out again though.

> > If the DSL gateway was 222.222.222.220

> > and I had 222.222.222.221, 222.222.222.222, 222.222.222.223, 222.222.222.224
> > and 222.222.222.225 as static IPs.  How can I keep the DNS, web and mail
> > services behind FreeBSD firewall rules yet still available from the
> > internet?

> > Is it possible to use a static IP on an internal NIC or must this be a fixed
> > IP range such as a full class C to work correctly?

> Ok, configure the external interface with the 5 static IP addresses.  Then
> configure IPFW/NAT to forward requests to those addresses (on specified ports
> only!) to the Windows boxes inside as appropriate.  You may want to do that on
> both the internal and external interfaces.

> Oh, you *REALLY* should host such services from a DMZ, not your internal
> network.  You should also be *VERY* careful about hosting Internet facing
> services on a domain controller.  Those servers shouldn't be part of your
> domain, let alone domain controllers.

> --
>   Rob MacGregor (MCSE)
>       The light at the end of the tunnel is an oncoming dragon.


Routing problem

Post by Rob MacGregor » Wed, 18 Dec 2002 16:40:02



> Thanks for the advice.

> DMZ does seem the better option, as I dont really have any other machines
> needing internet access on the Lan, was hoping it was possible to simply add
> the external IP on the inside interface.

> How would this work?

> defaultrouter="222.222.222.220"    # rc.conf knob is defaultrouter, not default_router
> ifconfig_rl0="inet 192.168.1.1 netmask 255.255.255.0"        # Internal LAN
> ifconfig_rl1="inet 222.222.222.221 netmask 255.255.255.248"  # External interface
> ifconfig_rl2="inet 222.222.222.222 netmask 255.255.255.248"  # DMZ

Without a diagram I can't really say for certain, knowing the real IPs would
help too.  Even if you mangle the first 2 octets (or even the first 3) it
allows people to check you've got your routing and netmasks right :-)

However, I don't think the above would work.  What you probably want is:

ROUTER (222.222.222.220/29)
   |
   |
   | rl1 (222.222.222.221/29, .222/29, .223/29, .224/29, .225/29)
-------
FreeBSD ----- DMZ
-------  rl2 (192.168.254.1/24)
   | rl0 (192.168.1.1/24)
   |
   |
  LAN

> If you know any urls on how to set this up it would be a great help.  What
> little I can find seems to be more geared for IPFILTER than IPFW.

'Fraid I've never played with IPFW, I'm an IPFilter fan (in part because it's
not purely a FreeBSD thing).  No reason I know of that IPFW won't do what you're
after.

--
  Rob MacGregor (MCSE)
      The light at the end of the tunnel is an oncoming dragon.
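
Rob's two replies taken together (forward to the public addresses on specified ports only, and the three-interface layout in the diagram), as an added example that is not from the thread: a POSIX shell script that emits the rc.conf, natd.conf and ipfw fragments for that layout. The DMZ host addresses 192.168.254.10 and .11, the exposed ports, the rule numbers and the file names /etc/natd.conf and /etc/ipfw.sh are assumptions; the interface names rl0/rl1/rl2, the /29 block and natd's divert port 8668 come from the thread. It also bakes in the alias netmask point Jess reports later in the thread (an alias inside the primary address's subnet needs 255.255.255.255) and denies the DMZ from initiating connections into the LAN, which is the reason Rob gives for wanting a DMZ at all.

```shell
#!/bin/sh
# Added example, not from the thread: generate rc.conf, natd.conf and ipfw
# fragments for the three-interface layout in Rob's diagram.  DMZ host
# addresses, ports, rule numbers and file names are constructed assumptions.

EXT_IF="rl1"                     # rl1: external, carries the /29 block
DMZ_IF="rl2"                     # rl2: DMZ, 192.168.254.0/24
LAN_IF="rl0"                     # rl0: internal LAN, 192.168.1.0/24
EXT_PRIMARY="222.222.222.221"    # primary address on rl1 (from the thread)
NATD_PORT="8668"                 # divert port natd listens on (from the thread)

# Constructed service table: "public address:DMZ host:protocol:port".
# Only these ports are redirected; nothing else ever reaches the DMZ hosts.
SERVICES="
222.222.222.222:192.168.254.10:udp:53
222.222.222.222:192.168.254.10:tcp:53
222.222.222.223:192.168.254.11:tcp:80
222.222.222.223:192.168.254.11:tcp:25
"

# Call "$1" once per table row with the four fields, skipping blank lines.
each_service() {
    printf '%s\n' "$SERVICES" | while IFS=: read -r pub host proto port; do
        [ -n "$pub" ] && "$1" "$pub" "$host" "$proto" "$port"
    done
}

# rc.conf: extra public addresses become aliases on the external NIC.  An
# alias in the same subnet as the primary address must use netmask
# 255.255.255.255; reusing the /29 mask is the error Jess ran into.
rc_conf() {
    printf 'gateway_enable="YES"\n'
    printf 'defaultrouter="222.222.222.220"\n'
    printf 'ifconfig_%s="inet %s netmask 255.255.255.248"\n' "$EXT_IF" "$EXT_PRIMARY"
    n=0
    for a in $(printf '%s\n' "$SERVICES" | cut -d: -f1 | sed '/^$/d' | sort -u); do
        [ "$a" = "$EXT_PRIMARY" ] && continue
        printf 'ifconfig_%s_alias%d="inet %s netmask 255.255.255.255"\n' "$EXT_IF" "$n" "$a"
        n=$((n + 1))
    done
    printf 'ifconfig_%s="inet 192.168.254.1 netmask 255.255.255.0"\n' "$DMZ_IF"
    printf 'ifconfig_%s="inet 192.168.1.1 netmask 255.255.255.0"\n' "$LAN_IF"
    printf 'natd_enable="YES"\nnatd_interface="%s"\nnatd_flags="-f /etc/natd.conf"\n' "$EXT_IF"
    printf 'firewall_enable="YES"\nfirewall_script="/etc/ipfw.sh"\n'
}

# natd.conf: one redirect_port per exposed port and nothing else; outbound
# traffic from LAN and DMZ is masqueraded behind the primary address.
emit_redirect() { printf 'redirect_port %s %s:%s %s:%s\n' "$3" "$2" "$4" "$1" "$4"; }
natd_conf() {
    printf 'interface %s\nuse_sockets yes\nsame_ports yes\n' "$EXT_IF"
    each_service emit_redirect
}

# Per-service ingress rules on the external interface.  They match on the
# DMZ address because natd has already rewritten the destination by the
# time the packet is reinjected after the divert rule.
emit_service_rule() {
    if [ "$3" = tcp ]; then
        printf 'ipfw add 1000 allow tcp from any to %s %s setup in via %s keep-state\n' "$2" "$4" "$EXT_IF"
    else
        printf 'ipfw add 1000 allow udp from any to %s %s in via %s keep-state\n' "$2" "$4" "$EXT_IF"
    fi
}

# Rule set as a shell script (/etc/ipfw.sh).  Policy is enforced where a
# packet enters an interface; everything leaving is allowed (rule 300), and
# replies are matched by check-state against the keep-state rules.
ipfw_rules() {
    cat <<EOF
ipfw -q flush
ipfw add 100 allow all from any to any via lo0
ipfw add 110 deny all from any to 127.0.0.0/8
ipfw add 120 deny log all from 192.168.0.0/16 to any in via $EXT_IF
ipfw add 200 divert $NATD_PORT all from any to any via $EXT_IF
ipfw add 210 check-state
ipfw add 300 allow all from any to any out
ipfw add 400 allow all from 192.168.1.0/24 to any in via $LAN_IF keep-state
ipfw add 500 deny log all from 192.168.254.0/24 to 192.168.1.0/24 in via $DMZ_IF
ipfw add 510 allow all from 192.168.254.0/24 to any in via $DMZ_IF keep-state
EOF
    each_service emit_service_rule
    printf 'ipfw add 65000 deny log all from any to any\n'
}
```

Source the script and redirect each function's output to the file it describes. The divert rule sits before check-state on purpose: an inbound packet on rl1 is translated first, so the state lookup and the service rules see the DMZ address natd substituted in, while an outbound packet that has just been masqueraded falls through to the plain allow-out rule. Rule 120 drops anything arriving from outside with a private source address, and rule 500 is the one that makes the DMZ worth having: a compromised server there cannot open connections to the domain controller's LAN.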


Routing problem

Post by Jess » Thu, 19 Dec 2002 04:11:18


Been reading up on this, my problem is not with the ipfw or nat but with the
actual NIC config settings.  When I try to load the nat rules I get an error
saying I didn't provide the aliased address or similar.  My natd command was
fine so the problem is the aliases listed in rc.conf.  I should not have
used the subnet provided for the static IP but apparently should always use
a subnet of 255.255.255.255 when adding an alias.  Will try this again when
I get back to work.

Also came across this though.
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges....
html

Going to try this out tonight on my own home network.

If I understand this correctly, I can set the IP for the external NIC and
leave the internal blank.

Add the option BRIDGE to the already present IPFIREWALL and IPFIREWALL_VERBOSE
etc. options,
recompile the kernel and there is no more need for NAT

Add these to /etc/sysctl.conf and set the internal ip for the internal
network and simply modify the ipfw rules to suit with no need for divert
net.link.ether.bridge_cfg=$oif:0,$iif:0
net.link.ether.bridge_ipfw=1
net.link.ether.bridge=1

Not sure if this means I can then use the other static IP on the internal
interface or if I will have to still use an internal range, ie 192.168.*.*
I don't see why if it is a bridge it would not work with the static ip.

Does this sound right or am I being too naive that it would be as easy as
that.  Am aware that intel and 3com cards support bridging and possibility
that my cheap realteks may not like this, but apart from this problem does
the above sound right?



> > Thanks for the advice.

> > DMZ does seem the better option, as I don't really have any other machines
> > needing internet access on the LAN; I was hoping it was possible to simply
> > add the external IP on the inside interface.

> > How would this work?

> > defaultrouter="222.222.222.220"    # rc.conf knob is defaultrouter, not default_router
> > ifconfig_rl0="inet 192.168.1.1 netmask 255.255.255.0"        # Internal LAN
> > ifconfig_rl1="inet 222.222.222.221 netmask 255.255.255.248"  # External interface
> > ifconfig_rl2="inet 222.222.222.222 netmask 255.255.255.248"  # DMZ

> Without a diagram I can't really say for certain, knowing the real IPs would
> help too.  Even if you mangle the first 2 octets (or even the first 3) it
> allows people to check you've got your routing and netmasks right :-)

> However, I don't think the above would work.  What you probably want is:

> ROUTER (222.222.222.220/29)
>    |
>    |
>    | rl1 (222.222.222.221/29, .222/29, .223/29, .224/29, .225/29)
> -------
> FreeBSD ----- DMZ
> -------  rl2 (192.168.254.1/24)
>    | rl0 (192.168.1.1/24)
>    |
>    |
>   LAN

> > If you know any urls on how to set this up it would be a great help.  What
> > little I can find seems to be more geared for IPFILTER than IPFW.

> 'Fraid I've never played with IPFW, I'm an IPFilter fan (in part because it's
> not purely a FreeBSD thing).  No reason I know of that IPFW won't do what you're
> after.

> --
>   Rob MacGregor (MCSE)
>       The light at the end of the tunnel is an oncoming dragon.
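
The filtering-bridge variant Jess sketches in the post above, as an added example that is not from the thread or from the FreeBSD article it links: the three sysctl knobs from the post with the interfaces filled in, plus an ipfw rule set for a bridge where the two servers keep public addresses out of the /29, the firewall does no NAT and the inside interface carries no address. The server addresses 222.222.222.222/.223, the port list and the rule numbers are assumptions. The rules are written on the assumption that a bridged frame is presented to ipfw once, inbound on the interface it arrived on, so policy is expressed entirely with `in via` and the `out` rule only covers the firewall box's own traffic; check that against the filtering-bridges article for your release before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD article: filtering-bridge
# configuration for the same two servers.  No NAT and no private range; the
# servers keep their public addresses and the firewall box bridges rl1
# (outside) and rl0 (inside) while ipfw filters the frames.  Server addresses,
# ports and rule numbers are constructed assumptions.

OIF="rl1"   # outside; the only interface with an address, used to reach the box
IIF="rl0"   # inside; no address configured, only a bridge member

# Constructed table: "server address:protocol:port".  The DNS box is .222,
# the IIS/mail box is .223, both on addresses out of the /29.
SERVICES="
222.222.222.222:udp:53
222.222.222.222:tcp:53
222.222.222.223:tcp:80
222.222.222.223:tcp:25
"

# /etc/sysctl.conf lines from the post with the interfaces filled in.  The
# ':0' after each name is the bridge cluster id; both belong to cluster 0.
sysctl_conf() {
    printf 'net.link.ether.bridge_cfg=%s:0,%s:0\n' "$OIF" "$IIF"
    printf 'net.link.ether.bridge_ipfw=1\n'
    printf 'net.link.ether.bridge=1\n'
}

# Unique server addresses, used for the anti-spoof rules on the inside.
server_hosts() {
    printf '%s\n' "$SERVICES" | cut -d: -f1 | sed '/^$/d' | sort -u
}

# Rule set as a shell script.  Assumption: a bridged frame is checked once,
# inbound on the interface it arrived on, so every policy rule says 'in via'.
# Inside hosts may only originate traffic from their own addresses; outside
# frames reach a server only on its published ports; the rest is logged.
bridge_rules() {
    cat <<EOF
ipfw -q flush
ipfw add 100 allow all from any to any via lo0
ipfw add 200 check-state
ipfw add 210 allow all from any to any out
EOF
    for h in $(server_hosts); do
        printf 'ipfw add 300 allow all from %s to any in via %s keep-state\n' "$h" "$IIF"
    done
    printf '%s\n' "$SERVICES" | while IFS=: read -r host proto port; do
        [ -z "$host" ] && continue
        if [ "$proto" = tcp ]; then
            printf 'ipfw add 400 allow tcp from any to %s %s setup in via %s keep-state\n' "$host" "$port" "$OIF"
        else
            printf 'ipfw add 400 allow udp from any to %s %s in via %s keep-state\n' "$host" "$port" "$OIF"
        fi
    done
    printf 'ipfw add 65000 deny log all from any to any\n'
}
```

Compared with the NAT layout, the bridge removes the divert rule and the address rewriting, but it also removes the buffer a private range gives: every server is directly addressable from the Internet, so the closing deny rule and the per-host rules on the inside interface are what stand between the servers and anything not on the published port list.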