Building an Internet Gateway - PowerPoint PPT Presentation

Provided by: willia247
Slides: 20

1
Building an Internet Gateway
  • The ABC of NAT on BSD

2
Overview
  • Introduction
  • Equipment
  • Configuration
  • Installation & LAN
  • Internet sharing via POTS/ADSL modem
  • Internet sharing via cable modem
  • Firewall
  • Configuring LAN Machines
  • Caveats & Future Options

3
Introduction
  • Aim is to
  • Share an Internet connection over a LAN
  • Protect the LAN from the Internet
  • Also hope to
  • require only minimal maintenance,
  • provide a remote administration capability,
  • provide automatic configuration for LAN, and
  • not interfere with Internet operation.

4
Introduction
  • Why build a PC-based gateway?
  • To run services, such as
  • a domain name service for local machines,
  • a shared web proxy,
  • a personal or business web server,
  • a mail server to centralise access to your mail,
  • a file server for backup or extra storage.
  • To impress your friends/opposite sex.
  • Because you love FreeBSD.

5
Equipment
  • A basic PC
  • CPU & m/b (Pentium 90 is overpowered)
  • RAM, HDD, FDD, video card, keyboard, etc
  • Newer peripherals are better!
  • A network card for the LAN
  • A hub/switch and cables for the LAN
  • A modem (POTS, ADSL, or cable)
  • Modem may require an extra network card

6
Install & Configure LAN
  • Install FreeBSD (use handbook)
  • Use sysinstall to activate gateway
  • Or add gateway_enable="YES" to rc.conf
  • Or run sysctl -w net.inet.ip.forwarding=1
  • Set up network card for LAN
  • Use static IP address from test ranges
  • E.g. 192.168.0.1/24 or 10.0.0.1/24

7
Configure PPP
  • POTS and ADSL users
  • Config stored in /etc/ppp/ppp.conf
  • Samples in /usr/share/examples/ppp/
  • Can set up multiple profiles in one file
  • Can choose operating mode
  • ddial: continuous connection
  • auto: on-demand connection
  • background: once-off connection

8
Configure PPP
  • Profiles share a default configuration
  • Sample

default:
 ident user-ppp VERSION (built COMPILATIONDATE)
 allow users root ppp
 set log Phase Chat LCP IPCP CCP tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 accept chap
 accept pap
 add default HISADDR
 nat enable yes
 enable dns
9
Configure PPP over POTS
  • Need to specify a basic modem script
  • Sample

dialup:
 set device /dev/cuaa0
 set redial 1530 3
 set reconnect 15 3
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
   \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set login ""
 set timeout 0
 set phone dialup-phone
 set authname dialup-username
 set authkey dialup-password
10
Configure PPP over ADSL
  • Need to enable netgraph(4)
  • kldload netgraph
  • Sample profile

adsl:
 set device PPPoE:interface-name
 set mru 1492
 set mtu 1492
 set speed sync
 enable lqr
 set dial ""
 set login ""
 set redial 15 10000
 set timeout 0
 set lqrperiod 5
 set authname adsl-username
 set authkey adsl-password
11
Running PPP
  • PPP invoked with mode and profile
  • E.g. ppp auto dialup
  • To run at start-up edit rc.conf
  • E.g. for ADSL
  • ppp_enable="YES"
  • ppp_mode="ddial"
  • ppp_profile="adsl"
  • ppp_user="ppp"
  • ppp_nat="YES"

12
Configure for Cable
  • Use DHCP to configure network card
  • Uses firewall rule to handle NAT
  • Configure natd(8) to run at start-up
  • Add to rc.conf
  • natd_enable="YES"
  • natd_interface="rl0"
  • natd_flags="-dynamic"

13
Configure for BigPond Cable
  • Telstra BigPond users need BPALogin
  • Download FreeBSD port (http://bpalogin.sourceforge.net/)
  • Extract (tar xvzf bpalogin-port.tar.gz)
  • Build (cd bpalogin && make)
  • Install (make install)
  • Edit /usr/local/etc/bpalogin.conf

14
Configure for BigPond Cable
  • Sample /usr/local/etc/bpalogin.conf

# Print some diagnostics
debuglevel 1

# Authentication details
username your-username
password your-password

# You can override the default domain if you do not have
# search vic.bigpond.net.au in your /etc/resolv.conf
authdomain vic.bigpond.net.au

# Use port 5050 on the local machine
localport 5050

# Set the minimum heartbeat interval.
minheartbeatinterval 60
15
Configuring Firewall
  • FreeBSD includes simple LAN firewall
  • Allows incoming mail, web, DNS
  • Allows all outgoing traffic
  • Needs minor tweaks to rc.firewall
  • Enable through rc.conf
  • firewall_enable="YES"
  • firewall_type="simple"
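
The rc.conf knobs from slides 6, 11, 12 and 15 have to agree with each other: forwarding on, exactly one NAT mechanism (ppp_nat for the POTS/ADSL profile, natd plus the firewall's divert rule for cable) and the firewall enabled. The script below is an added example, not part of the presentation; it reads an rc.conf-style file and reports which of those knobs are missing. The three rc.conf files it checks are constructed samples built from the values on the slides.

```sh
#!/bin/sh
# Added example, not from the slides: a sanity check over the rc.conf knobs
# the deck uses (gateway_enable, ppp_nat, natd_enable, natd_interface,
# firewall_enable). The rc.conf files below are constructed samples.

# rc_get FILE KNOB: value of KNOB in an rc.conf-style file, quotes stripped,
# last assignment wins; prints nothing when the knob is absent.
rc_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# gateway_check FILE: print one line per problem; return the problem count.
gateway_check() {
    f=$1; n=0
    if [ "$(rc_get "$f" gateway_enable)" != "YES" ]; then
        echo "gateway_enable is not YES: the kernel will not forward LAN packets"; n=$((n + 1))
    fi
    if [ "$(rc_get "$f" ppp_nat)" = "YES" ]; then
        :   # POTS/ADSL path: user-ppp does the NAT itself
    elif [ "$(rc_get "$f" natd_enable)" = "YES" ]; then
        # cable path: natd must know the outside interface
        [ -n "$(rc_get "$f" natd_interface)" ] || { echo "natd_enable is YES but natd_interface is unset"; n=$((n + 1)); }
    else
        echo "no NAT configured: neither ppp_nat nor natd_enable is YES"; n=$((n + 1))
    fi
    # the firewall protects the LAN and, on the cable path, carries natd's divert rule
    [ "$(rc_get "$f" firewall_enable)" = "YES" ] || { echo "firewall_enable is not YES: LAN unprotected and natd gets no divert rule"; n=$((n + 1)); }
    return "$n"
}

# Constructed samples: cable path, ADSL path, and a broken file.
cable=$(mktemp); pppconf=$(mktemp); bad=$(mktemp)
cat > "$cable" <<'EOF'
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-dynamic"
firewall_enable="YES"
firewall_type="simple"
EOF
cat > "$pppconf" <<'EOF'
gateway_enable="YES"
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="adsl"
ppp_user="ppp"
ppp_nat="YES"
firewall_enable="YES"
firewall_type="simple"
EOF
cat > "$bad" <<'EOF'
# forwarding and the firewall were never switched on
natd_enable="YES"
natd_interface="rl0"
EOF

for f in "$cable" "$pppconf" "$bad"; do
    if gateway_check "$f"; then echo "$f: OK"; fi
done
```

Run it against the real /etc/rc.conf by calling gateway_check on that path; a non-zero return is the number of problems printed.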

16
Configuring Firewall
  • Edit rc.firewall (about line 20)

    # set these to your outside interface network and netmask and ip
    oif="ed0"
    onet="192.0.2.0"                 <-- delete (slide's annotation)
    omask="255.255.255.240"          <-- delete (slide's annotation)
    oip="192.0.2.1"

    # set these to your inside interface network and netmask and ip
    iif="ed1"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.1"

    setup_loopback

    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}   <-- delete (slide's annotation)
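
The two "Stop spoofing" rules are easy to misread: the first drops packets that claim a LAN source address but arrive on the outside interface, the second drops packets that claim an outside-network address but arrive from the LAN. The script below is an added example, not part of the presentation or of rc.firewall; it reimplements that decision in plain sh using the slide's placeholder interfaces and networks (ed0 on 192.0.2.0/28, ed1 on 192.168.0.0/24) and runs it over a few constructed packets.

```sh
#!/bin/sh
# Added example, not from the slides: evaluate the two "Stop spoofing" rules
# of rc.firewall's simple section against constructed packets. Interface
# names and networks are the slide's placeholders; the packets are made up.
oif="ed0"; onet="192.0.2.0";   omask="255.255.255.240"
iif="ed1"; inet="192.168.0.0"; imask="255.255.255.0"

# ip2int: dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP NET MASK: succeeds when IP lies inside NET/MASK
in_net() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]
}

# spoof_verdict IFACE SRC: "deny" if one of the two rules matches this
# inbound packet, otherwise "pass" (left to the rest of the ruleset)
spoof_verdict() {
    if [ "$1" = "$oif" ] && in_net "$2" "$inet" "$imask"; then
        echo deny          # LAN address arriving from the Internet side
    elif [ "$1" = "$iif" ] && in_net "$2" "$onet" "$omask"; then
        echo deny          # outside address arriving from the LAN side
    else
        echo pass
    fi
}

# Constructed sample packets: "inbound-interface source-address"
packets="ed0 192.168.0.7
ed0 203.0.113.9
ed1 192.0.2.5
ed1 192.168.0.7"
printf '%s\n' "$packets" | while read -r iface src; do
    printf '%-4s %-15s %s\n' "$iface" "$src" "$(spoof_verdict "$iface" "$src")"
done
```

Note that with a dialup or ADSL link the outside address changes per connection, which is why the slide marks the onet/omask lines and the second rule for deletion; the first rule needs only the LAN network and keeps working.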
17
Configuring LAN Machines
  • Configure with static IP
  • E.g. 192.168.0.2, 192.168.0.14
  • Netmask is the same (e.g. 255.255.255.0)
  • Must manually copy DNS info
  • Gateway IP is often required
  • May sometimes be referred to as a router

18
Caveats
  • NAT interferes with traffic
  • Okay for most connections (e.g. TCP)
  • Breaks active FTP (use passive FTP)
  • Creates problems for ICQ (and other UDP)
  • Breaks protocols that embed local IP
  • Firewalls can cause problems
  • Some protocols make incoming connections
  • E.g. identd for IRC, gnutella, other P2P
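
The "protocols that embed local IP" caveat is easiest to see with FTP: in active mode the client sends its own address and port in the PORT command, the gateway rewrites the IP header but not the command text, so the server tries to connect to an unroutable 192.168.x.x address; in passive mode the server announces its public address instead and NAT is untroubled. The script below is an added example, not part of the presentation; it parses constructed FTP control-channel lines and flags the private addresses that a plain NAT would leak.

```sh
#!/bin/sh
# Added example, not from the slides: why NAT breaks active FTP but not
# passive FTP. The FTP control lines below are constructed samples.

# port_to_endpoint "h1,h2,h3,h4,p1,p2" -> "h1.h2.h3.h4:port"
port_to_endpoint() {
    set -- $(printf '%s' "$1" | tr ',' ' ')
    echo "$1.$2.$3.$4:$(( $5 * 256 + $6 ))"
}

# is_rfc1918 IP: succeeds for 10/8, 172.16/12 and 192.168/16
is_rfc1918() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# ftp_verdict LINE: classify one FTP control-channel line
ftp_verdict() {
    case $1 in
        "PORT "*) ep=$(port_to_endpoint "${1#PORT }"); who="client (active FTP)" ;;
        "227 "*)  ep=$(port_to_endpoint "$(printf '%s' "$1" | sed 's/.*(\(.*\)).*/\1/')")
                  who="server (passive FTP)" ;;
        *) echo "IGNORED $1"; return 0 ;;
    esac
    if is_rfc1918 "${ep%%:*}"; then
        echo "BROKEN $ep announced by $who: NAT rewrote the IP header, not this address in the payload"
    else
        echo "OK $ep announced by $who"
    fi
}

# Constructed session: a LAN client in active mode, a server answering PASV,
# and a client that already has a public address.
session="PORT 192,168,0,2,4,1
227 Entering Passive Mode (203,0,113,9,8,0)
PORT 203,0,113,50,7,210"
printf '%s\n' "$session" | while IFS= read -r line; do
    ftp_verdict "$line"
done
```

The same idea applies to the other caveats on the slide: any protocol that writes its own address into the payload (ICQ, IRC DCC, several P2P clients) needs either passive-style operation or a NAT helper that understands the protocol.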

19
Future
  • Use gateway as a DHCP server
  • Automatically provide IP, DNS, gateway to LAN machines
  • Web proxy (e.g. squid)
  • Web server (e.g. apache)
  • Mail server (e.g. postfix, qmail)
  • IMAP mail store (e.g. cyrus, courier)