Routing problem


Routing problem

Efren Bravo
Hi there,

I installed a FreeBSD 10.1 box and upgraded it to 10.4. I tried to configure
this box as a firewall, but I can't get ping to work from inside the LAN to the
outside world, nor any TCP/UDP connection. Basic configs:

router ip: 190.92.124.89

kernel (recompiled & installed OK):
a lot of unnecessary things disabled before recompilation
---
options IPFILTER
options IPFILTER_LOG
options IPFILTER_LOOKUP
options IPFILTER_DEFAULT_BLOCK

/etc/rc.conf
---
#WAN
ifconfig_re0="inet 190.92.124.90 netmask 255.255.255.248"

# LAN
ifconfig_em0="inet 10.170.0.1 netmask 25.255.255.128"

defaultrouter="190.92.124.89"
gateway_eanble="YES"

/etc/ipfilter.rules
---
pass out quick lo0 all
pass in quick lo0 all

pass out quick em0 all
pass in quick em0 all

pass out quick re0 all
pass in quick re0 all

Routing tables
---
Destination         Gateway            Flags  Netif
default             190.92.124.89      UGS    re0
10.170.0.0/25       link#1             U      em0
10.170.0.21         link#1             UHS    lo0
127.0.0.1           link#3             UH     lo0
190.92.124.88/29    link#2             U      re0
190.92.124.91       link#2             UHS    lo0

From inside the box I can ping the outside world and the LAN, but from an
internal PC (IP: 10.170.0.11) I cannot reach the outside world.

I need help; could someone tell me where to look to fix it, because I don't
understand why this happens.
Thanks in advance
--
----------------
Efren Bravo
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[hidden email]"

Re: Routing problem

Trond Endrestøl
On Mon, 23 Oct 2017 15:19-0400, Efren Bravo wrote:

> Hi there,
>
> I installed a FreeBSD 10.1 box and upgraded it to 10.4. I tried to configure
> this box as a firewall, but I can't get ping to work from inside the LAN to the
> outside world, nor any TCP/UDP connection. Basic configs:
>
> router ip: 190.92.124.89
>
> kernel (recompiled & installed OK):
> a lot of unnecessary things disabled before recompilation
> ---
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_LOOKUP
> options IPFILTER_DEFAULT_BLOCK
>
> /etc/rc.conf
> ---

> #WAN
> ifconfig_re0="inet 190.92.124.90 netmask 255.255.255.248"

Public IPv4 address space.

> # LAN
> ifconfig_em0="inet 10.170.0.1 netmask 25.255.255.128"

Private IPv4 address space.

Do you plan on setting up NAT44 on this box? You should if you want
this setup to work as expected.

> defaultrouter="190.92.124.89"
> gateway_eanble="YES"
>
> /etc/ipfilter.rules
> ---
> pass out quick lo0 all
> pass in quick lo0 all
>
> pass out quick em0 all
> pass in quick em0 all
>
> pass out quick re0 all
> pass in quick re0 all
>
> Routing tables
> ---
> Destin                  GW                  Flags  Netif
> default                  190.92.124.89   UGS   re0
> 10.170.0.0/25        link#1               U       em0
> 10.170.0.21           link#1               UHS   lo0
> 127.0.0.1               link#3               UH    lo0
> 190.92.124.88/29   link#2               U       re0
> 190.92.124.91       link#2               UHS   lo0
>
> From inside the box I can ping the outside world and the LAN, but from an
> internal PC (IP: 10.170.0.11) I cannot reach the outside world.
>
> I need help; could someone tell me where to look to fix it, because I don't
> understand why this happens.
> Thanks in advance

--
Trond.

Re: Routing problem

Efren Bravo
@Ian Smith: gateway_enable="YES" I wrote correctly; it was my mistake when I
copied it into the email, and sysctl net.inet.ip.forwarding=1. Thanks

@Trond Endrestol

I didn't know about all those NATs (NAT44, NAT444, NAT64, etc.); when I
installed a firewall box 10 years ago they didn't exist, I think, because I
followed the same config and it worked. Now the question is, how do I make
it work?

thanks

2017-10-24 8:20 GMT-04:00 Ian Smith <[hidden email]>:

> In freebsd-questions Digest, Vol 699, Issue 2, Message: 8
> On Mon, 23 Oct 2017 22:30:26 +0200 (CEST)
> Trond Endrestøl <[hidden email]> wrote:
>  > On Mon, 23 Oct 2017 15:19-0400, Efren Bravo wrote:
>  >
>  > > Hi there,
>  > >
>  > > I installed a FreeBSD 10.1 box and upgraded it to 10.4. I tried to
> configure
>  > > this box as a firewall, but I can't get ping to work from inside the LAN
>  > > to the outside world, nor any TCP/UDP connection. Basic configs:
>  > >
>  > > router ip: 190.92.124.89
>  > >
>  > > kernel (recompiled & installed OK):
>  > > a lot of unnecessary things disabled before recompilation
>  > > ---
>  > > options IPFILTER
>  > > options IPFILTER_LOG
>  > > options IPFILTER_LOOKUP
>  > > options IPFILTER_DEFAULT_BLOCK
>  > >
>  > > /etc/rc.conf
>  > > ---
>  >
>  > > #WAN
>  > > ifconfig_re0="inet 190.92.124.90 netmask 255.255.255.248"
>  >
>  > Public IPv4 address space.
>  >
>  > > # LAN
>  > > ifconfig_em0="inet 10.170.0.1 netmask 25.255.255.128"
>  >
>  > Private IPv4 address space.
>  >
>  > Do you plan on setting up NAT44 on this box? You should if you want
>  > this setup to work as expected.
>
> Indeed, some variety of NAT daemon.  But also ..
>
>  > > defaultrouter="190.92.124.89"
>  > > gateway_eanble="YES"
>
> .. that needs to be 'gateway_enable'.
>
>  % grep -wA7 gateway_enable /etc/rc.d/routing
>
> After fixing /etc/rc.conf one can just run:
>  # service routing restart
>
> or even (until next boot or routing restart) just:
>  # sysctl net.inet.ip.forwarding=1
>
> cheers, Ian
>



--
----------------
Efren Bravo
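The two copy errors that Ian's reply and the routing table point at (gateway_eanble, and a LAN netmask of 25.255.255.128 in the posted rc.conf) are exactly the sort of thing worth catching before reloading a router. The script below is an added example, not part of this thread or of the FreeBSD base system: the rc.conf snippet inside it is a constructed copy of the one posted above, the list of accepted variable names is an assumption that covers only what this router needs, and forwarding_enabled is the runtime check Ian suggests and only means anything on a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the thread): lint the routing-related lines of a
# FreeBSD /etc/rc.conf before reloading. The posted config had two copy
# errors, gateway_eanble and a netmask of 25.255.255.128; both are caught here.

# Constructed copy of the rc.conf snippet from the original post, typos included.
SAMPLE_RC_CONF='#WAN
ifconfig_re0="inet 190.92.124.90 netmask 255.255.255.248"
# LAN
ifconfig_em0="inet 10.170.0.1 netmask 25.255.255.128"
defaultrouter="190.92.124.89"
gateway_eanble="YES"'

# valid_netmask MASK: succeeds if MASK is a dotted quad whose 1-bits are
# contiguous from the top (255.255.255.128 yes, 25.255.255.128 no).
valid_netmask() {
    m=0
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
        m=$(( (m << 8) | o ))
    done
    # The inverted mask must look like 2^k - 1 (all ones at the bottom).
    inv=$(( ~m & 4294967295 ))
    [ $(( inv & (inv + 1) )) -eq 0 ]
}

# known_rc_key KEY: succeeds for the rc.conf variables a router like this one
# needs (assumed list). Anything else, e.g. the typo gateway_eanble, is reported.
known_rc_key() {
    case $1 in
        hostname|defaultrouter|gateway_enable|ifconfig_*|\
        ipfilter_enable|ipfilter_rules|ipnat_enable|ipnat_rules|\
        ipmon_enable|ipmon_flags) return 0 ;;
        *) return 1 ;;
    esac
}

# lint_rc_conf: reads rc.conf text on stdin, prints one finding per line and
# succeeds only when there are no findings.
lint_rc_conf() {
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        key=${line%%=*}
        value=${line#*=}
        value=${value#\"}; value=${value%\"}
        if ! known_rc_key "$key"; then
            echo "unknown key: $key"
            findings=$((findings + 1))
        fi
        case $key in
            ifconfig_*)
                case $value in
                    *" netmask "*)
                        mask=${value##*netmask }
                        mask=${mask%% *}
                        if ! valid_netmask "$mask"; then
                            echo "bad netmask on $key: $mask"
                            findings=$((findings + 1))
                        fi ;;
                esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# forwarding_enabled: only meaningful on FreeBSD; net.inet.ip.forwarding must
# read 1 for the box to route at all (service routing restart sets it from
# gateway_enable, sysctl sets it until the next boot).
forwarding_enabled() {
    command -v sysctl >/dev/null 2>&1 || return 2
    [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" = "1" ]
}

# Self-check on the constructed snippet: prints the two findings.
if printf '%s\n' "$SAMPLE_RC_CONF" | lint_rc_conf; then
    echo "rc.conf looks sane"
fi
```

On the real box, run the lint against /etc/rc.conf (`lint_rc_conf < /etc/rc.conf`), fix what it reports, then `service routing restart` and confirm with `forwarding_enabled`; a clean rc.conf that still does not forward usually means the sysctl never got set.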

Re: Routing problem

Trond Endrestøl
On Tue, 24 Oct 2017 11:54-0400, Efren Bravo wrote:

> @Ian Smith: gateway_enable="YES" I wrote correctly; it was my mistake when I
> copied it into the email, and sysctl net.inet.ip.forwarding=1. Thanks
>
> @Trond Endrestol
>
> I didn't know about all those NATs (NAT44, NAT444, NAT64, etc.); when I
> installed a firewall box 10 years ago they didn't exist, I think, because I
> followed the same config and it worked. Now the question is, how do I make
> it work?

NAT(44) has been around for more than 20 years, and is partially
responsible for delaying the deployment of IPv6.

Read Section 29.5 on ipf (ipfilter) in the Handbook:
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html

Subsection 29.5.4 says how to configure NAT(44).

--
Trond.

Re: Routing problem

Efren Bravo
Problem solved!

I hadn't noticed the map rule in my ipnat.rules from the old firewall box.

Thanks again for your support.

2017-10-25 4:07 GMT-04:00 Trond Endrestøl <[hidden email]>:

> On Tue, 24 Oct 2017 11:54-0400, Efren Bravo wrote:
>
> > @Ian Smith: gateway_enable="YES" I wrote correctly; it was my mistake when I
> > copied it into the email, and sysctl net.inet.ip.forwarding=1. Thanks
> >
> > @Trond Endrestol
> >
> > I didn't know about all those NATs (NAT44, NAT444, NAT64, etc.); when I
> > installed a firewall box 10 years ago they didn't exist, I think, because I
> > followed the same config and it worked. Now the question is, how do I make
> > it work?
>
> NAT(44) has been around for more than 20 years, and is partially
> responsible for delaying the deployment of IPv6.
>
> Read Section 29.5 on ipf (ipfilter) in the Handbook:
> https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html
>
> Subsection 29.5.4 says how to configure NAT(44).
>
> --
> Trond.
> _______________________________________________
> [hidden email] mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[hidden email]"
>



--
----------------
Efren Bravo
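Putting the thread's answer together: the piece missing from the posted setup was an ipnat map rule (the NAT44 Trond points to in Handbook section 29.5.4), and once the box does translate, a pass-all ipf ruleset on both interfaces leaves IPFILTER_DEFAULT_BLOCK with nothing to do. The three files below are an added example, not the poster's final configuration: interface names and addresses are the ones from the original post, the variable names are the standard rc.conf ones for ipf/ipnat/ipmon, and the decisions to block everything unsolicited on re0 and to drop packets arriving on re0 with private source addresses are mine.

```conf
# /etc/rc.conf: the pieces that turn this box into a NAT44 router
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipfilter.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"

# /etc/ipnat.rules: rewrite the LAN (10.170.0.0/25) to the address of re0
# (0/32 means "whatever address re0 has"). The portmap line handles TCP/UDP,
# the plain line everything else (ICMP echo from the LAN among it).
map re0 10.170.0.0/25 -> 0/32 portmap tcp/udp auto
map re0 10.170.0.0/25 -> 0/32

# /etc/ipfilter.rules: stateful, default deny on the WAN side. Order matters:
# "quick" stops at the first match, so the block rules close each interface.
pass in quick on lo0 all
pass out quick on lo0 all

# LAN side: let hosts on 10.170.0.0/25 out; state lets the replies back.
pass in quick on em0 proto tcp from 10.170.0.0/25 to any flags S keep state
pass in quick on em0 proto udp from 10.170.0.0/25 to any keep state
pass in quick on em0 proto icmp from 10.170.0.0/25 to any keep state
block in log quick on em0 all
pass out quick on em0 from any to any keep state

# WAN side: the box and the translated LAN may initiate; nothing unsolicited in.
pass out quick on re0 proto tcp from any to any flags S keep state
pass out quick on re0 proto udp from any to any keep state
pass out quick on re0 proto icmp from any to any keep state
# Packets from the Internet should never carry a private or loopback source.
block in log quick on re0 from 10.0.0.0/8 to any
block in log quick on re0 from 172.16.0.0/12 to any
block in log quick on re0 from 192.168.0.0/16 to any
block in log quick on re0 from 127.0.0.0/8 to any
block in log quick on re0 all
```

Load with `service ipfilter restart` and `service ipnat restart` (or `ipf -Fa -f /etc/ipfilter.rules` and `ipnat -CF -f /etc/ipnat.rules`), then check `ipnat -l` for the active mappings and `ipfstat -io` for the loaded rules; a `tcpdump -ni re0` while pinging from 10.170.0.11 should show 190.92.124.90, not the 10.x address, as the source. Note that ipf applies inbound NAT before filtering and outbound NAT after it, which is why the re0 "pass out" rules above can say "from any" rather than name the WAN address.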