Building an Internet Gateway

The ABC of NAT on BSD



Overview

  • Introduction

  • Equipment

  • Configuration

    • Installation & LAN

    • Internet sharing via POTS/ADSL modem

    • Internet sharing via cable modem

    • Firewall

  • Configuring LAN Machines

  • Caveats & Future Options



Introduction

  • Aim is to:

    • Share an Internet connection over a LAN

    • Protect the LAN from the Internet

  • Also hope to:

    • require only minimal maintenance,

    • provide a remote administration capability,

    • provide automatic configuration for the LAN, and

    • not interfere with Internet operation.



Introduction

  • Why build a PC-based gateway?

    • To run services, such as:

      • a domain name service for local machines,

      • a shared web proxy,

      • a personal or business web server,

      • a mail server to centralise access to your mail,

      • a file server for backup or extra storage.

    • To impress your friends/opposite sex.

    • Because you love FreeBSD.



Equipment

  • A basic PC

    • CPU and motherboard (a Pentium 90 or better is already more than enough)

    • RAM, HDD, FDD, video card, keyboard, etc

    • Newer peripherals are better!

  • A network card for the LAN

  • A hub/switch and cables for the LAN

  • A modem (POTS, ADSL, or cable)

    • ADSL and cable modems with an Ethernet interface need a second network card for the outside link



Install & Configure LAN

  • Install FreeBSD (follow the Handbook)

  • Turn on IP forwarding so the box acts as a gateway

    • Use sysinstall to activate the gateway option

    • Or add gateway_enable="YES" to /etc/rc.conf (takes effect at boot)

    • Or run sysctl -w net.inet.ip.forwarding=1 (immediate, but lost at reboot)

  • Set up the network card for the LAN

    • Use a static address from the private (RFC 1918) ranges, which are never routed on the Internet

    • E.g. 192.168.0.1/24 or 10.0.0.1/24



Configure PPP

  • POTS and ADSL users

    • Config stored in /etc/ppp/ppp.conf

    • Samples in /usr/share/examples/ppp/

  • Can set up multiple profiles in one file

  • Can choose an operating mode:

    • ddial: keep the link up permanently and redial whenever it drops

    • auto: dial on demand when traffic for the link appears (set timeout decides when an idle link is dropped; 0 means never)

    • background: dial once and exit when the link drops



Configure PPP

  • Every profile inherits the default section, which ppp reads before the named profile

  • Sample (the label starts in column 0; every command under it must be indented):

default:
 ident user-ppp VERSION (built COMPILATIONDATE)
 # only root and members of group ppp may run ppp with this file
 allow users root ppp
 set log Phase Chat LCP IPCP CCP tun command
 # propose 10.0.0.1 / 10.0.0.2 but accept whatever the peer assigns (the /0)
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 accept chap
 accept pap
 # default route via the peer once its address is known
 add default HISADDR
 # translate LAN addresses behind this link (ppp's built-in NAT)
 nat enable yes
 # accept the DNS servers the peer offers and write them to /etc/resolv.conf
 enable dns



Configure PPP over POTS

  • Need a chat script that talks to the modem (the set dial string)

  • Sample:

dialup:
 set device /dev/cuaa0
 set speed 115200
 # wait 15 s before the first redial and 30 s longer each time, 3 attempts;
 # after a dropped link try to reconnect 3 times, 15 s apart
 set redial 15+30 3
 set reconnect 15 3
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
  \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 # no login script: the account is authenticated with PAP/CHAP
 set login ""
 # never hang up for being idle
 set timeout 0
 set phone dialup-phone
 set authname dialup-username
 set authkey dialup-password



Configure PPP over ADSL

  • Need netgraph(4) PPPoE support

    • kldload netgraph (if the kernel has module support, ppp(8) loads the netgraph modules it needs when it opens the PPPoE device)

  • Sample profile (interface-name is the network card facing the ADSL modem):

adsl:
 set device PPPoE:interface-name
 # the PPPoE header takes 8 bytes out of the 1500-byte Ethernet frame
 set mru 1492
 set mtu 1492
 set speed sync
 enable lqr
 set dial ""
 set login ""
 # redial after 15 s, effectively forever
 set redial 15 10000
 set timeout 0
 # link quality reports every 5 s detect a dead link
 set lqrperiod 5
 set authname adsl-username
 set authkey adsl-password



Running PPP

  • PPP is invoked with a mode and a profile name

    • E.g. ppp -auto dialup

  • To run it at start-up, edit /etc/rc.conf

    • E.g. for ADSL (a permanent ddial link, using ppp's own NAT):

      • ppp_enable="YES"

      • ppp_mode="ddial"

      • ppp_profile="adsl"

      • ppp_user="ppp"

      • ppp_nat="YES"



Configure for Cable

  • Use DHCP to configure the outside network card (the cable provider assigns the address)

  • NAT is done by natd(8): an ipfw divert rule hands every packet on the outside interface to it (rc.firewall adds that rule when natd_enable is set)

  • Configure natd(8) to run at start-up

    • Add to rc.conf:

      natd_enable="YES"

      natd_interface="rl0"

      natd_flags="-dynamic"

    • -dynamic makes natd follow the interface address when the DHCP lease changes



Configure for BigPond Cable

  • Telstra BigPond users need BPALogin (a heartbeat client that keeps the cable account logged in)

    • Download the FreeBSD port (http://bpalogin.sourceforge.net/)

    • Extract (tar -xvzf bpalogin-port.tar.gz)

    • Build (cd bpalogin ; make)

    • Install (make install)

    • Edit /usr/local/etc/bpalogin.conf



Configure for BigPond Cable

  • Sample /usr/local/etc/bpalogin.conf (it holds your password in clear text, so keep it owned by root and mode 600):

# Print some diagnostics
debuglevel 1
# Authentication details
username your-username
password your-password
# You can override the default domain if you do not have
# search vic.bigpond.net.au in your /etc/resolv.conf
authdomain vic.bigpond.net.au
# Use port 5050 on the local machine
localport 5050
# Set the minimum heartbeat interval.
minheartbeatinterval 60



Configuring Firewall

  • FreeBSD's /etc/rc.firewall includes a "simple" ruleset meant for a LAN gateway

  • Allows incoming mail, web and DNS to the gateway's outside address

  • Allows all outgoing TCP; outgoing UDP only for DNS and NTP from the gateway itself

  • Needs minor tweaks to rc.firewall

  • Enable through rc.conf

    firewall_enable="YES"

    firewall_type="simple"



Configuring Firewall

  • Edit the simple section of rc.firewall (about 20 lines into it). The lines marked "# delete" describe the outside network, which has no fixed value on a PPP or DHCP link, so remove them together with the anti-spoofing rule that uses them:

# set these to your outside interface network and netmask and ip
oif="ed0"
onet="192.0.2.0" # delete
omask="255.255.255.240" # delete
oip="192.0.2.1"
# set these to your inside interface network and netmask and ip
iif="ed1"
inet="192.168.0.0"
imask="255.255.255.0"
iip="192.168.0.1"

setup_loopback

# Stop spoofing: a packet arriving from the Internet must never carry a LAN source address
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif} # delete

  • oif is the outside interface: tun0 for a PPP link, the second network card (e.g. rl0) for cable

  • With a dynamic outside address oip is not known at boot, and the rules that pass mail, web and DNS to ${oip} only work once it is: re-run /etc/rc.firewall after the link comes up, or use the ipfw keyword me in place of ${oip} where your ipfw supports it
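A complete ruleset for this gateway, written here as an added example rather than FreeBSD's rc.firewall or the presenter's configuration. It keeps the shape of the simple type (anti-spoofing, natd divert, established/setup checks for TCP) but never names the outside address or network, so a PPP or DHCP address change cannot invalidate it, and it drops unsolicited UDP from outside while still letting LAN hosts reach DNS and NTP through the NAT. The interface names (tun0 or rl0 outside, rl1 inside), the LAN 192.168.0.0/24, the natd divert port and the list of admin ports are assumptions, not from the slides.

```sh
#!/bin/sh
# Gateway ruleset builder for ipfw. Added example: this is neither
# FreeBSD's rc.firewall nor the presenter's configuration. It keeps the
# shape of the "simple" type but never names the outside address or
# network, so a PPP or DHCP address change does not invalidate it.
#
# Assumed names (not from the slides): outside interface tun0 (ppp) or
# rl0 (cable), inside interface rl1, LAN 192.168.0.0/24, natd(8) on the
# default divert port "natd". Set USE_NATD=no when ppp's own NAT is used.

# gateway_rules OIF IIF LAN_CIDR [TCP_PORT ...]
# Prints one ipfw rule per line. Each TCP_PORT is a service on the
# gateway itself that may be reached from the Internet (22 for admin).
gateway_rules() {
    oif=$1; iif=$2; lan=$3
    shift 3
    # Loopback: pass lo0, refuse 127/8 on every other interface.
    echo "add 100 pass all from any to any via lo0"
    echo "add 110 deny all from any to 127.0.0.0/8"
    echo "add 120 deny all from 127.0.0.0/8 to any"
    # Anti-spoofing: a packet arriving from the Internet may not carry
    # a LAN source address, nor any other RFC 1918 address.
    echo "add 200 deny log all from $lan to any in via $oif"
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "add 210 deny log all from $net to any in via $oif"
    done
    # Only LAN addresses may enter from the LAN side (relax this if the
    # LAN later gets DHCP, whose requests come from 0.0.0.0).
    echo "add 220 deny log all from not $lan to any in via $iif"
    # NAT: every packet crossing the outside interface goes to natd,
    # which rewrites it and hands it back at the rule after this one.
    if [ "${USE_NATD:-yes}" = "yes" ]; then
        echo "add 300 divert natd all from any to any via $oif"
    fi
    # Replies to TCP connections that were already allowed.
    echo "add 400 pass tcp from any to any established"
    # Services on the gateway that may be reached from outside.
    for port in "$@"; do
        echo "add 500 pass tcp from any to me $port in via $oif setup"
    done
    # Any other connection attempt from outside is refused and logged;
    # the LAN and the gateway may open connections anywhere.
    echo "add 600 deny log tcp from any to any in via $oif setup"
    echo "add 700 pass tcp from any to any setup"
    # UDP: replies are matched by the dynamic rules created below, then
    # unsolicited UDP from outside is dropped, and only DNS and NTP may
    # go out. This is the "ICQ and other UDP" caveat made explicit.
    echo "add 790 check-state"
    echo "add 795 deny log udp from any to any in via $oif"
    echo "add 800 pass udp from any to any 53 keep-state"
    echo "add 810 pass udp from any to any 123 keep-state"
    # Enough ICMP for ping, traceroute and path MTU discovery.
    echo "add 900 pass icmp from any to any icmptypes 0,3,8,11"
    echo "add 65000 deny log all from any to any"
}

# apply_rules OIF IIF LAN_CIDR [TCP_PORT ...]
# Flushes the running ruleset and loads the generated one. FWCMD can be
# set to "echo ipfw" to preview the commands without touching the kernel.
apply_rules() {
    fwcmd=${FWCMD:-"ipfw -q"}
    $fwcmd -f flush
    gateway_rules "$@" | while read -r rule; do
        $fwcmd $rule
    done
}

# "sh gateway-fw.sh apply tun0 rl1 192.168.0.0/24 22" loads the rules;
# without "apply" the script only prints them.
if [ "${1:-}" = "apply" ]; then
    shift
    apply_rules "$@"
elif [ $# -ge 3 ]; then
    gateway_rules "$@"
fi
```

Point firewall_script in rc.conf at this file in place of the simple type, or call it from the natd/ppp start-up hooks once the link exists. The divert rule needs a kernel with IPFIREWALL and IPDIVERT; with ppp's built-in NAT (ppp_nat="YES") set USE_NATD=no, otherwise rule 300 diverts every packet on tun0 to a port nobody is listening on and the link goes dead. For the cable setup the outside card also has to be on DHCP in rc.conf (ifconfig_rl0="DHCP").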



Configuring LAN Machines

  • Configure each machine with a static IP address on the LAN

    • E.g. 192.168.0.2, 192.168.0.14

    • Netmask is the same as the gateway's (e.g. 255.255.255.0)

  • DNS server addresses must be copied by hand (the ones ppp wrote to the gateway's /etc/resolv.conf, or the gateway itself if it runs a name server)

  • The default gateway is the gateway's LAN address (192.168.0.1 here)

    • Some operating systems call it the router



Caveats

  • NAT rewrites addresses and ports, so it is not transparent to every protocol

    • Fine for ordinary outbound connections (e.g. TCP)

    • Breaks active FTP, where the server connects back to the client (use passive FTP, which only needs outbound connections)

    • Creates problems for ICQ (and other UDP protocols that expect replies on ports the NAT has never seen)

    • Breaks protocols that embed the local (private) IP address in their payload

  • Firewalls can cause problems

    • Some protocols need incoming connections, which the simple ruleset refuses except for mail, web and DNS

      • E.g. identd for IRC, gnutella, other P2P
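One way to let such a protocol through, added here as an example rather than taken from the slides: forward the port to the LAN machine that runs the service, and refuse everything else that is not a reply to an outbound flow. With ppp's built-in NAT the two lines go in the default section of /etc/ppp/ppp.conf (indented like the other commands); the LAN address 192.168.0.2 and identd on TCP port 113 are assumptions.

```conf
 # Added example, not from the slides: connections to TCP port 113 on the
 # outside address are forwarded to 192.168.0.2, which therefore needs a
 # static LAN address. Incoming packets that match neither a forwarded
 # port nor an existing outbound flow are dropped by the NAT itself.
 nat port tcp 192.168.0.2:113 113
 nat deny_incoming yes
```

The natd(8) equivalent for the cable setup is natd_flags="-dynamic -deny_incoming -redirect_port tcp 192.168.0.2:113 113" in rc.conf. In both cases the firewall must also pass TCP port 113 in via the outside interface; otherwise the forwarded packet is dropped by the rule that refuses incoming connection setups.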



Future

  • Use gateway as a DHCP server

    • Automatically provide IP, DNS, gateway to LAN machines

  • Web proxy (e.g. squid)

  • Web server (e.g. apache)

  • Mail server (e.g. postfix, qmail)

  • IMAP mail store (e.g. cyrus, courier)
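For the DHCP item, an added example of what the gateway would hand out so that the manual steps on the LAN machines disappear. It assumes ISC dhcpd from the ports tree with its configuration in /usr/local/etc/dhcpd.conf, a gateway at 192.168.0.1 that also runs the local name server, and placeholder lease times, domain name and MAC address; none of these come from the slides.

```conf
# /usr/local/etc/dhcpd.conf (added example, not from the slides)
# The gateway is 192.168.0.1 and runs the local DNS, so LAN machines get
# address, netmask, default gateway and DNS server from one lease.
option domain-name "lan.example";
default-lease-time 86400;
max-lease-time 604800;
# This server is the only DHCP server on the LAN: answer with NAKs for
# addresses it does not know about instead of staying silent.
authoritative;

subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.199;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
    option broadcast-address 192.168.0.255;
}

# A machine that receives forwarded ports must keep a fixed address
# (placeholder MAC address).
host fileserver {
    hardware ethernet 00:00:00:00:00:01;
    fixed-address 192.168.0.2;
}
```

Bind the daemon to the LAN card only (dhcpd_ifaces="rl1" alongside dhcpd_enable="YES" in rc.conf for the port's start-up script), so it never answers requests arriving on the outside interface, and keep the anti-spoofing rule on the inside interface in mind: DHCP requests come from 0.0.0.0, so a rule that denies every non-LAN source on the LAN card must make an exception for them.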
