Building an Internet Gateway - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Building an Internet Gateway' - lotus
Presentation Transcript

Building an Internet Gateway

The ABC of NAT on BSD

Overview
  • Introduction
  • Equipment
  • Configuration
    • Installation & LAN
    • Internet sharing via POTS/ADSL modem
    • Internet sharing via cable modem
    • Firewall
  • Configuring LAN Machines
  • Caveats & Future Options
Introduction
  • Aim is to:
    • Share an Internet connection over a LAN
    • Protect the LAN from the Internet
  • Also hope to:
    • require only minimal maintenance,
    • provide a remote administration capability,
    • provide automatic configuration for LAN machines, and
    • not interfere with Internet operation.
Introduction
  • Why build a PC-based gateway?
    • To run services, such as:
      • a domain name service for local machines,
      • a shared web proxy,
      • a personal or business web server,
      • a mail server to centralise access to your mail,
      • a file server for backup or extra storage.
    • To impress your friends/opposite sex.
    • Because you love FreeBSD.
Equipment
  • A basic PC
    • CPU & m/b (Pentium 90+ is overpowered)
    • RAM, HDD, FDD, video card, keyboard, etc
    • Newer peripherals are better!
  • A network card for the LAN
  • A hub/switch and cables for the LAN
  • A modem (POTS, ADSL, or cable)
    • Modem may require an extra network card
Install & Configure LAN
  • Install FreeBSD (use the handbook)
  • Use sysinstall to activate the gateway function
    • Or add gateway_enable="YES" to rc.conf
    • Or run sysctl -w net.inet.ip.forwarding=1
  • Set up the network card for the LAN
    • Use a static IP address from the private (RFC 1918) ranges
    • E.g. 192.168.0.1/24 or 10.0.0.1/24
Configure PPP
  • POTS and ADSL users
    • Config stored in /etc/ppp/ppp.conf
    • Samples in /usr/share/examples/ppp/
  • Can set up multiple profiles in one file
  • Can choose operating mode:
    • ddial - continuous connection
    • auto - on-demand connection
    • background - once-off connection
Configure PPP
  • Profiles share a default configuration
  • Sample (labels start in column 1; the lines under a label must be indented):

default:
    ident user-ppp VERSION (built COMPILATIONDATE)
    allow users root ppp
    set log Phase Chat LCP IPCP CCP tun command
    set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
    accept chap
    accept pap
    add default HISADDR
    nat enable yes
    enable dns

Configure PPP over POTS
  • Need to specify a basic modem script
  • Sample:

dialup:
    set device /dev/cuaa0
    set redial 15+30 3
    set reconnect 15 3
    set speed 115200
    set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
              \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
    set login ""
    set timeout 0
    set phone dialup-phone
    set authname dialup-username
    set authkey dialup-password

Configure PPP over ADSL
  • Need to enable netgraph(4)
    • kldload netgraph
  • Sample profile:

adsl:
    set device PPPoE:interface-name
    set mru 1492
    set mtu 1492
    set speed sync
    enable lqr
    set dial ""
    set login ""
    set redial 15 10000
    set timeout 0
    set lqrperiod 5
    set authname adsl-username
    set authkey adsl-password
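The profiles above all hang off the same file layout, and the file carries the ISP password in clear text on its set authkey line. The following POSIX sh checker is an added example, not part of the presentation or of FreeBSD's ppp(8): it lists the profile labels in a ppp.conf, verifies that every command line is indented under a label (the layout ppp.conf requires), and verifies the file is not readable by other users. The sample ppp.conf it builds is constructed from the slides' default and adsl profiles; PPPoE:interface-name is the placeholder the slides use.

```shell
#!/bin/sh
# Added example (not from the presentation): dry-run checks for a ppp.conf
# laid out like the slides' samples. ppp(8) expects profile labels in
# column 1 ending in ":" and every command under a label indented.

# ppp_profiles FILE: print the profile labels defined in FILE, one per line.
ppp_profiles() {
    sed -n 's/^\([A-Za-z0-9_.-]\{1,\}\):[[:space:]]*$/\1/p' "$1"
}

# ppp_layout_ok FILE: return 0 if every non-blank, non-comment line is either
# a label in column 1 or an indented command; print the offenders otherwise.
ppp_layout_ok() {
    awk '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }   # blank or comment
        /^[A-Za-z0-9_.-]+:[[:space:]]*$/     { next }   # profile label
        /^[[:space:]]/                        { next }   # indented command
        { printf "line %d is not indented: %s\n", NR, $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# ppp_secrets_private FILE: return 0 if FILE has no group or other permission
# bits set, i.e. only its owner can read the authkey lines.
ppp_secrets_private() {
    perms=$(ls -ld "$1" | cut -c5-10)     # group + other bits from ls -l
    case "$perms" in
        ------) return 0 ;;
        *)  echo "$1 is accessible to other users (group/other bits: $perms)" >&2
            return 1 ;;
    esac
}

# ppp_conf_check FILE: run both checks; return nonzero if either fails.
ppp_conf_check() {
    rc=0
    ppp_layout_ok "$1" || rc=1
    ppp_secrets_private "$1" || rc=1
    return $rc
}

# Demo on a constructed file (the labels and lines mirror the slides).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed ppp.conf: default settings shared by every profile
default:
    set log Phase Chat LCP IPCP CCP tun command
    nat enable yes
    enable dns

adsl:
    set device PPPoE:interface-name
    set mru 1492
    set mtu 1492
    set authname adsl-username
    set authkey adsl-password
EOF
chmod 600 "$demo_conf"
echo "profiles: $(ppp_profiles "$demo_conf" | tr '\n' ' ')"
ppp_conf_check "$demo_conf" && echo "ppp.conf layout and permissions look sane"
rm -f "$demo_conf"
```

Run it against a copy of the real file with ppp_conf_check /etc/ppp/ppp.conf; a non-zero exit names the unindented line or the too-loose permission bits, the two mistakes that otherwise only show up as a failed dial.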

Running PPP
  • PPP is invoked with a mode and a profile
    • E.g. ppp -auto dialup
  • To run at start-up, edit rc.conf
    • E.g. for ADSL:
      • ppp_enable="YES"
      • ppp_mode="ddial"
      • ppp_profile="adsl"
      • ppp_user="ppp"
      • ppp_nat="YES"
Configure for Cable
  • Use DHCP to configure the network card
  • Uses a firewall (ipfw divert) rule to handle NAT
  • Configure natd(8) to run at start-up
    • Add to rc.conf:

    natd_enable="YES"
    natd_interface="rl0"
    natd_flags="-dynamic"

Configure for BigPond Cable
  • Telstra BigPond users need BPALogin
    • Download the FreeBSD port (http://bpalogin.sourceforge.net/)
    • Extract (tar -xvzf bpalogin-port.tar.gz)
    • Build (cd bpalogin ; make)
    • Install (make install)
    • Edit /usr/local/etc/bpalogin.conf
Configure for BigPond Cable
  • Sample /usr/local/etc/bpalogin.conf:

    # Print some diagnostics
    debuglevel 1

    # Authentication details
    username your-username
    password your-password

    # You can override the default domain if you do not have
    # search vic.bigpond.net.au in your /etc/resolv.conf
    authdomain vic.bigpond.net.au

    # Use port 5050 on the local machine
    localport 5050

    # Set the minimum heartbeat interval.
    minheartbeatinterval 60

Configuring Firewall
  • FreeBSD includes a simple LAN firewall
  • Allows incoming mail, web, DNS
  • Allows all outgoing traffic
  • Needs minor tweaks to rc.firewall
  • Enable through rc.conf:

    firewall_enable="YES"
    firewall_type="simple"
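The rc.conf keys on the previous slides (gateway_enable, ppp_*, natd_*, firewall_enable) depend on each other: without gateway_enable nothing is forwarded, and natd only sees packets if the ipfw divert rule is loaded. The POSIX sh script below is an added example, not part of the presentation or of FreeBSD's rc system; it reads a copy of rc.conf and reports inconsistent combinations before a reboot. rc_get and check_gateway_rc are names chosen here; is_yes accepts the spellings FreeBSD's checkyesno does, and ppp_mode is checked only against the three modes the slides list.

```shell
#!/bin/sh
# Added example (not from the presentation): dry-run sanity check of the
# rc.conf settings a FreeBSD NAT gateway needs. Works on a copy of the file,
# so it can be run before rebooting.

# rc_get FILE KEY: print the value assigned to KEY in FILE; the last
# assignment wins, as it would when sh sources the file. Empty if unset.
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# is_yes VALUE: the spellings rc.subr's checkyesno treats as true.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_gateway_rc FILE: print one line per problem to stderr and return the
# number of hard errors (0 means the settings are consistent).
check_gateway_rc() {
    f=$1
    errors=0
    if ! is_yes "$(rc_get "$f" gateway_enable)"; then
        echo "ERROR: gateway_enable is not YES, so LAN packets will not be forwarded" >&2
        errors=$((errors + 1))
    fi
    if is_yes "$(rc_get "$f" ppp_enable)"; then
        if [ -z "$(rc_get "$f" ppp_profile)" ]; then
            echo "ERROR: ppp_enable=YES but ppp_profile names no ppp.conf label" >&2
            errors=$((errors + 1))
        fi
        case "$(rc_get "$f" ppp_mode)" in
            ddial|auto|background) ;;     # the modes the slides describe
            *)  echo "ERROR: ppp_mode must be ddial, auto or background" >&2
                errors=$((errors + 1)) ;;
        esac
    fi
    if is_yes "$(rc_get "$f" natd_enable)"; then
        if [ -z "$(rc_get "$f" natd_interface)" ]; then
            echo "ERROR: natd_enable=YES but natd_interface is unset" >&2
            errors=$((errors + 1))
        fi
        if ! is_yes "$(rc_get "$f" firewall_enable)"; then
            echo "ERROR: natd is fed by an ipfw divert rule, so firewall_enable must be YES" >&2
            errors=$((errors + 1))
        fi
        if is_yes "$(rc_get "$f" ppp_nat)"; then
            echo "WARNING: ppp_nat and natd are both on; ppp traffic would be translated twice" >&2
        fi
    fi
    return $errors
}

# Demo on a constructed rc.conf fragment for a cable-modem gateway.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed rc.conf fragment, values as on the slides
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-dynamic"
firewall_enable="YES"
firewall_type="simple"
EOF
check_gateway_rc "$demo" && echo "rc.conf gateway settings are consistent"
rm -f "$demo"
```

Point check_gateway_rc at a copy of /etc/rc.conf; each missing or contradictory key is reported on its own line, and the exit status is the error count, so it can gate a scripted install.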

Configuring Firewall
  • Edit rc.firewall (about line 20); lines marked "# delete" are removed

    # set these to your outside interface network and netmask and ip
    oif="ed0"
    onet="192.0.2.0"                # delete
    omask="255.255.255.240"         # delete
    oip="192.0.2.1"

    # set these to your inside interface network and netmask and ip
    iif="ed1"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.1"

    setup_loopback

    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}   # delete

Configuring LAN Machines
  • Configure each with a static IP
    • E.g. 192.168.0.2, 192.168.0.14
    • Netmask is the same as the gateway's (e.g. 255.255.255.0)
  • Must manually copy DNS info
  • Gateway IP is often required
    • May sometimes be referred to as a router
Caveats
  • NAT interferes with traffic
    • Okay for most connections (e.g. TCP)
    • Breaks active FTP (use passive FTP)
    • Creates problems for ICQ (and other UDP)
    • Breaks protocols that embed local IP
  • Firewalls can cause problems
    • Some protocols make incoming connections
      • E.g. identd for IRC, gnutella, other P2P
Future
  • Use the gateway as a DHCP server
    • Automatically provide IP, DNS, gateway to LAN machines
  • Web proxy (e.g. squid)
  • Web server (e.g. apache)
  • Mail server (e.g. postfix, qmail)
  • IMAP mail store (e.g. cyrus, courier)