
FreeBSD Network Tutorial/How-To Guide Page 1

A Network Tutorial/How-To Guide


for the FreeBSD OS
by Nick Rogness

FreeBSD Gateway/Router
Nick Rogness nick@rogness.net

Introduction

This guide takes you through the steps of setting up your FreeBSD box to be your gateway/
router. Some fundamentals of routing and networking are required of the reader. I won't get into too
much detail about the routing itself, but you'd be better off at least knowing the concepts.

FreeBSD Gateway Concepts

One of the most popular things to do is to use your PC and FreeBSD as the router for your home
network. The concept is fairly straightforward. You have 2 ethernet cards: one for your 'inside'
network and one for your 'internet connection' or 'outside' network. You enable routing and voilà!
Conceptually, here is a map of how your network will look when you are done:

http://freebsd.rogness.net/redirect.cgi?basic/gateway.html 06/23/2004 11:22:01 PM



Adding a local network

First off, let's add a local network. This is sometimes called an 'inside' or 'private' network. This is
due to the fact that the IP space (the IPs used on the network) is private and reserved (see RFC1918).
Anyhow, in order to add a 'private' network you need to add another ethernet card to your FreeBSD
machine. You need at least 2 ethernet cards to use this setup. Make sure you install both cards.
Bring the machine up with both network cards installed. In my example I use the xl0 interface as the
'outside' or 'public' ethernet card. This xl0 card connects to my internet connection. In this example
I'm using ethernet cards, but they could be ANY interface (ppp, tun, gif, etc). I'm using xl1 as my
'private' ethernet connection. The ordering is irrelevant. I could have just as easily chosen xl0 to be
my private and xl1 to be my public. It makes no difference.

Once you have both cards installed and they show up in ifconfig output, you are set and ready to go.
Configure the inside address as some IP in your private IP space. In my example I chose to use
192.168.0.0/24 as my RFC1918 private IP space. In reality it doesn't matter what IP range is used.
But for simplicity, I'm using 192.168.0.0 through 192.168.0.254. I assign an IP to my xl1 card. I
chose to use 192.168.0.1 as my BSD machine's interface (once again, pick any one out of your range
of private IP space). If you don't know how to set up the interfaces, please visit my Interfaces page.
Remember what IP you assign to the xl0 interface as you will need it later. xl0 will have an IP from
my ISP. Basically, leave xl0 alone. We will be doing work on xl1 only.

Enabling gateway routing

Now it's time to tell BSD that it is OK to let packets get forwarded or 'routed' between interfaces. This
is accomplished by a sysctl variable: net.inet.ip.forwarding. To set it:

# sysctl -w net.inet.ip.forwarding=1

This flag (when set to 1 meaning ON) tells the kernel it is OK to forward packets between interfaces.
Of course, this won't set it permanently. You need to add an option to /etc/rc.conf:

gateway_enable="YES"

You just turned your machine into a ROUTER!!!

Client setups

Setting options in the clients' TCP/IP settings is crucial for this to work right. The idea is to have the
client machines on the private network (192.168.0.0/24) point their gateway at the IP you assigned to
xl1 (in my case it is 192.168.0.1). To do this, edit the client machine's TCP/IP settings. Add an IP from
the range 192.168.0.2 through 192.168.0.254, set the netmask to 255.255.255.0 (/24), and set the
gateway address to the IP you assigned to your xl1 interface (192.168.0.1). Add the DNS servers. If
you set up DNS on your BSD machine as shown in the DNS section, you can use the DNS server
on your machine by putting the IP assigned to xl1 in as the DNS server (in my case 192.168.0.1). If
you didn't set up DNS on your BSD machine, just use your ISP's DNS server. Although, I would
recommend setting up a caching-only nameserver for several reasons (all of which are out of scope
for this).

Before you go any further, make sure you can 'ping 192.168.0.1' from ALL YOUR CLIENT
MACHINES! Nothing is more irritating than troubleshooting complex problems when the real cause
is something simple.
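The steps above (private interface address, the forwarding sysctl and its rc.conf line, client addresses drawn from .2 through .254) can be sanity-checked before the ping test. This is an added example, not part of the original guide; it assumes the guide's names (xl1 as the private interface, 192.168.0.0/24 as the private range) and reads the sysctl output as a string so it runs on any host:

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for the
# gateway setup.  xl1 and 192.168.0.0/24 are the guide's values; change
# the three variables below to match your own network.

PRIV_IF="xl1"
PRIV_NET="192.168.0"
GW_IP="${PRIV_NET}.1"

# Emit the /etc/rc.conf lines that make the setup survive a reboot: the
# private interface address and the forwarding flag.  xl0 is left alone.
gateway_rc_conf() {
    printf 'ifconfig_%s="inet %s netmask 255.255.255.0"\n' "$PRIV_IF" "$GW_IP"
    printf 'gateway_enable="YES"\n'
}

# Given one line of 'sysctl net.inet.ip.forwarding' output
# (e.g. "net.inet.ip.forwarding: 1"), succeed when forwarding is on.
# On the gateway itself pass "$(sysctl net.inet.ip.forwarding)".
forwarding_enabled() {
    [ "${1##*: }" = "1" ]
}

# Check both halves of the routing step: the kernel flag is on now AND
# rc.conf carries gateway_enable so it stays on after a reboot.
# Arguments: the sysctl output line, then the contents of rc.conf.
gateway_persistent() {
    forwarding_enabled "$1" || { echo "forwarding is off"; return 1; }
    printf '%s\n' "$2" | grep -q '^gateway_enable="YES"' \
        || { echo "gateway_enable=\"YES\" missing from rc.conf"; return 1; }
}

# A client address is usable only if it sits inside the private /24, is
# not the network (.0) or broadcast (.255) address, and is not the
# gateway's own .1, i.e. it falls in the guide's .2 through .254 range.
client_addr_ok() {
    [ "${1%.*}" = "$PRIV_NET" ] || return 1
    host="${1##*.}"
    case "$host" in ''|*[!0-9]*) return 1 ;; esac
    [ "$host" -ge 2 ] && [ "$host" -le 254 ]
}

# Demonstration on constructed inputs (what the real commands would print).
gateway_persistent "net.inet.ip.forwarding: 1" "$(gateway_rc_conf)" && echo "routing: OK"
for c in 192.168.0.2 192.168.0.1 10.0.0.5; do
    client_addr_ok "$c" && echo "$c: usable" || echo "$c: not usable"
done
```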

NAT

At this point, if you try to ping or go to an internet address, nothing will work. The reason for this is
that when you send traffic to a machine outside your private network, the packet gets sent to your
default gateway. The default gateway, in this case your FreeBSD machine, sends the packet
unchanged out the xl0 interface to the internet (through your ISP). Well, the problem with that is the
IP space you are running on your inside network is what they call 'non-routable'. In simple terms, it
means that those IPs can't be routed across the backbone of the internet. See RFC1918 for more
detail.

So, we have a solution. It is called NAT. It changes your private IPs to a public IP, sends the packet out, and
when the reply comes back it changes the destination back to the private IP that originally sent it. NAT is very
complex, which is why I wrote a whole how-to on it. To set it up, please read the NAT section.

Testing your Solution

Testing is fairly straightforward. Try surfing with your clients, checking mail, etc. If you run into
problems, turn on logging both in natd and in the firewall. Most of the time you missed something
really straightforward.

Another problem with NAT is that some things just won't work through NAT. Notably, IPSEC
VPNs, H.323, and some chat/transfer programs. This has to do with the stupidity of Microsoft and
others, but there are workarounds...all of which are difficult to implement.
