Internet access gateway on the Raspberry Pi running FreeBSD

Sometimes we get Internet access by wire but want it over WiFi (some hotels do this).
Sometimes we can get Internet access over WiFi for only one device, but we want to use several devices (other hotels do this).
So we need a device that works as an Internet access gateway.
Here is a description of how to set up such a device on a Raspberry Pi running FreeBSD.

We will get the Internet on the Ethernet interface “ue0”. It will be the external interface.
We can also get the Internet over WiFi. Here is a description of how to set up USB WiFi on the Raspberry Pi. That will slightly change the description that follows.

We will provide the Internet over WiFi to clients connected to our device. Here is a description of how to set up a Wireless Access Point on the Raspberry Pi.

Setting up the Wireless Access Point is a necessary condition for this, but not a sufficient one.

Routing

When we have more than one network interface and want to pass traffic from one to another, we need to set up packet forwarding.
To do that we add this line to the file /etc/rc.conf:

gateway_enable="YES"

To enable routing right now, without a reboot, set the sysctl(8) variable net.inet.ip.forwarding to 1:

# sysctl net.inet.ip.forwarding=1

NAT

Now we need to set up Network Address Translation (NAT).
FreeBSD has three firewalls built into the base system: PF, IPFW, and IPFILTER, also known as IPF.
We can use any of them for NAT.
I decided to use PF. PF comes from OpenBSD. PF is a complete, full-featured firewall.

To enable PF we need to add these two lines to the file /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"

For our goal a simple rule set is enough:

  • set up NAT
  • block unwanted incoming packets
  • set up the FTP proxy
  • manage ICMP
  • set up traffic normalization

This is our /etc/pf.conf:

ext_if = "ue0"               # external interface
int_if = "wlan0"             # internal interface
localnet = $int_if:network   # the network attached to the internal interface

# traffic normalization: reassemble fragments, drop malformed packets
scrub in all

# translate the local network to the address of the external interface
nat on $ext_if from $localnet to any -> ($ext_if)

# hand FTP connections from clients to ftp-proxy(8) listening on port 8021
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# default deny: drop unwanted incoming packets
block in all
block return

# rules inserted at run time by ftp-proxy(8)
anchor "ftp-proxy/*"

# allow outbound traffic and anything from the local side, keeping state
pass out on $ext_if proto { tcp, udp } to any keep state
pass from { lo0, $localnet } to any keep state

# allow ping and "destination unreachable" messages
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types keep state


To enable the FTP proxy, we need to add this line to /etc/rc.conf:

ftpproxy_enable="YES"

To check pf.conf for errors we can use this command:

# pfctl -vnf /etc/pf.conf


To start PF we can use this command:

# service pf start

Let’s check network connectivity from a client connected to our new Internet access gateway.


It works!

DNS

But there is one more thing we need to set up: the Domain Name System (DNS).
Our Internet access gateway should provide domain name resolution.
In FreeBSD 10, the Berkeley Internet Name Domain (BIND) was removed from the base system and replaced with Unbound. Unbound is a validating caching resolver only.
We need to set up Unbound to provide resolution services.

To enable Unbound, we need to add the following line to /etc/rc.conf:

local_unbound_enable="YES"

To start Unbound we can use this command:

# service local_unbound onestart

It creates a config file, located by default at /var/unbound/unbound.conf.
But we need to set the listening interface and allow access from the local side of our Internet access gateway:

server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key
        # listen on loopback and on the address of the internal interface only
        interface: 127.0.0.1
        interface: 192.168.1.1
        # answer queries only from the local network
        access-control: 192.168.1.0/24 allow

include: /var/unbound/forward.conf


Let’s check DNS resolution and network connectivity from a client connected to our new Internet access gateway one more time:


That’s all!
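As an added example (not part of the original post), here is a small POSIX sh audit that re-checks the settings from the sections above against copies of rc.conf, pf.conf and unbound.conf. The audit_gateway function and the file paths are my own, and the sample files are constructed inline; it also flags two weaknesses the post's configuration avoids: NAT bound to the internal interface, and an Unbound that listens on every address or allows 0.0.0.0/0.

```shell
# audit_gateway RC_CONF PF_CONF UNBOUND_CONF -> exit 0 if clean, 1 if any finding.
# Checks the rc.conf switches the post needs, that NAT hangs off the external
# interface only with a default deny inbound, and that Unbound is not an open resolver.
audit_gateway() {
    rc=$1; pf=$2; ub=$3; bad=0
    for key in gateway_enable pf_enable ftpproxy_enable local_unbound_enable; do
        grep -Eq "^${key}=\"?YES\"?" "$rc" || { echo "rc.conf: $key is not YES"; bad=1; }
    done
    grep -Eq '^pf_rules=' "$rc" || { echo 'rc.conf: pf_rules is not set'; bad=1; }
    grep -Eq '^nat on \$ext_if ' "$pf" || { echo 'pf.conf: no "nat on $ext_if" rule'; bad=1; }
    grep -Eq '^nat on \$int_if ' "$pf" && { echo 'pf.conf: NAT on the internal interface'; bad=1; }
    grep -Eq '^block in all' "$pf" || { echo 'pf.conf: no "block in all" default deny'; bad=1; }
    grep -Eq '^scrub in' "$pf" || { echo 'pf.conf: no scrub rule'; bad=1; }
    grep -Eq '^[[:space:]]*interface:[[:space:]]*0\.0\.0\.0' "$ub" && { echo 'unbound.conf: listens on 0.0.0.0'; bad=1; }
    grep -Eq '^[[:space:]]*access-control:[[:space:]]*0\.0\.0\.0/0[[:space:]]+allow' "$ub" && { echo 'unbound.conf: open resolver (0.0.0.0/0 allow)'; bad=1; }
    grep -Eq '^[[:space:]]*access-control:[[:space:]]*[0-9./]+[[:space:]]+allow' "$ub" || { echo 'unbound.conf: no access-control allow for the LAN'; bad=1; }
    return $bad
}
# Constructed sample files (not the real ones) mirroring the configuration above.
D=$(mktemp -d)
cat > "$D/rc.conf" <<'EOF'
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
ftpproxy_enable="YES"
local_unbound_enable="YES"
EOF
cat > "$D/pf.conf" <<'EOF'
ext_if = "ue0"
int_if = "wlan0"
localnet = $int_if:network
scrub in all
nat on $ext_if from $localnet to any -> ($ext_if)
block in all
pass from { lo0, $localnet } to any keep state
EOF
cat > "$D/unbound.conf" <<'EOF'
server:
        interface: 127.0.0.1
        interface: 192.168.1.1
        access-control: 192.168.1.0/24 allow
EOF
# A weak resolver config for contrast: wildcard bind and allow-all.
printf 'server:\n\tinterface: 0.0.0.0\n\taccess-control: 0.0.0.0/0 allow\n' > "$D/unbound-open.conf"
audit_gateway "$D/rc.conf" "$D/pf.conf" "$D/unbound.conf" && echo "gateway configuration looks sane"
```

Run it against the live files with audit_gateway /etc/rc.conf /etc/pf.conf /var/unbound/unbound.conf after editing them; it complements, not replaces, pfctl -vnf and unbound-checkconf.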
