DHCP Router

Introduction:

Providing DHCP routing on your network is an effective and efficient way of managing and distributing IP addresses to the client machines. There are several ways to accomplish this in FreeBSD; one method is shown below. We will configure the server to run the wide-dhcp service so that the workstations on the network are dynamically assigned IPs through a protected firewall.

Special thanks goes out to Aaron Heck who wrote this article for us.

To configure your server with the following services you will need to customize your kernel, install the appropriate ports, configure those ports, and start the service.

Customizing the Kernel:

  1. Read over Kernel Customization for instructions
  2. Add the following options:

    options IPFILTER #Enable ipnat
    options IPFILTER_LOG #log the ipnat stuff
    options IPFIREWALL
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_FORWARD
    options IPV6FIREWALL
    options IPV6FIREWALL_VERBOSE
    options IPV6FIREWALL_VERBOSE_LIMIT=100
    options IPV6FIREWALL_DEFAULT_TO_ACCEPT
    options IPFIREWALL_VERBOSE_LIMIT=100

  3. Change maxusers to an appropriate value:
    e.g. set maxusers to 64

Configure NICs and IPNAT:

  1. Find out which nic is doing what:
    # ifconfig -a

  2. Your outside nic is the one that connects you to the internet (it already has an IP address)
  3. Configure the other nic manually and modify the /etc/rc.conf file
    # vi /etc/rc.conf

    Make sure your network_interfaces line lists both nics and your loopback
    network_interfaces="xl0 xl1 lo0"

    Two ifconfig lines, one per nic.
    External nic (xl0 here, the same interface ipnat.conf will later name as the outside nic):

    ifconfig_xl0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"

    Either create a new line for the second nic, or copy and paste.
    On the new line, give the inside nic (xl1) a valid private address:
    ifconfig_xl1="inet 10.0.0.254 netmask 255.255.255.0"
    Add:

    firewall_enable="YES" # Set to YES to enable firewall functionality
    firewall_type="OPEN" # Firewall type (see /etc/rc.firewall)
    firewall_quiet="YES" # Set to YES to suppress rule display
    gateway_enable="YES"
    router_enable="YES"
    router="routed"
    router_flags="-q"

  4. Create /usr/local/etc/ipnat.conf
    # vi /usr/local/etc/ipnat.conf

    Add a line that reads:
    map (outside nic) (inside network)/(prefix length) -> (outside ip)/(prefix length)
    eg: map xl0 10.0.0.0/24 -> 0/32
    (use the inside network address, not the router's own 10.0.0.254; 0/32 tells ipnat to use whatever address the outside nic currently has)

  5. Link the file to /etc/ipnat.conf
    # ln -s /usr/local/etc/ipnat.conf /etc/ipnat.conf

  6. Lastly, let's make the daemon start every time we boot.
    # vi /usr/local/etc/rc.d/ipnat.sh

    Add:

    #script to start the ip NAT daemon
    /sbin/ipnat -f /usr/local/etc/ipnat.conf
    echo -n ' ipnat'

  7. Set the ipnat.sh to be executable
    # chmod +x-w /usr/local/etc/rc.d/ipnat.sh

  8. Reboot the server!
  9. At this point the setup works if you statically assign IPs to the internal machines in the range 10.0.0.1 - 10.0.0.253 with netmask 255.255.255.0 (you will also have to assign DNS server addresses statically)

Installing Wide-Dhcps:

  1. You will need to install a DHCP server - I'll cover using wide-dhcp.

    # cd /usr/ports/net/wide-dhcp
    # make all install clean

  2. Build your DHCP pools
    # vi /usr/local/etc/dhcpdb.pool

    Add this (edit as appropriate for your network):

    # global entry which specifies the stuff every host uses.
    # (continuation lines start with ":" so the joined entry stays a valid termcap-style record)
    global:!snmk=255.255.255.0:tmof=32400:rout=10.0.0.254:dht1=500:\
    :dht2=850:brda=10.0.0.255:dnsv=(dns server 1) (dns server 2 - check /etc/resolv.conf):\
    :dnsd=(domain name - eg whatever.com):

    # entries for manual allocation (DHCP, BOOTP)
    3001: :ipad=10.0.0.1:hstn="pc1.whatever.com":tblc=global:clid="1:0x(mac address)":
    3002: :ipad=10.0.0.2:hstn="pc2.whatever.com":tblc=global:clid="1:0x(mac address)":

    # entries for dynamic allocation (DHCP)
    3010: :ipad=10.0.0.10:dfll=3600:maxl=7200:tblc=global:
    3011: :ipad=10.0.0.11:dfll=3600:maxl=7200:tblc=global:
    3012: :ipad=10.0.0.12:dfll=3600:maxl=7200:tblc=global:

    # entries for automatic allocation (BOOTP)
    30050: :ipad=10.0.0.50:albp=true:tblc=global:

  3. Create an empty file called /usr/local/etc/dhcpdb.relay
    # touch /usr/local/etc/dhcpdb.relay

    While you're at it:
    # touch /var/db/dhcpdb.bind

  4. Create links to those files in /etc

    # ln -s /usr/local/etc/dhcpdb.pool /etc/dhcpdb.pool
    # ln -s /usr/local/etc/dhcpdb.relay /etc/dhcpdb.relay

  5. Copy and edit /usr/local/etc/rc.d/wide-dhcps.sh

    # cp /usr/local/etc/rc.d/wide-dhcps.sh.sample /usr/local/etc/rc.d/wide-dhcps.sh
    # vi /usr/local/etc/rc.d/wide-dhcps.sh

    Change the nic name so it points to your INTERNAL nic.
    The line looks like: {PREFIX}/sbin/dhcps ep1
    If the script refers to a {PREFIX} setting, replace it with the real path (/usr/local/...) and remove the whole if-block that tests {PREFIX}.

  6. Set wide-dhcps.sh to be executable
    # chmod +x-w /usr/local/etc/rc.d/wide-dhcps.sh

  7. Try running it manually to get it up and running

    # /usr/local/etc/rc.d/wide-dhcps.sh start
    # ps -ax | grep dhcp

    If it doesn't run, check /var/log/messages

    # tail /var/log/messages

  8. Reboot the system.
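As an added check (not part of wide-dhcp or the original article): before starting dhcps, join the pool file's continuation lines and look for two mistakes that would silently hand out bad leases, the same address listed in two entries and an address outside the inside network. Function names and the constructed sample pool, which deliberately contains both faults, are mine.

```shell
#!/bin/sh
# Sanity-check a wide-dhcp dhcpdb.pool before starting dhcps. Added example,
# not part of wide-dhcp or the original article; the function names and the
# sample pool below are my own.

# Join "...:\" continuation lines and drop comments and blank lines so that
# every pool entry comes out as one line (leading/trailing blanks stripped).
join_pool_entries() {
    awk '
        { sub(/[ \t]+$/, ""); sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { print buf $0; buf = "" }'
}

# Print "entry address" for every entry that carries an ipad= capability
# (the global entry has none and is skipped automatically).
list_pool_addresses() {
    join_pool_entries | awk -F: '
        { for (i = 2; i <= NF; i++)
              if ($i ~ /^ipad=/) print $1, substr($i, 6) }'
}

# Flag addresses used by two entries (two clients would be offered the same
# IP) and addresses outside the inside /24. $1 is the network prefix, e.g.
# "10.0.0.". One line per finding; exit status 1 if anything was found.
check_pool() {
    list_pool_addresses | awk -v net="$1" '
        BEGIN { bad = 0 }
        index($2, net) != 1 {
            print "entry " $1 ": " $2 " is outside " net "0/24"; bad = 1 }
        $2 in seen {
            print "entry " $1 ": " $2 " already used by entry " seen[$2]; bad = 1; next }
        { seen[$2] = $1 }
        END { exit bad }'
}

# Constructed pool in the article's layout, with two deliberate faults:
# 3011 reuses pc1's address and 3012 lies outside 10.0.0.0/24.
SAMPLE_POOL='# global entry
global:!snmk=255.255.255.0:tmof=32400:rout=10.0.0.254:dht1=500:\
        :dht2=850:brda=10.0.0.255:dnsv=10.0.0.254:\
        :dnsd=whatever.com:
3001: :ipad=10.0.0.1:hstn="pc1.whatever.com":tblc=global:clid="1:0x00c0ffee0001":
3010: :ipad=10.0.0.10:dfll=3600:maxl=7200:tblc=global:
3011: :ipad=10.0.0.1:dfll=3600:maxl=7200:tblc=global:
3012: :ipad=10.0.1.12:dfll=3600:maxl=7200:tblc=global:'
```

Run `check_pool 10.0.0. < /usr/local/etc/dhcpdb.pool` from wide-dhcps.sh and abort the start when it returns 1.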

Additional Information and Tips:

Connect your systems to the internal nic

  1. If you are connecting a system directly, or through a hub that does not switch into cross connect, you will need to purchase a cross connect (crossover) cable for this to work.
  2. Enjoy your new network.

FTP Issues

  1. If you are going to use ftp from behind your firewall you will have to set your ftp client to passive mode; that is the only way ftp can pass through the firewall.

Port Mapping

  1. You may want to forward some ports through to inside machines, such as port 5800 for VNC or 21 for ftp.
  2. Edit the /usr/local/etc/ipnat.conf file
    # vi /usr/local/etc/ipnat.conf

    Add the following lines and edit as needed

    rdr (external nic) (external ip)/32 port (port) -> (dest internal ip) port (port) tcp

    Example for VNC ports 5800 and 5900:

    rdr xl0 192.231.64.48/32 port 5800 -> 10.0.0.1 port 5800 tcp
    rdr xl0 192.231.64.48/32 port 5900 -> 10.0.0.1 port 5900 tcp

  3. Note that you must specify your actual external IP address for this to work. If your external address is assigned dynamically, you can instead build ipnat.conf from the current address inside /usr/local/etc/rc.d/ipnat.sh:

    # vi /usr/local/etc/rc.d/ipnat.sh

    # take the current address of the external nic (field 2 of its "inet ... netmask ..." line)
    ip_add=`ifconfig xl0 | grep "netmask" | cut -d ' ' -f 2`
    # rewrite ipnat.conf from it, then append the port forwards; keep these lines before the /sbin/ipnat -f line
    echo 'map xl0 10.0.0.0/24 -> 0/32' > /usr/local/etc/ipnat.conf
    echo 'rdr xl0 '${ip_add}'/32 port 5800 -> 10.0.0.1 port 5800 tcp' >> /usr/local/etc/ipnat.conf
    echo 'rdr xl0 '${ip_add}'/32 port 5900 -> 10.0.0.1 port 5900 tcp' >> /usr/local/etc/ipnat.conf
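As an added example (not from the original article), a more defensive version of the dynamic-address script above: it parses the ifconfig output with awk, generates the map and rdr rules from one list of ports, and refuses to overwrite ipnat.conf when the external nic has no address yet. It keeps the article's xl0, 10.0.0.0/24 and 10.0.0.1 values; the function names and the sample ifconfig output are mine.

```shell
#!/bin/sh
# Regenerate ipnat.conf on boot for a router whose external address is
# dynamic, then load it. Added example, not from the original article; it
# keeps the article's xl0 / 10.0.0.0/24 / 10.0.0.1 values, the function
# names are my own.

# Read ifconfig(8) output on stdin and print the first IPv4 address.
# FreeBSD prints "<tab>inet A.B.C.D netmask 0x... broadcast ...", so the
# address is field 2 of the first line whose first field is "inet";
# inet6 lines never match. Prints nothing if the link has no address yet.
extract_inet_addr() {
    awk '$1 == "inet" { print $2; exit }'
}

# Print an ipnat.conf: one map rule for the inside network and one tcp
# rdr rule per forwarded port.
#   $1 external nic  $2 external address  $3 inside network (CIDR)
#   $4 inside host receiving the forwards  $5... tcp ports to forward
build_ipnat_conf() {
    ext_if=$1; ext_ip=$2; inside_net=$3; dest=$4
    shift 4
    printf 'map %s %s -> 0/32\n' "$ext_if" "$inside_net"
    for port in "$@"; do
        printf 'rdr %s %s/32 port %s -> %s port %s tcp\n' \
            "$ext_if" "$ext_ip" "$port" "$dest" "$port"
    done
}

# What the boot script would run. Writes to a temporary file first and
# only replaces /usr/local/etc/ipnat.conf when an address was found, so a
# half-up link does not leave the router with an empty or broken NAT table.
#   $1 external nic
regen_and_load() {
    addr=$(ifconfig "$1" | extract_inet_addr)
    if [ -z "$addr" ]; then
        echo "ipnat.sh: no IPv4 address on $1 yet, keeping old ipnat.conf" >&2
        return 1
    fi
    build_ipnat_conf "$1" "$addr" 10.0.0.0/24 10.0.0.1 5800 5900 \
        > /usr/local/etc/ipnat.conf.new &&
    mv /usr/local/etc/ipnat.conf.new /usr/local/etc/ipnat.conf &&
    /sbin/ipnat -C -F -f /usr/local/etc/ipnat.conf   # flush old rules, load new
}

# Constructed ifconfig output for a dry run (not captured from a real box).
SAMPLE_IFCONFIG='xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.231.64.48 netmask 0xffffff00 broadcast 192.231.64.255
        ether 00:00:00:00:00:00'
```

Because firewall_type="OPEN" installs allow-all ipfw rules, every rdr line exposes that inside port to the whole internet, so the port list passed to build_ipnat_conf should contain only the services you actually mean to publish.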