This question was asked by me on serverfault.com. It was closed as off-topic, with a suggestion to ask here, on superuser. The OS is FreeBSD 13.0.
The setup that I need to establish is simple. In human terms, in simple words, I can describe the setup as below.
- My laptop is connected to ISP through Ethernet cable.
- I want it (my laptop) to transmit a WiFi signal, to act as a WiFi router for other devices. So my laptop will be an AP, or a router, you name it.
The result that I want is that my guests, and me, can use the internet through my laptop.
I had followed some forums and the FreeBSD handbook, but my cell-phone still refuses to go online, though I can ping it from my laptop.
My idea was to use dhcpd on a wlan0 network interface. After that, I was taught not to reinvent a bicycle, but to use NAT. In FreeBSD pf terms it will be something like (taken from the forums): nat on re0 inet from ! (re0) to any -> (re0). So I want everything from !re0, re0 being my cable to the ISP, to be translated to re0. My humble thinking is that some device connects to the AP, gets an IP of the wlan0 subnet, and traffic gets routed through NAT to the re0 cable connection.
Now the cell-phone gets an IP. I can ping the cell-phone. But there is no internet on the cell-phone.
I will update the information about my actual setup per request.
Please, if anyone has a working config, or a step-by-step guide, for how to make such a simple thing come to life... How do I make my laptop act as a typical WiFi router?
UPDATE
This is my pf config. As I mentioned earlier, I have a DHCP service that works on wlan0. The external interface, re0, is configured with a static address.
# The name of our network interface as seen in `ifconfig`
ext_if="re0"
usb_if="ue0"
wlan_if="wlan0"
all_ifs = "{" $ext_if $usb_if $wlan_if "}"
# Macros to define the set of TCP and UDP ports to open.
# Add additional ports or ranges separated by commas.
# UDP 60000-60010 is mosh control http://mosh.mit.edu/
tcp_services = "{ssh, http, https}"
udp_services = "{60000:60010}"
# If you block all ICMP requests you will break things like path MTU
# discovery. These macros define allowed ICMP types. The additional
# ICMPv6 types are for neighbor discovery (RFC 4861)
icmp_types = "{echoreq, unreach}"
icmp6_types="{echoreq, unreach, 133, 134, 135, 136, 137}"
# Modulate the initial sequence number of TCP packets.
# Broken operating systems sometimes don't randomize this number,
# making it guessable.
tcp_state="flags S/SA keep state"
udp_state="keep state"
# send RST
set block-policy return
# Exempt the loopback interface to prevent services utilizing the
# local loop from being blocked accidentally.
set skip on lo0
# all incoming traffic on external interface is normalized and fragmented
# packets are reassembled.
scrub in on $all_ifs all fragment reassemble
# set a default deny policy.
block in log all
# This is a desktop so be permissive in allowing outgoing connections.
pass out quick modulate state
# Enable antispoofing on the external interface
antispoof for $all_ifs
# block packets that fail a reverse path check. we look up the routing
# table, check to make sure that the outbound is the same as the source
# it came in on. if not, it is probably source address spoofed.
block in from urpf-failed to any
# drop broadcast requests quietly.
block in quick on $all_ifs from any to 255.255.255.255
# Allow the services defined in the macros at the top of the file
pass in on $all_ifs inet proto tcp from any to any port $tcp_services $tcp_state
pass in on $all_ifs inet6 proto tcp from any to any port $tcp_services $tcp_state
pass in on $all_ifs inet proto udp from any to any port $udp_services $udp_state
pass in on $all_ifs inet6 proto udp from any to any port $udp_services $udp_state
# Allow ICMP
pass inet proto icmp all icmp-type $icmp_types keep state
pass inet6 proto icmp6 all icmp6-type $icmp6_types keep state
# forward packets from wlan0 to re0(cable)
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
To be honest, I copy-pasted the above from some FreeBSD forum. With the above setup, I can ping my cell-phone, but that's all.
UPDATE
I've tidied pf.conf to
...
nat on $ext_if from $int_network to any -> $ext_if
pass out all
pass in all
...
Nevertheless, tcpdump on the pflog0 interface shows no activity at all. I do not know a simple way to test the network packet traffic that goes from $int_if. The internal network gets addresses assigned, but the packets that should go to the default gateway are missed somewhere.
Update
tcpdump on the "internal network" interface showed that the gateway for this interface, 192.168.0.1, is asking for the route to the default gateway. The default gateway is on a different network, and no routes were added to the routing table. So the cell-phone just keeps broadcasting for the default (cable) gateway.
I made changes to dhcpd.conf, with the DNS servers being those of the ISP's network, the gateway (router) being 192.168.0.1, and the rest as usual for the file.
The command route add -net <ISP gateway> <192.168.0.1> made a difference.
Marked as semi-closed, for myself.
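For comparison with the pf.conf above, here is an added example (not the poster's config, and not from the FreeBSD handbook) of the minimal router setup: IP forwarding switched on, a NAT rule for the wireless subnet, and pass rules that let the clients' DHCP and routed traffic in on wlan0. It assumes re0 is the ISP uplink, wlan0 is the AP interface with the laptop at 192.168.0.1/24, and clients in 192.168.0.0/24.

```shell
#!/bin/sh
# Added example (not the poster's config): minimal FreeBSD pf NAT for a laptop AP.
# Assumptions: re0 is the ISP uplink, wlan0 is the AP interface where the laptop
# holds 192.168.0.1/24 (the gateway dhcpd hands out) and clients sit in 192.168.0.0/24.
set -eu

EXT_IF="${EXT_IF:-re0}"
WLAN_IF="${WLAN_IF:-wlan0}"
WLAN_NET="${WLAN_NET:-192.168.0.0/24}"

# Print a pf.conf that does only what the router needs: NAT client traffic out of
# the uplink, let clients in on wlan0, keep the uplink closed to new connections.
gen_pf_conf() {
    ext_if=$1; wlan_if=$2; wlan_net=$3
    cat <<EOF
ext_if="$ext_if"
wlan_if="$wlan_if"
wlan_net="$wlan_net"

set skip on lo0
scrub in all fragment reassemble

# Translate client traffic to the uplink address; the parentheses make pf
# re-read the address if the ISP hands re0 a new one.
nat on \$ext_if inet from \$wlan_net to any -> (\$ext_if)

block in log all
pass out quick keep state

# DHCP DISCOVER/REQUEST arrive from 0.0.0.0, so they need their own rule.
pass in quick on \$wlan_if inet proto udp from any port 68 to any port 67
# Everything else from the wireless clients is let in and then NATed on re0.
pass in on \$wlan_if inet from \$wlan_net to any keep state
EOF
}
# Forwarding must be on, or the kernel drops the clients' packets before pf
# can route them; a nat rule alone is not enough.
apply_router() {
    sysctl net.inet.ip.forwarding=1
    gen_pf_conf "$EXT_IF" "$WLAN_IF" "$WLAN_NET" > /etc/pf.conf
    pfctl -nf /etc/pf.conf      # syntax check first
    pfctl -ef /etc/pf.conf      # enable pf and load the rules
}

case "${1:-show}" in
    apply) apply_router ;;      # run as root on the FreeBSD laptop
    *) gen_pf_conf "$EXT_IF" "$WLAN_IF" "$WLAN_NET" ;;
esac
```

The sysctl call is not persistent; to survive a reboot, put gateway_enable="YES" and pf_enable="YES" in /etc/rc.conf.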
Update
Because of the nature of my LAN (the WiFi dongle can be unplugged at any time), I had to add some scripts with devd.conf to dynamically add/delete the route from the internal network default gateway to the ISP default gateway.
Simply put two scripts (rtwn0_up.sh and rtwn0_down.sh) into /usr/local/sbin/.
The possible action for notify (calling those scripts) when the network interface goes UP/DOWN is:
# rtwn0.conf
# /usr/local/etc/devd/
notify 100 {
    match "system" "IFNET"
    match "subsystem" "rtwn0" # name of the interface for my WI-FI dongle
    match "type" "LINK_UP"
    media-type "802.11"
    action "/usr/local/sbin/rtwn0_up.sh"
};

notify 100 {
    match "system" "IFNET"
    match "subsystem" "rtwn0" # name of the interface for my WI-FI dongle
    match "type" "LINK_DOWN"
    media-type "802.11"
    action "/usr/local/sbin/rtwn0_down.sh"
};
I searched through the SO web and could not find a similar problem.
I just have to admit that reading the FreeBSD documentation about useful services could have saved me a lot of time. I am just starting to get familiar with devd. But even at this point, I feel that it is a great way to gather all the scripting burden in one place.
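The post names rtwn0_up.sh and rtwn0_down.sh but does not show them. Below is an added example (not the poster's scripts) of one hook that serves both devd actions, called as "rtwn0_route.sh up" from LINK_UP and "rtwn0_route.sh down" from LINK_DOWN; it adds or deletes the route the post describes (network <ISP gateway> via 192.168.0.1), with ISP_GW as a placeholder to replace, and tolerates devd firing the same event twice.

```shell
#!/bin/sh
# Added example, not the poster's scripts: one devd hook for the WiFi dongle,
# called as "rtwn0_route.sh up" from the LINK_UP action and "rtwn0_route.sh down"
# from LINK_DOWN. It adds/deletes the route the post describes (network
# <ISP gateway> via 192.168.0.1); ISP_GW below is a placeholder to replace.
set -eu

INT_GW="${INT_GW:-192.168.0.1}"      # laptop's wlan0 address, the clients' gateway
ISP_GW="${ISP_GW:-203.0.113.1}"      # PLACEHOLDER: your ISP's gateway address
TAG="rtwn0-hook"

# Compose the route(8) command for an action without running it, so the hook
# can be checked without touching the routing table.
build_route_cmd() {
    case "$1" in
        add)    printf 'route -q add -net %s %s' "$ISP_GW" "$INT_GW" ;;
        delete) printf 'route -q delete -net %s' "$ISP_GW" ;;
        *)      return 1 ;;
    esac
}

# route(8) fails when the route already exists (add) or is gone (delete);
# devd may fire the same event twice, so treat that as done and just log it.
run_route() {
    cmd=$(build_route_cmd "$1")
    if $cmd 2>/dev/null; then
        logger -t "$TAG" "$1 route: $cmd"
    else
        logger -t "$TAG" "$1 route skipped (already applied): $cmd"
    fi
}

case "${1:-}" in
    up)   run_route add ;;
    down) run_route delete ;;
    *)    echo "usage: $0 up|down" >&2 ;;
esac
```

With this single script, both devd notify blocks point their action at it: "/usr/local/sbin/rtwn0_route.sh up" for LINK_UP and "/usr/local/sbin/rtwn0_route.sh down" for LINK_DOWN.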