This is a small report about a T-DSL flat-rate setup with FreeBSD. It starts from a fresh installation of the FreeBSD 5.0 developer preview; later versions may match my setup.
The final goal of this document is to build a router that connects to the world automatically and serves the connection to the client hosts on the subnet. Therefore it has two ethernet devices, one for the DSL modem and the other one for the internal subnet.

Workstation 1 ---\                +--------------+
Workstation 2 ----HUB-------------+ed0 Server vx0+------DSL-Modem---NTBA---Internet
                 /                +--------------+
Workstation n ---/
{ Local Intranet }                   { DMZ }                  { Internet Zone }
Table of Contents
- T-DSL router with FreeBSD 5.0
- Ethernet device setup
- Setup PPPoE and IP-Forwarding
- PPP connection setup
- NAT
- Dialing at boot
- DNS
- What’s next?
- My problems during setup
- Warning
Ethernet device setup
I started by configuring my two ethernet devices. These are two PCI cards, a Realtek 8029 based ne2k clone (ed0) and a 3Com Vortex 3c590 (vx0). If you use devices from other manufacturers these names (ed0, vx0) may differ. If you use ISA cards, you will have to set these devices up manually in the kernel. For this purpose have a look at the how-tos regarding kernel configuration and ISA cards.
The 5.0-preview sysinstall is pretty funny and won’t accept any card other than the first one. So I edited /etc/rc.conf on my own:
ifconfig_ed0="inet 192.168.42.254 netmask 255.255.255.0"
ifconfig_vx0="inet 192.168.0.1 netmask 255.255.255.0"
Now restart your network. An ifconfig should look as nice as this one:
gw# ifconfig
vx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::220:afff:fef5:dbe4%vx0 prefixlen 64 scopeid 0x1
        ether 00:20:af:f5:db:e4
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.42.254 netmask 0xffffff00 broadcast 192.168.42.255
        inet6 fe80::24f:49ff:fe00:b44e%ed0 prefixlen 64 scopeid 0x2
        ether 00:4f:49:00:b4:4e
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
Setup PPPoE and IP-Forwarding
To act as a router the server has to forward IP packets. The connection itself is made using PPP over Ethernet (PPPoE). Ok, now back to /etc/rc.conf:
gateway_enable="YES"
router="/sbin/routed"
router_enable="YES"
router_flags="-q"
This enables IP forwarding (gateway_enable) and starts the routing daemon. Then I did some kernel configuration in /boot/loader.conf to activate the netgraph modules and PPPoE:
ng_UI_load="YES"
ng_ether_load="YES"
ng_pppoe_load="YES"
ng_socket_load="YES"
Hint: If you’re not using 5.0, perhaps a system before 4.2, you WILL have to build a new kernel!
Now all the low-level work is done. A system restart is recommended.
PPP connection setup
The DSL connection is made via the ppp daemon, so we have to set up a ppp profile. This is pretty easy. Start your favorite editor (vi!) on /etc/ppp/ppp.conf:
default:
 set device PPPoE:vx0
 set MTU 1492
 set MRU 1492
 set dial
 set crtscts off
 set speed sync
 accept lqr
 disable deflate
 disable pred1
 disable vjcomp
 disable acfcomp
 disable protocomp
 set log Phase LCP IPCP CCP Warning Error Alert
 set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0
 add default HISADDR
 set login
 set authname 1234567890121234567890120001@t-online.de
 set authkey 12345678
This is a minimalistic configuration. Replace the following lines with your data:
- set device PPPoE:(your external ethernet device, i.e. ed1 or vx0 …)
- set authname Careful! This is a pretty nasty number. It’s your T-Online account separated into 4 parts (FAQ in german) – and then joined:
  - The port-ID, german “Anschlusskennung” (12 digits).
  - The T-Online-ID, german “T-Online Nr” (12 digits). If it has less than 12 digits then add a “#” to the end of the number (only in this case!).
  - The user-ID, german “Mitbenutzernummer” (4 digits). This one is “0001”.
  - The domain name, “@t-online.de”.
- set authkey The password (8 digits).
So now be careful and have at least two more looks at your numbers. T-Online accepts only 5 tries before your account is locked. Then you have to consult the hotline (and send fax) to unlock your account again. It happened to me on another account. That sucked.
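Because a handful of mistyped logins locks the account, it pays to assemble and check the authname mechanically before it goes into ppp.conf. The following POSIX sh helper is an added example, not part of the original how-to: it joins the four parts described above, appends the “#” only when the T-Online-Nr is shorter than 12 digits, and refuses malformed input. All numbers in it are constructed placeholders, not real account data.

```shell
#!/bin/sh
# Added example (not from the original how-to): build and sanity-check the
# T-Online authname from its four parts before writing it to /etc/ppp/ppp.conf.
# Every sample number used here is a constructed placeholder.

# is_digits STRING LEN: succeed only if STRING is exactly LEN decimal digits.
is_digits() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -eq "$2" ]
}

# build_authname ANSCHLUSSKENNUNG TONLINENR MITBENUTZERNUMMER
# Prints the joined login name on stdout; on malformed input it prints a
# reason on stderr and returns non-zero so nothing half-right gets dialed.
build_authname() {
    ak="$1" tnr="$2" mb="$3"
    if ! is_digits "$ak" 12; then
        echo "Anschlusskennung must be exactly 12 digits" >&2; return 1
    fi
    # T-Online-Nr: 1 to 12 digits; a number shorter than 12 digits is
    # terminated with '#' (and only in that case).
    case "$tnr" in
        ''|*[!0-9]*) echo "T-Online-Nr must be digits only" >&2; return 1 ;;
    esac
    if [ "${#tnr}" -gt 12 ]; then
        echo "T-Online-Nr must not exceed 12 digits" >&2; return 1
    fi
    if [ "${#tnr}" -lt 12 ]; then
        tnr="${tnr}#"
    fi
    if ! is_digits "$mb" 4; then
        echo "Mitbenutzernummer must be 4 digits (usually 0001)" >&2; return 1
    fi
    printf '%s%s%s@t-online.de\n' "$ak" "$tnr" "$mb"
}

# check_authkey PASSWORD: the password described above is 8 digits.
check_authkey() {
    is_digits "$1" 8
}

# Demonstration with constructed placeholder values (an 8-digit T-Online-Nr,
# so the '#' terminator is added):
build_authname 123456789012 12345678 0001
```

Compare the printed string character by character with your paperwork before dialing; the script only catches structural mistakes, not a wrong digit.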
Ok, we are not patient and go on by starting ppp. Huuuuh!
gw# ppp
ppp> dial
PPP>
Yes, “IT JUST WENT THRU” – we’re online! Try pinging an IP address outside your net from another xterm or console. DNS resolution won’t work at this stage. Try pinging an IP address on the internet from a workstation – it won’t work either, but don’t bother.
NAT
First, take a beer and lay back. The remaining configuration is easy. Do a “quit” in your ppp shell. The connection dies.
For the client hosts (workstations) we’ll have to configure NAT. NAT (Network Address Translation) is known to Linux users as IP masquerading. NAT is simple. The client hosts connect via the router to a machine on the internet. The router rewrites every packet from the client host so that the originating IP is not the client host’s but the router’s IP. This is pretty useful in several circumstances:
- Noone outside your subnet knows about your workstations.
- Your router does not have to route packets from the bad outside into your subnet. This is a security issue.
- The DSL modem will only route one ethernet device. So we must use NAT.
To enable NAT on your server just add a flag to your ppp shell the next time you start it:
gw# ppp -nat
Now dial and the connection is up again – now with NAT. Your workstations can now ping IPs on the internet. See also shared DSL-Flatrate access with more users (german version).
Dialing at boot
Because you are cool and don’t want to dial the connection manually, just put the dialer parameters into /etc/rc.conf:
ppp_enable="YES"
ppp_profile="default"
ppp_mode="ddial"
ppp_nat="YES"
DNS
Now a local primary nameserver has to be configured. Edit /etc/namedb/named.conf:
options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        forward only;
        forwarders {
                194.25.0.60;    // resolv-h.dtag.de (Hannover)
        };
        notify no;
        listen-on { 192.168.42.254; };
};

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};
The forwarders list contains T-Online nameservers. Ask your shop for the nearest nameserver or just use this one in Hannover (194.25.0.60).
Now we’ll have to do the localhost zone. Fire up your vi on /etc/namedb/localhost.rev:
$TTL 3600
@       IN SOA  gw.mydomain.org. root.gw.mydomain.org. (
                        20021201        ; Serial
                        3600            ; Refresh
                        900             ; Retry
                        3600000         ; Expire
                        3600 )          ; Minimum
        IN NS   gw.mydomain.org.
1       IN PTR  gw.mydomain.org.
This is your localhost zone. Replace the following lines with corresponding data:
- @ IN SOA … gw.mydomain.org. has to be replaced by your HOSTNAME (gw) + ‘.’ + your domainname (mydomain.org) + ‘.’; this is called the fully qualified domain name (FQDN). If you don’t have a domainname, then don’t bother choosing a fantasy name like “mysub.net”. Be careful. Your net will think it’s being integrated under this domain. If you ever try to point your webbrowser to www.mysub.net it might not reach the real mysub.net on the internet. So don’t choose for instance yahoo.com. Just a fantasy domainname.
- The serial line. This is a timestamp for your zone. Fill in today’s date – backwards. I.e.: January 4th, 2003 looks like “20030104”.
- IN NS Put your FQDN here + ‘.’
- 1 IN PTR Put your FQDN here + ‘.’
Now tell your server to resolve DNS by asking your own DNS server (remember, your server just forwards). Your own server will listen on localhost and on the internal subnet. Edit /etc/resolv.conf:
domain mydomain.org
nameserver 192.168.42.254
Do a /etc/rc.d/named start and try pinging a domain name.
gw# /etc/rc.d/named start
named
gw# ping www.t-online.de
PING www.t-online.de (212.185.47.89): 56 data bytes
64 bytes from 212.185.47.89: icmp_seq=0 ttl=250 time=65.138 ms
64 bytes from 212.185.47.89: icmp_seq=1 ttl=249 time=62.952 ms
64 bytes from 212.185.47.89: icmp_seq=2 ttl=250 time=63.779 ms
64 bytes from 212.185.47.89: icmp_seq=3 ttl=249 time=62.657 ms
64 bytes from 212.185.47.89: icmp_seq=4 ttl=250 time=63.585 ms
^C
--- www.t-online.de ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 62.657/63.622/65.138/0.861 ms
gw#
Yeah. DNS is working and can be enabled in /etc/rc.conf for the next boot:
named_enable="YES"
What’s next?
A rudimentary connection gateway is now up. Your workstations have to be configured to use your server as gateway and DNS server.
- At this point I put up a DHCP server, so all setup information is managed by the server and handed out to the workstations, which are DHCP clients. For this purpose I used the ISC DHCPD from the ports collection. See /usr/ports/net/isc-dhcpd.
- I put up a mailserver, so that the server itself manages all email and spam/virus filtering. Take a look at sendmail and qpopper for SMTP and POP3.
- I put up a paranoid firewall ruleset so that the server is protected against portscans, spoofed IPs and break-in attempts. Have a look at the BSD firewalling system and the howtos. This is strongly recommended since there are permanent portscans on the T-Online DIPs!
- Port-scan your own external interface to see which ports are open to the bad world. See /etc/services for the port-number to service-name mapping. Close these ports!
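The last item asks which ports are open towards the outside. Before scanning from outside, the same information can be read locally from the socket table: a service bound to the wildcard address answers on the PPP interface too, while one bound only to the internal address (as named is through its listen-on above) does not. The following POSIX sh/awk filter is an added example, not from the original page; it runs over netstat -an -f inet output and the sample shown is constructed, not captured from the author’s machine.

```shell
#!/bin/sh
# Added example (not from the original how-to): sort the gateway's listening
# sockets by exposure, using the output format of `netstat -an -f inet`.
# The sample below is constructed for the example; the real check is
#   netstat -an -f inet | exposed_listeners
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.42.254.53      *.*                    LISTEN
udp4       0      0  192.168.42.254.53      *.*
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
tcp4       0      0  192.168.42.254.110     *.*                    LISTEN
tcp4       0      0  192.168.42.254.1023    212.185.47.89.80       ESTABLISHED'

# exposed_listeners: read netstat output on stdin and print "proto port" for
# every TCP listener or UDP socket bound to the wildcard address ("*.port").
# These are reachable over the DSL side unless a firewall blocks them.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            laddr = $4
            if (laddr ~ /^\*\./) {
                # UDP lines have no state column; TCP must be LISTEN
                if ($1 ~ /^udp/ || $6 == "LISTEN") {
                    sub(/^\*\./, "", laddr)
                    print $1, laddr
                }
            }
        }'
}

# internal_only_listeners IP: same filter, but for sockets bound only to the
# given internal address (e.g. 192.168.42.254); these are not reachable from
# the PPP interface regardless of firewall rules.
internal_only_listeners() {
    awk -v ip="$1" '
        $1 ~ /^(tcp|udp)/ && index($4, ip ".") == 1 {
            if ($1 ~ /^udp/ || $6 == "LISTEN") {
                # strip "<ip>." to leave the port number
                print $1, substr($4, length(ip) + 2)
            }
        }'
}

# Demonstration on the constructed sample:
echo "Reachable from outside (wildcard binds):"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "Bound to the internal address only:"
printf '%s\n' "$SAMPLE_NETSTAT" | internal_only_listeners 192.168.42.254
```

In the sample, sshd (22), sendmail (25) and syslogd (514) are wildcard-bound and therefore exposed until the firewall ruleset from the previous item is in place, while named (53) and the POP3 daemon (110) only face the subnet.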
My problems during setup
- My loopback interface lo0 lost its IP 127.0.0.1 in the 5.0 developer preview. I had to reset it manually in the boot scripts by:
ifconfig lo0 127.0.0.1
- I became familiar with PAM. I had to edit the /etc/pam.d/* files to enable several logins like pop3, ssh …
Warning
This configuration is a minimalistic setup of a T-DSL connection. A firewall is strongly recommended – but not discussed here! See those howtos and USE a firewall.