Newbie Success Story - FreeBSD LAN/WAN Gateway Setup

James A. Coulter james.coulter at cox.net
Thu Jul 22 19:04:27 PDT 2004


Even though I discovered and installed FreeBSD for the first time over two
years ago, I was never able to figure out how to get a computer running
FreeBSD to act as a gateway to the WAN for my small home LAN.

Like many people raised on Windows, I was impatient and never researched the
technical data fully, instead searching the mailing lists in the hopes of
finding an easy answer.

Even after purchasing Greg Lehey's excellent "The Complete FreeBSD" and
Annelise Anderson's "FreeBSD: An Open-Source Operating System for your
Personal Computer" I was still getting nowhere and still getting frustrated.
Finally, I asked the FreeBSD-questions list what I was doing wrong and got
almost instant feedback: turn Network Address Translation on.

In other words, your FreeBSD box must not only act as a gateway to the
internet, but as a router, too.

All these years of letting Windows wizards do the heavy lifting for me had
left me dumb and lazy.  I thought that enabling the gateway
(gateway_enable="YES") in the rc.conf was all I needed to do.

Well, it's not, and in case another newbie making the transition from
Windows to FreeBSD gets here after typing "FreeBSD gateway" into Google,
here's a very quick list of what you'll need to do to get your new FreeBSD
box to pass packets back and forth between the Internet and your home LAN:

1.  You'll need two nics in your FreeBSD gateway/router box - one connected
to your modem (the WAN) and one connected to your hub (the LAN)

1.  Build a custom kernel with the following options included:

	options IPFIREWALL
	options IPDIVERT

You can find instructions on building a custom kernel in Chapter 8 of the
FreeBSD Handbook
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html).  (A
word to the wise - if it doesn't work the first time, start over and make
only a few changes to the GENERIC kernel at a time, re-compiling and
re-installing after each change until you get it where you want it)

2.  Create a file in /etc and name it rc.nat.  Put the following lines in
it:

	/sbin/ipfw -f flush
	# (your WAN nic) is e.g. dc0 or maybe ed1
	/sbin/ipfw add divert natd all from any to any via (your WAN nic)
	/sbin/ipfw add pass all from any to any

3. Add (or change) the following in /etc/rc.conf

	# "DHCP" assumes your ISP provides you with a dynamic IP address
	ifconfig_(WAN nic)="DHCP"
	# LAN address: I used 192.168.1.1
	ifconfig_(LAN nic)="inet XXX.XXX.X.XXX netmask 255.255.255.0"
	gateway_enable="YES"
	firewall_enable="YES"
	firewall_script="/etc/rc.nat"
	firewall_type="OPEN"
	natd_enable="YES"
	natd_interface="(WAN nic)"
	natd_flags="-dynamic"

(WARNING: Although this configuration enables your firewall, it also sets
it wide open, which means in effect it is not operating and you're not
getting any protection.  Firewall configuration is my next FreeBSD goal...)

4. Execute the following (as a superuser):
	/etc/netstart

5. Check connectivity to the Internet by running ifconfig and ensuring both
your nics are up and your ISP has assigned an IP address to your WAN nic.
PING www.freebsd.org to make sure you're REALLY connected to the internet...

6. Configure the other computers on your LAN with static IP addresses in the
same subnet as your LAN nic (my LAN nic's IP address is 192.168.1.1, the
WinXP machine I am typing this e-mail on is 192.168.1.101).  Make sure you
specify Domain Name Servers (DNS) addresses!

6. Check connectivity between your other computers and the FreeBSD
gateway/router by pinging it.

7.  Finally try pinging www.freebsd.org - congrats if you get a response!
If not, all I can say is keep reading the man pages and if all else fails
send an e-mail to the freebsd-questions mailing list with the contents of
your rc.conf and output of ifconfig and netstat -rn and almost certainly
somebody will help you out like they helped me out.

Good luck and thanks again to the FreeBSD community for all your help - I'm
sure it won't be long before I'm asking for help configuring my firewall.

Jim C.
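
One way to sanity-check the files from steps 2 and 3 before running /etc/netstart, as an added example that is not part of the original post: it reads copies of rc.conf and rc.nat, reports settings that are missing or inconsistent, and flags the wide-open ruleset the WARNING describes. The function names rc_value and audit_gateway, the temp directory and the sample files (with dc0 as the WAN nic) are assumptions made up for this example.

```shell
#!/bin/sh
# Added example: audit copies of the rc.conf and rc.nat from steps 2 and 3.
# Read-only text checks; it never calls ipfw or changes the running firewall.

# rc_value FILE KEY: print the value assigned to KEY (last assignment wins).
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# audit_gateway RC_CONF RULES: print one finding per line, nothing if clean.
audit_gateway() {
    rc=$1 rules=$2
    for key in gateway_enable firewall_enable natd_enable; do
        case $(rc_value "$rc" "$key") in
            [Yy][Ee][Ss]) ;;
            *) echo "MISSING: $key is not \"YES\" in $rc" ;;
        esac
    done
    wan=$(rc_value "$rc" natd_interface)
    if [ -z "$wan" ]; then
        echo "MISSING: natd_interface is not set in $rc"
    # The divert rule has to name the interface natd is bound to.
    elif ! grep -Eq "divert[[:space:]]+natd[[:space:]].*via[[:space:]]+${wan}([[:space:]]|\$)" "$rules"; then
        echo "MISMATCH: no divert natd rule via $wan in $rules"
    fi
    # An unconditional pass rule is the wide-open state the post warns about.
    open='add[[:space:]]+([0-9]+[[:space:]]+)?(pass|allow|accept|permit)[[:space:]]+(all|ip)'
    if grep -Eq "${open}[[:space:]]+from[[:space:]]+any[[:space:]]+to[[:space:]]+any[[:space:]]*\$" "$rules"; then
        echo "OPEN: $rules passes all traffic, so nothing is filtered"
    fi
}

# Constructed sample files mirroring the post's settings (dc0 as the WAN nic).
demo=$(mktemp -d /tmp/gwaudit.XXXXXX)
cat > "$demo/rc.conf" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.nat"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="dc0"
natd_flags="-dynamic"
EOF
cat > "$demo/rc.nat" <<'EOF'
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via dc0
/sbin/ipfw add pass all from any to any
EOF
audit_gateway "$demo/rc.conf" "$demo/rc.nat"
```

A line written with spaces around the "=" is reported as MISSING, because /bin/sh does not treat it as an assignment when rc.conf is read.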


