Introduction

OVERVIEW:

Installing a BSD router isn't much different from installing a server. The network interfaces need to be configured, and gateways, routing, natting, filtering and any services need to be set up. We will install the system, and configure static IPs on the nics, define a gateway, locate a name resolver and enable basic packet controls.

Preconditions

Please be sure to do a workstation install on the row first before you do the router configuration.

INSTALLING (1):

Install on a row machine first. Installing from cd takes about 4 minutes :) Please follow the onscreen menu this time, you will need to get used to doing it this way.

RESTORING:

Instead of installing perl and lynx from source, we will restore a prebuilt /usr directory. It is located on the ftp server at 10.100.1.150. The file is usr_dump. Get an IP and pull the file to /var on your box. Run the command:

Commands:

	cd /var
	ftp 10.100.1.150
			user: ftp
			pass: 
		cd dumps
		bin
		get usr_dump
		quit
	cd /usr
	restore -ruf /var/usr_dump
    
The errors aren't important. Confirm that perl and lynx work okay.

INSTALLING (2):

You need to use (for this lab) the back row server as it is multihomed (has more than 1 network). You can add IPs to single NIC machines, but routing and filtering are limited. Install (from CD again) and restore (from ftp again) from usr_dump.

NETWORK INTERFACES:

When your newly installed system boots, it will need two IPs. We need to use the right interface for the internal and external nics, and initially there is business to do in the /etc/ directory (as usual).

Questions:

You first need to look at the output of /sbin/ifconfig.
Write out the location of the ifconfig binary on the system.


On NetBSD, you must give the command ifconfig -a. Write the names of the 2 interfaces and the status of each.


What is different between how NetBSD organizes its network interfaces and how Linux organizes its network interfaces?



tlp0:

You will put a static IP on tlp0 next.
Use 10.100.1.row[0], so if you are in row 1 the server is 10.100.1.10, and in row 2 it is 10.100.1.20.
The gateway for 10.100.1.x is host 254, and this must be set.

When configuring a static IP there are 2 possibilities: the ifconfig command, or a file that contains the IP information.

tlp1:

You also need to put a static IP on tlp1.
We are going to work with the 10.100.row[0].x subnet internally.
The row # will be the 3rd octet, so row 3 is 30, and then a host #, using a 24 bit mask.

Questions:

Write out a valid and complete ifconfig command for the wm0 interface that gives it an IP on the 10.100.row[0] subnet. This interface will be the gateway for its row.
(Syntax is available in the man page for ifconfig :)


The next steps (procedure for using files in /etc) are in the NetBSD Guide (browse to Chapter 23.2 of the guide).
List the file required by the system to successfully configure IP for a tlp1 interface.




Write what you put in the file.




List the file required by the system to define its hostname.


Write what you put in the file.


List the file required by the system to define its gateway.


Write what you put in the file.


Reboot and confirm that networking is correct for both interfaces.
Write the commands that you used to confirm networking is working for both interfaces:



Again, there is a command or a file that can be used, as noted above.


RC.CONF:

Chapter 7 of the Guide is on the rc files.

It is critical to understand that nothing works on BSD unless it is present in the file /etc/rc.conf (remember that rc always stands for runtime commands), or is present in the file /etc/defaults/rc.conf.
None of the start scripts in /etc/rc.d/ (see below) will work if the daemon isn't "turned on" in rc.conf.

To review, to turn on any service, put its name in /etc/rc.conf with =YES after it.

Turn on sshd and reboot.
Confirm that sshd is running - write the pid:

Run the command:

/etc/rc.d/network restart

to restart the network and check interfaces with ifconfig.

STATIC ROUTES:

To add a static route to BSD, the route add command is used.

Run the command:

/sbin/route add default 10.100.1.254

and then

/sbin/route show|less

The file /etc/mygate is the best place for the default gateway.
Create it and put in the address of the gateway.

echo '10.100.1.254' > /etc/mygate

Always check the result of any change to the system routing table with the command


/sbin/route show|less

and see that the entry you made is there and works.

NAME RESOLUTION:

There is a name server at 142.222.125.21 which we will use. The entry goes into the critical system file /etc/resolv.conf. The entry is:

nameserver 142.222.125.21

IP addressing, a default gateway and name resolution are set up. We now need to provide routing for clients.

ROUTING:

You must first change a kernel setting. BSD will not route packets whether you are using NAT or a routing daemon without this. The tool to do this is a utility called sysctl. Browse the output of

sysctl -a

These are all tunable settings. Read the man page for sysctl, and change the system so that IP packets are forwarded (they are not by default).

Questions:

Write the command that successfully turns on ip forwarding:


Confirm that the setting is correct with the command

/sbin/sysctl -a| grep forwarding

Hard code this setting into your system in the config file for sysctl which is /etc/sysctl.conf. Write the entry you added:


We are now ready to route for clients. Reboot the box.
Use a client on your 10.100.row[0] subnet, and configure it to use your router as a gateway.

Test your routing configuration.

More advanced routing is possible with the basic RIP routing daemon, /sbin/routed, which you can enable in rc.conf, giving control to the /etc/rc.d/routed script, or you can invoke manually from the command line or from within /etc/rc.local.

Turn routed on in rc.conf and start it:
Write the line you added to rc.conf:


Write the command to start routed:


Check if it is running with the command

ps ax

Write out the output of the whole line from ps ax that has the entry for routed on it:

IPF and IPNAT BASIC SETUP:

Since the system will route to the gateway without routed as long as forwarding is on, we will leave it for now. Routed teaches itself about other networks like all RIP routing systems (Cisco for example, which we have seen before). If we wish to have our routers learn about different networks in the lab, we can use routed to do this. All clients will be able to get to all the subnets on the rows.

Questions:

Kill the /sbin/routed daemon.
What commands did you have to type to do this?


Remove routed from rc.conf. Restart networking.

Commands:

	    Add these lines to rc.conf
    ipfilter=YES
    ipnat=YES
    
	    Create the file /etc/ipf.conf and put these lines in it.
    pass in log all
    pass out log all

	    Create the file /etc/ipnat.conf and put this line in it.
	    (Obviously you will map for your subnet).    
    map vr0 10.100.70.0/24 -> 0.0.0.0/32
		
	    You are now natting and packet filtering; you are passing all traffic at
	    this point, so no filtering is happening yet.
		
	    View the output of the commands:
    ipfstat -ih
    ipnat -l
	    to confirm this.
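
A check for the files created in this section and under RC.CONF, as an added example that is not part of the original lab. It reads copies of rc.conf, ipf.conf and ipnat.conf from a directory and reports services that are not switched on, directions that ipf passes by default, and a NAT map that was left on the wrong subnet. The function names, the directory argument and the temporary sample files are assumptions made for illustration, and only catch-all rules written with the "all" keyword are recognised.

```sh
# Added example, not part of the lab: audit copies of the files written above.

# rc_enabled FILE NAME: true if the last NAME= line in FILE switches NAME on.
# rc.conf is read as shell, so a later assignment overrides an earlier one.
rc_enabled() {
    val=$(awk -F= -v k="$2" '{ sub(/#.*/, ""); gsub(/[ \t"]/, "") }
        $1 == k { v = $2 } END { print v }' "$1")
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# ipf_default FILE DIR: prints pass, block or none for the catch-all rule
# ("... all", no interface or protocol) that decides direction DIR. ipf applies
# the last matching rule, unless an earlier matching rule says "quick".
ipf_default() {
    awk -v dir="$2" '{ sub(/#.*/, "") }
        ($1 == "pass" || $1 == "block") && $2 == dir && $NF == "all" &&
        !/ (on|proto) / && !done { act = $1; if (/ quick /) done = 1 }
        END { print (act == "" ? "none" : act) }' "$1"
}

# nat_maps FILE CIDR: true if FILE has a "map <interface> CIDR -> ..." rule.
nat_maps() {
    awk -v net="$2" '{ sub(/#.*/, "") }
        $1 == "map" && $3 == net && $4 == "->" { ok = 1 }
        END { exit !ok }' "$1"
}

# audit_router DIR CIDR: prints one finding per line for the files in DIR.
audit_router() {
    for svc in ipfilter ipnat; do
        rc_enabled "$1/rc.conf" "$svc" || echo "rc.conf: $svc is not enabled"
    done
    for d in in out; do
        if [ "$(ipf_default "$1/ipf.conf" "$d")" = pass ]; then
            echo "ipf.conf: direction '$d' passes all traffic by default"
        fi
    done
    nat_maps "$1/ipnat.conf" "$2" || echo "ipnat.conf: no map rule for $2"
}

# Constructed sample: this lab's file contents, audited for a row 3 router.
demo=$(mktemp -d)
printf 'ipfilter=YES\nipnat=YES\n' > "$demo/rc.conf"
printf 'pass in log all\npass out log all\n' > "$demo/ipf.conf"
printf 'map vr0 10.100.70.0/24 -> 0.0.0.0/32\n' > "$demo/ipnat.conf"
audit_router "$demo" 10.100.30.0/24
```

On the sample files it reports both ipf directions as pass-all and the missing map for 10.100.30.0/24, which is the state the lab describes before any filtering rules are written.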
    

Questions:

Write out the output of ipfstat/ipnat:
















Last updated: 2008-01-15
Updated by: Allan Jude

Written by: Allan Jude (2007)