wiki:FreeBSDXS4ALLFTTH

The Fritz!Box 7390 has issues with VAS and ICMP forwarding; secondly, I feel that the router's performance is not meeting its expectations, though I have not been able to verify this yet. Hence the switch to a FreeBSD-based router setup. First of all, homework: read the XS4ALL recommendations and the good write-ups by Roel Traag, part 1 and part 2, plus the Cisco examples on the KPN forum. Improvements: use PIM to make it cleaner.

/etc/dhclient.conf

# DHCP client settings for the IPTV VLAN (re0vlan4, see /etc/rc.conf): only the
# router and classless-route options are requested, and the client identifies
# itself to the provider's DHCP server with the "IPTV_RG" class identifier.
interface "re0vlan4" {
	request routers,classless-routes;
	send dhcp-class-identifier "IPTV_RG";
}

/etc/rc.conf

# /etc/rc.conf for the FreeBSD router: interface layout, routing and the
# daemons that make up the XS4ALL FTTH setup (their config files follow below).
hostname="routerZW.vanderzwet.net"
# sshd is reachable from the LAN; from ng0 (Internet) /etc/firewall.sh only
# passes TCP port 1022 to the router, so sshd must listen on 1022 if it is meant
# to be reachable from outside (sshd_config is not shown on this page - confirm).
sshd_enable="YES"

# Forward both address families; ng0 is the PPPoE interface created by mpd5 and
# is the upstream (WAN) link for IPv6.
gateway_enable="YES"
ipv6_gateway_enable="YES"
ipv6_cpe_wanif="ng0"


# re0 carries the two provider VLANs and gets no address of its own.
ifconfig_re0="up -wol -arp"
vlans_re0="re0vlan4 re0vlan6"
create_args_re0vlan4="vlan 4"
create_args_re0vlan6="vlan 6 -arp"

# IPTV VLAN
ifconfig_re0vlan4="DHCP"

# Internet VLAN
# IPv6 is kept off the parent and the PPPoE VLAN; it is brought up on ng0 by
# /usr/local/etc/mpd5/linkup.sh instead.
ifconfig_re0_ipv6="inet6 ifdisabled -nud -auto_linklocal -accept_rtadv"
ifconfig_re0vlan6_ipv6="inet6 ifdisabled -nud -auto_linklocal -accept_rtadv"

# Wireless Leiden
ifconfig_re1="172.17.107.20/24"

# Local Area Network
# The LAN carries the private /24, the public /29 (the VAS range that
# /etc/firewall.sh filters as 80.127.152.24/29) and the IPv6 /64 advertised by rtadvd.
ifconfig_re2="192.168.178.1/24"
ifconfig_re2_alias0="80.127.152.25/29"
ifconfig_re2_ipv6="inet6 2001:984:ac89:ffff::1"

# Routing Wireless Leiden
static_routes="wleiden"
route_wleiden="-net 172.16.0.0/12 172.17.107.1"

# PPPoE Tunnel for INET
mpd_enable="YES"

# DHCP for IPv6 (started via mpd5 - linkup script)
# Deliberately not started at boot: linkup.sh runs "dhcp6c onerestart" once ng0
# has an IPv6 link, and linkdown.sh stops it again.
dhcp6c_enable="NO"
dhcp6c_interfaces="ng0"

# IPv6 on LAN
rtadvd_enable="YES"
rtadvd_interfaces="re2"

# IPv6 on WAN
rtsold_enable="YES"

# IPv4 on LAN
dhcpd_enable="YES"
dhcpd_ifaces="re2"

# Firewall ACL
# "open" here selects the [Oo][Pp][Ee][Nn] branch of /etc/firewall.sh, which is a
# filtering ruleset for ng0 - not ipfw's stock pass-everything "open" type.
firewall_type="open"
firewall_enable="YES"
firewall_script="/etc/firewall.sh"

# NAT for LAN
# Three natd instances (Internet, IPTV, Wireless Leiden) are defined in
# /etc/natd.conf and matched by the divert rules in /etc/firewall.sh.
natd_enable="YES"
natd_flags="-f /etc/natd.conf"

# IPTV Multicast proxy
# Needs the multicast routing module loaded from /boot/loader.conf (ip_mroute_load).
igmpproxy_enable="YES"

# Caching DNS Server
unbound_enable="YES"

/boot/loader.conf

# Force output to run through the comconsole, no exceptions
console="comconsole"

# The PC Engines Alix/APU board's default serial settings cannot be changed, so 115200 it is.
comconsole_speed="115200"

ip_mroute_load="YES"

/usr/local/etc/mpd5/linkup.sh

#!/bin/sh
#
# mpd5 up-script (see "set iface up-script" in mpd.conf). mpd5 calls it with
# the interface name in $1 and the address family ("inet" or "inet6") in $2.

if [ -z "$1" ]; then
	exit 1
fi

case "$2" in
inet)
	# Lower the nice value of the parent (presumably mpd5) while the link is up.
	/usr/bin/renice -n -5 $PPID
	;;
inet6)
	# Accept router advertisements on the PPPoE interface, then restart dhcp6c
	# in the background; it is not started at boot (dhcp6c_enable="NO" in rc.conf).
	/sbin/ifconfig "$1" inet6 accept_rtadv -nud -no_radr
	(sleep 3; /usr/local/etc/rc.d/dhcp6c onerestart) &
	;;
esac

exit 0

/usr/local/etc/mpd5/linkdown.sh

#!/bin/sh
#
# mpd5 down-script (see "set iface down-script" in mpd.conf). Called with the
# interface name in $1 and the address family ("inet" or "inet6") in $2.
# Undoes what linkup.sh did: restores the parent's nice value and stops dhcp6c.

if [ -z "$1" ]; then
	exit 1
fi

case "$2" in
inet)
	# Undo the renice done by linkup.sh for the parent (presumably mpd5).
	/usr/bin/renice -n +5 $PPID
	;;
inet6)
	# No exit status is forced here: the script ends with the status of this stop.
	/usr/local/etc/rc.d/dhcp6c stop
	;;
esac

/usr/local/etc/mpd5/mpd.conf

# mpd5 configuration: one PPPoE link (P1 on re0vlan6) in one bundle (B1) that
# provides the Internet uplink (ng0) with IPv4 via IPCP and IPv6CP enabled.
startup:
        # configure mpd users
        # NOTE(review): "foo"/"bar" (admin) and "foo1"/"bar1" are placeholder-grade
        # credentials for the console and web UI below; replace them.
        set user foo bar admin
        set user foo1 bar1
        # configure the console
        set console self 127.0.0.1 5005
        set console open
        # configure the web server
        # NOTE(review): the web UI binds to every address, unlike the loopback-only
        # console above. /etc/firewall.sh only drops TCP setup to the router on ng0,
        # so port 5006 stays reachable from re1 (Wireless Leiden), re0vlan4 and the
        # LAN; bind it to 127.0.0.1 unless remote access is really intended.
        set web self 0.0.0.0 5006
        set web open

#
# Default configuration is "dialup"

default:
        load pppoe_client

pppoe_client:
#
# PPPoE client: only outgoing calls, auto reconnect,
# ipcp-negotiated address, one-sided authentication,
# default route points on ISP's end
#

        create bundle static B1
        # up/down scripts receive the interface name and address family (see linkup.sh).
        set iface   up-script /usr/local/etc/mpd5/linkup.sh
        set iface down-script /usr/local/etc/mpd5/linkdown.sh
        # Accept whatever local/remote address IPCP negotiates.
        set ipcp ranges 0.0.0.0/0 0.0.0.0/0
        set bundle enable ipv6cp
        set iface route default
        load nat


        create link static P1 pppoe
        set link action bundle B1
        set link latency 1200
        set link bandwidth 100000000
        # 0 = retry forever, with keep-alive echo every 10 s and a 60 s timeout.
        set link max-redial 0
        set link keep-alive 10 60
        #set link mtu 1492
        # (typo in the commented-out line below: "ppooe" would have to be "pppoe" if it is ever re-enabled)
        #set ppooe max-payload 1500

        # NOTE(review): the PPPoE account and password are stored in cleartext here
        # and have been published with this page; keep mpd.conf mode 0600 and rotate
        # the password.
        set auth authname FB7490@xs4all.nl
        set auth password FB7490

        # PPPoE runs on the Internet VLAN (vlan 6 on re0, see /etc/rc.conf); an empty
        # service name accepts any service the access concentrator offers.
        set pppoe iface re0vlan6
        set pppoe service ""
        open

/etc/rtadvd.conf

re2:\
        :addr="2001:984:ac89:ffff::":prefixlen#64:\
        :rdnss="2001:984:ac89:ffff::1":\
        :dnssl="vanderzwet.net":

/usr/local/etc/dhcpd.conf

default-lease-time 600;
max-lease-time 7200;

authoritative;

log-facility local7;

subnet 192.168.178.0 netmask 255.255.255.0 {
  range 192.168.178.50 192.168.178.200;
  option routers 192.168.178.1;
  option domain-name "thuis.vanderzwet.net";
  option domain-name-servers 192.168.178.1;
  option vendor-class-identifier "IPTV_RG";
  option broadcast-address 192.168.178.255;
}

/usr/local/etc/unbound.conf

# unbound: caching resolver for the LAN and the Wireless Leiden network.
server:

	verbosity: 1

	# Listen on loopback, the LAN (v4 and v6) and the Wireless Leiden address.
	interface: 127.0.0.1
	interface: ::1
	interface: 192.168.178.1
	interface: 2001:984:ac89:ffff::1
	interface: 172.17.107.20

	# Only these ranges may query; other sources get unbound's default refuse.
	# Note that the whole 172.16.0.0/12 Wireless Leiden range is served, not just
	# the directly attached /24 on re1.
	access-control: 192.168.178.0/24 allow
	access-control: 172.16.0.0/12 allow
	access-control: 2001:984:ac89::/48 allow

	

# Empty sections: no python module and no control socket are enabled here.
python:

remote-control:

# Forwarders and local zones live in separate files (not shown on this page).
include: /usr/local/etc/unbound/forward.conf
include: /usr/local/etc/unbound/lan-zones.conf

/etc/resolv.conf

search vanderzwet.net
nameserver 127.0.0.1

nameserver 194.109.6.66
nameserver 194.109.9.99
nameserver 194.109.104.104
nameserver 2001:888:0:6::66
nameserver 2001:888:0:9::99

/etc/firewall.sh

# Fragment of the ipfw ruleset run as firewall_script (see /etc/rc.conf).
# ${fwcmd}, ${firewall_type} and ${natd_enable} are not set in this fragment and
# must come from the caller; the loopback and final default rules are not shown
# here either. ipfw evaluates rules in number order, so the order below matters.
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
	case ${natd_enable} in
	[Yy][Ee][Ss])
		# Rule 50: Internet NAT through the default natd instance (the "natd"
		# service port, 8668 in /etc/natd.conf); traffic within the public /29 is
		# left untranslated.
		${fwcmd} add 50 divert natd ip4 from not 80.127.152.25/29 to not 80.127.152.25/29 via ng0

		# Rule 51: IPTV through the "iptv" natd instance (port 8669 on re0vlan4).
		${fwcmd} add 51 divert 8669 ip4 from 10.201.184.0/22 to me via re0vlan4
		${fwcmd} add 51 divert 8669 ip4 from 192.168.178.0/24 to 10.201.184.0/22 via re0vlan4

		${fwcmd} add 51 divert 8669 ip4 from 192.168.178.0/24 to 213.75.112.0/21 via re0vlan4
		${fwcmd} add 51 divert 8669 ip4 from 213.75.112.0/21 to me via re0vlan4

		# Rule 52: Wireless Leiden through the "wleiden" natd instance (port 8670 on re1).
		${fwcmd} add 52 divert 8670 ip4 from 192.168.178.0/24 to 172.16.0.0/12 out via re1
		${fwcmd} add 52 divert 8670 ip4 from 172.16.0.0/12 to me in via re1

		;;
	esac

	# Allow DHCPv6
	# DHCPv6 client port (546) from link-local sources only; must precede the
	# "deny ... to me ... proto udp" rule for ng0 below.
	${fwcmd} add pass udp from fe80::/10 to me 546

	# Allow TCP through if setup succeeded
	# "established" matches TCP segments with ACK or RST set, for both families.
	${fwcmd} add pass tcp from any to any established
	${fwcmd} add pass ipv6 from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Wireless Leiden Special
	${fwcmd} add pass tcp from any to 80.127.152.27/32 dst-port 9000-9100 in via ng0 setup

	# Allow setup of incoming TCP stuff to VAS
	# Per-port holes from ng0 into the public /29 (IPv4) and the delegated /48 (IPv6).
	for i in 25 53 80 443 465 993 1022; do 
		${fwcmd} add pass tcp from any to 80.127.152.24/29 dst-port ${i} in via ng0 setup
		${fwcmd} add pass ip6 from any to 2001:984:ac89::/48 dst-port ${i} in via ng0 setup proto tcp
	done
	# Allow setup of incoming UDP stuff to VAS
	for i in 53 123; do 
		${fwcmd} add pass udp from any to 80.127.152.24/29 dst-port ${i} in via ng0
		${fwcmd} add pass ip6 from any to 2001:984:ac89::/48 dst-port ${i} in via ng0 proto udp
	done

	# TCP Access to Router
	# The router itself accepts only port 1022 from ng0 (presumably sshd - confirm in sshd_config).
	for i in 1022; do
		${fwcmd} add pass tcp from any to me dst-port ${i} in via ng0 setup
		${fwcmd} add pass ip6 from any to me dst-port ${i} in via ng0 setup proto tcp
	done

	# Allow UDP on VAS
	# check-state here lets replies to the keep-state entries created below match
	# before the deny rules that follow.
	${fwcmd} add check-state
	${fwcmd} add pass udp from 80.127.152.24/29 to any out via ng0 proto udp keep-state
	${fwcmd} add pass ip6 from 2001:984:ac89::/48 to any out via ng0 proto udp keep-state

	# Allow UDP on Router
	${fwcmd} add pass udp from me to any out via ng0 proto udp keep-state
	${fwcmd} add pass ip6 from me to any out via ng0 proto udp keep-state

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log ip4 from any to 80.127.152.24/29 in via ng0 setup proto tcp
	${fwcmd} add deny log ip4 from any to 80.127.152.24/29 in via ng0 proto udp
	${fwcmd} add deny log ip6 from any to 2001:984:ac89::/48 in via ng0 setup proto tcp
	${fwcmd} add deny log ip6 from any to 2001:984:ac89::/48 in via ng0 proto udp

	# Access limit to Router
	${fwcmd} add deny log ip4 from any to me in via ng0 setup proto tcp
	${fwcmd} add deny log ip4 from any to me in via ng0 proto udp
	${fwcmd} add deny log ip6 from any to me in via ng0 setup proto tcp
	${fwcmd} add deny log ip6 from any to me in via ng0 proto udp

	# Allow setup of any other TCP connection
	# NOTE(review): no "via" qualifier - the deny rules above only cover ng0, so
	# TCP connection setup arriving on re1 (Wireless Leiden), re0vlan4 (IPTV) and
	# re2 (LAN) to the router or to any other network passes here unconditionally,
	# including the sshd, unbound and mpd5 web (5006) listeners. Add per-interface
	# rules if those networks are not fully trusted.
	# NOTE(review): nothing in this fragment passes the translated natd
	# redirect_port target (udp to 192.168.178.3:5060 from /etc/natd.conf) inbound
	# from ng0 - verify against the rules outside this fragment.
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	# (commented out: the keep-state UDP rules above already cover the router's outbound UDP via ng0)
	#${fwcmd} add pass udp from me to any 53 keep-state

	# Allow NTP queries out in the world
	#${fwcmd} add pass udp from me to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	# In-kernel NAT branch (stock rc.firewall logic): only taken when
	# firewall_nat_enable=YES. The /etc/rc.conf on this page uses natd instead and
	# does not set it, so this branch is presumably skipped here.
	case ${firewall_nat_enable} in
	[Yy][Ee][Ss])
		if [ -n "${firewall_nat_interface}" ]; then
			if echo "${firewall_nat_interface}" | \
				grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
				firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
			else
				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
			fi
			${fwcmd} nat 123 config log ${firewall_nat_flags}
			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
		fi
		;;
	esac
esac

/etc/natd.conf

# default instance
port 8668
dynamic
redirect_port udp 192.168.178.3:5060 5060
interface ng0

# second instance
instance iptv
port 8669
dynamic
interface re0vlan4

# third instance
instance wleiden
port 8670
dynamic
interface re1