FreeBSD/Linux as Fibre Broadband router Part 2

In part one I described how to set up PPP and the pf firewall to provide NAT with port forwarding and other good things. In Part 2 I’ll add DHCP, and as a bonus I’ll add configuration for an IP address block, for if you have that kind of ISP. If you want that kind of ISP but can’t find one, I can point at a few that do. In Part 3 I’ll cover DNS and BIND.

DHCP

There’s never been a DHCP server in the FreeBSD base, but it’s easily installed by compiling the port or installing the package. Your best bet for FreeBSD is the DHCP daemon from OpenBSD (the net/dhcpd port), which is derived from the old ISC dhcpd. But beware: the OpenBSD one, although its version number (6.6) tracks the OpenBSD release, lags behind the other package, isc-dhcp44, as it doesn’t support peer (failover) servers. If you’ve only got one DHCP server on your network, it’s fine. If you want to have primary and secondary servers, or load balance them, look at the latest ISC one instead. I’ll deal with that in another post.

pkg install dhcpd

Before you kick it off you really ought to edit the configuration file, /usr/local/etc/dhcpd.conf. There’s usually a second copy of it suffixed with .sample, and it’s pretty self-documenting. I’m posting the basics from a real configuration, which I shall annotate to death. But first, something about the network we’re defining:

I’m going to have a LAN on 192.168.1.0/24, which means hosts get addresses in the range 192.168.1.1 to 192.168.1.254. This isn’t a tutorial on routing; just leave the first and last address alone for now (192.168.1.0 is the network address and 192.168.1.255 the broadcast address). The network will have a domain. This is optional, but if you’re doing your own DNS you’ll want one. You don’t have to register this domain externally; you can make one up, but don’t end it in .local, because multicast DNS (RFC 6762) has claimed that for itself and Apple and Linux clients will try to resolve it by multicast rather than asking your server. home.arpa (RFC 8375) is reserved for exactly this use. But let’s assume you have a real one: “example.com”. You’ve created a subdomain for this site called mysite.example.com and it has an A record to prove it, and you’ll probably want to delegate the DNS to it later. But if you’re not worried about domain names, don’t worry about all of this.

The router (i.e. the FreeBSD box) is going to be on 192.168.1.2, which is set up in rc.conf. It can’t be assigned automatically by DHCP because, well, we’re also the DHCP server and that would be silly.

Assuming your LAN-side network interface is bge0 (remember the modem is on bge1 in Part 1) the following line would do it:

sysrc ifconfig_bge0="inet 192.168.1.2 netmask 255.255.255.0"

Obviously change bge0 to the name of your actual Ethernet interface! You might wonder why I’m putting the router on 192.168.1.2 instead of 192.168.1.1, which is a common convention. It’s simple: There are so many home user network appliances that come with 192.168.1.1 as their default IP address, and if you plug one in to your LAN the clash will cause merry hell before you’ve been able to go to their web interface to configure it to something else.

I want some devices to have a fixed IP address supplied by DHCP, and other things to have dynamically allocated ones: friends using the guest WiFi, for example. Having network infrastructure like switches and WAPs on static addresses handed out by DHCP is a good way to go. Connecting network printers to Windoze is smoother if they’re on a fixed IP too. But going around and setting it on each device is a pain, so do it by DHCP, where it’s defined in one place and can be managed in one place. It works by recognising the MAC address in the request and giving back whatever IP address you have chosen. Bear in mind that this is convenience, not authentication: a MAC address is trivially spoofed, so a pf rule that trusts 192.168.1.3 is really trusting whoever claims that MAC. Don’t hang anything that matters off the address alone.

As a final tip, keep your network address plan as comments in dhcpd.conf – it’s where you want the information anyway. And with that, here’s the sample file:


# This is the domain name that will be supplied to everything on
# the LAN by default. This is the domain that will be searched if you
# enter a host name. For example, if you want to connect to "fred-pc" it
# will look for it as fred-pc.mysite.example.com, which if you have
# your DNS set up correctly, will find it quickly.
option domain-name "mysite.example.com";

# This specifies the DNS server(s) the machines on the LAN
# will use. We're specifying the same as the router, because
# we'll be running DNS there. If you don't want to, just use the
# IP address of the DNS server supplied by your ISP.
option domain-name-servers 192.168.1.2;

# The default gateway handed to clients. Without this they get
# an address but no route off the LAN, so everything works except
# the Internet. It's the router itself, i.e. this box.
option routers 192.168.1.2;

# These just specify the time a machine on the LAN gets to hold
# on to a dynamic address before it needs to renew it.
default-lease-time 43200;
max-lease-time 86400;

# This defines our pool of dynamically allocated addresses,
# and I've chosen the range 100..199. Options here override the
# options above (outside the {...}) in the way you might expect.
# I've set the default lease time to 900 seconds (15 minutes)
# for testing purposes only. 2h is normal but it's up to you.
# I normally go for 12h.

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.100 192.168.1.199;
  option broadcast-address 192.168.1.255;
  default-lease-time 900;
}

# The next block is assigning a fixed IP address to 
# a switch, because I don't want it to move. This just needs the 
# MAC address of the device and the fixed-address you want to give it.
# You can have as many of these as you like. The name "switch1" is really
# just for your own reference.

host switch1 {
        hardware ethernet 00:02:FC:CB:1E:7D;
        fixed-address 192.168.1.3;
}

For more information see this post about assigning names, and the dhcpd.conf.sample, which has scenarios far more complex than you’ll need on a simple LAN.

Enable it on reboot with:

sysrc dhcpd_enable=YES

You can then start it manually with service dhcpd start.

If you want to make changes to dhcpd.conf you can at any time, but they won’t take effect until you restart dhcpd (with service dhcpd restart). There’s no way of having it just do a reload. Details of the leases it has issued are in /var/db/dhcpd.leases, which is just a text file and you can easily read it. It is append-only: a renewed or released lease is written as a new record, so the last record for a given address is the one that counts.
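Reading the leases file by eye is fine for a handful of devices, but the question you actually want answered is “who is on my LAN that I didn’t plan for?”. Here is an added example, not from the original post, that parses a dhcpd.leases file (last record per address wins, abandoned leases dropped) and lists every lease whose MAC address has no host block in dhcpd.conf. The lease records and the dhcpd.conf fragment are constructed sample data written to temporary files; on a real router point the functions at /var/db/dhcpd.leases and /usr/local/etc/dhcpd.conf instead.

```sh
#!/bin/sh
# Added example: flag DHCP leases from MAC addresses that dhcpd.conf
# does not pin with a "host" block. Sample data below is constructed.
set -u

# Constructed sample in dhcpd.leases format (two live leases, one abandoned).
LEASES=$(mktemp)
cat > "$LEASES" <<'EOF'
lease 192.168.1.101 {
  starts 3 2023/10/04 10:00:00 UTC;
  ends 3 2023/10/04 22:00:00 UTC;
  hardware ethernet 00:02:fc:cb:1e:7d;
  client-hostname "switch1";
}
lease 192.168.1.150 {
  starts 3 2023/10/04 11:30:00 UTC;
  ends 3 2023/10/04 11:45:00 UTC;
  hardware ethernet aa:bb:cc:dd:ee:ff;
  client-hostname "guest-phone";
}
lease 192.168.1.151 {
  starts 3 2023/10/04 11:30:00 UTC;
  ends 3 2023/10/04 11:45:00 UTC;
  hardware ethernet 11:22:33:44:55:66;
  abandoned;
}
EOF

# Constructed sample dhcpd.conf with the one fixed-address host from the post.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
host switch1 {
        hardware ethernet 00:02:FC:CB:1E:7D;
        fixed-address 192.168.1.3;
}
EOF

# Print "ip mac hostname" for each address whose newest record is not
# abandoned. The file is append-only, so later records replace earlier ones.
list_leases() {
  awk '
    /^lease /           { ip = $2; mac = ""; host = "-"; ab = 0 }
    /hardware ethernet/ { mac = tolower($3); sub(/;/, "", mac) }
    /client-hostname/   { host = $2; gsub(/[";]/, "", host) }
    /abandoned;/        { ab = 1 }
    /^}/                { if (ab) delete rec[ip]; else rec[ip] = ip " " mac " " host }
    END                 { for (k in rec) print rec[k] }
  ' "$1" | sort
}

# MAC addresses that dhcpd.conf pins with a host block, lower-cased.
known_macs() {
  awk '/hardware ethernet/ { m = tolower($3); sub(/;/, "", m); print m }' "$1" | sort -u
}

# Live leases whose MAC has no host block: the devices you did not plan for.
unknown_leases() {
  list_leases "$1" | while read -r ip mac host; do
    known_macs "$2" | grep -qxF "$mac" || echo "$ip $mac $host"
  done
}

unknown_leases "$LEASES" "$CONF"
```

Run it from cron and diff the output against yesterday’s, and you have a cheap rogue-device alarm for the guest pool. It is only as trustworthy as the MAC addresses in the requests, which is to say not very, but it catches the honest surprises.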

Routing a whole subnet

Supposing you have more than one IP address coming down the PPPoE tunnel at you? This is a service you can get from your ISP, giving you multiple IP addresses for various purposes – such as running servers. Other ISPs give you a single dynamic address, or worse, an IP address generated by CG-NAT. I’d argue this ceases to meet the definition of “Internet Service” at this point.

But assuming you have a block of static addresses, how do you get ppp to use them? I haven’t seen this documented ANYWHERE and figuring it out involved a great deal of trial and error. Shout out to shurik for encouraging me to keep going where ppp.linkup was concerned.

The easy way to add an alias to your tunnel (which you’ll recall we called wan0) is to use ifconfig and simply add it. But the trick with tunnels is to add the alias IP address and the remote tunnel address (i.e. HISADDR). You can find out what HISADDR is using ifconfig:

# ifconfig wan0
wan0: flags=1008051<UP,POINTOPOINT,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1492
        options=80000<LINKSTATE>
        inet 1.2.3.4 --> 44.33.22.11 netmask 0xffffffff
        groups: tun
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 658

In the output above, 1.2.3.4 is the IP address supplied by IPCP, i.e. your public IP address. 44.33.22.11 is the IP address of the other end of the tunnel: in the parlance of the PPP utility, HISADDR. Earlier we set the default route to HISADDR. There are good reasons why HISADDR is dynamic, not least of which is having a pool of gateways for redundancy, so you have to check what it actually IS today before you assign an alias public address to the tunnel.

Then it’s a simple matter of adding further addresses using ifconfig:

ifconfig wan0 alias 1.2.3.41/32 44.33.22.11

Yes, it’s not quite the same format as adding an alias to an Ethernet interface, as the remote address follows the local one.

You can write a little script to do them automatically:

#!/bin/sh
# Refresh the public aliases on the PPP tunnel using today's HISADDR.
# 1.2.3.4 is the fixed address IPCP gives the tunnel. Match it as a whole
# field so that our own aliases (1.2.3.41 etc.) are not picked up on a re-run.
HISADDR=$(ifconfig wan0 | awk '$1 == "inet" && $2 == "1.2.3.4" { print $4; exit }')
if [ -z "$HISADDR" ]; then
    echo "wan0 has no address yet" >&2
    exit 1
fi
ALIASES="1.2.3.41 1.2.3.42 1.2.3.43 1.2.3.44"
for a in $ALIASES
do
    # Drop any stale alias first; it may still point at an old HISADDR.
    ifconfig wan0 delete $a 2>/dev/null
    ifconfig wan0 alias $a/32 $HISADDR
done

Note that I’m using awk to find the correct inet line based on the static address I know the interface has, matching the address as a whole field so that 1.2.3.41 and friends don’t match once they exist. Fiddle this to suit your static address, or if you don’t have one, take the first inet line and hope it’s the right one. I’m also deleting the old aliases, as they might need to be recreated using the new HISADDR; the 2>/dev/null just hides the complaint on the first run, when there’s nothing to delete.

This is all well and good, but when do you run the script? Automating it is the trick. Fortunately there’s a hook in ppp: it processes the file /etc/ppp/ppp.linkup when the link comes up. As far as I can tell it’s the same format as ppp.conf, and you have to label the service name in the same way. What’s not documented is how you add alias addresses, but I’ve found a way by getting it to run ifconfig for you. If you start a line with " !bg ", what follows is run in the background. It’s run without an environment, so you have to give the full path to whatever you want to run, but it does work and does expand macros like HISADDR. The space in front of the ! is important! Incidentally, there’s also a ppp.linkdown.

Here’s my /etc/ppp/ppp.linkup

cloudscape:
  !bg /sbin/ifconfig wan0 alias 1.2.3.40/32 HISADDR
  !bg /sbin/ifconfig wan0 alias 1.2.3.41/32 HISADDR
  !bg /sbin/ifconfig wan0 alias 1.2.3.42/32 HISADDR
  !bg /sbin/ifconfig wan0 alias 1.2.3.43/32 HISADDR

I would very much like to find the documentation for this, but the author (Brian Somers) has moved on to other things and the documentation that’s out there appears to be all there is. It was written for dial-up connections and wasn’t really designed for fixed lines with multiple public IP addresses.
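Having the aliases on wan0 is only half the job; pf has to know what to do with them, otherwise packets for 1.2.3.41 arrive and are silently eaten. Here is an added pf.conf fragment, not from the original post or from Part 1, that puts one aliased public address in front of a web server on the LAN with a one-to-one (binat) mapping. The interface names wan0 and bge0 follow the post; the server at 192.168.1.10 and the choice of 1.2.3.41 are assumptions. Merge it with the NAT and filter rules from Part 1 rather than replacing them.

```pf
# Added example: one aliased public address in front of a LAN server.
# wan0/bge0 follow the post; 192.168.1.10 and 1.2.3.41 are assumptions.
ext_if  = "wan0"
int_if  = "bge0"
web_srv = "192.168.1.10"   # assumed web server on the LAN
web_pub = "1.2.3.41"       # one of the aliases ppp.linkup adds to wan0

# Bidirectional 1:1 mapping (translation section, before the filter rules):
# inbound packets for 1.2.3.41 are rewritten to 192.168.1.10, and the
# server's own outbound traffic leaves as 1.2.3.41 rather than the
# shared NAT address, so its reverse DNS and mail reputation are its own.
binat on $ext_if from $web_srv to any -> $web_pub

# pf translates before it filters, so inbound rules see the LAN address.
# Default deny on the outside, then open only the ports you actually serve.
block in on $ext_if
pass in on $ext_if inet proto tcp from any to $web_srv port { 80 443 } \
    flags S/SA keep state
pass out on $ext_if keep state
```

Check it with pfctl -nf /etc/pf.conf before loading, and remember the binat only works while the alias is actually on the interface: if HISADDR changes and ppp.linkup hasn’t yet re-added 1.2.3.41, the mapping is briefly pointing at an address the box doesn’t hold.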

Meanwhile the other PPP daemon, mpd5, which is supposed to be better, was listed in the FreeBSD Handbook as being for PPPoA, pushing user-ppp for PPPoE. This isn’t actually the case, and I may be revisiting this using mpd5 at some point because it’s faster and more efficient, and I don’t need all the extra wonderful NAT and firewall features of user-ppp.

No talk from TalkTalk

Charles Dunstone’s budget ISP TalkTalk has been hacked again. Yawn. This time it’s big news on TV; the headline story in fact. Their website has been KOed for a couple of days, but it’s back online with a front page showing a different news agenda. They get their feed from AOL (also part of the Carphone Warehouse family), who probably just missed the kerfuffle; there’s no celebrity connection after all. Not yet, anyway.

If you’re a TalkTalk retail customer (or possibly a business customer – who knows how their systems interrelate and what data’s been pilfered), and you’ve used the same password with TalkTalk as any other sites, change your password on those sites NOW. The popular media is full of speculation as to what’s been compromised but they’re not mentioning passwords, presumably because TalkTalk will have told them that any passwords would have been encrypted. But if the criminals have got hold of the hashes, which is likely, it’s only a matter of time before they crack them.

How worried should customers of other ISPs be? Pretty worried, as on the serious side of the business they’re known as Opal Telecom, a significant LLU operator providing the link between the last mile and the data centre for a large number of Broadband providers.

I can, of course, only speculate as to why this keeps happening to them. One reason might be related to several conversations I’ve had with people from ISPs TalkTalk has taken over along the way. Apparently they really don’t like hard stuff like UNIX/Linux, and within months of a takeover they force a switch to Microsoft before making all the UNIX people redundant. Any fool can use Microsoft; low levels of technical understanding are required, meaning cheap engineers and lower costs. But do their Microsofties actually know what they’re doing? I dare say that some of them do, and some of them don’t. But the bar for a point-and-click Microsoft house is going to be lower.

David Cameron on Google Porn

I’ve been watching with dismay David Cameron’s statements on the Andrew Marr show at the weekend; he’s attacked Google and other big companies for not blocking illegal pornography. Let’s be clear: Google et al, already do, as far as is possible. The Prime Minister is simply playing politics, and in doing so is exposing his complete lack of understanding about matters technological and social.

It’s not just the coalition government; Edward Miliband trumped him in stupidity by saying that the proposed plans “didn’t go far enough”, which is his usual unthinking response to anything announced by the government that might be popular.

Cameron’s latest announcement is to force ISPs to turn on “no porn” filters for all households (optionally removed, so it’s not State censorship). I’d be fascinated to hear him explain how such a filter could possibly work, but as my understanding of quantum mathematics isn’t that good, I may yet be convinced. Don’t hold your breath waiting.

The majority of the population won’t be able to understand why this is technical nonsense, so let’s look at it from the social point-of-view. People using the Internet to distribute child-abuse images do not put them on web sites indexed by Google. If Google finds any, they will remove them from search results and tell the police, as would everyone else. Paedophiles simply don’t operate in the open – why would they? They’re engaged in a criminal activity and don’t want to be caught, and therefore use hidden parts of the Internet to communicate, and not web sites found by Google!

Examining the illegal drugs trade is a useful model. It’s against the law, harmful and regarded as “a bad thing” by the overwhelming majority. The police and border security spend a lot of time and money tackling it, but the demand remains and criminal gangs are happy to supply that demand. So how successful has 100 years of prohibition been? Totally ineffective, by any metric. With 80% of the prison population on drugs IN PRISON it should be obvious that criminals will continue to supply drugs under any circumstances, if there’s a demand. If anything, proscribing drugs has made it more difficult to deal with the collateral effects by making the trade and users much more difficult to track.

So, if we can’t stop drugs (a physical item) getting in to prisons (presumably amongst the most secure buildings in the country), does anyone seriously think it’s possible to beat the criminals and prevent illegal porn being transmitted electronically to millions of homes across the country? David Cameron’s advisors don’t appear to have been able to get him to understand this point.

Another interesting question is whether I should opt to have the porn filter removed from my connection. The only way such a filter could possibly be effective is if it banned everything on its creation, and then only allowed through what was proven safe. There are generally considered to be over 500 million web sites out there, with 20,000 being added every month. That’s sites, not individual pages. The subset that can realistically be examined and monitored to make sure they are safe is going to be quite small, and as a security researcher, I need to retrieve everything. So am I going to have to ‘phone my ISP and say “yes please, I want to look at porn”? Actually, that won’t be a problem for me because I am my own ISP. The government doesn’t even know I exist; there is no register of ISPs (or even a definition of the term). There are probably tens of thousands in the country. So I shall await a call from Mr Cameron’s office with a full technical explanation of this filtering scheme with interest.

Fortunately for the Prime Minister, his live speech on the subject scheduled for 11am has been displaced by a load of royal reporters standing outside a hospital and Buckingham Palace saying “no news yet” on the supposed imminent arrival of the Duke and Duchess of Cambridge’s first child.