
IP Routing with FreeBSD and PF

I needed to quickly set up a router in a spot with 1 laptop and 1 desktop, where only the laptop had network access, via WiFi, and the desktop needed access. The laptop is running FreeBSD. I was able to quickly configure pf to NAT the wired interface on the laptop through its WiFi interface. In this case, converting a FreeBSD system into a router can be a cost-effective and efficient way to manage network traffic.

First, it's essential to ensure that the FreeBSD system has multiple network interfaces (either physical or virtual). The system should have at least two NICs, one for the internal network and one for the external network. Once the NICs are installed, the system needs to be configured to recognize them.

The next step is to configure the network interfaces. This can be done by editing the /etc/rc.conf file, which is the primary configuration file for FreeBSD. The file should be updated to include the necessary settings for the network interfaces, such as the IP addresses & subnet masks. For example, here is what I have for my two NICs:

ifconfig_wlan0="WPA DHCP"
ifconfig_em0="inet 192.168.2.1 netmask 255.255.255.0"

In this example, em0 is the internal network interface using the address 192.168.2.1, and wlan0 is the external network interface, which is configured using DHCP.

After configuring the network interfaces, the system needs to be configured to enable routing. This can be done by adding the following line to the /etc/rc.conf file:

gateway_enable="YES"

However, I like to add this line to the /etc/sysctl.conf file instead:

net.inet.ip.forwarding=1

Then you can enable forwarding immediately by running:

doas sysctl net.inet.ip.forwarding=1

Either setting enables the system to act as a gateway and forward packets between the internal and external networks.

In addition to enabling routing, the system also needs to be configured to perform Network Address Translation (NAT). NAT is a technique used to translate private IP addresses into "public" IP addresses, allowing multiple devices on the internal network to share a single "public" IP address. FreeBSD has a couple of firewall choices, but I've stuck with pf. So you'll want to ensure that's enabled:

doas sysrc pf_enable="YES"
doas service pf start

The following lines can be added to the /etc/pf.conf file to enable NAT:

wired_if="em0"
ext_if="wlan0"
wired_net="192.168.2.0/24"

...

# NAT from em0
nat on $ext_if from $wired_net to any -> ($ext_if)

I put the ... in there to indicate that you might have other rules within this pf.conf file, but I'm just posting the relevant ones for the task.

Finally, reload the pf.conf file so the NAT takes effect:

doas pfctl -f /etc/pf.conf
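
The NAT rule above translates traffic but does not filter it: with no filter rules loaded, pf passes everything by default. The following pf.conf is an added example, not the author's configuration, showing one way to fill the elided filter section with a default-deny policy. The macros and the NAT rule are the article's; the options and filter rules are assumptions for a two-host setup like the one described.

```conf
# Constructed example for /etc/pf.conf (not the article's full ruleset).
# Macros are the article's own.
wired_if="em0"
ext_if="wlan0"
wired_net="192.168.2.0/24"

# Options: leave loopback unfiltered, silently drop blocked packets.
set skip on lo0
set block-policy drop

# Translation: the article's NAT rule, unchanged.
nat on $ext_if from $wired_net to any -> ($ext_if)

# Filtering (assumed policy for a laptop sharing WiFi with one wired host).
# Without any filter rule pf passes all traffic, so start from default deny.
block all

# Drop packets that claim a wired_net source but arrive on another interface.
antispoof quick for $wired_if

# Let the wired network reach the router and be forwarded through it.
pass in on $wired_if from $wired_net to any

# Let the router and the already-translated wired traffic leave via WiFi.
# Nothing is passed in on $ext_if, so unsolicited WiFi-side connections are
# dropped; replies are admitted by the state these pass rules create.
pass out on $ext_if all
```

Parse the file first with doas pfctl -nf /etc/pf.conf, which reports syntax errors without loading anything. After loading, doas pfctl -s nat and doas pfctl -s rules show what is actually in effect.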

In conclusion, converting a FreeBSD system into a router is a relatively straightforward process that involves configuring the network interfaces, enabling routing, and configuring NAT and the firewall. With its robust and secure features, FreeBSD is an ideal operating system for building a router. By following the steps outlined in this article, users can create a cost-effective and efficient routing solution for their network.

Written by Jon

Hi, I'm Jon. I live in Utah with my awesome wife and children, where we enjoy hockey, basketball, soccer, and raising chickens! I have a bachelor's degree in Software Development, various computer & project management certifications, and I've worked for web hosting and other dev/online companies for over a decade.