I want to setup a LAN for experimental use in my office. However, for the security policy, I have only one MAC (my laptop) authenticated to connect to wired network. Usually, I have to fake the MAC for my desktop so that I can connect my desktop to network. Now, I have several physical machines to connect network.
Here is the approach: I use one machine with two NIC as a gateway to setup NAT, so that all other machines can connect to network via a switch and this machine.
Two interfaces in Gateway: re0, re1
Arrange: re0 connect to company network; re1 connect to LAN
1. Setup re0,
#ifconfig re0 lladdr xx:xx:xx:xx:xx:xx
#ifconfig re0 up
Or permanently, edit /etc/hostname.re0 by adding the following lines
lladdr xx:xx:xx:xx:xx:xx # change MAC
dhcp # use DHCP to request IP
Comment: this configure is for enabling re0 to connect corporate network when system starts.
(When I reboot the system, there is no DHCPREQUEST responding to DHCPDISCOVERY via ra0. Whatever I tried, it doesn’t work until I run tcpdump synchronously. Finally, I found the reason. Before this experiment, I create the bridge between re0 and re1, however, I did not destroy the bridge properly. So the above issue happened. So, I create the bridge0 back, added re0, re1, up the bridge, and then, remove re0, re1, destroy the bridge sequentially.
if I run #tcpdump -e -i re0, then it will make re0 work well. If I run #tcpdump -p -e -i re0, then re0 does not work. The -p means does not put the interface work intro promiscuous mode. So the reason, I guess, is that re0 still holds its original MAC address to filter packets, so all packets sent to the fake mac address are discarded intentionally, or it uses fake mac address to filter but sends packets using original mac address.
That’s all right. I always need to run tcpdump or other packets capture in this interface. I leave this problem unsolved and move forward.
2. Start dhcpd service in the gateway
edit /etc/rc.conf to set dhcpd_flags=YES
3. Set re1 as the gateway of LAN
create /etc/hostname.re1 and add the following line:
inet 192.168.1.1 255.255.255.0 192.168.1.0
or use ifconfig for temporary but take effect immediately:
#ifconfig re1 192.168.1.1 netmask 255.255.255.0
4. Connect the gateway at re1 from my laptop, run dhclient. My laptop successfully get a ip address 192.168.1.32
5. Enable ftp service in gateway, test ftp from my laptop
edit /etc/rc.conf, set inetd=YES,
edit /etc/inetd.conf, uncomment the ftp line
if you want take effect immediately, exec #/etc/rc.d/inetd restart
(same problem here, I must run tcpdump on the interface re1 so that it can properly receive packets from my laptop)
6. enable ip forwarding (for forwarding between re0 and re1)
# sysctl net.inet.ip.forwarding=1
Error – sysctl: fourth level name forward in net.inet.ip.forward is invalid. I do not know what exact reason is. I guess it may be because of my security level. Instead to fix it, I turn to edit /etc/rc.conf (permanently) to enable it. (I need reboot the system)
For permanent configuration:
edit /etc/pf.conf, add the following lines
pass out on re0 from re1:network to any nat-to (re0)
Save the file, run ‘#pfctl -s state’ to check the NAT status
8. Then, I successfully ping 22.214.171.124 from my laptop (192.168.1.32). 126.96.36.199 is the IP address of google.com, since I don’t setup any DNS server.