Moving your wireless gateway

IPsec is a smart way to secure communications. It prevents others from sniffing
your traffic. I like using it for my wireless network.
To be fair, my WLAN consists of one laptop. But that’s so far. More may join later.

I first wrote about Wireless IPsec late last year.
In that article, I describe how to create a gateway for your WLAN and implement IPsec
to secure the communications. Since then, it’s been working flawlessly.
However, it’s time to move the gateway to a new box. The existing gateway is a
Pentium P150. It’s a fine machine. Never had a problem with it! However, I have too
many machines. I recently got my hands on a Dell Optiplex GX-260.
This box will replace two other boxes: the WLAN gateway box and my FreeBSD 5.4 box
that I use to build world for my laptop. It will also be used for a test box for
the Bacula project. I put a SCSI card into it
and plan to attach an external DLT drive.

Functions to be moved

The following services need to be implemented on this box:

  • Gateway – /etc/ipnat.rules
  • DNS Server – named – /etc/namedb/named.conf
  • IPsec – /etc/ipsec.conf
  • racoon – /usr/local/etc/racoon/{psk.txt|racoon.conf}
  • DHCP server – /usr/local/etc/dhcpd.conf

For the most part, this will be a copying of files and installing of
ports. No other changes are required.

I will assume you know how to install the ports in question. This article is
more about the problems I encountered when moving the configuration files
over and setting up the services.

Gateway

Not much to do here. Just ensure that /etc/rc.conf
contains gateway_enable="YES". You’ll also need support
for ipf in your kernel (I used ipf; you may want to use ipfw or pf instead):

    options     IPFILTER                #ipfilter support
    options     IPFILTER_LOG            #ipfilter logging
    options     IPFILTER_DEFAULT_BLOCK  #block all packets by default

Since I’m using ipf, I also added ipfilter_enable="YES"
to /etc/rc.conf.

In order to do NAT, I needed /etc/ipnat.rules. I had to update the
interface names in it, as the NICs on the new gateway are named differently.
Remember to add ipnat_enable="YES" to
/etc/rc.conf.

DNS Server

I added these entries to /etc/namedb/named.conf:

    forward only;
    forwarders {
       10.55.0.18;
       10.55.0.23;
    };

I also commented out the following line:

    listen-on       { 127.0.0.1;};

Commenting out that line ensures that named listens on
all available IP addresses. On a gateway that includes the outside interface,
so whether anyone beyond the WLAN can reach the name server is then up to your
ipf rules; you can also restrict named itself to specific addresses if you need.
See the comments in the configuration file for details.

IPsec

An easy move. I copied /etc/ipsec.conf
to the new system. A chown root:wheel was done.
I also added
ipsec_enable="YES" to /etc/rc.conf.

racoon

A bit trickier. I failed to set the owner right on the files and so racoon
did not start up properly. The files I needed were in
/usr/local/etc/racoon/. I copied over
psk.txt and racoon.conf. Note that racoon refuses to load psk.txt, which holds
the pre-shared keys, if the file is readable by group or others, so make sure
it is owned by root:wheel with mode 0600. You’ll also
need racoon_enable="YES".

DHCP Server

No problems here. I copied
/usr/local/etc/dhcpd.conf from one system to the other
and ensured it was chown root:wheel. Remember to add
dhcpd_enable="YES" to /etc/rc.conf.
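As an added check for the steps above (example code written for this page, not from the original article), a POSIX sh script that verifies the copied files are present, that psk.txt has the permissions racoon insists on, and that every rc.conf knob is set. It assumes the paths the article names and uses named_enable for named, which the post does not state explicitly.

```shell
#!/bin/sh
# Added example for this article's migration steps; not code from the original
# post. Assumes the file paths the article names and that named is turned on
# with named_enable (a standard rc.conf knob the post does not spell out).

# Configuration files carried over from the old gateway.
MIGRATED_FILES="/etc/ipnat.rules /etc/namedb/named.conf /etc/ipsec.conf
/usr/local/etc/racoon/psk.txt /usr/local/etc/racoon/racoon.conf
/usr/local/etc/dhcpd.conf"

# rc.conf knobs each service needs set to YES.
RC_KNOBS="gateway_enable ipfilter_enable ipnat_enable named_enable
ipsec_enable racoon_enable dhcpd_enable"

# perm_ok FILE OWNER: true only if FILE exists, is owned by OWNER and has no
# group/other bits (0600 style). Parses ls -l rather than stat(1), whose
# flags differ between FreeBSD and Linux.
perm_ok() {
    [ -e "$1" ] || return 1
    ls_out=$(ls -ld "$1")
    [ "$(printf '%s\n' "$ls_out" | cut -c5-10)" = "------" ] || return 1
    [ "$(printf '%s\n' "$ls_out" | awk '{print $3}')" = "$2" ]
}

# ensure_knob RCFILE KNOB: append KNOB="YES" unless a KNOB= line is already
# there. Idempotent, so rerunning never duplicates a line.
ensure_knob() {
    if grep -q "^$2=" "$1" 2>/dev/null; then
        echo "present: $2"
    else
        echo "$2=\"YES\"" >> "$1"
        echo "added: $2"
    fi
}

# check_migration RCFILE OWNER: report missing files, check that psk.txt
# (the pre-shared keys racoon reads) is private to OWNER, and set the knobs.
# Returns non-zero if anything is missing or psk.txt is too permissive.
check_migration() {
    status=0
    for f in $MIGRATED_FILES; do
        [ -e "$f" ] || { echo "missing: $f"; status=1; }
    done
    perm_ok /usr/local/etc/racoon/psk.txt "$2" || { echo "weak perms: psk.txt"; status=1; }
    for k in $RC_KNOBS; do ensure_knob "$1" "$k"; done
    return $status
}
```

On the new box, run check_migration /etc/rc.conf root after copying the files; a non-zero exit means something still needs fixing before the services are started.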

Debugging

For debugging purposes, you might want to
review the steps I went through when doing my first
IPsec setup.
