Difference between pages "Network" and "Netbsd vpn gateway basic setup"

From ENTS
(Difference between pages)
 
m (Basic setup after a vanilla install of NetBSD 5.2)
 
Line 1: Line 1:
[[File:Ents_rack_20110301.jpg|left|The rewired rack as it stood Feb 27, 2011]]
 
  
The ENTS network is currently being rebuilt, until things are stabilized what is listed here should not be taken as gospel.
+
== Basic setup after a vanilla install of NetBSD 5.2 ==
  
  
  
{| align="left" style="text-align:left;" border=1
+
==== Set up pkgsrc repository ====
! Network
+
! 802.1q tag
+
! Subnet
+
! Description
+
|-
+
| [[Network:Default|Default Network]]
+
| 1
+
| 192.168.1.0/24
+
|
+
|-
+
| [[Network:Infrastructure|Infrastructure]]
+
| 15
+
| 172.16.15.0/24
+
|
+
|-
+
| Tenant 1
+
| 51
+
| 192.168.51.0/24
+
|
+
|-
+
| Tenant 2
+
| 52
+
| 192.168.52.0/24
+
|
+
|-
+
| Tenant 3
+
| 53
+
| 192.168.53.0/24
+
|
+
|-
+
|-
+
| Cipherkey WAN
+
| 101
+
|
+
| PPPoE from DSL ISP
+
|-
+
| Shaw WAN
+
| 102
+
|
+
| DHCP from Cable ISP
+
|-
+
| Vlan of the damned
+
| 666
+
| 192.168.66.0/24
+
| vlan for unused switch ports that isn't routed anywhere
+
|}
+
  
{| align="left" style="text-align:left;" border=1
+
Edit the file '''''/root/.profile'''''<br />
  ! Printer
+
! IP
+
! Location
+
! Description
+
|-
+
| General Use
+
| 192.168.1.24
+
| Electronics Bench
+
| Brother HL-2270DW
+
|-
+
| HP Large Format
+
| 192.168.1.25
+
| Back upstairs NE corner
+
| HP Colorlaserjet 5M
+
|}
+
  
[[File:Drop_map.jpg|500px|link=http://ents.ca/wiki/images/b/b3/Drop_map.jpg|Network drop map]]
+
Change the path for the pkgsrc repo to:<br />
 +
ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/
 +
 
 +
The file will be read-only, use ''':wq!'''
 +
 
 +
 
 +
==== Set up network interfaces ====
 +
 
 +
Edit the file  '''''/etc/ifconfig.fxp0'''''
 +
 
 +
This will the the external (wan) interface.
 +
 
 +
Insert the contents:
 +
192.168.0.201 netmask 255.255.255.0
 +
 
 +
 
 +
Edit the file  '''''/etc/ifconfig.fxp1'''''
 +
 
 +
This will be the internal network (lan) interface.
 +
 
 +
Insert the contents:
 +
10.100.44.1 netmask 255.255.255.0
 +
 
 +
==== Ensure IP forwarding is set up ====
 +
 
 +
Edit the file  '''''/etc/sysctl.conf '''''
 +
 
 +
Insert the contents:
 +
 
 +
net.inet.ip.forwarding=1
 +
 
 +
 
 +
==== Specify your DNS server ====
 +
 
 +
 
 +
Edit the file  '''''/etc/resolv.conf'''''
 +
 
 +
Insert the contents:
 +
 
 +
nameserver 64.59.184.13
 +
 
 +
 
 +
==== Specify basic settings in rc.d to set up networking ====
 +
 
 +
Edit the file  '''''/etc/rc.conf'''''
 +
 
 +
Append the following to the end of the file:
 +
 
 +
hostname=chaosvpn.440bx.net
 +
defaultroute=192.168.0.1
 +
sshd=yes
 +
 
 +
 
 +
==== Create a new user to do tasks that don't require root ====
 +
 
 +
# useradd -m -G wheel chaosvpn_user
 +
# passwd chaosvpn_user
 +
 
 +
 
 +
==== Continue with the installation of ChaosVPN ====
 +
 
 +
continue with the steps at:
 +
 
 +
https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto
 +
 
 +
 
 +
---
 +
 
 +
===Recompile the kernel===
 +
 
 +
make directories
 +
 
 +
# mkdir /usr/src
 +
# chown chaosvpn_user /usr/src
 +
 
 +
get the actual source
 +
 +
$ ftp -i ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-5.2/source/sets/
 +
  mget *.tgz
 +
 +
extract
 +
 
 +
$ for i in *.tgz
 +
  do
 +
  tar -xzf $i
 +
  done
 +
 
 +
after you realize youve extracted to the wrong dir
 +
 
 +
$ mv /usr/src/usr/src/* /usr/src
 +
 
 +
copy config stuff
 +
 
 +
$ cd /usr/src/sys/arch/i386
 +
$ cp GENERIC i686_CVPN_x300
 +
 
 +
 
 +
vi ./i686_CVPN_x300
 +
 
 +
<pre>
 +
CFLAGS:
 +
 
 +
  #use whatever is applicable
 +
  #see:  http://gcc.gnu.org/onlinedocs/gcc/i386-and-x86_002d64-Options.html
 +
  #
 +
  CPUFLAGS="-march=pentium3m -mtune=pentium3m"
 +
 
 +
Uncommented:
 +
 
 +
  PERFCTRS #since this is going to be non-smp kernel (may or may not ever use this)
 +
  GATEWAY
 +
  IPSEC
 +
  IPSEC_ESP
 +
  IPSEC_NAT_T
 +
  pseudo-device carp
 +
  pseudo-device pf
 +
  pseudo-device pflog
 +
</pre>
 +
 
 +
Might dig more into "tuning" later.
 +
 
 +
Time to start building the new kernel
 +
 
 +
$ config ./i686_CVPN_x300
 +
$ cd ../compile/i686_CVPN_x300
 +
$ make clean && make depend && make
 +
 
 +
And install
 +
 
 +
$ su
 +
# cp /netbsd /netbsd.orig
 +
# cp netbsd /
 +
 
 +
Reboot using the new kernel.
 +
 
 +
 
 +
 
 +
===ipfilter setup. routery stuff.===
 +
 
 +
 
 +
 
 +
ipfilter is installed by default on Netbsd 5.2 No special packages are required.
 +
 
 +
---
 +
 
 +
'''remove this next bit later if testing shows that statically linking in kernel actually works'''<br />
 +
Set ipfilter to run by default
 +
 
 +
vi /etc/rc.conf
 +
 
 +
ipfilter_enable="YES"
 +
#ipfilter_rules="/etc/ipf.rules"
 +
ipmon_enable="YES"
 +
ipmon_flags="-Ds"
 +
gateway_enable="YES"
 +
ipnat_enable="YES"
 +
ipnat_rules="/etc/ipnat.rules" . create the log file.
 +
 
 +
 
 +
---
 +
 
 +
 
 +
for now, we want ipfilter to log
 +
 
 +
# touch /var/log/ipfilter.log
 +
 
 +
vi /etc/syslog.conf
 +
 
 +
local0.* /var/log/ipfilter.log
 +
 
 +
---
 +
 
 +
 
 +
vi /etc/ipnat.rules
 +
 
 +
map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 00000:65000
 +
map fxp1 10.100.0.0/16 -> 0.0.0.0/32
 +
 
 +
 
 +
===Misc Non-essential Setup===
 +
 
 +
 
 +
====Optional: Install some convenience packages====
 +
 
 +
# pkg_add lynx
 +
# pkg_add pico
 +
# pkg_add screen
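Review bot: the rc.conf block on the right-hand page uses FreeBSD's variable names (ipfilter_enable, ipmon_enable, gateway_enable, ipnat_enable, ipnat_rules), which NetBSD 5.2's rc.d scripts never read; they test `ipfilter=YES`, `ipmon=YES` and `ipnat=YES`, load rules from /etc/ipf.conf and /etc/ipnat.conf, and forwarding is already covered by the net.inet.ip.forwarding=1 sysctl and the GATEWAY kernel option earlier on the same page. The two ipnat rules also map on fxp1, which this page configures as the LAN interface; ipnat map rules apply on the interface traffic leaves through, so they should name the WAN interface fxp0, and the portmap range 00000:65000 starts at port 0.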

Revision as of 13:30, 1 August 2013

Basic setup after a vanilla install of NetBSD 5.2

Set up pkgsrc repository

Edit the file /root/.profile

Change the path for the pkgsrc repo to:
ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/i386/5.0/All/

The file will be read-only; use :wq! in vi to force the write.


Set up network interfaces

Edit the file /etc/ifconfig.fxp0

This will be the external (WAN) interface.

Insert the contents:

192.168.0.201 netmask 255.255.255.0 


Edit the file /etc/ifconfig.fxp1

This will be the internal network (LAN) interface.

Insert the contents:

10.100.44.1 netmask 255.255.255.0

Ensure IP forwarding is set up

Edit the file /etc/sysctl.conf

Insert the contents:

net.inet.ip.forwarding=1


Specify your DNS server

Edit the file /etc/resolv.conf

Insert the contents:

nameserver 64.59.184.13


Specify basic settings in rc.d to set up networking

Edit the file /etc/rc.conf

Append the following to the end of the file:

hostname=chaosvpn.440bx.net
defaultroute=192.168.0.1
sshd=yes


Create a new user to do tasks that don't require root

# useradd -m -G wheel chaosvpn_user
# passwd chaosvpn_user


Continue with the installation of ChaosVPN

Continue with the steps at:

https://wiki.hamburg.ccc.de/ChaosVPN:NetBSDHowto


---

Recompile the kernel

Make the directories:

# mkdir /usr/src
# chown chaosvpn_user /usr/src

Get the source:

$ ftp -i ftp://ftp.NetBSD.org/pub/NetBSD/NetBSD-5.2/source/sets/
  mget *.tgz

Extract:

$ for i in *.tgz
  do
  tar -xzf $i 
  done

After you realize you've extracted to the wrong directory:

$ mv /usr/src/usr/src/* /usr/src

Copy the kernel config:

$ cd /usr/src/sys/arch/i386
$ cp GENERIC i686_CVPN_x300


vi ./i686_CVPN_x300

CFLAGS:

   #use whatever is applicable
   #see:  http://gcc.gnu.org/onlinedocs/gcc/i386-and-x86_002d64-Options.html
   #
   CPUFLAGS="-march=pentium3m -mtune=pentium3m"

Uncommented:

   PERFCTRS #since this is going to be non-smp kernel (may or may not ever use this)
   GATEWAY
   IPSEC
   IPSEC_ESP
   IPSEC_NAT_T
   pseudo-device carp
   pseudo-device pf
   pseudo-device pflog

Might dig more into "tuning" later.

Time to start building the new kernel:

$ config ./i686_CVPN_x300
$ cd ../compile/i686_CVPN_x300
$ make clean && make depend && make

And install:

$ su 
# cp /netbsd /netbsd.orig
# cp netbsd /

Reboot using the new kernel.
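Scripting the kernel-option edit above, as an added example that is not from the ENTS page: `enable_kernel_opts` and `kopt_enabled` are hypothetical helper names, and the GENERIC lines in the block are a constructed sample rather than the real file.

```shell
#!/bin/sh
# Added example, not from the ENTS wiki: enable the kernel options the page
# lists in a copy of GENERIC with a script instead of hand-editing in vi.
# Assumes config(1) syntax: a disabled entry reads "#options FOO" or
# "#pseudo-device foo", an enabled one has no leading '#'.

# enable_kernel_opts CONFIGFILE NAME...: uncomment each NAME's options or
# pseudo-device line (keeping its trailing comment); a NAME that does not
# appear at all is appended as an "options" line.
enable_kernel_opts() {
    cfg=$1; shift
    for name in "$@"; do
        re="(options|pseudo-device)[[:space:]]+$name([[:space:]]|$)"
        if grep -Eq "^#[[:space:]]*$re" "$cfg"; then
            sed -E "s/^#[[:space:]]*($re)/\\1/" "$cfg" > "$cfg.tmp" &&
                mv "$cfg.tmp" "$cfg"
        elif ! grep -Eq "^$re" "$cfg"; then
            printf 'options\t%s\n' "$name" >> "$cfg"
        fi
    done
}

# kopt_enabled CONFIGFILE NAME: succeed if NAME is active (uncommented).
kopt_enabled() {
    grep -Eq "^(options|pseudo-device)[[:space:]]+$2([[:space:]]|$)" "$1"
}

# Constructed stand-in for a few GENERIC lines, so the script runs offline.
demo_cfg=$(mktemp "${TMPDIR:-/tmp}/kcfg.XXXXXX") || exit 1
cat > "$demo_cfg" <<'EOF'
#options        GATEWAY         # packet forwarding
#options        IPSEC           # IP security
#options        IPSEC_ESP       # IP security (encryption part; define w/IPSEC)
#options        IPSEC_NAT_T     # IPsec NAT traversal (NAT-T)
pseudo-device   carp            # Common Address Redundancy Protocol
#pseudo-device  pf              # PF packet filter
#pseudo-device  pflog           # PF log if
EOF
enable_kernel_opts "$demo_cfg" PERFCTRS GATEWAY IPSEC IPSEC_ESP IPSEC_NAT_T carp pf pflog
grep -E '^(options|pseudo-device)' "$demo_cfg"
```

Run it against the copied config with `enable_kernel_opts ./i686_CVPN_x300 ...` and review the result with `diff GENERIC i686_CVPN_x300` before running config(1).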


ipfilter setup. routery stuff.

ipfilter is installed by default on NetBSD 5.2; no special packages are required.

---

remove this next bit later if testing shows that statically linking in kernel actually works
Set ipfilter to run by default

vi /etc/rc.conf

# NetBSD's rc.d scripts test these variables; the FreeBSD-style names
# (ipfilter_enable, ipmon_enable, ipnat_enable, gateway_enable, ipnat_rules)
# are never read. /etc/rc.d/ipfilter loads /etc/ipf.conf and
# /etc/rc.d/ipnat loads /etc/ipnat.conf. Forwarding is already switched on
# by net.inet.ip.forwarding=1 in /etc/sysctl.conf (and the GATEWAY kernel option).
ipfilter=YES
ipmon=YES
ipmon_flags="-Ds"
ipnat=YES

Then create the log file.


---


For now, we want ipfilter to log:

# touch /var/log/ipfilter.log

vi /etc/syslog.conf

local0.* /var/log/ipfilter.log

---


vi /etc/ipnat.conf

NetBSD's /etc/rc.d/ipnat loads its rules from /etc/ipnat.conf. An ipnat map rule names the interface the packets leave through, so it must reference the WAN interface fxp0 set up above, not the LAN interface fxp1. Note that a portmap range starting at 00000 begins at port 0; ipnat's documented examples use a high range such as 10000:65000.

map fxp0 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 00000:65000
map fxp0 10.100.0.0/16 -> 0.0.0.0/32
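A small lint for the NAT rules, as an added example that is not from the ENTS page: `lint_ipnat` is a hypothetical helper, and the rules file it reads is a constructed sample containing the two rules above beside corrected versions.

```shell
#!/bin/sh
# Added example, not from the ENTS wiki: lint an ipnat rules file before
# loading it. An ipnat "map" rule names the interface packets leave through,
# so on this gateway every map rule must use the WAN side (fxp0 on this page),
# not the LAN side (fxp1). Assumes rules of the form
#   map IFACE SRC/MASK -> DST/MASK [portmap PROTO LOW:HIGH]

# lint_ipnat RULESFILE WANIF: print one FAIL line per problem; succeed only
# if the file is clean.
lint_ipnat() {
    rules=$1 wanif=$2 findings=0
    while read -r kw iface src arrow dst rest; do
        case $kw in ''|\#*) continue ;; esac   # skip blank lines and comments
        [ "$kw" = map ] || continue           # only map rules are checked here
        if [ "$iface" != "$wanif" ]; then
            printf 'FAIL: "map %s %s" applies NAT on %s, but the WAN interface is %s\n' \
                "$iface" "$src" "$iface" "$wanif"
            findings=$((findings + 1))
        fi
        case $rest in portmap*)
            range=${rest##* }          # e.g. 00000:65000
            low=${range%%:*}
            # a low port of 0 (or a leading-zero typo such as 00000) is unusable
            if [ "$low" -eq 0 ] 2>/dev/null; then
                printf 'FAIL: portmap range %s starts at port 0\n' "$range"
                findings=$((findings + 1))
            fi ;;
        esac
    done < "$rules"
    [ "$findings" -eq 0 ]
}

# Constructed rules file: the page's two rules, then corrected versions.
demo_rules=$(mktemp "${TMPDIR:-/tmp}/ipnat.XXXXXX") || exit 1
cat > "$demo_rules" <<'EOF'
# as written on the wiki page (LAN interface, port range from 0)
map fxp1 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 00000:65000
map fxp1 10.100.0.0/16 -> 0.0.0.0/32
# corrected: NAT on the WAN interface, high port range
map fxp0 10.100.0.0/16 -> 0.0.0.0/32 portmap tcp/udp 10000:65000
map fxp0 10.100.0.0/16 -> 0.0.0.0/32
EOF
lint_ipnat "$demo_rules" fxp0 || echo "fix the rules before loading them with ipnat -f"
```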


Misc Non-essential Setup

Optional: Install some convenience packages

# pkg_add lynx
# pkg_add pico
# pkg_add screen