Local Area Network (LAN)
(3 intermediate revisions by one user not shown) | |||
Line 106: | Line 106: | ||
private networks which will never be connected to the Internet: | private networks which will never be connected to the Internet: | ||
+ | <pre> | ||
10.0.0.0 - 10.255.255.255 | 10.0.0.0 - 10.255.255.255 | ||
172.16.0.0 - 172.31.255.255 | 172.16.0.0 - 172.31.255.255 | ||
Line 114: | Line 115: | ||
172.16.0.0/12 | 172.16.0.0/12 | ||
192.168.0.0/16 | 192.168.0.0/16 | ||
+ | </pre> | ||
Line 124: | Line 126: | ||
The manually way by hand, or | The manually way by hand, or | ||
− | The automatic way using the FBSD port application DHCP. | + | The automatic way using the FBSD port application DHCP. |
− | + | ||
− | + | ||
− | + | ||
== Manually Configuring the Gateway host == | == Manually Configuring the Gateway host == | ||
Line 204: | Line 203: | ||
+ | == DHCP (Dynamic Host Configuration Protocol) == | ||
+ | |||
+ | If you are following the 'incremental install method' recommended in this Installers Guide, you have now completed the basic install of the FBSD Gateway/Firewall server with attached LAN. Everything up to this point has been accomplished using the built in facilities available in the standard FBSD stable release. | ||
+ | |||
+ | In the previous section you manually configured your LAN PC's by hand with the information they needed to communicate with the FBSD gateway. DHCP is used to automate and control the automatic assignment of private IP addresses to your LAN environment. | ||
+ | |||
+ | |||
+ | |||
+ | What function does DHCP perform? | ||
+ | The Dynamic Host Configuration Protocol (DHCP) is most commonly used in the situation where a LAN (local area network) has too many PC workstations for the LAN administrator to manually configuration each workstation with the information it needs to use for access on the LAN. To automate this process, DHCP was developed. DHCP usually runs on the gateway/firewall machine in server mode. It broadcasts its presence through the LAN to all the workstations who have a DHCP client version of DHCP installed. At workstation boot up it asks the DHCP server for the information necessary to configure itself for access to LAN services. | ||
+ | |||
+ | All Microsoft Windows machines have a DHCP client built in that defaults to using DHCP services without any user configuration. FBSD also has a built in DHCP client, but it needs manual user input to activate it. Many ISP's use DHCP on dial up, DSL, and cable access to achieve the same results a LAN administrator wants for his private LAN. | ||
+ | |||
+ | One of DHCP's major strengths is its ability to manage the dynamic assignment of IP addresses from a pool and to reuse any IP address released when a workstation is removed from the LAN or moved to a different location on the LAN, such as what normally happens in a company work place environment. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | == DHCP Server == | ||
+ | |||
+ | To add a DHCP server to FBSD you have to install the port. The best and most commonly used port for this purpose is the isc-dhcpd3 port. | ||
+ | The ISC-DHCP3 server supports three mechanisms for IP address allocation. In "automatic allocation", DHCP assigns a permanent IP address to a client. In "dynamic allocation", DHCP assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address). In "manual allocation", a client's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client. Dynamic allocation is the only one of the three mechanisms that allows automatic reuse of am address that is no longer needed by the client to which it was assigned. A particular network will use one or more of these mechanisms, depending on the policies of the network administrator. | ||
+ | |||
+ | For our purpose of a simple DHCP server that would fill the needs of the common FBSD user we are going to configure the DHCP server for "dynamic allocation" mode. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | == How DHCP Works == | ||
+ | |||
+ | When the dhcpd daemon starts up at FBSD boot time, it broadcasts its presence through the LAN, then it sleeps and listens for broadcast requests for network configuration information from the LAN workstations. By default, it will listen on UDP port 67. When such a request is received, then the server will reply to the client machine on UDP port 68, providing the details required to connect to the network such as the IP address assigned to the workstation, subnet mask, default gateway and DNS servers names or IP addresses. Also included with this reply is a length of time for which this information can be used by that particular client. This is known as a DHCP "lease" and a new lease must be acquired by the client when it expires. The length of time for which a lease is valid is decided by the administrator of the DHCP server. The DHCP server keeps a database of leases it has issued in /var/db/dhcpd.leases File. This file is written as a log and can be edited. See man dhcpd.leases which gives a slightly longer description. DHCP clients can obtain a great deal of information from the server. An exhaustive list may be found in man dhcp-options & man dhcpd after DHCP is installed. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | == DHCP Configuration Instructions == | ||
+ | |||
+ | To install the DHCP software, use the FBSD dhcp package using the following command | ||
+ | |||
+ | pkg_add -rv isc-dhcp3-server | ||
+ | |||
+ | To start the DHCPD server at boot time add the following statements in the /etc/rc.conf file. | ||
+ | |||
+ | ee /etc/rc.conf | ||
+ | |||
+ | <pre> | ||
+ | dhcpd_enable="YES" | ||
+ | dhcpd_conf="/usr/local/etc/dhcpd.conf" | ||
+ | dhcpd_ifaces="xl0" | ||
+ | dhcpd_flags="-q" | ||
+ | </pre> | ||
+ | |||
+ | The -q option will turn off the copyright banner that displays during the FBSD boot up and in the DHCP log every time a broadcast is issued by the DHCP daemon or when a request is received from a workstation DHCP client. | ||
+ | |||
+ | The dc0 is to be replaced with the interface name of the LAN NIC you want DHCP service on from your gateway/firewall FBSD system. | ||
+ | |||
+ | The dhcpd.conf file is delivered as a sample file so you have to make a copy of it without its sample suffix. It contains a lot of comments and commented out statement examples which you can comment out or delete. Edit the main DHCP configuration file and make it look like this. | ||
+ | |||
+ | |||
+ | cp dhcpd.conf.sample dhcpd.conf | ||
+ | |||
+ | ee dhcpd.conf | ||
+ | |||
+ | <pre> | ||
+ | option domain-name "fbsdjones.com"; | ||
+ | option domain-name-servers 208.206.15.11, 208.206.15.12; | ||
+ | # 600=10min, 7200=2 hours, 86400=1 day, 604800=1 week, 2592000=30 days | ||
+ | default-lease-time 86400; | ||
+ | max-lease-time 604800; | ||
+ | authoritative; | ||
+ | ddns-update-style none; | ||
+ | log-facility local1; | ||
+ | # No service will be given on this subnet, but declaring it helps the | ||
+ | # DHCP server to understand the network topology. | ||
+ | subnet 10.152.187.0 netmask 255.255.255.0 { } | ||
+ | |||
+ | # This is the fbsdjones.com subnet declaration. | ||
+ | # Max of 6 pc on LAN 10.0.10.1 - 10.0.10.6 | ||
+ | # 10.0.10.2 is the IP address of the Nic card in FBSD | ||
+ | # 10.0.10.7 is the broadcast IP address | ||
+ | subnet 10.0.10.0 netmask 255.255.255.248 { | ||
+ | range 10.0.10.1 10.0.10.6; | ||
+ | option routers 10.0.10.2;} | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | The option domain-name "fbsdjones.com"; is the user selected domain name from the hostname="gateway.fbsdjones.com" statement of /etc/rc.conf. | ||
+ | |||
+ | |||
+ | The option domain-name-servers contains the DSN server's IP addresses of your ISP from /etc/resolv.conf nameserver statements which get populated automatically when you connect to your ISP. If you have your own private LAN domain DSN server, make it the first one in the list, and in that case you can use full domain names instead of IP address (such as dnslocal.fbsdjones.com, dsn1.isp-domain.com). | ||
+ | |||
+ | The default-lease-time and max-lease-time have values in seconds to set the elapse period for these function. The values I show are good to go with. | ||
+ | |||
+ | The authoritative; options tells the DHCP daemon server that it is the boss and is in control of issuing all the information to the LAN DHCP clients. | ||
+ | |||
+ | |||
+ | The ddns-update-style none; tells DHCP that there is no local LAN DSN server. If you have one, change this from none to interim. In the dhcpd.conf.sample you will see comments saying none and ad-hoc are the two options. This is no longer true for DHCP version 3.0. Ad-hoc has been deactivated and replaced with interim. See man dhcpd.conf for details. | ||
+ | |||
+ | |||
+ | The log-facility allows you to segregate the DHCP messages to a separate log for recording. You are going to use local1 for logging of DHCP server error messages; | ||
+ | |||
+ | <pre> | ||
+ | subnet 10.0.10.0 netmask 255.255.255.248 { | ||
+ | range 10.0.10.1 10.0.10.6; | ||
+ | option routers 10.0.10.2; } | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | The subnet 10.0.10.0 netmask 255.255.255.248 statement declares the maximum subnet IP address range. In this case the last three digits in the netmask, 248 determines the range. This means a total of 8 IP addresses, 10.0.10.0 through 10.0.10.7 are allocated as the subnet range. 10.0.10.0 and 10.0.10.7 are reserved for the broadcast process. | ||
+ | |||
+ | The range 10.0.10.1 10.0.10.6; is saying this range of IP addresses makes up the pool of addresses that are to be used for dynamic IP allocation to DHCP clients. It's a small home LAN with only two MS/Windows boxes and a single FBSD box on it now. That can grow to six machines without making any changes to this statement group. | ||
+ | |||
+ | |||
+ | The option routers 10.0.10.2 statement is a bit miss-leading. What this is referring to is the NIC in the FBSD box the DHCP server runs on and the LAN being configured is cabled to. In our case the NIC has an IP address of 10.0.10.2 which is specified in /etc/rc.conf by the ifconfig_dc0="inet 10.0.10.2 netmask 255.255.255.248" statement. | ||
+ | |||
+ | |||
+ | The principle behind bitmasks and netmasks is simple, but often confusing to new users as it requires knowledge of binary numbers. For a quick reference, the following table illustrates what network ranges are indicated by the corresponding bitmasks/netmasks up to a default class C netmask. | ||
+ | |||
+ | Bitmask Netmask Total IP's / Usable IP's | ||
+ | 32 255.255.255.255 1 1 | ||
+ | 31 255.255.255.254 2 1 | ||
+ | 30 255.255.255.252 4 2 | ||
+ | 29 255.255.255.248 8 6 | ||
+ | 28 255.255.255.240 16 14 | ||
+ | 27 255.255.255.224 32 30 | ||
+ | 26 255.255.255.192 64 62 | ||
+ | 25 255.255.255.128 128 126 | ||
+ | 24 255.255.255.0 256 254 | ||
+ | 22 255.255.192.0 16320 16318 | ||
+ | 20 255.255.128.0 32768 32766 | ||
+ | 16 255.255.0.0 65536 65534 | ||
+ | 12 255.128.0.0 8.388608+e6 8.388606+e6 | ||
+ | 8 255.0.0.0 256^3 (256^3)-2 | ||
+ | 0 0.0.0.0 (all IP's) 256^4 (256^4)-2 | ||
+ | |||
+ | |||
+ | As you can see, there is a definite pattern. The number of total IP's always doubles, and the number of usable IP's is always total - 2. This is because for every IP network/subnet there are two IP's reserved for the network and broadcast addresses. The netmask's last octet starts at 255 and constantly decreases by multiples of 2, while the bitmask decreases by multiples of 1, because in binary, each shift over to the left halves the number, not divides by ten like in the decimal number system. This same pattern goes for all possible netmasks and bitmasks. | ||
+ | |||
+ | Since you told DHCPD to use local1 for logging in the dhcpd.conf configuration file above, you now have to complete the logging environment configuration by adding the following statement to /etc/syslog.conf. | ||
+ | |||
+ | |||
+ | |||
+ | ee /etc/syslog.conf | ||
+ | |||
+ | <pre> | ||
+ | local1.notice /var/log/dhcpd.log | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | |||
+ | This log file does not exist, so you must create it. | ||
+ | |||
+ | touch /var/log/dhcpd.log | ||
+ | |||
+ | To activate the changes to /etc/syslog.conf you can reboot or force the syslogd task into re-reading /etc/syslog.conf by issuing this console command | ||
+ | <pre> | ||
+ | /etc/rc.d/syslogd reload | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | |||
+ | Now you must set up log rotation. Add this statement. | ||
+ | |||
+ | |||
+ | ee /etc/newsyslog.conf | ||
+ | |||
+ | <pre> | ||
+ | /var/log/dhcp.log 600 3 100 * B | ||
+ | </pre> | ||
+ | |||
+ | You can change the log rotation triggers to whatever you want. | ||
+ | See man newsyslog for info on what the trigger values mean. | ||
+ | |||
+ | |||
+ | |||
+ | The DHCPD daemon has a start up script located at /usr/local/etc/rc.d/ | ||
+ | |||
+ | This directory location is where FBSD looks for files that end in .sh and executes them at the end of the boot process to start the applications. | ||
+ | |||
+ | |||
+ | |||
+ | You can administer the DHCPD server from the command line using | ||
+ | |||
+ | <pre> | ||
+ | /usr/local/etc/rc.d/isc-dhcp.sh start | ||
+ | stop | ||
+ | restart | ||
+ | </pre> | ||
+ | |||
+ | Restart is used to reread dhcp.conf file after making changes. | ||
+ | |||
+ | |||
+ | Now manually start DHCP by entering this on the command. | ||
+ | |||
+ | /usr/local/etc/rc.d/isc-dhcp.sh start | ||
+ | |||
+ | |||
+ | Issue 'ps ax' command to see the DHCP daemon running in the active task list. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | == Testing the DHCPD Daemon == | ||
+ | |||
+ | To test the DHCPD server you need a PC on the LAN. | ||
+ | |||
+ | First let's check the LAN MS/Windows box network configuration. Click on the following buttons in this order. Start/settings/control panel/network/. Highlight TCP/IP and click on properties button. In the IP address tab the 'obtain IP address automatically' should be to only thing check marked. All the fields in the other tabs must be blank. If this is what you have use the cancel buttons to back yourself out. If you answer ok, you may have to have the windows install CDROM to update the network section. | ||
+ | |||
+ | Windows 98, 2000, ME and XP have a program c:/windows/winipcfg.exe which will show you the DHCP info it's using. Start the winipcfg program by clicking on start, run, and type c:/windows/winipcfg.exe into the run window and then hit the OK button. Click on the more info button to see everything. You should be able to comprehend what you see back to the dhcpd.conf options as explained above. Click on the 'renew all' button to acquire a new DHCP lease. | ||
+ | |||
+ | == FBSD as a DHCP Client == | ||
+ | |||
+ | The isc-dhcp3 port comes with a client. I am not going to cover the isc-dhcp3 port client configuration process, because FBSD comes with a DHCP client built into the basic FBSD system. | ||
+ | |||
+ | To activate the built in dhcp client on a FBSD LAN PC, edit /etc/rc.conf and add the following statement to tell FBSD what interface the client DHCP should use: | ||
+ | |||
+ | ee /etc/rc.conf | ||
+ | |||
+ | <pre> | ||
+ | ifconfig_dc0="DHCP" # Where dc0 is the FBSD Nic card interface name. | ||
+ | </pre> | ||
+ | |||
+ | That's it, configuration complete. Reboot to activate your changes. | ||
[[Category:Common Tasks]] | [[Category:Common Tasks]] | ||
[[Category:FreeBSD for Servers]] | [[Category:FreeBSD for Servers]] |
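Review bot: the rc.conf block in this hunk sets dhcpd_ifaces="xl0" while the sentence two lines below it says "The dc0 is to be replaced", and the rest of the page configures the LAN NIC as dc0 (ifconfig_dc0="inet 10.0.10.2 ..."); use the same interface name in both places. Further down the same hunk: the pool `range 10.0.10.1 10.0.10.6;` includes 10.0.10.2, which the comment above it declares to be the gateway's own NIC address, so the pool should start above the gateway or that address should be kept out of it; the syslog.conf line logs to /var/log/dhcpd.log but the newsyslog.conf entry rotates /var/log/dhcp.log, so one of the two file names is wrong; in the bitmask table the rows for 22, 20 and 12 do not fit the "total always doubles" rule stated under it (a /22 netmask is 255.255.252.0 with 1024 addresses, /20 is 255.255.240.0 with 4096, /12 is 255.240.0.0 with 1048576) and the text should say the table skips prefix lengths; and "DSN" should read "DNS" throughout.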
Latest revision as of 19:09, 13 August 2012
== Setting up Local Area Network (LAN) ==
A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area (for example, within an office building). Usually, the server has applications and data storage that are shared in common by multiple LAN computer users. A local area network may serve as few as two or three users (for example, in a home network) or as many as thousands of users (for example, in an FDDI network). Typically, a suite of application programs can be kept on the LAN server. Users who need an application frequently can download it once and then run it from their local hard disk. A user can share files with others at the LAN server.
There are many technical limitations and options in how a LAN is configured, depending on whether you are a non-commercial or a commercial user and on how many of the MS/Windows and/or Unix network server sharing facilities you want to enable.
What determines whether you are a commercial user or not is how you are known to the public Internet. A commercial user has a permanent, dedicated, high-speed leased Internet line connecting them to their ISP and one or more static IP addresses assigned by their ISP. A static IP address is always the same number; it never changes between logins to the ISP. They have an officially registered domain name that points to one of the static IP addresses, which in turn points to the PC acting as their gateway. If the commercial user pays for a large block of static IP addresses, they can use these addresses for the computers on the LAN and do not need NAT (network address translation). Their email arrives at the gateway PC and is processed by their own mail server directly; they do not use their ISP to receive and hold their email for them.
A non-commercial user, such as a home user, dials in to their ISP over a phone line on a limited-speed connection or has a 24/7 cable or DSL high-speed connection, and is assigned a single dynamic IP address which changes every time they log in. Their ISP receives and holds all their email for them. The only way a public Internet user can find them is by knowing the dynamic IP address currently in use. From the ISP's viewpoint a non-commercial user consumes a very small amount of its overall resources, so the ISP charges much less for a single-user account.
The FBSD system acting as the gateway can also be configured to provide different levels of network sharing depending on what kind of operating systems run on the PCs connected to the LAN. For Unix-like operating systems NFS provides network file and device sharing, while the FBSD port application Samba does the same thing for MS/Windows PCs on the LAN. These facilities, NFS and Samba, are not covered in this guide as they are more applicable to commercial users with large LANs.
See this link for Samba details http://us1.samba.org/samba/samba.html
See the following links for details on FBSD NFS:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-nfs.html
http://www.onlamp.com/pub/a/bsd/2000/07/26/FreeBSD_Basics.html
== Home User LANs ==
Without a gateway, each family member would need their own phone line and their own ISP account for all of the family PCs to be on the Internet simultaneously, which is costly. The alternative is to have a single FBSD gateway system connect to the ISP and network the other family members' PCs behind it using private IP addresses and NAT (Network Address Translation), so that everything leaving the gateway looks like it came from the single dynamic IP address assigned by the ISP. Your ISP cannot tell whether a packet passing through it has been NATed or not.
Installer Note: When you sign up for service with your ISP you have to sign a user agreement that basically says you are not allowed to do NAT on your PC or run email services or web servers. If you are caught, it's grounds for them to terminate your account. Never tell your ISP tech support people what you are doing. Most ISP's leave open all the ports except the port used by an email server, which they block. More recently some ISPs have started to also block the web server port number.
Another simple-to-configure facility is an anonymous FTP server on the FBSD gateway, so LAN users can post large files there that they want to pass to other LAN users.
The LAN can be populated with both MS/Windows boxes and FBSD boxes without causing any problems. ISPs usually allow 5 email addresses per dial-in account. Each family member can have their own email address and, using the email client on their PC, fetch their email directly from the ISP's email server. Alternatively you can run a task on the FBSD gateway box that downloads the email from the ISP account on a recurring schedule and stores it in FBSD's built-in email server, sendmail; all the LAN users then get their email from the sendmail server without the FBSD gateway needing to be connected to the Internet at the time.
Topology of a LAN
<pre>
 __________         ________               _____
|          |       |        |             |     |
| FBSD/GW  |       | switch |<----------->| LAN |
|          |       |   or   |             | PC1 |     _____
|   NIC    |<----->|  hub   |<--|         |_____|    |     |
|__________|       |________|   |                    | LAN |
                                |<------------------>| PC2 |
                                                     |_____|
</pre>
The above diagram shows a simple single LAN circuit. Your FBSD gateway box needs a NIC for each separate LAN circuit, and each circuit must use a unique IP address subnet. You cable the LAN NIC on the back of the FBSD gateway PC to a network switch or hub. A small, cheap switch normally has 5 ports, one for each PC on the LAN including the FBSD gateway. You run a cable from the switch to the NIC of each PC you want on the LAN. A LAN circuit can handle many PCs and many downstream switches as long as the maximum cable distance is not exceeded. To add more LAN users you create another circuit by adding another NIC to the FBSD box and connecting it to another switch with more LAN PCs attached. Please note that this is a very simplified LAN description and layout, but it is adequate for a basic understanding of how the physical parts of the LAN are cabled together.
For the home user with just two PCs, you can cable your FBSD LAN NIC directly to the other PC's NIC with a special crossover cable.
== Installing the LAN ==
Your PC should have two NICs already installed. During the boot of FBSD, review the /var/run/dmesg.boot log to verify that your PCI NICs were found.
This is what you are looking for. It means that the FBSD GENERIC kernel found your NIC. The dc0 name will differ depending on the manufacturer of your NIC.
<pre>
dc0: <Macronix 98715/98715A 10/100BaseTX> port 0xdc00-0xdcff mem 0xe3000000-0xe30000ff irq 3 at device 19.0 on pci0
dc0: Ethernet address: 00:80:c6:f2:2e:3b
miibus0: <MII bus> on dc0
dcphy0: <Intel 21143 NWAY media interface> on miibus0
dcphy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, auto
</pre>
dc0 is the NIC FBSD internal interface name.
The GENERIC kernel contains device statements for most of the NICs currently on the market. If the /var/run/dmesg.boot log shows your NIC as
<pre>
pci0: <unknown card> (vendor=0x1274, dev=0x5000) at 19.0
</pre>
or there is no message to indicate that the BIOS probe found any PCI devices, then you may have an older BIOS on your PC which does not handle PCI cards very well. On older (i.e. pre-Y2K) PC BIOSes it is very common for the system probe to be unable to find one or more PCI cards. If this happens to you, you have to do some research to determine the problem.
Try the pciconf -lv command to see if it gives you any useful info. Then review the GENERIC source at /usr/src/sys/i386/conf/GENERIC to see if it contains any device statement comments about your NIC based on the manufacturer or chips used. If you do find a device statement in the GENERIC source for your NIC, then add this statement to your kernel source and recompile your kernel.
<pre>
device pun
</pre>
This device has additional code to probe your system's BIOS using different methods which in most cases results in your PCI NIC being found.
If the review of the GENERIC kernel source produces no results, then review the kernel source file named LINT at /usr/src/sys/i386/conf/ for comments that describe your NIC by manufacturer name or chips used. Copy the appropriate device statements to the GENERIC kernel source file and then follow the instructions at Kernel Customizing. You will have to create a custom kernel from the GENERIC source including the device statement from the LINT source.
If you find no kernel device statements for your NIC, then it's not supported and you have to get one that is.
== LAN private IP address ==
There are ranges of special IP addresses reserved for use on private LANs. These special IP address ranges are non-routable on the public Internet. They are listed in the /etc/hosts file.
According to RFC 1918, you can use the following IP address ranges for private networks which will never be connected to the Internet:
<pre>
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
</pre>
These can also be written as
<pre>
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
</pre>
To communicate with the LAN PCs, the FBSD system needs to know the IP address range of the PCs on the LAN, and the LAN PCs need to be configured with LAN network information so they know how to perform their part in the communication process.
There are two ways to accomplish this:
The manual way, by hand, or
The automatic way, using the DHCP server from the FBSD ports collection.
== Manually Configuring the Gateway host ==
Before you can manually configure each PC on the LAN by hand, you first have to collect some information from your FBSD gateway box. It's assumed that your gateway PC's connection to the public Internet is already working.
The configuration file /etc/resolv.conf is automatically populated with the IP addresses of your ISP's primary and secondary domain name servers every time you log in to your ISP. Write down these IP addresses; you will need them to configure your LAN PCs.
Now decide on the private IP address range to use for your LAN. This guide uses a very small portion of the 10.0.0.0/8 range for the private LAN, namely 10.0.10.0/29. This gives 10.0.10.0 through 10.0.10.7. The usable portion of the range is 10.0.10.1 through 10.0.10.6; 10.0.10.0 and 10.0.10.7 are the reserved network and broadcast addresses.
The IP address of the NIC in the FBSD gateway will be 10.0.10.2. The IP address of the first LAN PC to be manually configured will be 10.0.10.3.
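The arithmetic behind the 10.0.10.0/29 choice, as an added Python example that is not part of the original guide: it derives the netmask, the reserved pair and the usable range for any prefix length, and checks the addresses this guide assigns against them. The function names are my own.

```python
import ipaddress


def subnet_facts(cidr):
    """Derive what the guide works out by hand for 10.0.10.0/29: netmask,
    network and broadcast addresses, usable host range and address counts.
    Works for any IPv4 prefix length; a host address such as 10.0.10.5/29
    is accepted and reduced to its network."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    first, last = int(net.network_address), int(net.broadcast_address)
    if net.prefixlen <= 30:
        # Two addresses are reserved: the network address and the broadcast address.
        first_host, last_host = first + 1, last - 1
    else:
        # /31 (RFC 3021 point-to-point links) and /32 have no reserved pair.
        first_host, last_host = first, last
    return {
        "prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(ipaddress.IPv4Address(first_host)),
        "last_host": str(ipaddress.IPv4Address(last_host)),
        "total": net.num_addresses,
        "usable": last_host - first_host + 1,
    }


def is_usable_host(address, cidr):
    """True when a statically assigned LAN address lies in the usable part of
    the subnet, i.e. it is neither outside the range nor a reserved address."""
    f = subnet_facts(cidr)
    a = int(ipaddress.IPv4Address(address))
    lo = int(ipaddress.IPv4Address(f["first_host"]))
    hi = int(ipaddress.IPv4Address(f["last_host"]))
    return lo <= a <= hi


def netmask_table(prefixes=range(32, -1, -1)):
    """(prefix, netmask, total, usable) rows of the bitmask/netmask table,
    computed rather than typed, for every prefix length from /32 to /0."""
    rows = []
    for p in prefixes:
        f = subnet_facts(f"0.0.0.0/{p}")
        rows.append((p, f["netmask"], f["total"], f["usable"]))
    return rows


if __name__ == "__main__":
    f = subnet_facts("10.0.10.0/29")
    print(f"{f['network']}/{f['prefix']} netmask {f['netmask']}: hosts "
          f"{f['first_host']}-{f['last_host']} ({f['usable']} usable), "
          f"broadcast {f['broadcast']}")
    # The addresses this guide hands out, plus two that must be rejected.
    for pc in ("10.0.10.2", "10.0.10.3", "10.0.10.4", "10.0.10.7", "10.0.11.1"):
        verdict = "usable" if is_usable_host(pc, "10.0.10.0/29") else "NOT a usable host address"
        print(pc, verdict)
    for row in netmask_table():
        print("%2d  %-15s %10d %10d" % row)
```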
On the FBSD gateway system add these two statements to /etc/rc.conf to manually assign the FBSD LAN NIC an IP address and tell FBSD to act as a gateway for the LAN.
<pre>
ifconfig_dc0="inet 10.0.10.2 netmask 255.255.255.248"
gateway_enable="YES"
</pre>
The dc0 is the gateway interface name of the NIC the LAN is cabled to.
== Manually configuring LAN FBSD PC ==
For an FBSD workstation PC on the LAN, add these statements to /etc/rc.conf to manually assign the FBSD LAN NIC an IP address. Be sure to change dc0 to the interface name of the NIC in the FBSD LAN PC.
<pre>
ifconfig_dc0="inet 10.0.10.3 netmask 255.255.255.248"
defaultrouter="10.0.10.2"
</pre>
Copy the FBSD gateway's /etc/resolv.conf file to the FBSD LAN PC, replacing the one that's there, or edit the FBSD LAN PC's /etc/resolv.conf so it matches the one on the FBSD gateway. Reboot the system to enable your changes.
To test, ping the gateway server:
ping -c 4 10.0.10.2
Then test DNS by pinging:
ping -c 4 freebsd.org
== Manually Configuring an MS/Windows LAN PC ==
This procedure has been tested on MS/Windows 98, ME and XP.
Click on start, settings, control panel, networking. In the window the installed network components are displayed. Scroll through them and click to highlight the TCP/IP line for the NIC you are going to use to connect this box to your LAN. When it's highlighted, the properties button below the window becomes enabled. Click on the properties button and a window pops up which is where you manually configure the NIC TCP/IP network settings.
Under the IP address tab, click on "specify IP address". For the IP address enter 10.0.10.4.
Under the gateway tab, in the new gateway field enter the IP address of the FBSD gateway, 10.0.10.2, and click the add button.
Under the DNS configuration tab, click on "enable DNS". In the DNS server search order field enter the first of the two IP addresses you got from the FBSD gateway's /etc/resolv.conf file and click the add button, then do the same for the second IP address. When you're finished click the OK button at the bottom of the pop-up window, and click OK again. The system will reboot to activate your changes.
To test, click on start, run.
Enter C:\windows\command.com
When a native DOS window opens, ping the gateway server:
Ping 10.0.10.2
Then test DNS:
ping freebsd.org
The DNS servers convert this domain name to an IP address and four pings are then sent to it. When this has completed, enter exit to leave native DOS mode.
For each additional FBSD or MS/Windows LAN PC you want to add, just increment the last digit of the last assigned IP address by 1. You may want to keep a log book so you know which LAN IP addresses you have assigned. All LAN PCs connected to the FBSD gateway's 10.0.10.2 NIC have to use the same IP address subnet (i.e. 10.0.10.x), where in this example x can be 1 through 6.
== DHCP (Dynamic Host Configuration Protocol) ==
If you are following the 'incremental install method' recommended in this Installers Guide, you have now completed the basic install of the FBSD Gateway/Firewall server with attached LAN. Everything up to this point has been accomplished using the built in facilities available in the standard FBSD stable release.
In the previous section you manually configured your LAN PCs by hand with the information they needed to communicate with the FBSD gateway. DHCP automates and controls the assignment of private IP addresses in your LAN environment.
What function does DHCP perform?
The Dynamic Host Configuration Protocol (DHCP) is most commonly used where a LAN (local area network) has too many PC workstations for the LAN administrator to manually configure each workstation with the information it needs for access to the LAN. DHCP was developed to automate this process. DHCP usually runs on the gateway/firewall machine in server mode. It broadcasts its presence through the LAN to all the workstations that have a DHCP client installed. At boot time each workstation asks the DHCP server for the information necessary to configure itself for access to LAN services.
All Microsoft Windows machines have a DHCP client built in that defaults to using DHCP services without any user configuration. FBSD also has a built-in DHCP client, but it needs manual user input to activate it. Many ISPs use DHCP on dial-up, DSL and cable access to achieve the same results a LAN administrator wants for a private LAN.
One of DHCP's major strengths is its ability to manage the dynamic assignment of IP addresses from a pool and to reuse any IP address released when a workstation is removed from the LAN or moved to a different location on the LAN, such as what normally happens in a company work place environment.
== DHCP Server ==
To add a DHCP server to FBSD you have to install the port. The best and most commonly used port for this purpose is the isc-dhcpd3 port. The ISC-DHCP3 server supports three mechanisms for IP address allocation. In "automatic allocation", DHCP assigns a permanent IP address to a client. In "dynamic allocation", DHCP assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address). In "manual allocation", a client's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client. Dynamic allocation is the only one of the three mechanisms that allows automatic reuse of an address that is no longer needed by the client to which it was assigned. A particular network will use one or more of these mechanisms, depending on the policies of the network administrator.
For our purpose of a simple DHCP server that would fill the needs of the common FBSD user we are going to configure the DHCP server for "dynamic allocation" mode.
== How DHCP Works ==
When the dhcpd daemon starts up at FBSD boot time, it broadcasts its presence through the LAN, then it sleeps and listens for broadcast requests for network configuration information from the LAN workstations. By default, it listens on UDP port 67. When such a request is received, the server replies to the client machine on UDP port 68, providing the details required to connect to the network, such as the IP address assigned to the workstation, the subnet mask, the default gateway and the DNS server names or IP addresses. Also included with this reply is the length of time for which this information can be used by that particular client. This is known as a DHCP "lease", and a new lease must be acquired by the client when it expires. The length of time for which a lease is valid is decided by the administrator of the DHCP server. The DHCP server keeps a database of the leases it has issued in the /var/db/dhcpd.leases file. This file is written as a log and can be edited. See man dhcpd.leases for a slightly longer description. DHCP clients can obtain a great deal of information from the server. An exhaustive list may be found in man dhcp-options and man dhcpd after DHCP is installed.
== DHCP Configuration Instructions ==
To install the DHCP software, install the FBSD isc-dhcp3-server package with the following command:
<pre>
pkg_add -rv isc-dhcp3-server
</pre>
To start the DHCPD server at boot time, add the following statements to the /etc/rc.conf file.
<pre>
ee /etc/rc.conf
</pre>
<pre>
dhcpd_enable="YES"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="dc0"
dhcpd_flags="-q"
</pre>
The -q option will turn off the copyright banner that displays during the FBSD boot up and in the DHCP log every time a broadcast is issued by the DHCP daemon or when a request is received from a workstation DHCP client.
Replace dc0 with the interface name of the LAN NIC on your gateway/firewall FBSD system that you want DHCP service on.
The dhcpd.conf file is delivered as a sample file, so you have to make a copy of it without its sample suffix. It contains a lot of comments and commented-out example statements which you can delete. Edit the main DHCP configuration file and make it look like this.
<pre>
cp /usr/local/etc/dhcpd.conf.sample /usr/local/etc/dhcpd.conf
ee /usr/local/etc/dhcpd.conf
</pre>
<pre>
option domain-name "fbsdjones.com";
option domain-name-servers 208.206.15.11, 208.206.15.12;

# 600=10min, 7200=2 hours, 86400=1 day, 604800=1 week, 2592000=30 days
default-lease-time 86400;
max-lease-time 604800;

authoritative;
ddns-update-style none;
log-facility local1;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
subnet 10.152.187.0 netmask 255.255.255.0 {
}

# This is the fbsdjones.com subnet declaration.
# Max of 6 pc on LAN 10.0.10.1 - 10.0.10.6
# 10.0.10.2 is the IP address of the Nic card in FBSD
# 10.0.10.7 is the broadcast IP address
subnet 10.0.10.0 netmask 255.255.255.248 {
  range 10.0.10.1 10.0.10.6;
  option routers 10.0.10.2;
}
</pre>
The option domain-name "fbsdjones.com"; is the user-selected domain name from the hostname="gateway.fbsdjones.com" statement of /etc/rc.conf.
The option domain-name-servers contains the IP addresses of your ISP's DNS servers, taken from the /etc/resolv.conf nameserver statements, which get populated automatically when you connect to your ISP. If you have your own private LAN DNS server, make it the first one in the list; in that case you can use full domain names instead of IP addresses (such as dnslocal.fbsdjones.com, dns1.isp-domain.com).
The default-lease-time and max-lease-time values are in seconds and set the lease periods for these functions. The values I show are good to go with.
The authoritative; option tells the DHCP daemon server that it is the boss and is in control of issuing all the information to the LAN DHCP clients.
The ddns-update-style none; tells DHCP that there is no local LAN DNS server. If you have one, change this from none to interim. In the dhcpd.conf.sample you will see comments saying none and ad-hoc are the two options. This is no longer true for DHCP version 3.0: ad-hoc has been deactivated and replaced with interim. See man dhcpd.conf for details.
The log-facility allows you to segregate the DHCP messages to a separate log for recording. You are going to use local1 for logging of DHCP server messages.
<pre>
subnet 10.0.10.0 netmask 255.255.255.248 {
  range 10.0.10.1 10.0.10.6;
  option routers 10.0.10.2;
}
</pre>
The subnet 10.0.10.0 netmask 255.255.255.248 statement declares the maximum subnet IP address range. In this case the last octet of the netmask, 248, determines the range. This means a total of 8 IP addresses, 10.0.10.0 through 10.0.10.7, are allocated as the subnet range. 10.0.10.0 (the network address) and 10.0.10.7 (the broadcast address) are reserved and cannot be assigned to hosts.
The range 10.0.10.1 10.0.10.6; is saying this range of IP addresses makes up the pool of addresses that are to be used for dynamic IP allocation to DHCP clients. It's a small home LAN with only two MS/Windows boxes and a single FBSD box on it now. That can grow to six machines without making any changes to this statement group.
The option routers 10.0.10.2 statement is a bit misleading. What it refers to is the NIC in the FBSD box that the DHCP server runs on and that the LAN being configured is cabled to. In our case the NIC has an IP address of 10.0.10.2, which is specified in /etc/rc.conf by the ifconfig_dc0="inet 10.0.10.2 netmask 255.255.255.248" statement.
The principle behind bitmasks and netmasks is simple, but often confusing to new users as it requires knowledge of binary numbers. For a quick reference, the following table illustrates what network ranges are indicated by the corresponding bitmasks/netmasks up to a default class C netmask.
<pre>
Bitmask  Netmask             Total IP's   Usable IP's
32       255.255.255.255     1            1
31       255.255.255.254     2            1
30       255.255.255.252     4            2
29       255.255.255.248     8            6
28       255.255.255.240     16           14
27       255.255.255.224     32           30
26       255.255.255.192     64           62
25       255.255.255.128     128          126
24       255.255.255.0       256          254
22       255.255.192.0       16320        16318
20       255.255.128.0       32768        32766
16       255.255.0.0         65536        65534
12       255.128.0.0         8388608      8388606
8        255.0.0.0           256^3        (256^3)-2
0        0.0.0.0 (all IP's)  256^4        (256^4)-2
</pre>
As you can see, there is a definite pattern. The number of total IP's always doubles, and the number of usable IP's is always total - 2. This is because for every IP network/subnet there are two IP's reserved for the network and broadcast addresses. The netmask's last octet starts at 255 and decreases by successive powers of two (254, 252, 248, ...), while the bitmask decreases by one each step, because in binary each bit shift halves or doubles the number rather than dividing or multiplying by ten as in the decimal number system. This same pattern holds for all possible netmasks and bitmasks.
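The subnet, range and routers statements explained above, and the netmask arithmetic in the table, can be checked mechanically before dhcpd is started. The following Python script is an added example, not part of this guide or of the ISC DHCP distribution; it parses the subnet blocks of a dhcpd.conf fragment (the fbsdjones.com block is embedded as constructed sample input), computes the network, broadcast and total/usable counts for any prefix length, and flags a pool that reaches outside the subnet, includes the network or broadcast address, or contains the gateway's own NIC address.

```python
import ipaddress
import re

# Constructed sample input: the fbsdjones.com subnet block from the dhcpd.conf above.
SAMPLE_CONF = """
subnet 10.0.10.0 netmask 255.255.255.248 {
  range 10.0.10.1 10.0.10.6;
  option routers 10.0.10.2;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+)\s*;")
ROUTERS_RE = re.compile(r"option\s+routers\s+([^;]+);")


def netmask_table(prefix):
    """Total and usable address counts for a /prefix, following the table above
    (network and broadcast excluded; /31 and /32 counted as one usable host)."""
    total = 2 ** (32 - prefix)
    return total, max(total - 2, 1)


def check_subnets(conf_text):
    """Parse every subnet block in a dhcpd.conf fragment and validate its pool.
    Returns one dict per subnet with the computed values and a list of findings."""
    results = []
    for net_str, mask_str, body in SUBNET_RE.findall(conf_text):
        net = ipaddress.ip_network(f"{net_str}/{mask_str}", strict=True)
        total, usable = netmask_table(net.prefixlen)
        findings = []
        rng = RANGE_RE.search(body)
        routers = ROUTERS_RE.search(body)
        if rng:  # an empty block such as the 10.152.187.0 declaration has no range
            lo, hi = (ipaddress.ip_address(a) for a in rng.groups())
            reserved = (net.network_address, net.broadcast_address)
            if lo not in net or hi not in net:
                findings.append("range lies outside the declared subnet")
            if lo in reserved or hi in reserved:
                findings.append("range includes the network or broadcast address")
            # The gateway's own NIC address must never be handed out to a client.
            for r in (routers.group(1).split(",") if routers else []):
                r = ipaddress.ip_address(r.strip())
                if lo <= r <= hi:
                    findings.append(f"router {r} lies inside the dynamic pool")
        results.append({"network": str(net.network_address), "prefix": net.prefixlen,
                        "broadcast": str(net.broadcast_address), "total": total,
                        "usable": usable, "findings": findings})
    return results


if __name__ == "__main__":
    for r in check_subnets(SAMPLE_CONF):
        print(r)
```

Run against the sample block it reports 10.0.10.0/29 with broadcast 10.0.10.7, 8 total and 6 usable addresses, and one finding: the gateway address 10.0.10.2 sits inside the range handed out to clients.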
Since you told DHCPD to use local1 for logging in the dhcpd.conf configuration file above, you now have to complete the logging environment configuration by adding the following statement to /etc/syslog.conf.
<pre>
ee /etc/syslog.conf
</pre>
<pre>
local1.notice /var/log/dhcpd.log
</pre>
This log file does not exist, so you must create it.
<pre>
touch /var/log/dhcpd.log
</pre>
To activate the changes to /etc/syslog.conf you can reboot or force the syslogd task into re-reading /etc/syslog.conf by issuing this console command:
<pre>
/etc/rc.d/syslogd reload
</pre>
Now you must set up log rotation. Add this statement.
<pre>
ee /etc/newsyslog.conf
</pre>
<pre>
/var/log/dhcpd.log 600 3 100 * B
</pre>
You can change the log rotation triggers to whatever you want. See man newsyslog for info on what the trigger values mean.
The DHCPD daemon has a start up script located at /usr/local/etc/rc.d/
This directory location is where FBSD looks for files that end in .sh and executes them at the end of the boot process to start the applications.
You can administer the DHCPD server from the command line using
<pre>
/usr/local/etc/rc.d/isc-dhcp.sh {start|stop|restart}
</pre>
Restart is used to reread the dhcpd.conf file after making changes.
Now manually start DHCP by entering this on the command line.
<pre>
/usr/local/etc/rc.d/isc-dhcp.sh start
</pre>
Issue the 'ps ax' command to see the DHCP daemon running in the active task list.
== Testing the DHCPD Daemon ==
To test the DHCPD server you need a PC on the LAN.
First let's check the LAN MS/Windows box network configuration. Click on the following buttons in this order: Start/settings/control panel/network/. Highlight TCP/IP and click on the properties button. In the IP address tab, 'obtain IP address automatically' should be the only thing check marked. All the fields in the other tabs must be blank. If this is what you have, use the cancel buttons to back yourself out. If you answer OK, you may have to have the Windows install CDROM to update the network section.
Windows 98, 2000, ME and XP have a program c:/windows/winipcfg.exe which will show you the DHCP info it's using. Start the winipcfg program by clicking on start, run, and type c:/windows/winipcfg.exe into the run window and then hit the OK button. Click on the more info button to see everything. You should be able to relate what you see back to the dhcpd.conf options as explained above. Click on the 'renew all' button to acquire a new DHCP lease.
== FBSD as a DHCP Client ==
The isc-dhcp3 port comes with a client. I am not going to cover the isc-dhcp3 port client configuration process, because FBSD comes with a DHCP client built into the basic FBSD system.
To activate the built-in DHCP client on a FBSD LAN PC, edit /etc/rc.conf and add the following statement to tell FBSD what interface the DHCP client should use:
<pre>
ee /etc/rc.conf
</pre>
<pre>
ifconfig_dc0="DHCP"   # Where dc0 is the FBSD NIC card interface name.
</pre>
That's it, configuration complete. Reboot to activate your changes.