FreeBSD, IPv6, a DMZ, and you.

In case I, or anyone else, need to rebuild a FreeBSD-based router/firewall, this guide documents the configuration that provides the following characteristics:
• IPv4 via DHCP
• IPv6 (/48) provided via tunnel from Hurricane Electric
• A unique IPv6 prefix (/64) provided to each L3 subnet on the local network.
• An IPv4/v6 DMZ, which can only access the Internet and not the other LAN segments.
◦ DNS provided by Google’s public DNS servers, and not local servers.

/etc/rc.conf

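# --- Interfaces ---------------------------------------------------------------
# Create the HE tunnel interface and the VLAN sub-interfaces at boot.
cloned_interfaces_sticky="gif0 vlan10 vlan11 vlan12 vlan13 vlan254"
# This box forwards IPv4 between its interfaces.
gateway_enable="YES"
# igb0 is the upstream (ISP) link. It is placed in the "egress" interface group,
# which /etc/pf/pf.conf refers to instead of the interface name.
ifconfig_igb0="DHCP group egress"
# NOTE(review): the IPv6 default route is set statically via ipv6_defaultrouter
# below, and pf.conf's default "block log inet6" has no inet6 pass rule on
# egress, so router advertisements on igb0 are presumably dropped anyway --
# confirm whether accept_rtadv here is still wanted.
ifconfig_igb0_ipv6="inet6 accept_rtadv"
dhclient_program="/usr/local/sbin/dhclient"
dhclient_flags="-pf /var/run/dhclient/dhclient.igb0.pid -q"

# Physical trunk ports; all addressing lives on the VLAN sub-interfaces.
ifconfig_igb1="up"
ifconfig_igb2="up"
ifconfig_igb3="up"

# Internal LAN segments: one /24 per VLAN, all members of the "zone_secure"
# group so pf.conf can address them collectively.
ifconfig_vlan10="inet 10.10.0.2 netmask 255.255.255.0 vlan 10 vlandev igb1 group zone_secure"
ifconfig_vlan11="inet 10.10.1.2 netmask 255.255.255.0 vlan 11 vlandev igb1 group zone_secure"
ifconfig_vlan12="inet 10.10.2.2 netmask 255.255.255.0 vlan 12 vlandev igb2 group zone_secure"
ifconfig_vlan13="inet 10.10.3.2 netmask 255.255.255.0 vlan 13 vlandev igb2 group zone_secure"
# The DMZ segment sits on its own physical port and its own group ("zone_dmz")
# so pf.conf can restrict it separately from the internal segments.
ifconfig_vlan254="inet 10.10.254.2 netmask 255.255.255.0 vlan 254 vlandev igb3 group zone_dmz"

# --- IPv6 on the LAN ------------------------------------------------------------
# One /64 out of the HE-delegated /48 per IPv6-enabled VLAN (vlan11 stays
# IPv4-only). Each value MUST match the addr= entry for the same interface in
# /etc/rtadvd.conf; otherwise hosts autoconfigure on a prefix the router does
# not hold on that interface.
ipv6_prefix_vlan10="2001:470:abcd:1100"
ipv6_prefix_vlan12="2001:470:abcd:1102"
# Was "2001:470:abcd:1130", which matched neither /etc/rtadvd.conf
# ("2001:470:abcd:1103::") nor the vlan10/vlan12 entries above; aligned to 1103.
ipv6_prefix_vlan13="2001:470:abcd:1103"
ipv6_prefix_vlan254="2001:470:abcd:11f1"
# Forward IPv6 between interfaces.
ipv6_gateway_enable="YES"

# --- Hurricane Electric 6in4 tunnel ---------------------------------------------
# Outer IPv4 endpoints (placeholders), inner point-to-point /128 addresses, and
# the HE side of the tunnel as IPv6 default router.
# NOTE(review): igb0 gets its address via DHCP, so a fixed MY.IPV4.IP here stops
# working if the lease changes -- confirm the ISP address is stable or update
# the tunnel endpoint whenever the lease changes.
create_args_gif0="tunnel MY.IPV4.IP MY.IPV6.TUNNEL.IPV4.IP"
ifconfig_gif0_ipv6="inet6 2001:470:9876:1df::2 2001:470:9876:1df::1 prefixlen 128"
# Temporary (privacy) addresses for the router's own IPv6 traffic.
ipv6_privacy="YES"
ipv6_defaultrouter="2001:470:9876:1df::1"
# Advertise the per-VLAN /64s; the prefixes themselves come from /etc/rtadvd.conf.
rtadvd_enable="YES"
rtadvd_interfaces="vlan10 vlan12 vlan13 vlan254"
# Packet filter; ruleset lives outside /etc so it can be versioned separately.
pf_enable="YES"
pf_rules="/etc/pf/pf.conf"

# --- DHCP server (IPv4) -----------------------------------------------------------
dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd/dhcpd.conf"
# vlan13 is not served; presumably statically addressed -- confirm.
dhcpd_ifaces="vlan10 vlan11 vlan12 vlan254"
dhcpd_withumask="022"
# Run dhcpd as an unprivileged user inside a chroot with its own devfs, so a
# compromise of the daemon does not yield root on the router.
dhcpd_chuser_enable="YES"
dhcpd_withuser="dhcpd"
dhcpd_withgroup="dhcpd"
dhcpd_chroot_enable="YES"
dhcpd_devfs_enable="YES"
dhcpd_rootdir="/var/db/dhcpd"
dhcpd_includedir="/usr/local/etc/dhcpd/"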

/usr/local/etc/dhcpd/dhcpd.conf

INSERT DHCPD.CONF HERE

/etc/pf/pf.conf

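# Table of source addresses that tripped the SSH connection limits below.
# The table name was lost when this page was rendered (angle brackets were
# stripped); choose one name and use it for every <TABLE_NAME> placeholder in
# this file. Entries never expire on their own -- schedule
# "pfctl -t <TABLE_NAME> -T expire <seconds>" if you want them to age out.
table <TABLE_NAME> persist
# Ports on the router itself that are reachable from the Internet.
ext_tcp_services = "{ 22 }"
set skip on lo0
# Normalise inbound packets. max-mss 1440 presumably keeps TCP segments inside
# the tunnel MTU -- confirm against the gif0 MTU.
scrub in all no-df random-id max-mss 1440
# Hide the LAN and DMZ behind the dynamic egress address.
nat on egress inet from ! (egress) to any -> (egress)

# Default deny for IPv4.
block log inet all
# Drop overloaded SSH sources before any pass rule is consulted. This was
# "inet" only, so addresses added by the IPv6 SSH rule below were never
# blocked; without an address family it covers both.
block in quick from <TABLE_NAME>
pass out quick inet
# Internal segments may reach anything, including the DMZ.
pass in on zone_secure inet
# SSH from the Internet to the router, with per-source connection limits.
# Offenders are added to the table above and their existing states flushed.
pass in on egress inet proto tcp from any to (egress) port $ext_tcp_services \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <TABLE_NAME> flush global)
# All ICMP types are accepted here; "icmp-type echoreq" would narrow this to
# ping if that is all that is needed.
pass in on egress inet proto icmp to (egress)
pass in log on zone_dmz inet proto icmp to (zone_dmz)
# DMZ may reach anything except the internal segments. The router's own
# addresses outside zone_secure (its DMZ and egress addresses) are not excluded,
# so DMZ hosts can reach services listening there (e.g. sshd on 10.10.254.2 if
# it binds all addresses) -- add an explicit block if that is not intended.
# NOTE(review): zone_secure holds four interfaces; confirm with "pfctl -sr" that
# the negated group is loaded as a single rule, since a negated list in pf is
# expanded into one rule per element and then does not mean "none of them".
pass in log on zone_dmz inet from zone_dmz:network to !(zone_secure:network)

####################
# IPv6 Rules
####################
# Default deny for IPv6 (the table block above already covers inet6).
block log inet6

pass out inet6
# ICMPv6 addressed to the tunnel endpoint itself. ICMPv6 errors belonging to
# existing states are matched by state regardless of this rule.
pass in on gif0 inet6 proto ipv6-icmp to (gif0)
pass in on zone_secure inet6
# Same DMZ caveats as the IPv4 rule above.
pass in log on zone_dmz inet6 from zone_dmz:network to !(zone_secure:network)
pass in on gif0 inet6 proto tcp from any to (gif0) port $ext_tcp_services \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, overload <TABLE_NAME> flush global)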

/etc/rtadvd.conf

# Router advertisements for the IPv6-enabled VLANs. Each interface announces a
# single /64 (addrs#1, prefixlen#64); the addr= value must equal the
# ipv6_prefix_<ifname> entry for the same interface in /etc/rc.conf.
# "tc=default" pulls the remaining parameters from an entry named "default",
# which is assumed to be defined elsewhere -- confirm.
vlan10:addrs#1:addr="2001:470:abcd:1100::":prefixlen#64:tc=default
vlan12:addrs#1:addr="2001:470:abcd:1102::":prefixlen#64:tc=default
vlan13:addrs#1:addr="2001:470:abcd:1103::":prefixlen#64:tc=default
vlan254:addrs#1:addr="2001:470:abcd:11f1::":prefixlen#64:tc=default