Under pages, FreeBSD, IPv6, a DMZ, and you.

In case I, or anyone else, ever need to rebuild a FreeBSD-based router/firewall, this guide documents the configuration that provides the following:
• IPv4 via DHCP
• IPv6 (/48) provided via tunnel from Hurricane Electric
• A unique IPv6 prefix (/64) provided to each L3 subnet on the local network.
• An IPv4/IPv6 DMZ that can reach only the Internet, not the other LAN segments.
◦ DMZ hosts use Google’s public DNS servers rather than the local ones.

/etc/rc.conf

# Router /etc/rc.conf: WAN on igb0, trusted VLANs on igb1/igb2, DMZ VLAN on igb3.
# The interface *groups* set here (egress, zone\_secure, zone\_dmz) are the names
# /etc/pf/pf.conf keys its rules on, so keep them in sync with that file.

# Interfaces created at boot: the HE 6in4 tunnel (gif0) and the VLAN sub-interfaces.
cloned\_interfaces\_sticky="gif0 vlan10 vlan11 vlan12 vlan13 vlan254"
# Forward IPv4 between interfaces (this box is the router).
gateway\_enable="YES"
# WAN: IPv4 via DHCP; "egress" is the group name pf.conf refers to.
ifconfig\_igb0="DHCP group egress"
# NOTE(review): accepting router advertisements on the WAN side could install a
# second IPv6 default route beside ipv6\_defaultrouter below, should the upstream
# ever send RAs — confirm this is wanted.
ifconfig\_igb0\_ipv6="inet6 accept\_rtadv"
# Use the ports dhclient rather than the base one, with a per-interface pid file.
dhclient\_program="/usr/local/sbin/dhclient"
dhclient\_flags="-pf /var/run/dhclient/dhclient.igb0.pid -q"

# Physical LAN ports carry only tagged VLANs: brought up, no address of their own.
ifconfig\_igb1="up"
ifconfig\_igb2="up"
ifconfig\_igb3="up"

# One /24 per VLAN with the router at .2. vlan10/11 ride on igb1 and vlan12/13 on
# igb2, all in the trusted zone\_secure group; the DMZ VLAN sits alone on igb3 and
# in its own group so pf can treat it differently.
ifconfig\_vlan10="inet 10.10.0.2 netmask 255.255.255.0 vlan 10 vlandev igb1 group zone\_secure"
ifconfig\_vlan11="inet 10.10.1.2 netmask 255.255.255.0 vlan 11 vlandev igb1 group zone\_secure"
ifconfig\_vlan12="inet 10.10.2.2 netmask 255.255.255.0 vlan 12 vlandev igb2 group zone\_secure"
ifconfig\_vlan13="inet 10.10.3.2 netmask 255.255.255.0 vlan 13 vlandev igb2 group zone\_secure"
ifconfig\_vlan254="inet 10.10.254.2 netmask 255.255.255.0 vlan 254 vlandev igb3 group zone\_dmz"

# One /64 per VLAN out of the HE /48; /etc/rtadvd.conf must advertise the same
# prefixes. vlan11 gets no prefix and is not in rtadvd\_interfaces — presumably
# an IPv4-only segment; confirm.
# NOTE(review): the vlan13 prefix here (…:1130) does not match the one in
# /etc/rtadvd.conf (…:1103). The other VLANs follow the ":110<n>" pattern, so one
# of the two is most likely a typo; the two files must agree.
ipv6\_prefix\_vlan10="2001:470:abcd:1100"
ipv6\_prefix\_vlan12="2001:470:abcd:1102"
ipv6\_prefix\_vlan13="2001:470:abcd:1130"
ipv6\_prefix\_vlan254="2001:470:abcd:11f1"
# Forward IPv6 between interfaces.
ipv6\_gateway\_enable="YES"

# HE 6in4 tunnel: outer IPv4 endpoints (author's placeholders) and the inner
# point-to-point /128 addresses; the HE side is the IPv6 default router.
create\_args\_gif0="tunnel MY.IPV4.IP MY.IPV6.TUNNEL.IPV4.IP"
ifconfig\_gif0\_ipv6="inet6 2001:470:9876:1df::2 2001:470:9876:1df::1 prefixlen 128"
# Privacy extensions (temporary addresses) for the router's own outbound IPv6.
ipv6\_privacy="YES"
ipv6\_defaultrouter="2001:470:9876:1df::1"
# Send router advertisements on the IPv6-enabled VLANs (see /etc/rtadvd.conf).
rtadvd\_enable="YES"
rtadvd\_interfaces="vlan10 vlan12 vlan13 vlan254"
pf\_enable="YES"
pf\_rules="/etc/pf/pf.conf"

# ISC dhcpd from ports, chrooted into /var/db/dhcpd and dropped to its own
# user/group, so a fault in the daemon stays contained. vlan13 is not served
# here — presumably statically addressed; confirm.
dhcpd\_enable="YES"
dhcpd\_flags="-q"
dhcpd\_conf="/usr/local/etc/dhcpd/dhcpd.conf"
dhcpd\_ifaces="vlan10 vlan11 vlan12 vlan254"
dhcpd\_withumask="022"
dhcpd\_chuser\_enable="YES"
dhcpd\_withuser="dhcpd"
dhcpd\_withgroup="dhcpd"
dhcpd\_chroot\_enable="YES"
dhcpd\_devfs\_enable="YES"
dhcpd\_rootdir="/var/db/dhcpd"
dhcpd\_includedir="/usr/local/etc/dhcpd/"

/usr/local/etc/dhcpd/dhcpd.conf

INSERT DHCPD.CONF HERE

/etc/pf/pf.conf

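# /etc/pf/pf.conf — default deny in both address families, with explicit passes.
# Interface groups (egress, zone\_secure, zone\_dmz) are defined in /etc/rc.conf.

# Sources that trip the connection-rate limits below are collected in this
# table; "persist" keeps it even when no rule currently references it.
# NOTE(review): the table name was lost when this page was rendered (the
# angle-bracketed name was stripped). \<TABLE\_NAME\> is a placeholder — use one
# real name here and in every "from \<…\>" / "overload \<…\>" rule below.
table \<TABLE\_NAME\> persist
# TCP ports on the router itself that are reachable from the Internet (22 = sshd).
ext\_tcp\_services = "{ 22 }"
set skip on lo0
# Normalise fragments, randomise IP IDs and clamp MSS so tunnelled traffic fits.
scrub in all no-df random-id max-mss 1440
# IPv4 masquerade for anything not already sourced from the WAN address.
nat on egress inet from ! (egress) to any -> (egress)

####################
# IPv4 Rules
####################

block log inet all
# Rate-limit offenders are dropped first, before any pass rule can match them.
block in quick inet from \<TABLE\_NAME\>
pass out quick inet
# Trusted LAN zones: unrestricted.
pass in on zone\_secure inet
# SSH from the Internet, state-tracked and rate-limited: a source holding more
# than 15 connections, or opening more than 5 in 3 s, is added to the table and
# all its states are flushed.
pass in on egress inet proto tcp from any to (egress) port $ext\_tcp\_services \\
flags S/SA keep state \\(max-src-conn 15, max-src-conn-rate 5/3, overload \<TABLE\_NAME\> flush global)
pass in on egress inet proto icmp to (egress)
# DMZ: may ping its gateway and reach anything except the secure zones.
# NOTE(review): "anything" includes the router's own addresses (vlan254, egress,
# gif0), so any service listening there — e.g. the port in $ext\_tcp\_services —
# is reachable from the DMZ. If that is unintended, add a block for
# zone\_dmz-to-router traffic ahead of this rule.
pass in log on zone\_dmz inet proto icmp to (zone\_dmz)
pass in log on zone\_dmz inet from zone\_dmz:network to !(zone\_secure:network)

####################
# IPv6 Rules
####################

block log inet6
# The tcp rule at the bottom adds IPv6 sources to the same table, but the
# "block ... inet" rule above never matched them; block them here as well.
block in quick inet6 from \<TABLE\_NAME\>

pass out inet6
# ICMPv6 to the tunnel address (neighbour discovery, path MTU, ping). Errors for
# forwarded flows presumably ride on the states created by "pass out inet6".
pass in on gif0 inet6 proto ipv6-icmp to (gif0)
pass in on zone\_secure inet6
# DMZ, same policy as IPv4: everything except the secure zones (router included).
pass in log on zone\_dmz inet6 from zone\_dmz:network to !(zone\_secure:network)
# SSH over the tunnel with the same limits as the IPv4 rule.
pass in on gif0 inet6 proto tcp from any to (gif0) port $ext\_tcp\_services \\
flags S/SA keep state \\(max-src-conn 15, max-src-conn-rate 5/3, overload \<TABLE\_NAME\> flush global)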

/etc/rtadvd.conf

# /etc/rtadvd.conf — termcap-style, one entry per advertising interface.
# Each entry advertises a single /64 (addrs#1, prefixlen#64) with the default
# timers (tc=default); the prefix must match ipv6\_prefix\_<vlan> in rc.conf.
vlan10:\\
:addrs#1:addr="2001:470:abcd:1100::"\\
:prefixlen#64\\
:tc=default
vlan12:\\
:addrs#1:addr="2001:470:abcd:1102::"\\
:prefixlen#64\\
:tc=default
# NOTE(review): this prefix (…:1103) disagrees with ipv6\_prefix\_vlan13 in
# rc.conf (…:1130); one of the two is most likely a typo — make them agree.
vlan13:\\
:addrs#1:addr="2001:470:abcd:1103::"\\
:prefixlen#64\\
:tc=default
# DMZ prefix; advertised the same way as the secure VLANs.
vlan254:\\
:addrs#1:addr="2001:470:abcd:11f1::"\\
:prefixlen#64\\
:tc=default