First of all, I would like to warmly thank 'jperkin' for his tutorial on this subject, which set me on the right path, as well as 'hadfl' on the OmniOS IRC channel for providing the link!
Finally, thanks to the OmniOSce team for the IPF firewall rule reminders.
The goal here is to turn an OmniOSce server into a router/firewall placed directly in front of the internet. This is not a very common practice, I believe, but why not give it a try.
For this, we will need to configure a PPPoE connection, configure the IPFilter firewall, and set up a DHCP server for potential client computers in the LAN.
We will also configure a DNAT (port forwarding) to be able to access a web server in the LAN from the internet.
The router thus has at least 2 network interfaces, one for the WAN and another for our local LAN network.
The installation must be done in 2 steps if you are on physical hardware:
- First step: Install OmniOSce, allowing the server to access the internet for potential updates, configure NTP, and install ppp and ppp/tunnel.
- Second step: Place the server in its final location or simply make the final connections (if it is in a rack) and connect it to the internet cable linked to your modem/ONT/fiber box etc.
Once connected and powered on, you can configure PPPoE.
You must be root throughout the entire configuration process.
STEP 1:
- Install OmniOSce (choose BASH when creating your admin user - or another shell if you are more comfortable, I'll keep it simple here)
- Power on the server, log in as root, and perform any necessary system image updates on the first boot:
pkg refresh --full ; pkg update && reboot
- If your time zone differs from the default, configure NTP so the server retrieves the correct time (the example below uses the French pool):
pkg install ntpsec && /usr/bin/ntpdate 0.fr.pool.ntp.org && date && svcadm enable svc:/network/ntp:default
- Install ppp and ppp/tunnel:
pkg install pkg:/system/network/ppp pkg:/system/network/ppp/tunnel
- Before shutting down your server, you must be certain of the name of the interface that will be connected to the internet.
- Check your current IP configuration:
ipadm
- List the physical network interfaces to find the other, unused ones:
dladm show-phys
- Shut down your server.
STEP 2:
- You have now placed your router in its final location and connected it to the internet cable linked to your modem/ONT/fiber box, etc. (And if you don't have a rack, being clever, you have also arranged for a screen and keyboard to continue the configuration! :-D)
- Power on your server, log in as root.
- Retrieve the name of the network interface that you have directly connected to the internet (not the LAN!)
dladm show-phys
(let's take "rge0" as an example)
- We need to "plumb" this interface with the virtual "sppptun" interface.
In my case, and this is where this tutorial differs slightly from jperkin's, creating the file /etc/ppp/pppoe.if with the interface name inside did not work.
sppptun plumb pppoed rge0
sppptun plumb pppoe rge0
- You can check at any time if your interfaces are properly "plumbed":
sppptun query
- Configuration of CHAP credentials:
(replace with your actual ISP credentials then copy/paste the block)
cat <<EOL > /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
"YOUR-ISP-USER" * "ASSOCIATED-PASSWORD" *
EOL
- Create the script to start the PPPoE connection:
(Replace with your ISP username - not the password, which will be read automatically from chap-secrets - then copy/paste the block below to create the configuration file)
cat <<EOL > /etc/ppp/peers/myisp
# PPPoE Configuration
sppptun
plugin "/usr/lib/inet/ppp/pppoe.so"
connect "/usr/lib/inet/pppoec -v rge0"
user "YOUR-ISP-USER"
defaultroute
noipdefault
usepeerdns
persist
noauth
#debug
#logfile "/var/log/pppd.log"
EOL
I left the debug and logfile lines commented out, but if it doesn't work later, you will need to uncomment them to see what is happening in the logs.
Create the file /etc/ppp/options to be able to start the connection with a less privileged user (other than root):
(nothing needs to be added beyond what the template already contains; the options file just needs to exist, so we simply copy the template under the expected name)
cp /etc/ppp/options.tmpl /etc/ppp/options
You can now exit root and become a standard admin user to start the connection.
- Start the connection:
pppd call myisp
- Check the connection:
ifconfig sppp0
You should see the sppp0 interface appear and configured with your automatically retrieved public IP address.
Also, check the /var/log/pppd.log file, if you uncommented the debug and logfile lines, to see how everything is going.
- Test your internet connection:
ping 1.1.1.1
From now on, I assume you are connected to the internet from the server.
So we will quickly set up the firewall, NAT, DNAT, and DHCP server for the LAN clients.
- Configure the LAN network interface (if you haven't already done so).
rge0 is the WAN interface (as a reminder).
rge1 is the LAN gateway and will have IP 10.10.10.1/24
ipadm delete-ip rge1
ipadm create-ip rge1
ipadm create-addr -T static -a local=10.10.10.1/24 rge1/v4
- Configure NAT with IPFilter.
My public IP address on the "sppp0" interface is 45.56.67.78.
Here is the configuration of the /etc/ipf/ipnat.conf file:
# NAT for LAN
map sppp0 10.10.10.0/24 -> 0.0.0.0/32
# DNAT for a web server:
rdr sppp0 45.56.67.78 port 443 -> 10.10.10.210 port 443
- Configure the IPFilter firewall:
Here is the configuration of the /etc/ipf/ipf.conf file:
The goal here is:
--- to allow traffic from LAN to the internet statefully,
--- to allow incoming connections statefully to the web server,
--- to block everything else.
--- CAUTION, there is a rule that may block the automatic assignment of the public IP address by your ISP. You may need to adapt it.
# Block packets from non-routable or reserved address spaces
block in quick on sppp0 from 192.168.0.0/16 to any # RFC 1918 private IP
block in quick on sppp0 from 172.16.0.0/12 to any # RFC 1918 private IP
block in quick on sppp0 from 10.0.0.0/8 to any # RFC 1918 private IP
block in quick on sppp0 from 127.0.0.0/8 to any # loopback
block in quick on sppp0 from 0.0.0.0/8 to any # "this network" (RFC 1122), never a valid source
block in quick on sppp0 from 169.254.0.0/16 to any # DHCP auto-config
block in quick on sppp0 from 192.0.2.0/24 to any # reserved for docs
block in quick on sppp0 from 204.152.64.0/23 to any # Sun cluster interconnect
block in quick on sppp0 from 224.0.0.0/3 to any # Class D & E multicast
# Block fragments and too short TCP packets
block in quick on sppp0 all with frags
block in quick on sppp0 proto tcp all with short
# Block source routed packets
block in quick on sppp0 all with opt lsrr
block in quick on sppp0 all with opt ssrr
# Block OS fingerprint attempts and log first occurrence
block in log first quick on sppp0 proto tcp from any to any flags FUP
# Block anything with special options
block in quick on sppp0 all with ipopts
# Block public pings and ident
block in quick on sppp0 proto icmp all icmp-type 8
block in quick on sppp0 proto tcp from any to any port = 113
# Allow on loopback
pass in quick on lo0 all
pass out quick on lo0 all
# Allow DHCP traffic on the LAN (rge1)
pass in quick on rge1 proto udp from any port = 68 to any port = 67
pass out quick on rge1 proto udp from any port = 67 to any port = 68
# Allow all stateful traffic from LAN to INTERNET
pass in quick on rge1 all keep state
pass out quick on sppp0 all keep state
# Allow DNAT traffic to the web server (HTTPS)
pass in quick on sppp0 proto tcp from any to 10.10.10.210 port = 443 keep state
# Block any connection from the WAN to this server
block in quick on sppp0 all
- Start IPF, then load the firewall rules as well as the NAT/DNAT rules:
svcadm enable svc:/network/ipfilter:default
ipf -Fa -f /etc/ipf/ipf.conf
ipnat -CF -f /etc/ipf/ipnat.conf
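Before loading the rules, an added sanity check that is not part of the tutorial: IPFilter stops at the first matching "quick" rule, so the order of the file above matters (the pass rule for 10.10.10.210 must sit above the final "block in quick on sppp0 all", otherwise the DNAT'd web server stays unreachable). The POSIX sh script below flags any inbound pass rule on the WAN interface that is shadowed by the catch-all and, when ipf is present, asks it to parse the file without loading it; the function names and the sample rule files are this example's own, not commands from the tutorial.

```shell
#!/bin/sh
# Added example, not part of the tutorial: catch "pass in" rules on the WAN that are
# shadowed by the final catch-all. IPFilter stops at the first matching "quick" rule, so
# a "pass in quick on sppp0 ..." placed after "block in quick on sppp0 all" never fires
# and the DNAT'd web server stays unreachable. Function names are this example's own.

# check_ipf_order RULEFILE WAN_IF -> exit 0 if no inbound pass rule is shadowed, 1 otherwise
check_ipf_order() {
    awk -v wan="$2" '
        { sub(/#.*/, "") }          # drop trailing comments (fields are re-split)
        /^[ \t]*$/ { next }         # skip blank lines
        # the plain catch-all: exactly "block in quick on <wan> all" (6 fields, no "with ...")
        NF == 6 && $1 == "block" && $2 == "in" && $3 == "quick" && $5 == wan && $6 == "all" {
            if (!catchall) catchall = NR
            next
        }
        # any inbound pass rule on the WAN below the catch-all is dead code
        $1 == "pass" && $2 == "in" && $3 == "quick" && $5 == wan && catchall {
            printf("line %d shadowed by catch-all at line %d: %s\n", NR, catchall, $0) > "/dev/stderr"
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# ipf_parse_check RULEFILE -> have ipf(1M) parse the file without loading it (-n)
ipf_parse_check() {
    if command -v ipf >/dev/null 2>&1; then
        ipf -n -f "$1"
    else
        echo "ipf not installed here; skipping parse check" >&2
    fi
}
# Constructed sample: the tutorial's ordering (pass before catch-all) and a broken one
demo() {
    good=$(mktemp); bad=$(mktemp)
    cat > "$good" <<'EOF'
pass in quick on sppp0 proto tcp from any to 10.10.10.210 port = 443 keep state
block in quick on sppp0 all   # catch-all last: correct
EOF
    cat > "$bad" <<'EOF'
block in quick on sppp0 all   # catch-all first: shadows everything below it
pass in quick on sppp0 proto tcp from any to 10.10.10.210 port = 443 keep state
EOF
    check_ipf_order "$good" sppp0 && echo "good file: ordering OK"
    check_ipf_order "$bad" sppp0 2>/dev/null || echo "bad file: shadowed rule detected"
    rm -f "$good" "$bad"
}
demo
```

Run it as check_ipf_order /etc/ipf/ipf.conf sppp0 before the ipf -Fa -f load; a non-zero exit means a pass rule would never be reached.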
- Enable IPv4 forwarding
(I am only dealing with IPv4 here as you can see... but feel free to add IPv6)
svcadm enable ipv4-forwarding
- Configure the DHCP service:
pkg install pkg:/network/service/isc-dhcp
- Write the configuration in /etc/dhcpd.conf:
subnet 10.10.10.0 netmask 255.255.255.0 {
option domain-name-servers 1.1.1.1;
option routers 10.10.10.1;
authoritative;
range 10.10.10.2 10.10.10.200;
}
- Start the DHCP server:
/usr/sbin/dhcpd
Now your clients will receive an IP configuration via DHCP and will automatically access the internet.