How to Use FreeBSD as a Router with PF and NAT

Introduction

FreeBSD is a powerful, secure, and highly customizable Unix-like operating system that excels in networking and server environments. One of its most common use cases is as a router, leveraging its built-in Packet Filter (PF) firewall and Network Address Translation (NAT) capabilities.

This guide provides a detailed walkthrough on configuring FreeBSD as a router using PF and NAT, covering essential networking concepts, firewall rules, and best practices. By the end, you will have a fully functional FreeBSD router capable of securely forwarding traffic between networks.

Prerequisites

Before proceeding, ensure you have:

1. A FreeBSD Installation – A fresh or existing FreeBSD system (13.x or later recommended).
2. Two or More Network Interfaces –
   • WAN (Wide Area Network): Connected to the internet (e.g., em0 or igb0).
   • LAN (Local Area Network): Connected to internal devices (e.g., em1 or igb1).
3. Root Access – Administrative privileges are required for configuration.
4. Basic Networking Knowledge – Understanding of IP addressing, subnets, and routing.

Step 1: Network Interface Configuration

First, configure the network interfaces. FreeBSD stores network configurations in /etc/rc.conf.

Edit /etc/rc.conf

# WAN Interface (connected to the internet)
ifconfig_em0="DHCP"  # or use a static IP: ifconfig_em0="inet 203.0.113.2 netmask 255.255.255.0"

# LAN Interface (internal network)
ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0"

Enable IP forwarding to allow traffic between interfaces:

sysrc gateway_enable="YES"

Apply the changes:

service netif restart
service routing restart

Verify the interfaces:

ifconfig

Step 2: Enable and Configure PF (Packet Filter)

FreeBSD includes PF, a stateful firewall developed by OpenBSD. Configure it by editing /etc/pf.conf.

Basic PF Configuration

# /etc/pf.conf

# Interfaces
wan = "em0"
lan = "em1"

# Enable NAT (Network Address Translation)
nat on $wan from $lan:network to any -> ($wan)

# Default Deny Policy
block all

# Allow traffic on LAN
pass quick on $lan all

# Allow outbound traffic from LAN to WAN
pass out on $wan from $lan:network to any keep state

# Allow essential services (SSH, ICMP)
pass in on $wan proto tcp to port 22  # SSH
pass in on $wan proto icmp            # Ping

Enable and Start PF

sysrc pf_enable="YES"
service pf start

Check PF status:

pfctl -s rules

Step 3: Configure NAT (Network Address Translation)

NAT allows internal (LAN) devices to share the WAN IP for internet access. PF handles NAT efficiently.

Verify NAT Rules

The earlier nat rule in /etc/pf.conf enables NAT:

nat on $wan from $lan:network to any -> ($wan)

This rule:

• Translates LAN (192.168.1.0/24) traffic to the WAN IP.
• Uses dynamic WAN IP (if DHCP) or a static IP.

Reload PF to apply changes:

pfctl -f /etc/pf.conf

Check NAT translations:

pfctl -s nat

Step 4: DHCP and DNS Setup (Optional)

For automatic IP assignment to LAN clients, install and configure a DHCP server.

Install isc-dhcp44-server

pkg install isc-dhcp44-server

Configure DHCP

Edit /usr/local/etc/dhcpd.conf:

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.100 192.168.1.200;
    option routers 192.168.1.1;
    option domain-name-servers 8.8.8.8, 8.8.4.4;
}

Enable and start DHCP:

sysrc dhcpd_enable="YES"
sysrc dhcpd_ifaces="em1"
service isc-dhcpd start

Step 5: Additional Firewall Rules

Enhance security with stricter PF rules.

Example Advanced Rules

# /etc/pf.conf

# Block brute-force attacks
table <bruteforce> persist
block quick from <bruteforce>

# Rate-limit SSH
pass in on $wan proto tcp to port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 5/60, overload <bruteforce>)

# Allow web traffic (if hosting a server)
pass in on $wan proto tcp to port {80, 443}

Reload PF:

pfctl -f /etc/pf.conf

Step 6: Testing and Troubleshooting

Verify Internet Access from LAN

Connect a device to the LAN and test:

ping 8.8.8.8

If it fails, check:

• Firewall Rules (pfctl -s rules)
• NAT Translation (pfctl -s nat)
• Routing Table (netstat -rn)

Logging PF Activity

Enable logging in /etc/pf.conf:

pass log (all) on $wan proto tcp from any to any port 22

View logs:

tcpdump -n -e -ttt -i pflog0

Conclusion

FreeBSD, combined with PF and NAT, provides a robust, high-performance router solution suitable for home labs, small businesses, and enterprise environments. By following this guide, you’ve configured:

1. Network Interfaces for WAN and LAN.
2. PF Firewall with NAT for secure traffic forwarding.
3. Optional DHCP & DNS for automatic client configuration.
4. Advanced Firewall Rules for enhanced security.

FreeBSD’s flexibility allows further customization, such as VPN integration, traffic shaping, and intrusion detection. For more details, consult the FreeBSD Handbook and man pf.conf.

Final Thoughts

Using FreeBSD as a router is a cost-effective, secure, and efficient alternative to proprietary solutions. With proper configuration, it can handle high traffic loads while maintaining security through PF’s powerful filtering capabilities.

Would you like additional optimizations, such as QoS (Quality of Service) or VPN passthrough? Let me know in the comments!