Category: FreeBSD

  • Creating a Samba Active Directory Domain Controller on FreeBSD

    While I now use Fedora as my main desktop and Rocky Linux as my server OS, there are some things which aren’t in the EPEL. That combined with me not having really used Debian since high school means I set up homelab Samba domain controllers on FreeBSD.

    To set one up, you need a static IPv4 address, and a static IPv6 address if your network is dual-stack. You'll also need to forward your domain's DNS zone to the DC or make the DC the DNS server for your clients, which is out of scope for this article.

    When you're ready, if your DC's root filesystem is UFS (rather than ZFS, which has ACLs enabled by default), you first need to add the acls option to its entry in /etc/fstab:

    /dev/vtbd0s1a / ufs rw,acls 1 1

    Replace /dev/vtbd0s1a with your own root device. You need ,acls in order to run a Samba DC: Samba stores Windows ACLs on sysvol and the provisioning step fails on a filesystem without ACL support.

    If you haven't rebooted, remount the root filesystem with the new option (mount -a skips filesystems that are already mounted, so it would not apply the change to /):

    mount -u -o acls /

    Afterwards the / line in the output of mount should list acls among its options.

    Now, install Samba:

    pkg install samba422

    Note: newer versions of Samba may have come out. The package name tracks the Samba minor version (samba422 is Samba 4.22), so check pkg search samba for the current one; at the time of posting it's samba422.

    Next, create the domain:

    samba-tool domain provision --use-rfc2307 --realm=SC.LAN --domain=SC --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=PASSWORD

    Replace SC.LAN with the DC's realm (the AD DNS domain, which the DC's own hostname should sit inside) and SC with the domain's NetBIOS name. Leave out --adminpass to be prompted for the Administrator password instead of leaving it in your shell history; either way it has to satisfy the default AD password complexity policy, or provisioning fails. --use-rfc2307 stores POSIX uid/gid attributes in the directory, which you'll want if Unix clients are going to authenticate against the domain.

    Then, enable samba_server and winbindd:

    sysrc samba_server_enable=YES
    sysrc winbindd_enable=YES

    Now, start Samba:

    service samba_server start

    Keep in mind that clients need to use the AD DC's static IP as their DNS server, or your existing resolver needs to forward the realm's zone to it. I use a MikroTik core router, and forward DNS there.

    Once that is in place, check that the realm resolves to the DC:

    # host sc.lan
    sc.lan has address 172.20.0.6
    sc.lan has IPv6 address 2602:XXX:2::6
    #

    Now, you can add users and groups, and join client machines.
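    Resolving the bare realm name only proves the zone is reachable. Clients and samba-tool actually locate the DC through the SRV records provisioning publishes, so those are worth checking before joining anything. The script below is an added example, not part of the original post: it queries the SRV records an AD DC must serve and fails if any is missing. It assumes the realm is passed as the only argument (sc.lan in the post) and that host(1) prints records in the "has SRV record" format shown above.

```sh
#!/bin/sh
# Post-provision DNS checks for a Samba AD DC. Added example, not the post's
# own script. Assumptions: the realm is the only argument (sc.lan in the
# post) and host(1) from the base system answers in the usual format.

# SRV records an AD DC must publish. These names are fixed by the AD DNS
# layout; a DC whose zone is not being served shows up here first.
ad_srv_records() {
    printf '%s\n' \
        "_ldap._tcp.$1" \
        "_kerberos._tcp.$1" \
        "_kerberos._udp.$1" \
        "_kpasswd._tcp.$1" \
        "_ldap._tcp.dc._msdcs.$1" \
        "_gc._tcp.$1"
}

# Reduce host(1) SRV output on stdin to "target:port" lines, one per record.
# Sample input line: "_ldap._tcp.sc.lan has SRV record 0 100 389 dc1.sc.lan."
srv_targets() {
    awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF ":" $(NF-1) }'
}

# Query every record and report each one. Returns 1 if any is missing, so
# the script can gate a client join in a larger setup script.
check_dc_dns() {
    realm=$1 rc=0
    for name in $(ad_srv_records "$realm"); do
        targets=$(host -t SRV "$name" 2>/dev/null | srv_targets)
        if [ -n "$targets" ]; then
            echo "ok       $name -> $(echo "$targets" | tr '\n' ' ')"
        else
            echo "MISSING  $name"
            rc=1
        fi
    done
    return $rc
}

# Only the argument-driven run touches the network; the helpers above are
# pure so they can be exercised on their own.
if [ $# -eq 1 ]; then
    check_dc_dns "$1"
fi
```

    Run it as sh check-dc.sh sc.lan on the DC itself (or on any host whose resolver forwards the zone). Every line should read ok and point at the DC's hostname on the expected port (389 for LDAP, 88 for Kerberos, 3268 for the global catalog); a MISSING line means the zone is not being served from where you are asking, which is exactly the forwarding problem the previous paragraph warns about.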

  • Implementing Carrier Grade NAT and Port Block Allocation on FreeBSD and PF

    While I don’t run an ISP (unless you consider my hosting company Fourplex an “ISP”), one project I’ve wanted to try in my homelab is implementing Carrier Grade NAT with Port Block Allocation.

    Yes, we all know Carrier Grade NAT sucks. It makes it hard to host services and use console gaming and such. And yes, I haven’t daily driven FreeBSD in years. But FreeBSD is still a good network appliance even if it’s no longer my desktop.

    Note: I won’t describe other parts of the network, like rc.conf IP assignments, IPv6 and routing protocols.

    Ranting aside, first off you need this in /etc/rc.conf:

    gateway_enable="YES"
    pf_enable="YES"

    Then, in the translation section of /etc/pf.conf (on FreeBSD's pf the nat rules have to come before the filter rules, and the ext_if macro has to be defined above them), you need something like this:

    nat on $ext_if from 100.64.0.0 to any -> 1.2.3.4 port 1000:2999
    nat on $ext_if from 100.64.0.1 to any -> 1.2.3.4 port 3000:5999

    What do these lines mean? I'll explain:

    • $ext_if is the external interface, which has the public IPs CGNAT will use.
    • 100.64.0.X is the CGNAT IPv4 (from the 100.64.0.0/10 shared address space) allocated to a client.
    • 1.2.3.4 is the public IPv4 used by CGNAT.
    • After port comes that client's source-port block, written start:end. For instance, 1000:2999 means this client's translated connections leave 1.2.3.4 only with source ports 1000 through 2999. That fixed block is the point of port block allocation: an abuse report quoting a public IP and port maps back to one subscriber from this static table, without any per-connection NAT logging.

    You will need a nat line for each CGNAT customer, and can use multiple public IPv4s for different clients. Blocks that share one public IP must not overlap, and a block is also that client's ceiling on concurrent connections: once every port in it is holding a state, pf can't create new ones until some expire, so size the blocks for the traffic you expect rather than as small as possible.

    What about automating generation?

    I should do it eventually. But since I’m not running a broadband ISP (only a VPS/VPN host) it’s not a priority to script it.
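    One way to script it, as an added example that is not the post's own code: a small sh script that hands out equal-sized port blocks to consecutive subscribers and prints the nat lines, plus the reverse lookup an abuse desk would need. It assumes the ext_if macro is defined earlier in pf.conf, that subscribers are numbered consecutively through 100.64.0.0/10, and that every subscriber gets one fixed block on one public IPv4 (unlike the hand-written lines above, which use two different block sizes). The block size, first port, first subscriber index and count are parameters.

```sh
#!/bin/sh
# Generator and reverse lookup for deterministic CGNAT with port block
# allocation in pf.conf. Added example, not a script from the original post.
# Assumptions: ext_if is a macro defined earlier in pf.conf, subscribers get
# consecutive addresses in 100.64.0.0/10 (the RFC 6598 shared range), and
# each subscriber gets one fixed, equal-sized port block on one public IPv4.

# Dotted quad for the Nth address in 100.64.0.0/10 (N=0 is 100.64.0.0).
cgnat_addr() {
    n=$((1681915904 + $1))            # 100.64.0.0 as a 32-bit integer
    echo "$((n / 16777216 % 256)).$((n / 65536 % 256)).$((n / 256 % 256)).$((n % 256))"
}

# pba_rules <public_ip> <first_index> <count> <block_size> <first_port>
# Prints one nat rule per subscriber. Fails instead of emitting a block that
# would run past port 65535 or an address outside 100.64.0.0/10.
pba_rules() {
    pub=$1 first=$2 count=$3 block=$4 base=$5
    i=0
    while [ "$i" -lt "$count" ]; do
        idx=$((first + i))
        start=$((base + i * block))
        end=$((start + block - 1))
        if [ "$idx" -ge 4194304 ]; then      # a /10 holds 2^22 addresses
            echo "error: index $idx is outside 100.64.0.0/10" >&2
            return 1
        fi
        if [ "$end" -gt 65535 ]; then
            echo "error: block $start:$end exceeds port 65535; add another public IP" >&2
            return 1
        fi
        printf 'nat on $ext_if from %s to any -> %s port %d:%d\n' \
            "$(cgnat_addr "$idx")" "$pub" "$start" "$end"
        i=$((i + 1))
    done
}

# pba_lookup <seen_port> <first_index> <count> <block_size> <first_port>
# Maps a public port from an abuse report back to the subscriber address,
# using the same parameters the rules were generated with.
pba_lookup() {
    port=$1 first=$2 count=$3 block=$4 base=$5
    if [ "$port" -lt "$base" ]; then
        echo "unallocated"
        return 1
    fi
    slot=$(( (port - base) / block ))
    if [ "$slot" -ge "$count" ]; then
        echo "unallocated"
        return 1
    fi
    cgnat_addr $((first + slot))
}

# Usage: sh pba.sh generate > /usr/local/etc/pf.cgnat.conf
# The numbers here are a constructed sample: two subscribers on 1.2.3.4,
# 2000 ports each, starting at port 1000.
if [ "${1:-}" = "generate" ]; then
    pba_rules 1.2.3.4 0 2 2000 1000
fi
```

    pf.conf can pull the generated file in with an include line placed where the nat rules go, which keeps the hand-maintained filter rules separate from the machine-written translation table. Because the allocation is a pure function of the parameters, the same script answers "which subscriber had 1.2.3.4 port 3500 at the time?" with pba_lookup 3500 0 2 2000 1000, which is the deterministic mapping that makes the fixed blocks worth their cost in per-client port space.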

    Yes, I’d love to be an ISP. But only if the FCC would actually mandate “line sharing” rules neither party wants. Or NYC builds an “open access” fiber network which they won’t. I won’t do a WISP for various reasons.

    You could also use VyOS, which has native CGNAT configuration syntax, instead of FreeBSD.