Date: Sun, 11 Apr 2021 19:21:21 +0100
From: Frank Leonhardt <freebsd-doc@fjl.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: pf or ipfw for NAT
Message-ID: <3c99a18b-a8c6-acb6-bf4c-03e4783cab88@fjl.co.uk>
In-Reply-To: <20210403092058.97c46ba70579026e9bd929a1@sohara.org>
References: <50dcf18d-f9c3-71c2-abb0-eed8f1b5e192@fjl.co.uk> <20210402210356.637a3ed714957fb9c5fdfa3a@sohara.org> <1ff607ca-79cc-3072-831c-54659920e9dc@fjl.co.uk> <20210403092058.97c46ba70579026e9bd929a1@sohara.org>
On 03/04/2021 09:20, Steve O'Hara-Smith wrote:
>> Thanks Steve. Any idea whether I need to enable the gateway when using
>> pf instead?
>>
>> e.g. sysctl net.inet.ip.forwarding=1
>
> I'm pretty sure you do - TBH I've never tried not setting it on
> anything that routes.

I think so too. I set it and it works perfectly. I'm really wondering why
I've bothered with natd - just using pf works a treat.

For the sake of anyone reading this thread in the future, this script
starts the whole thing off (xxx is the external address):

sysctl net.inet.ip.forwarding=1
ifconfig bge0 inet 192.168.1.210 netmask 0xffffffff alias
ifconfig re0 inet xxx.xxx.xxx.xxx netmask 0xffffffff alias
service dhcpd onestart
service pf onestart

-----------------------------------------------------

This is what I'd put in rc.conf to make it permanent (but not a cut/paste
job so may be errors):

gateway_enable=yes
ifconfig_bge0="inet 192.168.1.210 netmask 0xffffffff alias"
ifconfig_re0="inet xxx.xxx.xxx.xxx netmask 255.255.255.248"
dhcpd_enable=yes
pf_enable=yes

-----------------------------------------------------

/usr/local/etc/dhcpd.conf (important part):

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.128 192.168.1.192;
    option routers 192.168.1.210;
    authoritative;
}

-----------------------------------------------------

/etc/pf.conf

scrub in all

# NAT bit
nat pass on re0 from 192.168.1.0/24 to any -> xxx.xxx.xxx.xxx

# Pass port 25 to mail server on LAN
rdr pass on re0 proto tcp from any to xxx.xxx.xxx.xxx port 25 -> 192.168.1.203
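A note for later readers, added by the editor and not part of Frank's message: the pf.conf above contains only translation rules (nat/rdr) and no filter rules, so pf passes every other packet. The gateway itself is then reachable from the external interface on any port it happens to be listening on, and the "pass" keyword on the nat/rdr lines makes the translated traffic skip the filter rules entirely. The following is an editor-written /etc/pf.conf for the same setup (interface names, addresses and the mail-server address copied from the message; xxx.xxx.xxx.xxx stays a placeholder for the real external address) that keeps the NAT and the SMTP redirect but adds a default-deny inbound policy and only opens what the message needs. It uses the same nat/rdr syntax as the message, which is the pre-FreeBSD-14 pf grammar:

```pf
# Macros (names assumed; values taken from the message, xxx is a placeholder)
ext_if   = "re0"
int_if   = "bge0"
lan_net  = "192.168.1.0/24"
ext_addr = "xxx.xxx.xxx.xxx"
mail_srv = "192.168.1.203"

set skip on lo0
scrub in all

# Translation rules; in this grammar they must come before the filter rules.
# No "pass" here, so translated packets still go through the filter below.
nat on $ext_if from $lan_net to any -> $ext_addr
rdr on $ext_if proto tcp from any to $ext_addr port 25 -> $mail_srv port 25

# Filter rules: block everything coming in by default (logged), allow
# everything going out and keep state so replies come back.
block in log all
pass out quick keep state

# The LAN side is trusted: DHCP, DNS, and forwarded traffic from clients.
pass in on $int_if all

# The only service exposed on the external interface is the redirected
# SMTP port. Filter rules see the post-rdr destination, so match $mail_srv.
pass in on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it, and confirm after loading with "pfctl -sr" and "pfctl -sn" that the filter and translation rules appear in the order shown. With this ruleset, connections from the outside to the gateway's own sshd or any other daemon are dropped and logged on pflog0, while LAN clients still get NAT and the mail server still receives port 25.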