Date: Wed, 19 Mar 2008 16:18:59 -0700
From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Robert Huff <roberthuff@rcn.com>
Cc: questions@freebsd.org
Subject: Re: (more) confusion configuring NAT
Message-ID: <20080319231859.GM39509@hal.rescomp.berkeley.edu>
In-Reply-To: <18401.33813.132534.954227@jerusalem.litteratus.org>
References: <18401.29043.824662.173177@jerusalem.litteratus.org> <18401.30778.630307.932644@jerusalem.litteratus.org> <18401.31783.343088.197533@jerusalem.litteratus.org> <20080319205600.GJ39509@hal.rescomp.berkeley.edu> <18401.33813.132534.954227@jerusalem.litteratus.org>
Robert Huff wrote:
> Christopher Cowart writes:
>
>> > 2) NAT still doesn't work. Still connected, but can't surf to
>> > www.google.com using Firefox.
>>
>> My kernel conf:
>> | options IPFIREWALL
>> | options IPFIREWALL_VERBOSE
>> | options IPFIREWALL_VERBOSE_LIMIT=100
>> | options IPFIREWALL_FORWARD
>> | options IPFIREWALL_NAT
>> | options LIBALIAS
>
> I do not have "options IPFIREWALL_FORWARD" (it's commented out)
> because the attached comment says:
>
> enable xparent proxy support
>
> Since that machine doesn't do proxy ... is this necessary?

Should be fine.

>> My (abbreviated) ipfw.rules script:
>> | /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
>> | $CMD allow all from any to any via lo0
>> | $CMD nat 1 ip4 from any to any
>> | $CMD allow icmp from any to any
>> | $CMD deny log ip from any to me
>> | $CMD allow ip4 from any to any
>
> Not an ipfw guru, but don't see anything that contradicts what
> I have.

Do you have gateway_enable="YES" in your /etc/rc.conf?

$ sysctl -a net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Is the interface mentioned in the nat config the interface with the
public IP?

Try putting `$CMD count log ip from any to any' rules to see if traffic
is matching where you expect it to; I have found this incredibly useful
in the past, because interface and direction tags are not always
intuitive (especially once you get fwd rules, which luckily you don't
have).

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
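The following is an added example and not part of the thread or of either poster's configuration. It puts the pieces discussed above (the in-kernel `nat 1 config` line, the `gateway_enable`/`net.inet.ip.forwarding` check, Robert's `deny log ip from any to me`, and Chris's `count log` diagnostic rules) into one loadable script with a dry-run mode. Two things the thread does not say are worth knowing when writing this kind of ruleset: ipfw(8) documents that with the default `net.inet.ip.fw.one_pass=1` a packet is accepted as soon as the `nat` action handles it, so with one_pass=1 the `deny` and `allow` rules after `nat 1 ip4 from any to any` are never consulted for translated packets (the script checks that one_pass is 0 before loading); and a `deny ... to me` rule must come after de-aliasing of inbound packets, otherwise replies to the LAN's own connections, which arrive addressed to the public IP, are dropped. The public interface `vlan98` is taken from the thread; the LAN interface `em0` and network `192.168.1.0/24` are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: an ipfw in-kernel NAT ruleset
# in the shape discussed above, with the "count log" diagnostic rules and a
# dry-run mode so the ruleset can be reviewed before loading.
# Assumptions not stated in the thread: the public IP is on vlan98 (as in the
# thread), the LAN is 192.168.1.0/24 on em0 (assumed). Override with
# EXT_IF / INT_IF / INT_NET in the environment.

EXT_IF="${EXT_IF:-vlan98}"             # interface carrying the public IP
INT_IF="${INT_IF:-em0}"                # LAN-side interface (assumed)
INT_NET="${INT_NET:-192.168.1.0/24}"   # private network to translate (assumed)
IPFW="${IPFW:-/sbin/ipfw}"
DRY_RUN="${DRY_RUN:-0}"                # 1: print the commands instead of running them

# run_ipfw: run "ipfw -q ...", or in dry-run mode print the command line.
run_ipfw() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        "$IPFW" -q "$@"
    fi
}

# sysctl_is LINE NAME VALUE: true when LINE, as printed by sysctl(8),
# reports NAME with the value VALUE. Takes the line as an argument so the
# check can be exercised without a FreeBSD kernel.
sysctl_is() {
    [ "$1" = "$2: $3" ]
}

# preflight: the two kernel settings this ruleset depends on.
# gateway_enable="YES" in /etc/rc.conf gives net.inet.ip.forwarding=1.
# one_pass must be 0, otherwise a packet is accepted right after the nat
# action and the deny/allow rules below it are never evaluated (ipfw(8)).
preflight() {
    sysctl_is "$(sysctl net.inet.ip.forwarding)" net.inet.ip.forwarding 1 ||
        { echo 'net.inet.ip.forwarding is 0: set gateway_enable="YES" in /etc/rc.conf' >&2; return 1; }
    sysctl_is "$(sysctl net.inet.ip.fw.one_pass)" net.inet.ip.fw.one_pass 0 ||
        { echo 'net.inet.ip.fw.one_pass must be 0 for rules after nat to match' >&2; return 1; }
}

# emit_rules: load (or print) the ruleset. Rule numbers are explicit so the
# diagnostic counters can be dropped with "ipfw delete 200 210" later.
emit_rules() {
    run_ipfw -f flush
    run_ipfw nat 1 config if "$EXT_IF" log reset same_ports unreg_only

    run_ipfw add 100 allow ip from any to any via lo0
    run_ipfw add 110 allow ip from any to any via "$INT_IF"

    # Diagnostics: "ipfw -a list" shows whether packets cross the public
    # interface in each direction; the logged ones land in /var/log/security.
    run_ipfw add 200 count log ip from any to any in via "$EXT_IF"
    run_ipfw add 210 count log ip from any to any out via "$EXT_IF"
    # Private source addresses never legitimately arrive on the public side.
    run_ipfw add 220 deny log ip4 from "$INT_NET" to any in via "$EXT_IF"

    # Inbound: de-alias first, so the rules below see the real destination.
    run_ipfw add 300 nat 1 ip4 from any to any in via "$EXT_IF"
    run_ipfw add 310 check-state
    run_ipfw add 320 allow icmp from any to any
    # Still addressed to the gateway after de-aliasing means unsolicited.
    run_ipfw add 330 deny log ip4 from any to me in via "$EXT_IF"
    # De-aliased replies for the LAN continue to the forwarding path.
    run_ipfw add 340 allow ip4 from any to "$INT_NET" in via "$EXT_IF"

    # Outbound: remember the gateway's own connections, then alias
    # everything leaving the public interface.
    run_ipfw add 400 allow ip4 from me to any out via "$EXT_IF" keep-state
    run_ipfw add 410 nat 1 ip4 from any to any out via "$EXT_IF"
    run_ipfw add 420 allow ip4 from any to any out via "$EXT_IF"
    # Anything else falls through to the kernel's default rule 65535 (deny).
}

case "${1:-}" in
    show)  DRY_RUN=1; emit_rules ;;
    apply) preflight && emit_rules ;;
esac
```

`sh nat-rules.sh show` prints the ruleset without touching the kernel; `sh nat-rules.sh apply` refuses to load it unless forwarding is on and one_pass is off. After loading, `ipfw -a list` shows the counters on rules 200 and 210, which answers the question Chris raises above: whether traffic is crossing the interface named in the nat config at all, and in which direction.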
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080319231859.GM39509>