Date:      Thu, 19 Nov 1998 14:45:50 -0500
From:      Forrest Aldrich <forrie@forrie.com>
To:        freebsd-net@FreeBSD.ORG
Subject:   Ip_masquerading, NATD & Internet (more questions)
Message-ID:  <4.1.19981119144046.00a562c0@206.25.93.69>

It seems my posting to FreeBSD-Questions was either censored or rejected. There's no charter listing for freebsd-net, but this is very technical in nature, so I hope someone here will be able to help.


=============================

I have a few things to add to this, after having toyed with building this configuration all day yesterday (and losing some hair in the process).

The manpage for natd could be better.  And I'm hoping that somewhere there is an IP_MASQUERADING doc that applies to using FreeBSD, natd, and ipfw (Darren Reed's IPFilter is yet another possibility).

There are lots of other caveats involved here, especially when your IP address is dynamically allocated from, say, a cable modem service.

Below is some detail of my questions....


(fasten your seatbelts)

STAGE 1 
======================================
I have 2 NICs on my FreeBSD system:  xl0 and xl1.  xl0 is the outbound interface (connected to the cable modem), xl1 is the private network (hooked to a hub).

I imported in some firewall rules and added, at the beginning of them:

$fwcmd add divert natd all from any to any via xl0

This was tried with the firewall rules and as an OPEN system (yes, I have DIVERT and all the rest of the definitions in /usr/src/sys/i386/conf).

From what I was able to glean from the manpage (3.0-RELEASE), I used:

/usr/sbin/natd -dynamic -interface xl0

Which I'm not clear is correct.  I did toy around with the firewall rules and natd, eventually I was able to get out to the internet, but not through the hub I had connected to xl1.   I think that failed because I didn't hook in a straight-through cable from xl1 to the uplink port on the hub.

It's not clear about whether you need to add specific IPFW rules for the internal interface (in this case 10.0.0.3).


STAGE 1.5 :-)
=======================================

I have been able to get the dhclient to work properly when booting to obtain the IP address.  But don't screw with it afterwards, as you'll hose everything.

Aside from not being able to get a carrier on xl1 (again, I think due to the cable type, I'll try it again), I wasn't able to get isc-dhcpd2 to work.  It complained that I had no subnet declaration for my ISP's address (the host) -- even though I've told it only to run on xl1.  This part is particularly important, as the Windoze hosts I have hooked in the hub are used on other nets and need dhcpd.


STAGE 2
=======================================

While using the dhclient for your IP address does work, using this with a firewall presents a few gotchas.   As I recall:    You need to somehow obtain the network, netmask, host IP, etc. for use in /etc/rc.firewall.  I would imagine you could obtain variables from /etc/dhclient-script and save them to a file on bootup.

There was a point where I could ping the external networks, but could not get to 127.0.0.1... I got a /kernel error (damn, didn't write it down) regarding inability to arp<something>ret.  But ifconfig showed that it was okay... this happened with f/w rules and an "OPEN" f/w.

There were surely a few other issues I ran into that I can't recall here.   It was a LONG day and I had everything ripped apart.  I will surely be grateful if someone can shed light on this.  I suppose the other option is to use Darren Reed's IPFilter (this is all on FreeBSD-3.0-RELEASE) which uses a different ACL format and approach.    How about Linux ipfwadm?  :) :)


Thanks.........
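The STAGE 2 idea above (capturing the network, netmask and host IP from dhclient so /etc/rc.firewall can use them) worked through as an added example, not code from the original post: a dhclient-exit-hooks fragment that derives the network address from the leased IP and mask and writes them out for the firewall script. It assumes dhclient-script exports $reason, $interface, $new_ip_address and $new_subnet_mask to /etc/dhclient-exit-hooks, and that the rc.firewall in use reads the oif/oip/onet/omask variable names; the /var/run/fw_vars.sh path is made up here.

```shell
#!/bin/sh
# Added example: derive firewall variables from a fresh DHCP lease.
# Assumed hook interface: ISC dhclient-script sources /etc/dhclient-exit-hooks
# with $reason, $interface, $new_ip_address and $new_subnet_mask set.

# Bitwise AND of a dotted-quad address and mask, printed as a dotted quad.
ipv4_network() {
    ip=$1 mask=$2
    set -- $(echo "$ip" | tr . ' ') $(echo "$mask" | tr . ' ')
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# Count the set bits of a dotted-quad mask to get the CIDR prefix length.
mask_to_prefix() {
    bits=0
    for octet in $(echo "$1" | tr . ' '); do
        while [ "$octet" -gt 0 ]; do
            bits=$(( bits + (octet & 1) ))
            octet=$(( octet >> 1 ))
        done
    done
    echo "$bits"
}

# Emit sh assignments for rc.firewall to source. Variable names mirror the
# sample rc.firewall's "simple" section (oif/oip/onet/omask); oprefix is extra.
fw_vars() {
    iface=$1 ip=$2 mask=$3
    net=$(ipv4_network "$ip" "$mask")
    printf 'oif=%s\noip=%s\nomask=%s\nonet=%s\noprefix=%s\n' \
        "$iface" "$ip" "$mask" "$net" "$(mask_to_prefix "$mask")"
}

# Hook body: only rewrite the file when the outside interface (xl0) gets a lease,
# so a lease event on the private side cannot clobber the external values.
case "${reason:-}" in
BOUND|RENEW|REBIND|REBOOT)
    if [ "${interface:-}" = xl0 ]; then
        fw_vars "$interface" "$new_ip_address" "$new_subnet_mask" > /var/run/fw_vars.sh
    fi
    ;;
esac
```

rc.firewall can then `. /var/run/fw_vars.sh` before building its rules instead of hard-coding the cable-modem address.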

 





