From: Forrest Aldrich
To: freebsd-net@FreeBSD.ORG
Date: Thu, 19 Nov 1998 14:45:50 -0500
Subject: Ip_masquerading, NATD & Internet (more questions)
Message-Id: <4.1.19981119144046.00a562c0@206.25.93.69>

It seems my posting to FreeBSD-Questions was either censored or rejected. There's no charter listing for freebsd-net, but this is very technical in nature, so I hope someone here will be able to help.

=============================

I have a few things to add to this, after having toyed with building this configuration all day yesterday (and losing some hair in the process).

The manpage for natd could be better. And I'm hoping that somewhere there is an IP_MASQUERADING doc that applies to using FreeBSD, natd, and ipfw (Darren Reed's IPFilter is yet another possibility). There are lots of other caveats involved here, especially when your IP address is dynamically allocated from, say, a cable modem service.

Below is some detail of my questions.... (fasten your seatbelts)

STAGE 1
======================================

I have 2 NICs on my FreeBSD system: xl0 and xl1. xl0 is the outbound interface (connected to the cable modem), xl1 is the private network (hooked to a hub).

I imported some firewall rules and added, at the beginning of them:

    $fwcmd add divert natd all from any to any via xl0

This was tried with the firewall rules and as an OPEN system (yes, I have DIVERT and all the rest of the definitions in /usr/src/sys/i386/conf).

From what I was able to glean from the manpage (3.0-RELEASE), I used:

    /usr/sbin/natd -dynamic -interface xl0

which I'm not clear is correct.

I did toy around with the firewall rules and natd; eventually I was able to get out to the internet, but not through the hub I had connected to xl1. I think that failed because I didn't hook in a straight-through cable from xl1 to the uplink port on the hub.

It's not clear whether you need to add specific IPFW rules for the internal interface (in this case 10.0.0.3).

STAGE 1.5 :-)
=======================================

I have been able to get the dhclient to work properly when booting to obtain the IP address. But don't screw with it afterwards, as you'll hose everything.

Aside from not being able to get a carrier on xl1 (again, I think due to the cable type; I'll try it again), I wasn't able to get isc-dhcpd2 to work. It complained that I had no subnet declaration for my ISP's address (the host) -- even though I've told it only to run on xl1. This part is particularly important, as the Windoze hosts I have hooked in the hub are used on other nets and need dhcpd.

STAGE 2
=======================================

While using the dhclient for your IP address does work, using this with a firewall presents a few gotchas. As I recall:

You need to somehow obtain the network, netmask, host IP, etc. for use in /etc/rc.firewall. I would imagine you could obtain variables from /etc/dhclient-script and save them to a file on bootup.

There was a point where I could ping the external networks, but could not get to 127.0.0.1... I got a /kernel error (damn, didn't write it down) regarding inability to arpret. But ifconfig showed that it was okay... this happened with f/w rules and an "OPEN" f/w.

There were surely a few other issues I ran into that I can't recall here. It was a LONG day and I had everything ripped apart.

I will surely be grateful if someone can shed light on this. I suppose the other option is to use Darren Reed's IPFilter (this is all on FreeBSD-3.0-RELEASE) which uses a different ACL format and approach.

How about Linux ipfwadm? :) :)

Thanks.........