Date:      Wed, 13 Dec 2000 10:02:43 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        Sean Peck <speck@newsindex.com>
Subject:   Re: Configuring Gateway/NAT on Freebsd
Message-ID:  <20001213100243.A32372@rfx-64-6-211-1.users.reflexcom.>
Resent-Message-ID: <200012131812.eBDIC1S32488@rfx-64-6-211-1.users.reflexcom.com>
In-Reply-To: <Pine.BSF.4.10.10012130329590.10186-100000@www.newsindex.com>; from speck@newsindex.com on Wed, Dec 13, 2000 at 04:00:17AM -0800
References:  <20001212231103.H96105@149.211.6.64.reflexcom.com> <Pine.BSF.4.10.10012130329590.10186-100000@www.newsindex.com>

On Wed, Dec 13, 2000 at 04:00:17AM -0800, Sean Peck wrote:
> > 
> > OK, one more time. What _exactly_ are your configs? What _exactly_ is
> > and is not working? Saying "you have a machine running natd" and
> > giving us the IP is not enough. You ask what natd(8) "flags" to
> > use. Well, let's get the ones you are using now. All you really should
> > need are the entries to start it and provide the interface or
> > address.
> 
> here are settings in rc.conf:

OK, now we are getting somewhere.

> natd_enabled="YES"
> natd_interface="172.16.0.1"  (I have tried this with public ip and with
>                               private ip)

This is wrong. It needs to be your public address.

> natd_program="/sbin/natd"
> natd_flags="-a xxx.xxx.xxx.xxx" (public space address)

This is not needed and actually confuses things. The 'natd_interface'
value is used to provide the '-a' or '-n' argument to natd(8). Neither
should ever appear in the 'natd_flags' value.

> gateway_enabled="YES"

You are missing,

  firewall_enable="YES"
  firewall_type="<whatever>"
  
> in rc.local I have the alias command to force nic in this box to also
> listen at 172.16.0.1 as follows
> 
> ifconfig xl0 alias 172.16.0.1 netmask 0xffffff00

So you are saying you have,

  ifconfig_xl0_alias0="172.16.0.1 netmask 0xffffff00"

In rc.conf to do this, right?

> Network looks like this
> 
> ISP
> 
>   1 Machine, in my network listening as both a public IP and to 172.16.0.1
> This is the machine that natd is running on, and I wish to be the gateway
> to my network.
> 
> other machines behind this all in 172.16.0.x space, with their default
> router set to 172.16.0.1 and netmask of 255.255.255.0
> 
> ifconfig -a :
> 
> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet xx.xx.xx.xxx netmask 0xffffff00 broadcast 64.2.61.255
>         inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
>         ether 00:01:02:34:0b:61 
>         media: 10baseT/UTP <half-duplex>
>         supported media: 10baseT/UTP <full-duplex> 10baseT/UTP
> <half-duplex> 10baseT/UTP

It has already been pointed out in the thread that using a single
interface with natd(8) is not a really good idea. Some people have
reported problems, others have had none. You have not got far enough
yet to determine if you are OK or not.

I see ISA 10BaseT NICs at the store for less than $10. You can get a
PCI one for less than $20. Since (1) you can't really firewall with
one NIC, (2) you might leak traffic onto your public LAN, and (3)
natd(8) may not work right, I would make the investment. 

[snip]

> ipfw sh 
> ipfw: getsockopt(IP_FW_GET): Protocol not available
> (OBVIOUSLY THIS ISN'T RIGHT... )

It looks like you have not rebuilt the kernel with firewalling and
divert(4) enabled. I guess you skipped over point (1) in the 'RUNNING
NATD' section of the natd(8) manpage. Go back and do it or this just
won't get anywhere.

> grep natd is not showing the process running either...very weird.

Nope, still lots of problems.

But you see how much easier this is when you provide the real
technical details?
-- 
Crist J. Clark                           cjclark@alum.mit.edu
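Added example, not from this thread or from the FreeBSD project: a small sh lint that reads an rc.conf and flags the problems the reply above calls out (a private address in natd_interface, -a/-n duplicated in natd_flags, no firewall_enable), plus the natd_enabled misspelling (the rc.conf knob is natd_enable). It assumes POSIX sh with sed and grep; the sample rc.conf it writes is constructed from the poster's quoted settings.

```shell
#!/bin/sh
# Lint an rc.conf for the natd(8) mistakes discussed in the reply above.
# Assumes POSIX sh with sed and grep; the sample file is constructed here.

# Last assignment of variable $1 in file $2, with quotes and trailing
# comments stripped (handles both  var="x"  and  var="x" (comment) ).
rc_get() {
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#(]*\).*/\1/p" "$2" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Print one line per finding; exit status 0 only when nothing is wrong.
check_natd_rc() {
    rc=$1; n=0
    case "$(rc_get natd_enable "$rc")" in
        [Yy][Ee][Ss]) ;;
        *) echo "natd_enable=\"YES\" missing (the knob is natd_enable, not natd_enabled)"; n=$((n+1)) ;;
    esac
    case "$(rc_get natd_interface "$rc")" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "natd_interface is a private (RFC 1918) address; use the public interface/address"; n=$((n+1)) ;;
        "") echo "natd_interface is not set"; n=$((n+1)) ;;
    esac
    case " $(rc_get natd_flags "$rc") " in
        *" -a "*|*" -n "*)
            echo "natd_flags carries -a/-n; natd_interface already supplies that argument"; n=$((n+1)) ;;
    esac
    case "$(rc_get firewall_enable "$rc")" in
        [Yy][Ee][Ss]) ;;
        *) echo "firewall_enable=\"YES\" (plus firewall_type) missing; natd needs ipfw divert"; n=$((n+1)) ;;
    esac
    [ "$n" -eq 0 ]
}

# Constructed sample reproducing the poster's rc.conf as quoted above.
write_sample_rc() {
    f=${TMPDIR:-/tmp}/natd_rc_sample.$$
    cat > "$f" <<'EOF'
natd_enabled="YES"
natd_interface="172.16.0.1"  (I have tried this with public ip and with private ip)
natd_program="/sbin/natd"
natd_flags="-a xxx.xxx.xxx.xxx" (public space address)
gateway_enabled="YES"
EOF
    echo "$f"
}

sample=$(write_sample_rc)
check_natd_rc "$sample" || echo "fix rc.conf before natd will work"
```

Run against the poster's settings it reports four findings; a corrected rc.conf (natd_enable, a public natd_interface, firewall_enable, no -a/-n in natd_flags) passes silently.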


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001213100243.A32372>