Date:      Sun, 18 Jul 2004 12:44:32 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        bkhl@elektrubadur.se (Björn Lindström)
Cc:        freebsd-questions@freebsd.org
Subject:   Re: NAT trouble
Message-ID:  <20040718124432.56a7b923.wmoran@potentialtech.com>
In-Reply-To: <s38smbpxrov.fsf@numerus.ling.uu.se>
References:  <s38smbpxrov.fsf@numerus.ling.uu.se>

bkhl@elektrubadur.se (Björn Lindström) wrote:
> I'm having some trouble getting NAT working on the Internet gateway of my
> home LAN.
>
> Here's my setup:
>
> I have compiled a kernel with the following options added:
>
> options IPFIREWALL
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=10
> options IPDIVERT
>
> I have these relevant settings in my rc.conf:
>
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_enable="YES"
> natd_interface="tun0"
> natd_flags="-f /etc/natd.conf"
>
> (Where tun0 is the interface of my ADSL connection.)

Is tun0 the real interface?

> My natd.conf only contains this line:
>
> redirect_port tcp 192.168.0.2:15000 15000
>
> Now, when I reboot, ipfw show shows this:
>
> 00050   0      0 divert 8668 ip from any to any via tun0
> 00100   182   15680 allow ip from any to any via lo0
> 00200     0       0 deny ip from any to 127.0.0.0/8
> 00300     0       0 deny ip from 127.0.0.0/8 to any
> 65000 11015 3073646 allow ip from any to any
> 65535     4     236 deny ip from any to any
>
>
> Here are the problems:
>
> * ps ax|grep natd shows that natd is not running.

What happens if you start it manually?  Are there any entries in
/var/log/messages to tell you why it didn't start automatically?  Looking
at the output at system startup, there should be some indication of why
natd didn't start.

> * While I still can get to the gateway from the inside, connections to
>   the Net don't work until I 'ipfw delete 00050'.

Are you saying that your internal machines _can_ get to the net when you
delete that rule?  If so, then you don't need nat, and you need to
reconsider your configuration.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
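As an added example (not part of either message in the thread), the following POSIX shell script applies the two consistency checks the reply hints at to the quoted `ipfw show` listing and rc.conf settings, which are embedded here as constructed sample input: whether the divert rule points at the same interface as `natd_interface`, and whether that divert rule has ever matched a packet. The sample values are the ones quoted above; the function names are this example's own.

```sh
#!/bin/sh
# Added example: sanity-check an `ipfw show` listing against natd settings.
# Sample input constructed from the listing and rc.conf quoted in the thread.
IPFW_SHOW='00050   0      0 divert 8668 ip from any to any via tun0
00100   182   15680 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
00300     0       0 deny ip from 127.0.0.0/8 to any
65000 11015 3073646 allow ip from any to any
65535     4     236 deny ip from any to any'

RC_CONF='gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /etc/natd.conf"'

# rc_value NAME: print the value of NAME="..." from RC_CONF, quotes stripped.
rc_value() {
    printf '%s\n' "$RC_CONF" | sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# divert_iface: interface named after "via" on the divert rule (empty if none).
divert_iface() {
    printf '%s\n' "$IPFW_SHOW" |
        awk '$4 == "divert" { for (i = 5; i <= NF; i++) if ($i == "via") print $(i+1) }'
}

# divert_packets: packet counter (second column) of the divert rule.
divert_packets() {
    printf '%s\n' "$IPFW_SHOW" | awk '$4 == "divert" { print $2 }'
}

# nat_check: print one line per finding; prints nothing when the setup is consistent.
nat_check() {
    iface=$(divert_iface)
    if [ "$(rc_value natd_enable)" != "YES" ]; then
        echo "natd_enable is not YES: natd will not be started at boot"
    fi
    if [ -z "$iface" ]; then
        echo "no divert rule: natd can never see any packets"
    elif [ "$iface" != "$(rc_value natd_interface)" ]; then
        echo "divert rule is via $iface but natd_interface is $(rc_value natd_interface)"
    fi
    if [ "$(divert_packets)" = "0" ]; then
        echo "divert rule has matched 0 packets: check that $iface carries the traffic"
    fi
}

nat_check
```

With the quoted listing, the only finding is the zero hit count on rule 00050, which is the question the reply raises about tun0.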