Date: Wed, 19 Mar 2008 16:18:59 -0700
From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Robert Huff <roberthuff@rcn.com>
Cc: questions@freebsd.org
Subject: Re: (more) confusion configuring NAT
Message-ID: <20080319231859.GM39509@hal.rescomp.berkeley.edu>
In-Reply-To: <18401.33813.132534.954227@jerusalem.litteratus.org>
References: <18401.29043.824662.173177@jerusalem.litteratus.org>
 <18401.30778.630307.932644@jerusalem.litteratus.org>
 <18401.31783.343088.197533@jerusalem.litteratus.org>
 <20080319205600.GJ39509@hal.rescomp.berkeley.edu>
 <18401.33813.132534.954227@jerusalem.litteratus.org>
Robert Huff wrote:
> Christopher Cowart writes:
>
>> > 2) NAT still doesn't work. Still connected, but can't surf to
>> > www.google.com using Firefox.
>>
>> My kernel conf:
>> | options IPFIREWALL
>> | options IPFIREWALL_VERBOSE
>> | options IPFIREWALL_VERBOSE_LIMIT=100
>> | options IPFIREWALL_FORWARD
>> | options IPFIREWALL_NAT
>> | options LIBALIAS
>
> I do not have "options IPFIREWALL_FORWARD" (it's commented out)
> because the attached comment says:
>
> enable xparent proxy support
>
> Since that machine doesn't do proxy ... is this necessary?

Should be fine.

>> My (abbreviated) ipfw.rules script:
>> | /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
>> | $CMD allow all from any to any via lo0
>> | $CMD nat 1 ip4 from any to any
>> | $CMD allow icmp from any to any
>> | $CMD deny log ip from any to me
>> | $CMD allow ip4 from any to any
>
> Not an ipfw guru, but don't see anything that contradicts what
> I have.

Do you have gateway_enable="YES" in your /etc/rc.conf?

$ sysctl -a net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Is the interface mentioned in the nat config the interface with the
public IP?

Try putting `$CMD count log ip from any to any' rules to see if traffic
is matching where you expect it to; I have found this incredibly useful
in the past, because interface and direction tags are not always
intuitive (especially once you get fwd rules, which luckily you don't
have).

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
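
The `count log' suggestion above, worked through as an added example (it is not part of the original e-mail or of the ipfw.rules script quoted in it). Assumptions: `em0` is a hypothetical inside interface, rule numbers 10-40 are unused and sort ahead of the auto-numbered rules (which start at 100 by default), and the `ipfw show` output in SAMPLE is constructed.

```shell
#!/bin/sh
# Added example: per-interface, per-direction "count log" probes placed ahead
# of the "nat 1" rule, plus a helper that reads the counters back.
WAN="${WAN:-vlan98}"   # interface named in "nat 1 config if ..." on the page
LAN="${LAN:-em0}"      # hypothetical inside interface (assumption)
# Dry run by default: commands are printed. Set IPFW="/sbin/ipfw -q" to apply.
IPFW="${IPFW:-echo ipfw}"

add_probes() {
    # 10: packets from inside hosts arriving at the gateway
    $IPFW add 10 count log ip from any to any in recv "$LAN"
    # 20: forwarded packets leaving on the public side
    $IPFW add 20 count log ip from any to any out xmit "$WAN"
    # 30: replies arriving on the public side
    $IPFW add 30 count log ip from any to any in recv "$WAN"
    # 40: replies being sent back to inside hosts
    $IPFW add 40 count log ip from any to any out xmit "$LAN"
}

# Read "ipfw show" output on stdin (columns: rule, packets, bytes, action ...)
# and print the numbers of count rules that have matched no packets.
stalled_probes() {
    awk '$4 == "count" && $2 == 0 { print $1 }'
}

# Constructed sample of "ipfw show" after one failed page load from a client:
# traffic leaves via vlan98, but nothing comes back.
SAMPLE='00010 42 3528 count log ip from any to any in recv em0
00020 42 3528 count log ip from any to any out xmit vlan98
00030  0    0 count log ip from any to any in recv vlan98
00040  0    0 count log ip from any to any out xmit em0
00100 12  960 allow ip from any to any via lo0'

add_probes
echo "probes with zero hits in the sample:"
printf '%s\n' "$SAMPLE" | stalled_probes
```

On a live gateway, feed the helper real counters with `ipfw show | stalled_probes`; the first probe that stays at zero marks the hop where packets stop matching.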
