From: Christopher Cowart
To: Robert Huff
Cc: questions@freebsd.org
Date: Wed, 19 Mar 2008 16:18:59 -0700
Subject: Re: (more) confusion configuring NAT

Robert Huff wrote:
> Christopher Cowart writes:
>
>> > 2) NAT still doesn't work. Still connected, but can't surf to
>> > www.google.com using Firefox.
>>
>> My kernel conf:
>> | options IPFIREWALL
>> | options IPFIREWALL_VERBOSE
>> | options IPFIREWALL_VERBOSE_LIMIT=100
>> | options IPFIREWALL_FORWARD
>> | options IPFIREWALL_NAT
>> | options LIBALIAS
>
> I do not have "options IPFIREWALL_FORWARD" (it's commented out)
> because the attached comment says:
>
>     enable xparent proxy support
>
> Since that machine doesn't do proxy ... is this necessary?

Should be fine.

>> My (abbreviated) ipfw.rules script:
>> | /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
>> | $CMD allow all from any to any via lo0
>> | $CMD nat 1 ip4 from any to any
>> | $CMD allow icmp from any to any
>> | $CMD deny log ip from any to me
>> | $CMD allow ip4 from any to any
>
> Not an ipfw guru, but don't see anything that contradicts what
> I have.

Do you have gateway_enable="YES" in your /etc/rc.conf?

$ sysctl -a net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Is the interface mentioned in the nat config the interface with the
public IP?

Try putting `$CMD count log ip from any to any' rules to see if traffic
is matching where you expect it to; I have found this incredibly useful
in the past, because interface and direction tags are not always
intuitive (especially once you get fwd rules, which luckily you don't
have).
-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
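
The counting-rule advice in the message above, as an added example that is not part of the original e-mail: probe rules with explicit interface and direction tags, plus a filter that reads `ipfw show` output and lists the probes that never matched. `vlan98` and `nat 1` come from the thread; the inside interface `em0`, the rule numbers, the `ipfw -q add` value of `CMD` and the sample counters are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message.
NAT_IF="${NAT_IF:-vlan98}"   # interface named in "nat 1 config if ..." (from the thread)
LAN_IF="${LAN_IF:-em0}"      # hypothetical inside interface
CMD="${CMD:-ipfw -q add}"    # assumed rule prefix used by the ipfw.rules script

# Print the probe rules. Low rule numbers place them ahead of the nat rule,
# so they see packets before translation. "count" only updates counters and
# logs; it never accepts or drops a packet.
probe_rules() {
    cat <<EOF
$CMD 10 count log ip from any to any in recv $LAN_IF
$CMD 20 count log ip from any to any out xmit $NAT_IF
$CMD 30 count log ip from any to any in recv $NAT_IF
$CMD 40 count log ip from any to any out xmit $LAN_IF
EOF
}

# Read "ipfw show" output on stdin (rule number, packets, bytes, rule text)
# and print the number of every count rule that has matched no packets.
silent_probes() {
    awk '$4 == "count" && $2 == 0 { print $1 }'
}

# Constructed sample of "ipfw show" output: packets arrive from the LAN
# (rule 10) but none leave through the NAT interface (rule 20).
sample_show() {
    cat <<'EOF'
00010 14 1176 count log ip from any to any in recv em0
00020 0 0 count log ip from any to any out xmit vlan98
00030 0 0 count log ip from any to any in recv vlan98
00040 0 0 count log ip from any to any out xmit em0
00100 52 4368 allow ip from any to any via lo0
EOF
}

case "${1:-}" in
    rules) probe_rules ;;                 # print the rules to add to ipfw.rules
    check) silent_probes ;;               # usage: ipfw show | sh probes.sh check
    demo)  sample_show | silent_probes ;; # run against the constructed sample
esac
```

In the constructed sample, rule 10 counts packets while rule 20 stays at zero, which points back at the two questions in the message: whether forwarding is enabled and whether the nat interface is really the outside one.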