Date: Wed, 4 Jan 2006 20:39:20 -0800
From: perikillo <perikillo@gmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: ipnat -CF -f /etc/ipnat.rules
Message-ID: <51d7a5160601042039s2fdae70h2f5e53a261b3832f@mail.gmail.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGMEAEHLAA.fbsd_user@a1poweruser.com>
References: <51d7a5160601021511m23e82acn3c3fecd94895d030@mail.gmail.com> <MIEPLLIBMLEEABPDBIEGMEAEHLAA.fbsd_user@a1poweruser.com>
On 1/3/06, fbsd_user <fbsd_user@a1poweruser.com> wrote:
>
> > On 1/2/06, fbsd_user <fbsd_user@a1poweruser.com> wrote:
> > I see "tun" in your ipnat rule.
> > That means you are using ppp for phone dialup connection.
> > Every time you lose your phone connection you get different IP from
> > your ISP.
> > Use NAT function of PPP and not ipnat and your problem will go away.
> >
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of caleb
> > Sent: Friday, December 30, 2005 9:16 PM
> > To: freebsd-questions@freebsd.org
> > Subject: ipnat -CF -f /etc/ipnat.rules
> >
> > Hi everyone,
> > I have just put together a router/firewall using 5.4 RELEASE
> > and IPFILTER. Everything is working fine except I have to manually flush
> > the NAT table every time the router boots. Below is my rc.conf and
> > ipnat.rules; I have used rc.conf to start everything at boot:
> >
> > /* rc.conf */
> >
> > gateway_enable="YES"
> > sshd_enable="YES"
> > ifconfig_rl1="inet 10.0.0.1 netmask 255.255.255.0"
> > ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> > hostname="tweak"
> > ipfilter_enable="YES"
> > ipfilter_rules="/etc/ipf.rules"
> > ipmon_enable="YES"
> > ipmon_flags="-Ds"
> > ipnat_enable="YES"
> > ipnat_rules="/etc/ipnat.rules"
> > ppp_enable="YES"
> > ppp_mode="ddial"
> > ppp_nat="NO"
> > ppp_profile="netspace"
> > ppp_user="root"
> >
> > /* ipnat.rules */
> >
> > map tun0 192.168.0.0/24 -> 0/32
> >
> > Is there something I am missing? I do not think it is ipf, as I have
> > configured it to allow everything in and out. Could you please CC me if
> > you decide to help.
> >
> > Thank you,
> >
> > caleb
> > --
> >
> > Well, I use the PPPoE protocol; I have never tried the same ppp program to
> > handle the NAT thing. Then I disable ipnat, or what...? I need to
> > understand this very clearly.
> >
> > Thanks for your tip.
>
> You are not configured correctly. This statement
> ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> is forcing that ip addr to be used and it's wrong.
> You have to get the ip assigned by your isp.
> Follow this example. Which means you can use ipnat or ppp nat.
>
> #################### start of ppp.conf ###################
> default:
>
>  set log Phase tun             # use to avoid excessive log sizes
>  set timeout 0                 # no idle time out, will not disconnect
>
> dialisp:
>  set device PPPoE:XXX          # replace xxx with your NIC device name
>  set authname YOURLOGINNAME    # Replace with your ISP account username
>  set authkey YOURPASSWORD      # Replace with your ISP account password
>  add default HISADDR           # Add a (sticky) default route (Mandatory)
>  enable dns                    # Gets the ISP's DNS IP address & places them
>                                # in resolv.conf for reference by FBSD box.
>
> ############### End of ppp.conf #################################
>
> Replace the XXX in the [set device PPPoE:XXX] statement with the
> NIC's FBSD interface name. Sometimes it will be necessary to use a
> service tag to establish your connection depending on how your ISP
> and/or the phone company has its DSL network configured. Service
> tags are used to distinguish between different PPPoE servers
> attached to a given network. You should have been given any required
> service tag information in the documentation provided by your ISP.
> If you cannot locate it there, ask your ISP's tech support
> personnel. This is the format of the command with the service tag
> added:
>
>  set device PPPoE:xxxx:service_tag    (in your case xxxx = rl0)
>
> The xxxx is the FBSD interface name used by PPPoE. The interface
> must be UP (IE: enabled). It is only used as a transport, and does
> not need to be assigned an IP address. This can be done
> automatically at boot time by updating the /etc/rc.conf file. The
> format of the statement to add is ifconfig_xxxx=up where xxxx is the
> NIC's FBSD interface name used by PPPoE that you specified in the
> /etc/ppp/ppp.conf file.
>
> ee /etc/rc.conf          # add following statements
>
> ifconfig_xxxx=up         # (in your case xxxx = rl0)
> ifconfig_tun0="DHCP"     # get your ISP assigned IP address
>
> To set up user ppp to dial your ISP automatically at FBSD boot time,
> you have to add the following statements to the rc.conf file. The
> ddial option means to redial every time the connection to the ISP
> gets dropped.
>
> ee /etc/rc.conf
>
> # Activate user ppp auto start at boot time
> ppp_enable="YES"         # Start User PPP task
> ppp_mode="ddial"         # ddial, auto, background
> ppp_profile="dialisp"    # section in ppp.conf to exec
>
> #ppp_nat="YES"           # only if you have LAN behind this PC.
>
> # deactivate ipfilter Nat function (comment statements out)
>
> #ipnat_enable="YES"
> #ipnat_rules="/etc/ipnat.rules"

Ok fbsd_user.

/etc/ppp.conf ---->

default:
 set log Phase tun command
 set timeout 0

prodigy:
 set device PPPoE:fxp1
 set MRU 1472      # tested
 set MTU 1472      # tested
 set authname *****
 set authkey *****
 set dial
 set login
 add default HISADDR
 # I know the DNS of my ISP; this is why I don't use the dns tag here.
 # Hard copy in /etc/resolv.conf.

/etc/ppp/ppp.linkup --->

prodigy:
 !bg /sbin/ipf -y

/etc/rc.conf ---->

ipfilter_enable="YES"              # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"       # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules"    # rules definition file for ipfilter, see
ipfilter_flags=""                  # additional flags for ipfilter
ipnat_enable="YES"                 # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat"        # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules"     # rules definition file for ipnat
ipnat_flags=""                     # additional flags for ipnat
ipmon_enable="YES"                 # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon"        # where the ipfilter monitor program lives
ipmon_flags="-Dvn /var/log/firewall.log"
network_interfaces="lo0 fxp0 fxp1" # List of network interfaces (or "auto").
ifconfig_lo0="inet 127.0.0.1"      # default loopback device configuration.
ifconfig_fxp0="inet 192.168.0.1 netmask 255.255.255.0"   # Internal LAN for NAT
ifconfig_fxp1="UP"
ifconfig_tun0="DHCP"

# User ppp configuration.
ppp_enable="YES"          # Start user-ppp (or NO).
ppp_mode="ddial"          # Choice of "auto", "ddial", "direct" or "dedica
ppp_nat="NO"              # Use PPP's internal network address translation or NO.
ppp_profile="prodigy"     # Which profile to use from /etc/ppp/ppp.conf.
ppp_user="root"           # Which user to run ppp as

Are they correct...? I have already made the changes, but my situation is that I have one small network at my home; this is the reason I have enabled the NAT module of IPFILTER to serve the clients. I see that I have the ppp module that can do the NAT thing, but can IPFILTER communicate with ppp_nat? Do I have all the possible rules of IPNAT in ppp_nat...?

One of the big problems I have is that sometimes the connection goes down, and if I look at my link it appears up but there is no answer. Someone from this list gave me a tip; he said that I could try setting the MTU and MRU in /etc/ppp.conf and gave an example of how to get that value, so I put that info in the file. This setup is supposed to bring the connection up again, but I still have this problem; I hope these changes will help. fbsd_user, thanks for your great help, and if you see any wrong settings please tell me.

Thanks for your time and help!!!

Greetings all.

(Sorry for my English :-) )
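The configuration pieces discussed in this thread (a PPPoE link on tun0, an ipnat rule that maps the LAN to 0/32, and a ppp.linkup hook) can be tied together so the NAT state is reloaded automatically after every reconnect instead of by hand. The script below is an added example and is not code from this thread or from FreeBSD. It does what the "!bg /sbin/ipf -y" linkup line above does and, in addition, reloads the ipnat rules once the interface really has an address, which is the condition under which "-> 0/32" (use the interface's current address, per ipnat(5)) gives the right result. The script path /usr/local/sbin/ipnat-resync.sh, the syslog tag and the ten-second wait for IPCP are assumptions; the ifconfig output shown in the comments is constructed and uses TEST-NET addresses.

```shell
#!/bin/sh
# ipnat-resync.sh: resync IPFilter with a freshly negotiated PPP link.
#
# Meant to be started from /etc/ppp/ppp.linkup, in the profile's section:
#     prodigy:
#      !bg /usr/local/sbin/ipnat-resync.sh tun0
# ppp(8) runs "!bg" commands as the user ppp runs as (root when
# ppp_user="root"), so keep this file and the rules file root-owned and
# not group- or world-writable.
#
# Assumptions (not from the original thread): the script path above, the
# "ipnat-resync" syslog tag and the 10-second wait for IPCP to finish.

IPNAT_RULES="${IPNAT_RULES:-/etc/ipnat.rules}"

# Print the first IPv4 address in ifconfig(8) output read from stdin.
# A point-to-point interface prints "inet A.B.C.D --> E.F.G.H netmask ...",
# so the address is always the second field of the "inet" line.  An
# interface that has no address yet prints no such line, so nothing is
# printed.
inet_addr_from_ifconfig() {
    awk '$1 == "inet" { print $2; exit }'
}

# Succeed only for a dotted quad with four numeric octets in 0..255.
# The empty string ifconfig yields before IPCP has finished is rejected.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Wait for the interface to get an address, then tell ipf to re-read its
# in-kernel interface list (ipf -y) and reload the NAT rules with the
# rule list and translation table flushed (ipnat -CF -f), so that
# "map tun0 ... -> 0/32" uses the address just assigned instead of
# whatever tun0 had when the rules were loaded at boot.
resync() {
    iface=$1
    tries=10
    while [ "$tries" -gt 0 ]; do
        addr=$(ifconfig "$iface" 2>/dev/null | inet_addr_from_ifconfig)
        if valid_ipv4 "$addr"; then
            /sbin/ipf -y &&
            /sbin/ipnat -CF -f "$IPNAT_RULES" &&
            logger -t ipnat-resync "reloaded $IPNAT_RULES on $iface ($addr)"
            return $?
        fi
        tries=$((tries - 1))
        sleep 1
    done
    logger -t ipnat-resync "no IPv4 address on $iface after 10s; NAT not reloaded"
    return 1
}

# Only act when an interface name is given, e.g. "ipnat-resync.sh tun0".
if [ "$#" -gt 0 ]; then
    resync "$1"
fi
```

Install it as root with mode 0755, reference it from the profile's section of /etc/ppp/ppp.linkup as shown in the header comment, and keep ipnat_enable="YES" in rc.conf so the rules are also loaded at boot; the hook merely reloads them each time the link comes up. Flushing with -F drops the active translations, which is what you want after the public address has changed, since the old entries would translate to an address the ISP no longer routes to you.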