Date: Thu, 23 Mar 2000 23:34:46 -0800
From: Eric Hampshire <ehampshire@scu.edu>
To: freebsd-doc@FreeBSD.ORG
Cc: jim@freebsd.org
Subject: NAT Documentation
Message-ID: <00f701bf9563$6e0b52c0$0301000a@yourmom.dhs.org>
[-- Attachment #1 --]
Okay, here it is... the documentation for setting up a gateway under FreeBSD. I wrote in as Thomas Hargrove earlier (he's my roommate) because he was on my computer using my burner. Anyways, here it is:
Setting up a Gateway
Step 1:
Note: The following steps assume you have a PCI network card that you are adding to your machine. If you plan on adding an ISA network card, you are going to have to recompile your kernel after adding the IRQ and port number (ex. 0x280) to the proper place in your kernel source. If you already have two PCI network cards installed, skip down to the part that starts "Pick a range...".
Install two network cards in a machine running FreeBSD. One network card should have an IP assigned by your ISP (a static IP) or by DHCP (a dynamic IP), also assigned by your ISP. This network card is the external interface and you should have instructions on what to set the IP and netmask to. Now you have some choices for the other network card which will be the internal interface. The following IP ranges are available for private networks:
10.0.0.1 - 10.255.255.254 mask 255.0.0.0
172.16.0.1 - 172.16.255.254 mask 255.240.0.0
192.168.0.1 - 192.168.255.254 mask 255.255.0.0
Pick a range and then an IP for your gateway. This IP will be the default gateway you set on all the machines on your internal network. Add a line in your rc.conf (located in /etc) so this network card is configured and set up on bootup.
In the following example the network is set up with a FreeBSD machine connected via Pacbell DSL to the internet. Pacbell DSL provides the IP 216.103.215.136 and the default gateway 216.103.215.254. The FreeBSD machine is the gateway with an IP of 10.0.1.11 and is providing NAT (network address translation) for two Windows 98 machines, with the IP addresses 10.0.1.2 and 10.0.1.3. Both these Windows machines should set their default gateway to be 10.0.1.11.
Example:
#here's where you list your network cards (in this example called pn0 and pn1)
network_interfaces="pn0 pn1 lo0"
#here's the external interface (IP and default router provided by ISP)
ifconfig_pn0="inet 216.103.215.136 netmask 255.255.255.0"
defaultrouter="216.103.215.254"
#here's the internal interface configuration (what you need to add)
ifconfig_pn1="inet 10.0.1.11 netmask 255.255.255.0"
Step 2:
Now you're ready to configure the kernel. You will need to recompile the kernel to add the routing options it needs to do NAT (network address translation). You need to have the kernel source installed. It will be located in /usr/src/sys. If you do not have this directory, run /stand/sysinstall and add the Kern-Developer packages. Here's what you need to do now:
# cd /usr/src/sys/i386/conf
# cp GENERIC LOCAL
Now you need to edit LOCAL with your favorite text editor (vi, emacs, pico, etc.). In this example I use vi.
# vi LOCAL
In the options section, add these lines:
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
Now go to the end of the file and make sure that the following line is there:
pseudo-device bpfilter 4 #Berkeley packet filter
The number after bpfilter is adjustable. The number 4 is used above because it's a good default value, but this number depends on the number of simultaneous instances you need running on your gateway. For example, if you plan to run DHCP, NAT, and a tcpdump at the same time, then you need that number to be 3.
Okay, now you're ready to recompile your kernel. Follow these steps:
# config LOCAL
# cd /sys/compile/LOCAL
# make clean
# make depend
# make
# make install
This last step, "make install", copies your old kernel to /kernel.old and puts in the newly compiled kernel. Now it's time to edit rc.conf again. Again, use your favorite text editor (my choice is vi here) and add the following lines:
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="pn0" #This is the external (public) interface
If you get your IP dynamically (i.e. through DHCP), then add the following line:
natd_flags="-dynamic"
Step 3:
Reboot!!! That's it. If something goes wrong and it won't boot you can always hit something other than RETURN when it asks you to and type "boot kernel.old" to boot the machine using your old kernel.
Thanks for letting me write it!
Eric Hampshire
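
Added example, not part of the original message: a lint to run before the Step 3 reboot over the rc.conf settings from Steps 1 and 2. rc.conf is read by sh, so one missing quote breaks the settings after it; the function names and the sample file (with one quote deliberately left off) are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample rc.conf (values from the message); the closing quote on
# firewall_enable is left off on purpose.
sample_rc_conf() {
cat <<'EOF'
ifconfig_pn0="inet 216.103.215.136 netmask 255.255.255.0"
ifconfig_pn1="inet 10.0.1.11 netmask 255.255.255.0"
firewall_enable="YES
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="pn0"   #This is the external (public) interface
EOF
}

# check_gateway_conf [FILE]: lint rc.conf text (stdin when no FILE is given).
# Prints one finding per line; exit status is the number of errors.
# Simplification: whitespace followed by "#" is treated as a comment start.
check_gateway_conf() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # skip blank and comment lines
    {
        line = $0
        sub(/[ \t]+#.*$/, "", line)             # drop trailing comment
        if (gsub(/"/, "\"", line) % 2) {        # gsub returns the quote count
            print "ERROR line " NR ": unbalanced quote: " line; err++
        }
        eq = index(line, "=")
        if (!eq) next
        value = substr(line, eq + 1); gsub(/"/, "", value)
        v[substr(line, 1, eq - 1)] = value
    }
    END {
        n = split("gateway_enable firewall_enable natd_enable", need, " ")
        for (i = 1; i <= n; i++)
            if (toupper(v[need[i]]) != "YES") { print "ERROR: " need[i] " is not set to YES"; err++ }
        ifc = v["natd_interface"]; cfg = v["ifconfig_" ifc]
        if (ifc == "" || cfg == "") { print "ERROR: natd_interface unset or has no ifconfig_ line"; err++ }
        # natd belongs on the external card; a private address on that
        # interface means it was pointed at the internal one.
        if (match(cfg, /inet [0-9.]+/)) addr = substr(cfg, RSTART + 5, RLENGTH - 5)
        if (addr ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) {
            print "ERROR: natd_interface " ifc " has private address " addr; err++
        }
        if (toupper(cfg) ~ /DHCP/ && v["natd_flags"] !~ /-dynamic/)
            print "WARN: external address is dynamic but natd_flags lacks -dynamic"
        if (v["firewall_type"] == "open")
            print "WARN: firewall_type=open passes all traffic: NAT only, no filtering"
        exit err + 0
    }' "$@"
}

sample_rc_conf | check_gateway_conf || echo "errors found: $?"
```

On the real machine, run it as check_gateway_conf /etc/rc.conf; the firewall_type warning is a reminder that the "open" setting makes the gateway translate addresses without filtering anything.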
