From: The Bean <beantaxi@yahoo.com>
To: Micheal Patterson, freebsd-questions@freebsd.org
Date: Fri, 26 Dec 2003 11:17:31 -0800 (PST)
Subject: Re: natd problem (but close!)
Message-ID: <20031226191731.30016.qmail@web40414.mail.yahoo.com>

Thanks Michael. Yep, that rule is there (in response to a bash-2.0.4# ipfw -a list):

00050 1398666 172283391 divert 8668 ip from any to any via xl0
00100 1202 127228 allow ip from any to any via lo0
... etc ...

Very first rule. (I was going to mention this in my initial email but I guess I forgot.)

I believe I was helped in this by rc.firewall itself -- looks like that for 'open' and 'simple' it adds the divert rule if natd_enable is set. I'm guessing this is newish, as the docs I read insisted that I add the rule myself. In any case, it's there.

Thanks again,
T.B.

--- Micheal Patterson wrote:
>
> ----- Original Message -----
> From: "The Bean"
> To:
> Sent: Friday, December 26, 2003 11:27 AM
> Subject: natd problem (but close!)
>
> > Hi all,
> >
> > I've been trying to get natd up on a FreeBSD 4.9-Stable box.
> > I think I've followed every step, and it's still not quite working,
> > although I believe it's getting close. My dual-homed box has
> > two interfaces: internal ed0=10.13.0.1/8, and external
> > xl0=xx.yy.zz.187/29 (note I've cleverly obscured the IP).
> >
> > Here's what I've done on the dual-homed box:
> > - Kernel compiled with IPFIREWALL & IPDIVERT
> > - gateway_enabled="YES", verified with sysctl -a list | grep ipforwarding
> > - firewall set to open
> > - natd_enabled="YES"
> > - natd_interface=my external interface
> > - natd_flags=-f /etc/natd.conf
> > - /etc/natd.conf contains one line: redirect_address 10.0.0.13 xx.yy.zz.186,
> >   where xx.yy.zz.186 is the desired public IP for a client on my internal
> >   network, whose internal IP is 10.0.0.13
> >
> > On my client, I've set the default router to 10.13.0.1, which is the IP for the
> > internal interface for the gateway box.
> >
> > The gateway can access the Internet just fine. The client has some problems,
> > which I've attempted to diagnose by running tcpdump on the gateway, and
> > trying a ping and a lynx from the client. Here are the results, as reported
> > by the gateway:
> >
>
> Do an ipfw list and you should see an entry at or very near the top similar to:
> divert 8668 ip from any to any via xl0
>
> If you don't, traffic isn't being diverted to NAT and it's trying to route
> the 10/8 traffic to its connected router and dying there.
>
> --
> Micheal Patterson
> Network Administration
> TSG Incorporated
> 405-917-0600
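As an added example that is not part of this thread, the shell check below applies Micheal's test to an `ipfw -a list` dump: it looks for the divert rule to natd's port on the external interface and also flags an earlier allow rule on that interface, which ipfw would match first so the packets never reach natd. The interface name xl0 and port 8668 come from the post; the three sample dumps are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): apply Micheal's test to an
# `ipfw -a list` dump. Assumes natd's default divert port 8668 and
# external interface xl0, as in the original post; samples are constructed.

# Constructed dump matching the rule set The Bean posted (rule, pkts, bytes, action).
SAMPLE_OK='00050 1398666 172283391 divert 8668 ip from any to any via xl0
00100 1202 127228 allow ip from any to any via lo0
65535 12 1024 allow ip from any to any'

# Constructed dump with the divert rule missing entirely.
SAMPLE_MISSING='00100 1202 127228 allow ip from any to any via lo0
65535 12 1024 allow ip from any to any'

# Constructed dump where an allow rule for xl0 precedes the divert rule.
# ipfw is first-match: those packets are accepted before natd ever sees them.
SAMPLE_SHADOWED='00040 5 500 allow ip from any to any via xl0
00050 0 0 divert 8668 ip from any to any via xl0'

# check_divert LIST IFACE PORT
# Prints a verdict; returns 0 if a usable divert rule exists, 1 otherwise.
check_divert() {
    list=$1; iface=$2; port=$3
    # First divert rule for this port that applies to the interface.
    divert_no=$(printf '%s\n' "$list" | awk -v p="$port" -v i="$iface" \
        '$4 == "divert" && $5 == p && $0 ~ ("via " i "( |$)") { print $1; exit }')
    if [ -z "$divert_no" ]; then
        echo "no 'divert $port ... via $iface' rule: natd never sees the traffic"
        return 1
    fi
    # Any allow rule on the same interface numbered below the divert rule
    # matches first and silently bypasses NAT.
    shadow=$(printf '%s\n' "$list" | awk -v n="$divert_no" -v i="$iface" \
        '$1 + 0 < n + 0 && $4 == "allow" && $0 ~ ("via " i "( |$)") { print $1; exit }')
    if [ -n "$shadow" ]; then
        echo "divert rule $divert_no is shadowed by allow rule $shadow"
        return 1
    fi
    echo "rule $divert_no diverts $iface traffic to natd on port $port"
    return 0
}

for s in "$SAMPLE_OK" "$SAMPLE_MISSING" "$SAMPLE_SHADOWED"; do
    check_divert "$s" xl0 8668 || :
done
```

On a live box, replace the constructed samples with `"$(ipfw -a list)"`; a divert rule whose packet counter stays at zero while clients are active is the same symptom seen from the counters.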