Date: Fri, 21 Nov 2008 09:07:32 +0200 From: Manolis Kiagias <sonic2000gr@gmail.com> To: freebsd-questions@freebsd.org Subject: Re: Problem about ppp -nat Message-ID: <49265E34.6020907@gmail.com> In-Reply-To: <20081121060619.GA1057@gmail.com> References: <20081121060619.GA1057@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Pongthep Kulkrisada wrote: > Hi All, > > I have just subscribed to freebsd-questions and I have a question about ppp -nat. > > I have 2 computers. One is running FreeBSD-7.0R, the other is running WinXP. The host running FBSD7.0R has been connecting to the outside world using user-ppp without any problem for very long. Now I want to share internet access to the other host behind NAT through this FBSD host. > My FBSD machine has 2 interfaces i.e. > tun0 (connecting to ISP) with dynamic IP (of course) > fxp0 (for internal LAN) with static IP of 192.168.1.10 > My WinXP machine has 1 interface (internal LAN) with static IP of 192.168.1.11 > > Previously I have a router acting as a gateway for all machines behind NAT. But now I want FBSD machine to work as a gateway. I have never done this before. I tried some googling with reading ppp(8) and ipfw(8). And I tried masquerading but it didn't work. I have plenty configuration files. But the relevant configurations are listed here. > > /etc/rc.conf > # enable IP forwarding > gateway_enable="YES" > # previously I ran web-server, just disable it or comment it out, not sure why! > #apache_enable="YES" > > On the host running WinXP, I set its gateway and DNS server to the IP of ppp host i.e. 192.168.1.10. > > I then inserted the following line as the first rule in /etc/ipfw.rules. > /sbin/ipfw add allow all from any to any via fxp0 > (I know this rule is dangerous, but just for testing.) > > I then issue the ppp command. > root@fbsd:~# ppp -background -nat myisp > > FBSD host (running ppp) can access anywhere but WinXP host can't. I learned from some site explaining that ppp itself has the capability of IP masquerading. And it does not require natd(8). So I don't mention about natd here. > Anyone have a clue or who have done the correct configurations, please point me out. > > Thank you in advance. > Pongthep > > There are at least two ways that I know of to achieve this. One uses the ipfw firewall, the other the pf firewall. For the ipfw solution, look at the FreeBSD Handbook: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html This worked fine for me, although I prefer to use pf. Here is how I setup pf (Adjust for your interfaces as necessary) My Internet interface is rl0, setup in rc.conf as: ifconfig_rl0="inet 192.168.0.100 netmask 255.255.255.0" My local interface is rl1, setup in rc.conf as: ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0" (I also have a defaultrouter setting which probably does not apply to you) I have nameserver entries in /etc/resolv.conf (or setup your own DNS server if you wish) Use this settings in rc.conf for pf: pf_enable="YES" pflog_logfile="/var/log/pflog" pflog_flags="" pf_rules="/etc/pf.conf" pf_flags="" gateway_enable="YES" Run: # sysctl net.inet.ip.forwarding=1 # /etc/rc.d/routing restart Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists reboots Add the following rule to /etc/pf.conf nat pass on rl0 from rl1:network to any -> rl0 AFAIR, if rl0 has a dynamic address, you will have to write it with parentheses, like: nat pass on rl0 from rl1:network to any -> (rl0) (Note that in /etc/pf.conf translation rules like the above, are placed above filtering rules like pass or block etc) You may have to adjust /etc/pf.conf filtering rules, assuming you have any. Restart some services # /etc/rc.d/netif restart # /etc/rc.d/routing restart # /etc/rc.d/pf restart or simply reboot, and you should be set. Note that in your client machine, you should set gateway to point to your FreeBSD machine, but unless you are running your own DNS server, DNS entries should point to your ISP. If you combine this setup with a DHCP server from the Ports Collection, you will have pretty much a standard home router out of a FreeBSD machine. There are also other capabilities, like port forwarding and so on, but I'll let you figure them out yourself ;)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49265E34.6020907>