From: Manolis Kiagias
Date: Fri, 21 Nov 2008 09:07:32 +0200
To: freebsd-questions@freebsd.org
Subject: Re: Problem about ppp -nat
Message-ID: <49265E34.6020907@gmail.com>
In-Reply-To: <20081121060619.GA1057@gmail.com>

Pongthep Kulkrisada wrote:
> Hi All,
>
> I have just subscribed to freebsd-questions and I have a question about ppp -nat.
>
> I have 2 computers. One is running FreeBSD-7.0R, the other is running WinXP. The host running FBSD7.0R has been connecting to the outside world using user-ppp without any problem for a very long time. Now I want to share internet access with the other host behind NAT through this FBSD host.
> My FBSD machine has 2 interfaces, i.e.
> tun0 (connecting to ISP) with dynamic IP (of course)
> fxp0 (for internal LAN) with static IP of 192.168.1.10
> My WinXP machine has 1 interface (internal LAN) with static IP of 192.168.1.11
>
> Previously I had a router acting as a gateway for all machines behind NAT. But now I want the FBSD machine to work as a gateway. I have never done this before. I tried some googling along with reading ppp(8) and ipfw(8). And I tried masquerading but it didn't work. I have plenty of configuration files, but the relevant configurations are listed here.
>
> /etc/rc.conf
> # enable IP forwarding
> gateway_enable="YES"
> # previously I ran web-server, just disable it or comment it out, not sure why!
> #apache_enable="YES"
>
> On the host running WinXP, I set its gateway and DNS server to the IP of the ppp host, i.e. 192.168.1.10.
>
> I then inserted the following line as the first rule in /etc/ipfw.rules.
> /sbin/ipfw add allow all from any to any via fxp0
> (I know this rule is dangerous, but just for testing.)
>
> I then issue the ppp command.
> root@fbsd:~# ppp -background -nat myisp
>
> The FBSD host (running ppp) can access anywhere but the WinXP host can't. I learned from some site explaining that ppp itself has the capability of IP masquerading, and it does not require natd(8), so I don't mention natd here.
> Anyone who has a clue or who has done the correct configuration, please point it out to me.
>
> Thank you in advance.
> Pongthep
>

There are at least two ways that I know of to achieve this. One uses the ipfw firewall, the other the pf firewall.

For the ipfw solution, look at the FreeBSD Handbook:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

This worked fine for me, although I prefer to use pf. Here is how I set up pf (adjust for your interfaces as necessary).

My Internet interface is rl0, set up in rc.conf as:

  ifconfig_rl0="inet 192.168.0.100 netmask 255.255.255.0"

My local interface is rl1, set up in rc.conf as:

  ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"

(I also have a defaultrouter setting which probably does not apply to you.)

I have nameserver entries in /etc/resolv.conf (or set up your own DNS server if you wish).

Use these settings in rc.conf for pf:

  pf_enable="YES"
  pflog_logfile="/var/log/pflog"
  pflog_flags=""
  pf_rules="/etc/pf.conf"
  pf_flags=""
  gateway_enable="YES"

Run:

  # sysctl net.inet.ip.forwarding=1
  # /etc/rc.d/routing restart

Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists across reboots.

Add the following rule to /etc/pf.conf:

  nat pass on rl0 from rl1:network to any -> rl0

AFAIR, if rl0 has a dynamic address, you will have to write it with parentheses, like:

  nat pass on rl0 from rl1:network to any -> (rl0)

(Note that in /etc/pf.conf, translation rules like the above are placed above filtering rules like pass or block etc.)

You may have to adjust /etc/pf.conf filtering rules, assuming you have any.

Restart some services:

  # /etc/rc.d/netif restart
  # /etc/rc.d/routing restart
  # /etc/rc.d/pf restart

or simply reboot, and you should be set.
Note that in your client machine, you should set gateway to point to your FreeBSD machine, but unless you are running your own DNS server, DNS entries should point to your ISP. If you combine this setup with a DHCP server from the Ports Collection, you will have pretty much a standard home router out of a FreeBSD machine. There are also other capabilities, like port forwarding and so on, but I'll let you figure them out yourself ;)
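A small pre-flight check for the pf rules described in the reply above, added here as an example and not part of the original post. It assumes the original poster's interface names (tun0 for the user-ppp link with a dynamic address, fxp0 for the LAN) and only inspects the rule text, so it needs no pf installed.

```shell
#!/bin/sh
# Added example: lint a pf.conf fragment for the NAT gateway setup discussed above.
# Assumes tun0 (user-ppp, dynamic address) as the external and fxp0 as the LAN interface.
# Checks the two points from the reply: the nat target must be written as (tun0) so pf
# re-reads the address after each ppp reconnect, and translation rules must precede
# filter rules. Pure text inspection: no pf needed, runs anywhere with sh and awk.

# Constructed pf.conf text in the pre-OpenBSD 4.7 syntax that FreeBSD 7.x pf uses.
GOOD_CONF='# translation first, then filtering
nat pass on tun0 from fxp0:network to any -> (tun0)
block in on tun0
pass out on tun0 keep state
pass in on fxp0 from fxp0:network to any keep state'

# Two mistakes: a filter rule before the nat rule, and a literal tun0 target.
BAD_CONF='pass out on tun0 keep state
nat pass on tun0 from fxp0:network to any -> tun0'

# check_pf_nat CONF_TEXT EXT_IF: prints each problem found; exit 0 if none, 1 otherwise.
check_pf_nat() {
    printf '%s\n' "$1" | awk -v ext="$2" '
        function on_iface(name,   i) {       # true if the rule says "on <name>"
            for (i = 1; i < NF; i++) if ($i == "on" && $(i + 1) == name) return 1
            return 0
        }
        BEGIN { want = "(" ext ")"; bad = 0; found = 0; seen_filter = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments and blank lines
        $1 == "pass" || $1 == "block" { seen_filter = 1; next }
        $1 == "nat" || $1 == "rdr" || $1 == "binat" {
            if (seen_filter) { print "translation rule after a filter rule: " $0; bad = 1 }
            if ($1 == "nat" && on_iface(ext)) {
                found = 1
                if ($NF != want) { print "nat target should be " want " (dynamic address): " $0; bad = 1 }
            }
        }
        END {
            if (!found) { print "no nat rule on " ext; bad = 1 }
            exit bad
        }'
}

check_pf_nat "$GOOD_CONF" tun0 && echo "GOOD_CONF: ok"
check_pf_nat "$BAD_CONF" tun0 || echo "BAD_CONF: rejected as expected"
```

pfctl itself rejects misordered rules at load time, so this check simply catches both mistakes before the firewall is reloaded on a live gateway.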