From: Karol Kwiatkowski
Reply-To: freebsd@orchid.homeunix.org
Date: Tue, 22 Mar 2005 23:32:22 +0100
To: alfredoj69@gmail.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Router/Firewall?
Message-ID: <42409CF6.9010001@orchid.homeunix.org>
In-Reply-To: <4240957A.9030206@gmail.com>
[please cc freebsd-questions, someone may be interested, too]

Aperez wrote:
> Karol Kwiatkowski wrote:
>> Aperez wrote:
>>> Hi:
>>>
>>> I am trying to set up a router/firewall with FreeBSD 5.3. This is my
>>> information:
>>>
>>> WinXP and FreeBSD machine connected to Firewall machine using a hub
>>>
>>> Firewall has two ethernet cards: card 1: dc0 connected to cable internet
>>> using DHCP
>>> card 2: rl0 set up to use 192.168.1.1
>>>
>>> I can connect to the internet from the firewall: ping -c 3 www.yahoo.com
>>> successful
>>> I can ping from Firewall to the other two machines (WinXP and FreeBSD)
>>> I can ping from XP to FreeBSD and Firewall
>>> I can ping from FreeBSD to XP and Firewall
>>
>> OK, it appears your internal network is working.
>>
>> Did you set 'defaultrouter' on FreeBSD and XP (whatever it may be
>> called on Windows) to 192.168.1.1 (IP of the gateway)?
>>
>>> Here is the problem: I can't connect to the internet from either the XP
>>> or the FreeBSD machine.
>>>
>>> Here is my rc.conf from the firewall machine:
>>>
>>> gateway_enable="YES"
>>> ifconfig_lo0="inet 127.0.0.1"
>>> ifconfig_dc0="DHCP"
>>> ifconfig_rl0="inet 192.168.1.1 netmask 255.255.255.0"
>>> ipfilter_enable="YES"
>>> ipmon_enable="YES"
>>> ipmon_flags="-Dsvn"
>>> ipnat_enable="YES"
>>
>> What rules do you have in ipfilter and ipnat? Have you enabled NAT?
>>
>>> ipfs_enable="YES"
>>>
>>> Can anybody tell me what I am missing?
>>
>> Regards,
>>
>> Karol
>
> Hi
>
> I did set up WinXP to use 192.168.1.1 as gateway and I put
> defaultrouter=192.168.1.1 in the FreeBSD machine.
>
> I don't have rules for ipfilter because I was trying to see if there was
> connectivity box---firewall---internet.
> Do I have to have ipnat rules in order for the machines to connect to the
> internet?

Yes. NAT is not working yet. With ipnat_enable="YES" you've just enabled
ipnat but you didn't tell it what to do yet. Something like this would do:

    map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto  # NAT for LAN + port mapping
    map dc0 192.168.1.0/24 -> 0/32                       # NAT for LAN (icmp)

But keep in mind I no longer use ipfilter/ipnat. Please check the manpage for
ipnat(1). Also handbook section: 24.5.14 NAT
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html

> Didn't I enable natd by putting "ipnat_enable="YES"" or do I have to put
> this instead: natd_enable="YES"?

'natd' is another way to do NAT. You'll need only one of them. And ipnat
just doesn't do NAT yet.

Regards,

Karol

--
Karol Kwiatkowski
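An added, complete version of the setup discussed in this thread (example code, not from the original mail or from FreeBSD itself): the two ipnat map rules above, the rc.conf knobs that point rc.d at rule files, and a minimal stateful ipf ruleset to go with them. It assumes the thread's layout, dc0 outside on a DHCP lease and rl0 inside as 192.168.1.1/24, and the default FreeBSD paths /etc/ipf.rules and /etc/ipnat.rules; change the three variables at the top for a different box.

```shell
#!/bin/sh
# Added example, not code from the original mail: a complete ipfilter/ipnat
# gateway setup for the thread's layout (dc0 outside via DHCP, rl0 inside as
# 192.168.1.1/24). Interface names and addresses are assumed from the quoted
# rc.conf; file paths are the FreeBSD defaults used by rc.d.
WAN_IF=dc0
LAN_IF=rl0
LAN_NET=192.168.1.0/24

# Lines to append to /etc/rc.conf. Besides the knobs the OP already had, this
# points rc.d at rule files; otherwise both ipf and ipnat start with no rules,
# so ipnat translates nothing and ipf (default policy: pass) filters nothing.
rc_conf_lines() {
    cat <<EOF
gateway_enable="YES"
ifconfig_${WAN_IF}="DHCP"
ifconfig_${LAN_IF}="inet 192.168.1.1 netmask 255.255.255.0"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Dsvn"
EOF
}

# Write ipnat.rules and ipf.rules into directory $1 (/etc on the gateway, or a
# scratch directory to inspect first).
write_rule_files() {
    dir=$1
    cat > "$dir/ipnat.rules" <<EOF
# Translate the LAN to whatever address ${WAN_IF} currently holds (0/32 means
# "the interface's own address", which is what a DHCP lease needs).
# Port-mapped tcp/udp rule first; the plain rule catches icmp and the rest.
map ${WAN_IF} ${LAN_NET} -> 0/32 portmap tcp/udp auto
map ${WAN_IF} ${LAN_NET} -> 0/32
EOF
    cat > "$dir/ipf.rules" <<EOF
# ipf is last-match unless a rule says "quick", so every rule here is quick.
pass in quick on lo0 all
pass out quick on lo0 all
# Inside: only accept packets that really carry a LAN source address.
pass in quick on ${LAN_IF} from ${LAN_NET} to any keep state
pass out quick on ${LAN_IF} from any to any keep state
# Outside: connections the gateway or LAN hosts open; replies ride the state.
pass out quick on ${WAN_IF} proto tcp from any to any flags S keep state
pass out quick on ${WAN_IF} proto udp from any to any keep state
pass out quick on ${WAN_IF} proto icmp from any to any keep state
# DHCP lease renewals for ${WAN_IF}.
pass in quick on ${WAN_IF} proto udp from any port = 67 to any port = 68
# Anti-spoofing, then a logged default deny for anything unsolicited from outside.
block in log quick on ${WAN_IF} from ${LAN_NET} to any
block in log quick on ${WAN_IF} all
EOF
}

# Number of "map" rules in an ipnat rules file (a quick sanity check).
count_map_rules() {
    grep -c '^map ' "$1"
}

# Load the rules on a running gateway (root on FreeBSD) and show what is active.
apply_rules() {
    dir=$1
    sysctl net.inet.ip.forwarding=1        # what gateway_enable="YES" does at boot
    ipf -Fa -f "$dir/ipf.rules"            # flush and load the filter rules
    ipnat -CF -f "$dir/ipnat.rules"        # drop old NAT rules and sessions, load new
    ipnat -l                               # list map rules and active translations
    ipfstat -io                            # list the loaded out/in filter rules
}

case "${1:-}" in
    rcconf) rc_conf_lines ;;
    write)  write_rule_files "${2:-/etc}" ;;
    apply)  apply_rules "${2:-/etc}" ;;
esac
```

Run it as `sh gateway.sh write /etc`, append the output of `sh gateway.sh rcconf` to /etc/rc.conf, then `sh gateway.sh apply /etc` (or reboot). After a LAN host opens a connection, `ipnat -l` should list an active translation for it; anything unsolicited hitting dc0 shows up in syslog via the ipmon flags the OP already set. The ipf rules matter as much as the NAT ones: with ipfilter_enable="YES" and no rule file, ipf passes everything, so the box routes but does not firewall.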