From: Chuck Swiger
Date: Fri, 12 Mar 2004 12:57:26 -0500
To: Mohsin Rahman
Cc: FreeBSD Question List
Subject: Re: NAT & PPPoE (detailed email)

Mohsin Rahman wrote:
> Thank you. I will try tun0 as my nat interface. However, if, let's say, the
> modem drops the connection and the next attempt to access the internet,
> wouldn't FreeBSD assign the new ip address to tun1 and basically render
> tun0 nat useless? A better solution might be to let ppp -nat do it, perhaps. I
> will test and post my results. Thanks.

You should have ppp do the NAT, yes.
If you use ppp with -auto or -ddial, you can have on-demand dialing where ppp will attempt to bring up the link if it drops. That means NAT should handle the link drop better (since ppp knows to use the new connection's IP), and it also means that your firewall rules can simply use tun0.

/etc/ppp/ppp.conf should contain something like:

default:
 set log local connect ipcp lcp lqm chat
 # set log all
 ident user-ppp VERSION (built COMPILATIONDATE)
 enable lqr
 set server 3000 xxxxx
 set timeout 1200 # 20 minute idle timer
 # enable dns # request DNS info (for resolv.conf)
 set device PPPoE:fxp0:verizon
 set login
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
  \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set urgent udp +53
 set urgent tcp +53
 set urgent udp +123
 set urgent tcp +123
 set ifaddr 162.84.171.0/0 10.3.23.0/0 255.255.255.255 0.0.0.0
 add! default HISADDR # Add a (sticky) default route
 nat enable yes
 nat use_sockets yes
 nat same_ports yes
 nat port tcp 192.168.1.3:6667 6667

verizon:
 set authname xxxxx
 set authkey xxxxx

[ ... ]

-- 
-Chuck
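Added example (not from the thread above): a small checker that parses a ppp.conf in the layout shown (labels in column 0 ending in ':', commands indented) and reports, per label, whether ppp's NAT is enabled and which inbound ports are forwarded to inside hosts, since every "nat port" line is a service exposed on the tun0 side. The sample file is constructed here and only mirrors Chuck's fragment.

```python
"""Audit the NAT section of a FreeBSD user-ppp ppp.conf (added example)."""

# Constructed sample modelled on the fragment in the mail; not a real file.
SAMPLE_PPP_CONF = """\
default:
 set log local connect ipcp lcp lqm chat
 set device PPPoE:fxp0:verizon
 set ifaddr 162.84.171.0/0 10.3.23.0/0 255.255.255.255 0.0.0.0
 add! default HISADDR # Add a (sticky) default route
 nat enable yes
 nat use_sockets yes
 nat same_ports yes
 nat port tcp 192.168.1.3:6667 6667
verizon:
 set authname xxxxx
 set authkey xxxxx
"""


def parse_ppp_conf(text):
    """Return {label: [command tuples]}.

    ppp.conf labels start in column 0 and end with ':'; commands are
    indented.  Blank lines and '#' comments (full-line or trailing) are skipped.
    """
    sections, label = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            label = line[:-1]
            sections.setdefault(label, [])
            continue
        if label is None:
            raise ValueError(f"command before any label: {raw!r}")
        sections[label].append(tuple(line.split()))
    return sections


def nat_summary(sections, label="default"):
    """Report NAT state for one label: enabled flag plus every inbound
    forward as (proto, external_port, internal_target)."""
    enabled, forwards = False, []
    for cmd in sections.get(label, []):
        if cmd[:2] == ("nat", "enable") and len(cmd) > 2:
            enabled = cmd[2].lower() == "yes"
        elif cmd[:2] == ("nat", "port") and len(cmd) >= 5:
            forwards.append((cmd[2], cmd[4], cmd[3]))  # proto, ext port, target
    return {"enabled": enabled, "forwards": forwards}
```

Run nat_summary(parse_ppp_conf(open("/etc/ppp/ppp.conf").read())) on a real box to list what the "default" label exposes; a forward listed while NAT is disabled points at a label that never takes effect.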