Date:      Sun, 26 Nov 2000 17:39:30 -0600
From:      Gene Harris <geneh@tetronsoftware.com>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Cc:        "'mike@hyperreal.org'" <mike@hyperreal.org>
Subject:   RE: natd basic setup help
Message-ID:  <51F9B228ED26D311A17700A0C99826643B0C@tetboss.internal.tetronsoftware.com>

For the connection [FreeBSD_box]---[DSL modem], you may need a crossover
cable to connect the NIC to the DSL modem.  Some NICs and some modems will
auto-negotiate polarity, but yours may not.  That is why the lights are not
on.

Unless you need to perform static NAT, you do not need to redirect any
addresses.  My natd.conf looks like:

log                     yes
use_sockets             yes
same_ports              yes
unregistered_only       yes
interface               xl0

For the firewall to become active, you need to add firewall_enable="YES" to
your /etc/rc.conf

So, to recap, you are almost there.  First, reverse your cable polarity with
a crossover cable, and then make sure you add the line shown above to your
/etc/rc.conf file. The reason you are not "NATing" is that you have not
specified an interface for the NAT to watch, and you are manually
redirecting packets, called static NAT, which is not what you want.

Gene

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of
> mike@hyperreal.org
> Sent: Sunday, November 26, 2000 4:53 PM
> To: freebsd-questions
> Subject: Re: natd basic setup help
> 
> 
> Crist J . Clark wrote:
> > natd(8) was not designed to work with one physical interface. It may
> > work, but if it doesn't you're kind of on your own. You might say it is
> > not a supported configuration.
> 
> OK, I'm still confused about NAT setup. I have successfully
> installed a 2nd NIC in the FreeBSD box and now have the
> following connections:
> 
> [private_box_1]----[ unmanaged ]
>                    [  switch   ]---[FreeBSD_box]---[DSL modem]
> [private_box_2]----[           ]
> 
> The kernel is configured with:
>   options IPFIREWALL
>   options IPFIREWALL_FORWARD
>   options IPFIREWALL_VERBOSE
>   options IPFIREWALL_VERBOSE_LIMIT=50
>   options IPDIVERT
>   options IPFILTER
>   options IPFILTER_LOG
> 
> /etc/rc.conf contains:
>   ifconfig_rl0="inet 216.241.42.159  netmask 255.255.255.0"
>   ifconfig_dc0="inet 10.0.0.1  netmask 255.255.255.0"
>   defaultrouter="216.241.42.1"
>   gateway_enable="YES"
>   natd_enable="YES"
>   natd_interface="rl0"
>   natd_flags="-f /etc/natd.conf"
>   firewall_type="open"
> 
> /etc/natd.conf contains:
>   log yes
>   use_sockets yes
>   same_ports yes
>   redirect_address 10.0.0.2 216.241.42.159
>   redirect_address 10.0.0.3 216.241.42.159
> 
> rl0 is the public interface. The NIC for that interface is physically
> connected to the DSL modem. dc0 is physically connected to the switch.
> 
> The kernel's boot messages indicate that both links are up and active,
> and "IP packet filtering initialized, divert enabled, rule-based
> forwarding enabled, default to deny, logging limited to 50 packets/
> entry by default" and "IP Filter: v3.4.8 initialized.  Default = pass
> all, Logging = enabled" ... everything as expected, I think.
> 
> 
> First question:
> 
> Before, when I connected the DSL modem to the switch, I had to use
> the switch's uplink port. Connecting the modem to the other ports
> does not work (no link lights on the NIC or the switch).
> 
> Now, when I connect the dc0 NIC to the switch, I have to use one of
> the regular ports in order to get link lights. If I connect to the
> uplink port, no link.
> 
> Why would I get no link lights in the case of DSL modem <-> regular
> port, or dc0 NIC <-> uplink port? Do I need to use the uplink port
> at all in the new configuration?
> 
> 
> Question 2:
> From what I've read and what I've seen in rc.firewall, the above
> kernel and rc.conf configuration should be sufficient to have an
> open firewall. However, after boot, it appears that rc.firewall is
> not being run at all:
> 
> # ipfw list
> 65535 deny ip from any to any
> 
> And indeed, no packets go anywhere. If I go ahead and run
> rc.firewall, I get
> 
> # sh /etc/rc.firewall
> Flushed all rules.
> 00050 divert 8668 ip from any to any via rl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 65000 allow ip from any to any
> # ipfw list
> 00050 divert 8668 ip from any to any via rl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> 
> which looks about right.
> 
> Why is /etc/rc.firewall not running on startup? Is this expected?
> 
> 
> Question 3:
> 
> After running rc.firewall, the FreeBSD box and a private box
> can ping each other at 10.0.0.1 and 10.0.0.2, respectively. Each
> can also ping themselves at 127.0.0.1. So good, the local network
> is functional.
> 
> However, none of the boxes can ping the ISP's router at the other end
> of the DSL link (216.241.42.1).
> 
> What should I look at next?
> 
> TIA,
> Mike
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 
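The three points Gene raises (firewall_enable="YES" missing from rc.conf, natd needing an interface to watch, and redirect_address lines being static NAT) can be checked mechanically before rebooting. This is an added example, not code from either poster or from FreeBSD; the rc.conf and natd.conf contents are constructed samples modelled on the quoted message, and rc_value/natd_check are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread: check rc.conf/natd.conf text for the three
# points raised above. All file contents below are constructed samples.

# Constructed rc.conf and natd.conf mirroring the poster's configuration.
RC_CONF='gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
firewall_type="open"'
NATD_CONF='log yes
use_sockets yes
same_ports yes
redirect_address 10.0.0.2 216.241.42.159
redirect_address 10.0.0.3 216.241.42.159'

# Constructed corrected pair: firewall enabled, interface named, no static NAT.
RC_CONF_FIXED="$RC_CONF
firewall_enable=\"YES\""
NATD_CONF_FIXED='log yes
use_sockets yes
same_ports yes
unregistered_only yes
interface rl0'

# rc_value VAR TEXT: print the (unquoted) value of VAR from rc.conf-style text.
rc_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | tr -d '"' | tail -n 1
}

# natd_check RC NATD: print one finding per line (empty output means clean).
natd_check() {
    rc=$1; natd=$2
    if [ "$(rc_value firewall_enable "$rc")" != "YES" ]; then
        echo "firewall_enable is not YES: rc.firewall and natd do not start at boot"
    fi
    if [ -z "$(rc_value natd_interface "$rc")" ] &&
       ! printf '%s\n' "$natd" | grep -q '^[[:space:]]*interface[[:space:]]'; then
        echo "natd interface missing: set natd_interface or an interface line"
    fi
    if printf '%s\n' "$natd" | grep -q '^[[:space:]]*redirect_address'; then
        echo "redirect_address present: static NAT, not needed for ordinary masquerading"
    fi
    return 0
}

echo "--- as posted ---";  natd_check "$RC_CONF" "$NATD_CONF"
echo "--- corrected ---";  natd_check "$RC_CONF_FIXED" "$NATD_CONF_FIXED"
```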

