Date:      Sun, 26 Nov 2000 17:54:26 -0800
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        mike@hyperreal.org
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: natd basic setup help
Message-ID:  <20001126175426.L70192@149.211.6.64.reflexcom.com>
In-Reply-To: <20001126225317.29294.qmail@hyperreal.org>; from mike@hyperreal.org on Sun, Nov 26, 2000 at 02:53:17PM -0800
References:  <20001125174840.B12190@149.211.6.64.reflexcom.com> <20001126225317.29294.qmail@hyperreal.org>

On Sun, Nov 26, 2000 at 02:53:17PM -0800, mike@hyperreal.org wrote:
> Crist J . Clark wrote:
> > natd(8) was not designed to work with one physical interface. It may
> > work, but if it doesn't you're kind of on your own. You might say it is
> > not a supported configuration.
> 
> OK, I'm still confused about NAT setup. I have successfully
> installed a 2nd NIC in the FreeBSD box and now have the
> following connections:
> 
> [private_box_1]----[ unmanaged ]
>                    [  switch   ]---[FreeBSD_box]---[DSL modem]
> [private_box_2]----[           ]
> 
> The kernel is configured with:
>   options IPFIREWALL
>   options IPFIREWALL_FORWARD

You probably do not need IPFIREWALL_FORWARD.

>   options IPFIREWALL_VERBOSE
>   options IPFIREWALL_VERBOSE_LIMIT=50
>   options IPDIVERT

>   options IPFILTER
>   options IPFILTER_LOG

These two are for IPFilter (ipf(8)), not the native FreeBSD IPFirewall
(ipfw(8)).

> /etc/rc.conf contains:
>   ifconfig_rl0="inet 216.241.42.159  netmask 255.255.255.0"
>   ifconfig_dc0="inet 10.0.0.1  netmask 255.255.255.0"
>   defaultrouter="216.241.42.1"
>   gateway_enable="YES"
>   natd_enable="YES"
>   natd_interface="rl0"
>   natd_flags="-f /etc/natd.conf"
>   firewall_type="open"

You are missing,

  firewall_enable="YES"

Which is the answer to your "Question 2."

> /etc/natd.conf contains:
>   log yes

Ouch. This can get big. You probably want to turn it off once you are
up and going.

>   use_sockets yes
>   same_ports yes
>   redirect_address 10.0.0.2 216.241.42.159
>   redirect_address 10.0.0.3 216.241.42.159

Hmmm... Do you really mean to have these redirect_address lines?

> rl0 is the public interface. The NIC for that interface is physically
> connected to the DSL modem. dc0 is physically connected to the switch.
> 
> The kernel's boot messages indicate that both links are up and active,
> and "IP packet filtering initialized, divert enabled, rule-based
> forwarding enabled, default to deny, logging limited to 50 packets/
> entry by default"

Great, everything is "go" with your kernel.

> and "IP Filter: v3.4.8 initialized.  Default = pass
> all, Logging = enabled" ... everything as expected, I think.

As pointed out, this is a whole other dealie.

> First question:
> 
> Before, when I connected the DSL modem to the switch, I had to use
> the switch's uplink port. Connecting the modem to the other ports
> does not work (no link lights on the NIC or the switch).
> 
> Now, when I connect the dc0 NIC to the switch, I have to use one of
> the regular ports in order to get link lights. If I connect to the
> uplink port, no link.
> 
> Why would I get no link lights in the case of DSL modem <-> regular
> port, or dc0 NIC <-> uplink port? Do I need to use the uplink port
> at all in the new configuration?

Probably because the xmit and recv pairs on your DSL modem are
designed for it to be plugged into a NIC with a straight-through cable
or into an uplink port. The other possibility might be that it has the
normal xmit and recv pairs, but you are using a crossover cable to
hook it to the hub and now the NIC.

> Question 2:
> From what I've read and what I've seen in rc.firewall, the above
> kernel and rc.conf configuration should be sufficient to have an
> open firewall. However, after boot, it appears that rc.firewall is
> not being run at all:
> 
> # ipfw list
> 65535 deny ip from any to any
> 
> And indeed, no packets go anywhere. If I go ahead and run
> rc.firewall, I get
> 
> # sh /etc/rc.firewall
> Flushed all rules.
> 00050 divert 8668 ip from any to any via rl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 65000 allow ip from any to any
> # ipfw list
> 00050 divert 8668 ip from any to any via rl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 65000 allow ip from any to any
> 65535 deny ip from any to any
> 
> which looks about right.
> 
> Why is /etc/rc.firewall not running on startup? Is this expected?

Got it above, missing 'firewall_enable="YES"'.

> Question 3:
> 
> After running rc.firewall, the FreeBSD box and a private box
> can ping each other at 10.0.0.1 and 10.0.0.2, respectively. Each
> can also ping themselves at 127.0.0.1. So good, the local network
> is functional.
> 
> However, none of the boxes can ping the ISP's router at the other end
> of the DSL link (216.241.42.1).
> 
> What should I look at next?

Run tcpdump on each interface when you are doing the pings from the
internal machine. Where are the packets getting lost? And to be safe,
is natd(8) running?

  $ ps axu | grep natd

You would have to start it manually since it won't run without
'firewall_enable' set.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
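A small shell checker for the two configuration problems diagnosed in this reply, written as an added example and not taken from the thread: it reads an rc.conf-style file and reports which of the variables an ipfw/natd gateway needs (`gateway_enable`, `firewall_enable`, `natd_enable`, `natd_interface`) are missing or not set to `YES`, and it scans a kernel config for the `IPFILTER` options, which belong to ipf(8) rather than ipfw(8). The sample files are constructed copies of the configuration quoted above, with `firewall_enable` still absent; the function names are assumptions, the variable and option names are the real ones discussed in the thread.

```shell
#!/bin/sh
# Added example: sanity checks for a FreeBSD natd(8)/ipfw(8) gateway config.
# The sample files below are constructed from the configuration quoted in
# the thread (not captured from a live system).

SAMPLE_RC=$(mktemp)
cat > "$SAMPLE_RC" <<'EOF'
ifconfig_rl0="inet 216.241.42.159  netmask 255.255.255.0"
ifconfig_dc0="inet 10.0.0.1  netmask 255.255.255.0"
defaultrouter="216.241.42.1"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
firewall_type="open"
EOF

SAMPLE_KERNEL=$(mktemp)
cat > "$SAMPLE_KERNEL" <<'EOF'
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=50
options IPDIVERT
options IPFILTER
options IPFILTER_LOG
EOF

# rc_value FILE KEY -> prints the (unquoted) value of the last KEY= line,
# or nothing if KEY is not set.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr -d '"'
}

# check_rc_conf FILE -> prints each required variable that is missing or
# not "YES", one per line; exit status 0 if everything is there, else 1.
check_rc_conf() {
    file=$1
    status=0
    for key in gateway_enable firewall_enable natd_enable; do
        if [ "$(rc_value "$file" "$key")" != "YES" ]; then
            echo "$key"
            status=1
        fi
    done
    # natd has to be told which interface carries the public address
    if [ -z "$(rc_value "$file" natd_interface)" ]; then
        echo natd_interface
        status=1
    fi
    return $status
}

# kernel_notes FILE -> prints one note per finding; exit status is the
# number of findings (0 when the kernel config raises no remarks).
kernel_notes() {
    n=0
    # IPFILTER/IPFILTER_LOG configure ipf(8); they do nothing for ipfw(8).
    if grep -q '^[[:space:]]*options[[:space:]][[:space:]]*IPFILTER' "$1"; then
        echo "IPFILTER*: these options are for ipf(8), not ipfw(8)"
        n=$((n + 1))
    fi
    # natd(8) needs both the firewall and the divert socket support.
    for opt in IPFIREWALL IPDIVERT; do
        if ! grep -q "^[[:space:]]*options[[:space:]][[:space:]]*$opt[[:space:]]*$" "$1"; then
            echo "$opt: required for natd(8) but not in the kernel config"
            n=$((n + 1))
        fi
    done
    return $n
}

# Usage: report on the constructed samples.
echo "rc.conf variables missing or not YES:"
check_rc_conf "$SAMPLE_RC" || echo "(rc.conf is incomplete)"
echo "kernel config notes:"
kernel_notes "$SAMPLE_KERNEL" || true
```

Run against the sample, the rc.conf check prints only `firewall_enable`, which is exactly the variable the reply says is missing, and the kernel check prints one note about the `IPFILTER` options while confirming `IPFIREWALL` and `IPDIVERT` are present.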
