Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 16 Feb 2005 23:06:39 -0500
From:      David Wassman <myfreebsd@cox.net>
To:        freebsd-questions@freebsd.org
Subject:   Problem accessing net from a NAT Firewall
Message-ID:  <4214184F.5060700@cox.net>

next in thread | raw e-mail | index | archive | help
Ok, after two days with little sleep I am now going to ask for some 
help. Here are my problems to ponder and I will give my sys info and 
configs after.

1) I want to connect to my wireless router (A) from one computer (B) and 
connect through it a wired network (C) to access the internet. Is this 
possible? I know you can do it with a wired network through nat but am 
not sure about the wireless in the middle.

2)I have setup the computer A as a router with a firewall and NAT. I can 
access to web from it through the wireless link but cannot ping out from 
C behind it.

The net hardware:
I have cable.
A -     Linksys WGT54G
D-      WG511T wireless PC card
          Xircom 10Mbps PC card
C       RealTek 8139
          3Com  3c905-TX

I have put the following options in the kernel and compiled
IPFIREWALL
IPDIVERT
IPSEC               (I know this is for IPsec and not the firewall 
directly. I have not installed racoon and am not using IPsec. Included 
it here in case this is the problem.)
IPSEC_ESP
IPSEC_DEBUG

I modified the following configs from this site 
http://lugbe.ch/lostfound/contrib/freebsd_router/
rc.conf:
# use DHCP for external interface
ifconfig_ath0="ssid xxxx"

ifconfig_ath0="DHCP"

# static address for internal interface
ifconfig_xe0="inet 223.147.37.1 netmask 255.255.255.0 broadcast 
223.147.37.255"

# enable IP forwarding
gateway_enable="YES"
sshd_enable="YES"

# enable firewall
firewall_enable="YES"
# set path to custom firewall config
firewall_type="/etc/rc.firewall.rules"
# be non-verbose? set to YES after testing
firewall_quiet="NO"

# enable natd, the NAT daemon
natd_enable="YES"
# which is the interface to the internet that we hide behind?
natd_interface="ath0"
# flags for natd
natd_flags="-f /etc/natd.conf"

rc.firewall.rules
# be quiet and flush all rules on start
-q flush
   
# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via ep0
add 00302 deny ip from 172.16.0.0/12 to any in via ath0
add 00303 deny ip from 192.168.0.0/16 to any in via ath0
                                                                                    

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via ath0
add 01001 check-state
  
# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from 223.147.37.0/24 to me dst-port 22 in via xe0 
setup keep-state
# NTP
add 04002 allow tcp from 223.147.37.0/24 to me dst-port 123 in via xe0 
setup keep-state
add 04003 allow udp from 223.147.37.0/24 to me dst-port 123 in via xe0 
keep-state
# DNS
add 04006 allow udp from 223.147.37.0/24 to me dst-port 53 in via xe0
   
# drop everything else
add 04009 deny ip from 223.147.37.0/24 to me
       
# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 223.147.37.0/24 to any in via xe0 keep-state
                                                                                  

# allow all outgoing traffic from the router (maybe you should be more 
restrictive)
add 05010 allow ip from me to any out keep-state
  
# drop everything that has come so far. This means it doesn't belong to 
an established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60000 deny log ip from any to any
   
# this is the NAT rule. Only outgoing packets from the local net will 
come here.
# First, nat them, then pass them on (again, you may choose to be more 
restrictive)
add 61000 divert natd ip from 223.147.37.0/24 to any out via ath0
add 61001 allow ip from any to any

natd.conf
unregistered_only
interface ath0
use_sockets
#dynamic                                        (Don't think I need this 
as not running any services for the outside)
# dyamically open fw for ftp, irc
#punch_fw 53

Any help would be greatly appreciated as I am very tired of pulling my 
hair out at 4 in the morning. It is also annoying to have to use M$ on 
my wife's laptop to access the internet. Please help bring FreeBSD back 
into my everyday life:-)

David



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4214184F.5060700>