Date: Wed, 16 Feb 2005 23:06:39 -0500
From: David Wassman <myfreebsd@cox.net>
To: freebsd-questions@freebsd.org
Subject: Problem accessing net from a NAT Firewall
Message-ID: <4214184F.5060700@cox.net>
Ok, after two days with little sleep I am now going to ask for some help. Here are my problems to ponder, and I will give my sys info and configs after.

1) I want to connect to my wireless router (A) from one computer (B) and connect through it a wired network (C) to access the internet. Is this possible? I know you can do it with a wired network through NAT but am not sure about the wireless in the middle.

2) I have set up the computer A as a router with a firewall and NAT. I can access the web from it through the wireless link but cannot ping out from C behind it.

The net hardware: I have cable.
  A - Linksys WGT54G
  D - WG511T wireless PC card
      Xircom 10Mbps PC card
  C - RealTek 8139
      3Com 3c905-TX

I have put the following options in the kernel and compiled:
  IPFIREWALL
  IPDIVERT
  IPSEC (I know this is for IPsec and not the firewall directly. I have not installed racoon and am not using IPsec. Included it here in case this is the problem.)
  IPSEC_ESP
  IPSEC_DEBUG

I modified the following configs from this site: http://lugbe.ch/lostfound/contrib/freebsd_router/

rc.conf:

# use DHCP for external interface
ifconfig_ath0="ssid xxxx"
ifconfig_ath0="DHCP"
# static address for internal interface
ifconfig_xe0="inet 223.147.37.1 netmask 255.255.255.0 broadcast 223.147.37.255"
# enable IP forwarding
gateway_enable="YES"
sshd_enable="YES"
# enable firewall
firewall_enable="YES"
# set path to custom firewall config
firewall_type="/etc/rc.firewall.rules"
# be non-verbose? set to YES after testing
firewall_quiet="NO"
# enable natd, the NAT daemon
natd_enable="YES"
# which is the interface to the internet that we hide behind?
natd_interface="ath0"
# flags for natd
natd_flags="-f /etc/natd.conf"

rc.firewall.rules:

# be quiet and flush all rules on start
-q flush
# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via ep0
add 00302 deny ip from 172.16.0.0/12 to any in via ath0
add 00303 deny ip from 192.168.0.0/16 to any in via ath0
# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via ath0
add 01001 check-state
# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from 223.147.37.0/24 to me dst-port 22 in via xe0 setup keep-state
# NTP
add 04002 allow tcp from 223.147.37.0/24 to me dst-port 123 in via xe0 setup keep-state
add 04003 allow udp from 223.147.37.0/24 to me dst-port 123 in via xe0 keep-state
# DNS
add 04006 allow udp from 223.147.37.0/24 to me dst-port 53 in via xe0
# drop everything else
add 04009 deny ip from 223.147.37.0/24 to me
# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 223.147.37.0/24 to any in via xe0 keep-state
# allow all outgoing traffic from the router (maybe you should be more restrictive)
add 05010 allow ip from me to any out keep-state
# drop everything that has come so far. This means it doesn't belong to an established connection; don't log the most noisy scans.
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60000 deny log ip from any to any
# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd ip from 223.147.37.0/24 to any out via ath0
add 61001 allow ip from any to any

natd.conf:

unregistered_only
interface ath0
use_sockets
#dynamic (Don't think I need this as not running any services for the outside)
# dynamically open fw for ftp, irc
#punch_fw 53

Any help would be greatly appreciated as I am very tired of pulling my hair out at 4 in the morning. It is also annoying to have to use M$ on my wife's laptop to access the internet. Please help bring FreeBSD back into my everyday life :-)

David
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4214184F.5060700>
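The following lint script is an added example, not code from David's post or from the lugbe.ch template, and the function names (dup_assignments, unknown_interfaces, nat_untranslated, is_rfc1918) are this example's own. It checks copies of the three files above for mistakes that load without any error message: rc.conf is sourced by /bin/sh, so of the two ifconfig_ath0= assignments only the last one takes effect; ipfw stores whatever name follows "via" without checking that the interface exists, so the rule written "in via ep0" loads fine but can never match; and natd(8) documents unregistered_only as translating only packets whose source is an RFC 1918 address (10/8, 172.16/12, 192.168/16), which 223.147.37.0/24 is not, so with that option set natd leaves traffic from the xe0 side untranslated. The sample files are constructed inline from the lines in the post so the script runs offline.

```sh
#!/bin/sh
# Added example: lint rc.conf, rc.firewall.rules and natd.conf for three
# silent mistakes. Not from the original post; sample inputs are constructed.
set -e

# rc.conf is a /bin/sh fragment: when a variable is assigned twice, only the
# last assignment survives. Print each variable assigned more than once.
dup_assignments() {            # $1: rc.conf-style file
    awk -F= '
        /^[ \t]*#/ || !/=/ { next }            # skip comments and non-assignments
        { sub(/^[ \t]+/, "", $1); seen[$1]++ }
        END { for (v in seen) if (seen[v] > 1) print v }
    ' "$1" | sort
}

# ipfw accepts any name after "via"; a typo gives a rule that matches nothing.
# Print interface names used in the rules that rc.conf never configures
# (lo0 always exists and is skipped).
unknown_interfaces() {         # $1: rc.conf  $2: ipfw rules file
    rc_ifaces=$(sed -n 's/^[[:space:]]*ifconfig_\([A-Za-z0-9]*\)=.*/\1/p' "$1" | sort -u)
    rule_ifaces=$(awk '
        /^[ \t]*#/ { next }
        { for (i = 1; i < NF; i++) if ($i == "via") print $(i + 1) }
    ' "$2" | sort -u)
    for ifc in $rule_ifaces; do
        [ "$ifc" = lo0 ] && continue
        printf '%s\n' "$rc_ifaces" | grep -qx "$ifc" || echo "$ifc"
    done
}

# Exit 0 if the dotted-quad address is in an RFC 1918 range.
is_rfc1918() {                 # $1: address
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*) o2=${1#172.}; o2=${o2%%.*}
               [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
    esac
    return 1
}

# natd's unregistered_only translates only RFC 1918 sources. When natd.conf
# sets it, print every statically addressed inside interface whose address
# natd would therefore leave untranslated.
nat_untranslated() {           # $1: rc.conf  $2: natd.conf
    grep -q '^[[:space:]]*unregistered_only' "$2" || return 0
    ext=$(sed -n 's/^natd_interface="\(.*\)"/\1/p' "$1")
    sed -n 's/^ifconfig_\([A-Za-z0-9]*\)="inet \([0-9.]*\).*/\1 \2/p' "$1" |
    while read -r ifc addr; do
        [ "$ifc" = "$ext" ] && continue
        is_rfc1918 "$addr" || echo "$ifc $addr"
    done
}

# Constructed samples: the relevant lines of the files in the post.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
RC_SAMPLE="$tmp/rc.conf"; RULES_SAMPLE="$tmp/rc.firewall.rules"; NATD_SAMPLE="$tmp/natd.conf"
cat > "$RC_SAMPLE" <<'EOF'
ifconfig_ath0="ssid xxxx"
ifconfig_ath0="DHCP"
ifconfig_xe0="inet 223.147.37.1 netmask 255.255.255.0 broadcast 223.147.37.255"
gateway_enable="YES"
natd_enable="YES"
natd_interface="ath0"
EOF
cat > "$RULES_SAMPLE" <<'EOF'
add 00100 allow ip from any to any via lo0
add 00301 deny ip from 10.0.0.0/8 to any in via ep0
add 00302 deny ip from 172.16.0.0/12 to any in via ath0
add 01000 divert natd ip from any to me in via ath0
add 04000 allow tcp from 223.147.37.0/24 to me dst-port 22 in via xe0 setup keep-state
add 61000 divert natd ip from 223.147.37.0/24 to any out via ath0
EOF
cat > "$NATD_SAMPLE" <<'EOF'
unregistered_only
interface ath0
use_sockets
EOF

echo "rc.conf variables assigned more than once:"; dup_assignments "$RC_SAMPLE"
echo "interfaces named in rules but not configured:"; unknown_interfaces "$RC_SAMPLE" "$RULES_SAMPLE"
echo "inside interfaces natd will not translate (unregistered_only):"; nat_untranslated "$RC_SAMPLE" "$NATD_SAMPLE"
```

On the router itself, point the three functions at /etc/rc.conf, /etc/rc.firewall.rules and /etc/natd.conf. Whether the ssid and DHCP settings can be combined into a single ifconfig_ath0 line depends on how the installed /etc/network.subr parses ifconfig_IF values, so check that file before editing; the natd finding is cleared either by dropping unregistered_only or by renumbering the inside network into an RFC 1918 range (which the 00301-00303 rules already assume is the only private space).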