Date: Tue, 4 Jan 2000 12:13:29 -0500 From: Ben WIlliams <williamsl@Home.Com> To: FreeBSD questions <freebsd-questions@freebsd.org> Subject: Re: Need some help with NAT Message-ID: <1509.000104@Home.Com>
Tuesday, January 04, 2000

I am using a 3.2-RELEASE box for a cable-modem NAT box (with a whole 2 machines behind it on the private 192.168.0.0 network) with 2 NICs and it works well for web browsing, getting email and IRC with a forwarding rule for ident. It works passably well for ICQ too.

My hardware config is:

cable-modem -> natbox (Intel EE Pro) -> natbox (3Com 509B) -> internal_net

(natbox is an i486 w/ 8mb RAM & 470mb HD)

Kernel config: (relevant portions only)

device ep0 at isa? port 0x300 net irq 10
device ex0 at isa? port? net irq?
pseudo-device loop
pseudo-device ether
pseudo-device sl 1      # could probably do without these
pseudo-device ppp 1     # three but I'm going to try my
pseudo-device tun 1     # hand at VPN
...
options "TCP_COMPAT_42" # I should take this out
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options "IPFIREWALL_VERBOSE_LIMIT=100"
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
options IPFILTER
options IPFILTER_LOG
options IPFILTER_LKM
options TCPDEBUG
options "ICMP_BANDLIM"
options DUMMYNET
options BRIDGE

IP-Filter rules adapted from:
http://users.orac.net.au/~doug/network/html/node18.html#SECTION00092200000000000000

IP-Nat rules built by hand but this site should get you started:
http://users.orac.net.au/~doug/network/html/node18.html#630

/etc/rc.conf has:

gateway_enable="YES"
tcp_extensions="YES"
network_interfaces="ex0 ep0 lo0"
gateway_enable="YES"    # Set to YES if this host will be a gateway.
# -- sysinstall generated deltas -- #
ifconfig_ex0="inet 24.X.X.X netmask 255.255.255.0"
defaultrouter="24.X.X.X"
hostname="my_full_@home_name"
ifconfig_ep0="inet 192.168.1.1 netmask 255.255.255.0"
# -- sysadmin generated deltas -- #
firewall_enable="NO"    # Set to YES to enable firewall functionality
router_enable="YES"     # Set to YES to enable a routing daemon.
router="routed"         # Name of routing daemon to use if enabled.
router_flags="-q"       # Flags for routing daemon.
This is more of a shotgun approach since from what you told us I can't tell where or how your natbox is 'breaking' things, but I think it's all the relevant details.

HTH,
Ben.

Tuesday, January 04, 2000, 11:14:53 AM, you wrote:

JAM> I seem to be having a brain fart here getting NAT setup - I'm looking
JAM> for some help.
JAM> We're implementing NAT on the BSD box because it's breaking our Ascend
JAM> P130 - so I don't need to do firewalling or packet filtering (Yet). I'd
JAM> like to get this all up and running using the 'ipfilter' package so that
JAM> implementing a firewall will be easy later on down the road.
JAM> Here's what I've got so far:
JAM> Kernel Options:
JAM> IPFIREWALL
JAM> IPFIREWALL_DEFAULT_TO_ACCEPT
JAM> IPDIVERT
JAM> IPFILTER
JAM> IPSTEALTH (We'll use this later)
JAM> TCP_DROP_SYNFIN (Again, we'll use this later)
JAM> TCP_RESTRICT_RST (We'll use this later also)
JAM> "ICMP_BANDLIM"
JAM> In rc.conf we've got this:
JAM> gateway_enable="YES"
JAM> In rc.local we've got the following entries:
JAM> /sbin/ipf -Fa -f /etc/ipf.rules -E
JAM> /sbin/ipnat -CF -f /etc/ipnat.rules
JAM> Finally, we've tried 2 different NIC combos -
JAM> 1st try was 2 NICs, 2 IPs, both plugged into the same LAN - That didn't
JAM> work very well.
JAM> 2nd try was 1 NIC
JAM> pn0=192.196.1.1
JAM> pn0:1=204.XXX.XXX.XXX - That doesn't seem to be working either.
JAM> As soon as I activate the 'ipnat' rules the machine becomes
JAM> inaccessible. However, pings from another machine on the network reveal
JAM> something interesting (when ipnat is enabled): Pings are sent to the
JAM> internal interface and returned by the external interface.
JAM> Any ideas here?
JAM> Thanks again,
JAM> Jim
JAM> To Unsubscribe: send mail to majordomo@FreeBSD.org
JAM> with "unsubscribe freebsd-questions" in the body of the message

--
Ben
mailto:williamsl@Home.Com
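Ben's reply gives the kernel options and rc.conf for his two-NIC box but not the IPFilter rule files themselves (his were adapted from the linked page). The following is an added example, written by the editor and not Ben's or Jim's actual configuration, of a matching /etc/ipnat.rules and /etc/ipf.rules for that layout: ex0 is the outside (cable) interface, ep0 is the inside interface on 192.168.1.0/24 as in Ben's rc.conf, and 192.168.1.2 is an assumed inside host that should receive the ident forward. The external 24.X.X.X address is never written into the rules; ipnat's 0/32 means "whatever address ex0 has", so the rules survive a DHCP lease change.

```text
# ---------------- /etc/ipnat.rules (added example, not from the thread) ----------------
# Loaded with: /sbin/ipnat -CF -f /etc/ipnat.rules
# Interface names and the 192.168.1.0/24 range follow Ben's rc.conf; 192.168.1.2 is assumed.

# Outbound TCP/UDP from the inside net leaves with ex0's own address (0/32) and a
# source port rewritten into 10000-20000 so two inside hosts never collide.
map ex0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
# Everything else (ICMP etc.) is mapped 1:1 onto ex0's address; this rule must come
# after the portmap rule because ipnat uses the first matching map rule.
map ex0 192.168.1.0/24 -> 0/32

# Ident (TCP 113) arriving on the outside is redirected to the inside host that
# IRC is actually being used from (assumed 192.168.1.2).
rdr ex0 0.0.0.0/0 port 113 -> 192.168.1.2 port 113 tcp

# ---------------- /etc/ipf.rules (added example, not from the thread) ------------------
# Loaded with: /sbin/ipf -Fa -f /etc/ipf.rules -E
# ipf rules are last-match unless "quick" is given; every rule below uses quick so the
# first match wins and ordering reads top-down.

# Loopback is never filtered.
pass in  quick on lo0 all
pass out quick on lo0 all

# Inside interface: trusted for now, which matches Jim's "NAT only, firewall later".
pass in  quick on ep0 all
pass out quick on ep0 all

# Outside interface, inbound: a packet claiming an inside source address on ex0 is
# spoofed; drop and log it before anything else can match.
block in log quick on ex0 from 192.168.1.0/24 to any
# rdr has already rewritten ident packets to 192.168.1.2:113 before the filter sees
# them, so this is what an inbound ident connection looks like here.
pass in quick on ex0 proto tcp from any to 192.168.1.2 port = 113 flags S keep state
# Everything else inbound on ex0 is blocked unless it matches a state entry created
# by one of the "keep state" out rules below.
block in log quick on ex0 all

# Outside interface, outbound: allow what the inside hosts initiate and keep state so
# the replies are accepted above without any explicit "pass in" rules.
pass out quick on ex0 proto tcp  from any to any flags S keep state
pass out quick on ex0 proto udp  from any to any keep state
pass out quick on ex0 proto icmp from any to any keep state
block out log quick on ex0 all
```

Two points worth checking once this is loaded: `ipnat -l` should list the three rules and, after an inside host opens a connection, an active mapping whose translated address is ex0's address; and `ipfstat -io` should show the rules in the order above. If a ping from an inside host shows up on ex0 with its private source address, as Jim describes, the map rules are not being applied to that interface, which on a single-NIC box with an alias means the outside and inside are the same interface and there is no separate interface for `map ex0` to bind to.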
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1509.000104>