From: David Kelly <dkelly@Grumpy.DynDNS.org>
To: "admin@hdk5.com"
Cc: freebsd-questions@freebsd.org
Date: Thu, 3 Aug 2006 14:13:45 -0500
Subject: Re: Adding a FreeBSD Gateway on a DSL/ ATM circuit
Message-ID: <20060803191345.GA31429@Grumpy.DynDNS.org>
In-Reply-To: <44D241FE.8050007@hdk5.com>

On Thu, Aug 03, 2006 at 08:35:42AM -1000, admin@hdk5.com wrote:
>
> I can ping from the gateway box NIC to the internet OK. I can ping from
> the test box to the LAN side of the gateway box OK. I can't reach the
> internet through the gateway. I have read probably 5 howtos from the
> FreeBSD handbook and elsewhere and none are exactly what I am doing.
A properly designed DSL/ATM modem or router is not going to allow private IP
addresses onto the public internet. So you cannot get through the FreeBSD
gateway without NAT to map 192.168/16 to the gateway's external IP address.
At the very least you need to enable gateway and NAT.

One way to do NAT is with IPFW. In /etc/rc.conf I have:

firewall_enable="YES"                # Set to YES to enable firewall functionality
firewall_type="client"               # really ought to remove this from custom script
firewall_script="/etc/dmk.firewall"  # my custom script
natd_enable="YES"                    # Enable natd (if firewall_enable == YES).
natd_interface="fxp1"                # the external interface to place nat'ed packets
natd_flags="-f /etc/natd.conf"       # some natd config
gateway_enable="YES"                 # both natd and gateway needed

/etc/natd.conf looks like this:

interface fxp1
log_denied
log_facility security
use_sockets
same_ports
dynamic
log_ipfw_denied
punch_fw 4900:99

punch_fw defines where dynamic rules are inserted in my ipfw ruleset to
support ftp. /etc/dmk.firewall is only a modified version of the stock
rc.firewall.

-- 
David Kelly N4HHE, dkelly@HiWAAY.net
========================================================================
Whom computers would destroy, they must first drive mad.
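The mail describes /etc/dmk.firewall only as "a modified version of the stock rc.firewall" and does not show it. The script below is an added illustration, not David Kelly's script and not FreeBSD's rc.firewall, of the ipfw ruleset that the rc.conf and natd.conf above imply: a divert rule that hands everything crossing fxp1 to natd, RFC 1918 blocks on both sides of the translation, and an empty rule-number window at 4900-4999 for natd's punch_fw 4900:99 to fill. fxp1, 192.168/16 and the punch_fw range come from the mail; fxp0 as the LAN interface, the rule numbers, the `show`/`apply` dispatcher and the `punch_window_ok` helper (which checks that the punch_fw window collides with no static rule and sits before the final deny) are my assumptions.

```shell
#!/bin/sh
# Added illustration of an ipfw + natd gateway ruleset in the style of rc.firewall.
# Not the original poster's /etc/dmk.firewall. Assumptions not in the mail:
# fxp0 is the LAN interface, 192.168.0.0/16 is the LAN, rule numbers are mine.
# Packet forwarding itself is enabled by gateway_enable="YES" in rc.conf.

oif="fxp1"                    # external interface, matches natd_interface
iif="fxp0"                    # LAN interface (assumed)
lan="192.168.0.0/16"          # LAN block that natd maps to the external address
fwcmd="${fwcmd:-/sbin/ipfw}"  # set fwcmd=echo to print the rules instead of loading them

load_rules() {
    ${fwcmd} -f flush

    # loopback sanity, as in the stock rc.firewall
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # RFC 1918 destinations must never go out or come in on the public side
    ${fwcmd} add 1000 deny ip from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add 1010 deny ip from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add 1020 deny ip from any to 192.168.0.0/16 via ${oif}

    # NAT: every packet crossing the external interface is handed to natd
    # ("natd" is the divert port from /etc/services). This must come before
    # the private-source checks below, or LAN traffic is dropped untranslated.
    ${fwcmd} add 2000 divert natd ip from any to any via ${oif}

    # after translation nothing with a private source may cross fxp1
    ${fwcmd} add 3000 deny ip from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add 3010 deny ip from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add 3020 deny ip from 192.168.0.0/16 to any via ${oif}

    # rules 4900-4999 are deliberately left empty: natd's "punch_fw 4900:99"
    # inserts temporary allow rules there for FTP data connections, and they
    # only work if that window sits before the terminal deny below.

    # replies to established TCP sessions, DNS replies, and whatever the LAN originates
    ${fwcmd} add 5000 allow tcp from any to any established
    ${fwcmd} add 5010 allow udp from any 53 to ${lan} in via ${oif}
    ${fwcmd} add 5020 allow icmp from any to any icmptypes 0,3,8,11
    ${fwcmd} add 5100 allow ip from ${lan} to any in via ${iif}
    ${fwcmd} add 5110 allow ip from any to ${lan} out via ${iif}
    ${fwcmd} add 5200 allow ip from any to any out via ${oif}

    ${fwcmd} add 65000 deny log ip from any to any
}

# punch_window_ok BASE COUNT: succeed only if no static rule number falls inside
# natd's punch_fw window BASE..BASE+COUNT-1 and the window precedes the last rule.
punch_window_ok() {
    base=$1; count=$2; last=$((base + count - 1))
    ( fwcmd=echo; load_rules ) | awk -v b="$base" -v l="$last" '
        $1 == "add" { n = $2 + 0; if (n >= b && n <= l) bad = 1; if (n > max) max = n }
        END { exit (bad || max <= l) ? 1 : 0 }'
}

case "${1:-}" in
    show)  fwcmd=echo; load_rules ;;   # print the rules without touching the kernel
    apply) punch_window_ok 4900 99 && load_rules ;;
esac
```

Run it as `sh dmk.firewall show` to review the rules, or `apply` to load them; `apply` refuses to load if the 4900:99 window from natd.conf overlaps a static rule.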