Date: Wed, 13 Dec 2000 10:02:43 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Sean Peck <speck@newsindex.com>
Subject: Re: Configuring Gateway/NAT on Freebsd
Message-ID: <20001213100243.A32372@rfx-64-6-211-1.users.reflexcom.>
Resent-Message-ID: <200012131812.eBDIC1S32488@rfx-64-6-211-1.users.reflexcom.com>
In-Reply-To: <Pine.BSF.4.10.10012130329590.10186-100000@www.newsindex.com>; from speck@newsindex.com on Wed, Dec 13, 2000 at 04:00:17AM -0800
References: <20001212231103.H96105@149.211.6.64.reflexcom.com> <Pine.BSF.4.10.10012130329590.10186-100000@www.newsindex.com>
On Wed, Dec 13, 2000 at 04:00:17AM -0800, Sean Peck wrote:
>
> > OK, one more time. What _exactly_ are your configs? What _exactly_ is
> > and is not working? Saying "you have a machine running natd" and
> > giving us the IP is not enough. You ask what natd(8) "flags" to
> > use. Well, let's get the ones you are using now. All you really should
> > need are the entries to start it and provide the interface or
> > address.
>
> here are settings in rc.conf:

OK, now we are getting somewhere,

> natd_enabled="YES"
> natd_interface="172.16.0.1" (I have tried this with public ip and with
> private ip)

This is wrong. It needs to be your public address.

> natd_program="/sbin/natd"
> natd_flags="-a xxx.xxx.xxx.xxx" (public space address)

This is not needed and actually confuses things. The 'natd_interface'
value is used to provide the '-a' or '-n' argument to natd(8). Neither
should ever appear in the 'natd_flags' value.

> gateway_enabled="YES"

You are missing,

  firewall_enable="YES"
  firewall_type="<whatever>"

> in rc.local I have the alias command to force nic in this box to also
> listen at 172.16.0.1 as follows
>
> ifconfig xl0 alias 172.16.0.1 netmask 0xffffff00

So you are saying you have,

  ifconfig_xl0_alias0="172.16.0.1 netmask 0xffffff00"

In rc.conf to do this, right?

> Network looks like this
>
> ISP
>
> 1 Machine, in my network listening as both a public IP and to 172.16.0.1
> This is the machine that natd is running on, and I wish to be the gateway
> to my network.
>
> other machines behind this all in 172.16.0.x space, with their default
> router set to 172.16.0.1 and netmask of 255.255.255.0
>
> ifconfig -a :
>
> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet xx.xx.xx.xxx netmask 0xffffff00 broadcast 64.2.61.255
>         inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
>         ether 00:01:02:34:0b:61
>         media: 10baseT/UTP <half-duplex>
>         supported media: 10baseT/UTP <full-duplex> 10baseT/UTP
> <half-duplex> 10baseT/UTP

It has already been pointed out in the thread that using a single
interface with natd(8) is not a really good idea. Some people have
reported problems, others have had none. You have not got far enough yet
to determine if you are OK or not. I see ISA 10BaseT NICs at the store
for less than $10. You can get a PCI one for less than $20. Since (1) you
can't really firewall with one NIC, (2) you might leak traffic onto your
public LAN, and (3) natd(8) may not work right, I would make the
investment.

[snip]

> ipfw sh
> ipfw: getsockopt(IP_FW_GET): Protocol not available
> (OBVIOUSLY THIS ISN'T RIGHT... )

It looks like you have not rebuilt the kernel with firewalling and
divert(4) enabled. I guess you skipped over point (1) in the 'RUNNING
NATD' section of the natd(8) manpage. Go back and do it or this just
won't get anywhere.

> grep natd is not showing the process running either...very weird.

Nope, still lots of problems. But you see how much easier this is when
you provide the real technical details?
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
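As an added check (not part of the thread, and not FreeBSD's own rc scripts), a small POSIX sh script that loads an rc.conf fragment and flags the natd mistakes discussed above: a private natd_interface, -a/-n in natd_flags, and a missing firewall_enable; it also checks the natd_enable and gateway_enable spellings that rc.conf(5) actually reads. The sample fragment is constructed from the quoted settings, with 192.0.2.10 standing in for the redacted public address.

```sh
# Added example, not from the thread: lint an rc.conf fragment for the natd
# mistakes called out above. SAMPLE_RCCONF is constructed to mirror the
# quoted settings; 192.0.2.10 stands in for the redacted public address.
SAMPLE_RCCONF='
natd_enabled="YES"
natd_interface="172.16.0.1"
natd_program="/sbin/natd"
natd_flags="-a 192.0.2.10"
gateway_enabled="YES"
'

# is_private ADDR: succeeds when ADDR lies in an RFC 1918 range
is_private() {
  case "$1" in
    10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*) return 0 ;;
  esac
  return 1
}

# lint_rcconf TEXT: prints one finding per line and returns the finding count.
# rc.conf is plain sh assignments, so eval is enough to load the fragment.
lint_rcconf() {
  natd_enable= natd_enabled= natd_interface= natd_flags=
  gateway_enable= gateway_enabled= firewall_enable=
  eval "$1"
  n=0
  if [ -n "$natd_interface" ] && is_private "$natd_interface"; then
    echo "natd_interface=$natd_interface is private; use the public interface or address"
    n=$((n + 1))
  fi
  case " $natd_flags " in
    *" -a "*|*" -n "*)
      echo "natd_flags carries -a/-n; natd_interface already supplies that"
      n=$((n + 1)) ;;
  esac
  if [ "$firewall_enable" != "YES" ]; then
    echo 'firewall_enable="YES" (plus firewall_type) is missing; natd needs ipfw divert'
    n=$((n + 1))
  fi
  # rc.conf(5) reads natd_enable and gateway_enable; the *_enabled spellings are ignored
  if [ -n "$natd_enabled" ] && [ -z "$natd_enable" ]; then
    echo 'natd_enabled is not an rc.conf knob; use natd_enable="YES"'; n=$((n + 1))
  fi
  if [ -n "$gateway_enabled" ] && [ -z "$gateway_enable" ]; then
    echo 'gateway_enabled is not an rc.conf knob; use gateway_enable="YES"'; n=$((n + 1))
  fi
  return $n
}
lint_rcconf "$SAMPLE_RCCONF" || echo "$? finding(s) in the quoted fragment"
```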