From owner-freebsd-questions@FreeBSD.ORG Thu Apr 6 21:36:22 2006
Date: Thu, 6 Apr 2006 17:36:17 -0400 (EDT)
From: Andy Reitz <reitz@eecs.cwru.edu>
To: Nick Stenning
Cc: freebsd-questions@freebsd.org
Subject: Re: NAT, VPN and other SOHO router advice

On Thu, 6 Apr 2006, Nick Stenning wrote:

[snip]

> First, NAT'ing. Currently the Vigor router (10.0.0.2) is the default
> router for the network, as specified by the FBSD box's DHCP server. If
> I disconnect the cable I want to disconnect, however, obviously the
> FBSD box will have to be the router. Now, I've recompiled my kernel
> with all the relevant options, and I've got an extensive firewall
> script (ipfw). I've also got the following in my rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
>
> natd_enable="YES"
> natd_interface="rl1"
> gateway_enable="YES"
>
> rl1, by the way, has a public IP block on it, and the vigor router has
> one of these, let's call it xx.yy.zz.201. On the FBSD box (in rc.conf)
> we have:
>
> defaultrouter="xx.yy.zz.201"
> ifconfig_rl0="inet 10.0.0.1 netmask 255.255.255.0"
> ifconfig_rl1="inet xx.yy.zz.202 netmask 255.255.255.248"
> ifconfig_rl1_alias0="xx.yy.zz.203/29"
> ...
>
> So, really, the question for this bit of the email is .. what else do
> I need to get my FBSD box acting as a router for the machines on the
> LAN? .. I assume I'd need an IPFW divert rule to set up all the
> NATing, but I'm unsure what that should be, and whether it would come
> before or after all the protective stuff in the firewall script etc
> etc.

Hi Nick,

It looks to me like you are on the right track. The only other option that I have in my rc.conf is:

natd_flags="-config /etc/natd.conf"

This forces natd to read my configuration file. I think in normal operations, natd will "pretty-much" do the right thing, but you might want to customize yours like I have mine. Here are some statements that I have in my natd.conf:

dynamic yes
use_sockets yes
same_ports yes
log no
log_denied yes
log_ipfw_denied yes

In terms of the divert rule, mine looks like this:

/sbin/ipfw add 50 divert natd all from any to any via fxp0

You'll want to replace 'fxp0' with your external interface, in this case, 'rl1'.

On FreeBSD 6, the /etc/rc.firewall script will automatically add the proper divert rule if you set the "firewall_type" to be either "open" or "client" in rc.conf.

Good luck,
-Andy Reitz.
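The two things the reply settles are which rc.conf knobs must be set for the FreeBSD box to forward and NAT, and that the divert rule has to carry a lower number than the protective rules (ipfw walks rules in ascending number order, so inbound packets are translated back to the private addresses before the deny rules inspect them). The script below is an added example for this archived thread, not something Andy or Nick posted; it assumes the rc.conf keys and the `ipfw add <number> <action>` syntax shown above and writes its own constructed sample files to check against.

```sh
#!/bin/sh
# Added example, not part of the original thread: sanity-check the rc.conf
# knobs and the ipfw divert-rule placement that the reply describes.
# Every file below is constructed sample data written to a temp directory.

# rc.conf keys the box needs to forward and NAT (the ones named in the thread).
REQUIRED_KEYS="gateway_enable natd_enable natd_interface firewall_enable firewall_script"

# Print each required key that is absent, commented out, or set to an empty
# value in FILE; return 0 only if every key carries a value.
missing_rc_keys() {
    _file=$1 _missing=0
    for _key in $REQUIRED_KEYS; do
        if ! grep -Eq "^[[:space:]]*${_key}=\"?[^\"[:space:]]" "$_file"; then
            echo "$_key"
            _missing=$((_missing + 1))
        fi
    done
    [ "$_missing" -eq 0 ]
}

# Lowest rule number in FILE on a line matching "add <num> <ACTION_RE>";
# prints nothing when no such rule exists. File order is irrelevant, since
# ipfw sorts by number, not by the order rules were added.
lowest_rule_number() {
    awk -v act="$2" '
        match($0, "add [0-9]+ " act) {
            split(substr($0, RSTART), f, " ")
            if (min == "" || f[2] + 0 < min + 0) min = f[2]
        }
        END { if (min != "") print min }' "$1"
}

# The divert natd rule for IFACE must be numbered below every deny rule so
# that de-NATed packets, not the raw translated ones, reach the protective rules.
divert_precedes_deny() {
    _rules=$1 _iface=$2
    _divert=$(lowest_rule_number "$_rules" "divert natd .*via $_iface( |\$)")
    _deny=$(lowest_rule_number "$_rules" "deny")
    if [ -z "$_divert" ]; then
        echo "no divert natd rule via $_iface"
        return 1
    fi
    if [ -n "$_deny" ] && [ "$_divert" -ge "$_deny" ]; then
        echo "divert rule $_divert is numbered after deny rule $_deny"
        return 1
    fi
    echo "divert rule $_divert precedes first deny rule ${_deny:-(none)}"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed rc.conf modelled on the thread, with gateway_enable commented out.
RC_INCOMPLETE=$WORK/rc.conf.incomplete
cat > "$RC_INCOMPLETE" <<'EOF'
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
natd_enable="YES"
natd_interface="rl1"
#gateway_enable="YES"
ifconfig_rl0="inet 10.0.0.1 netmask 255.255.255.0"
EOF

# Same file with forwarding switched on and natd pointed at its config file.
RC_COMPLETE=$WORK/rc.conf.complete
sed 's/^#gateway_enable/gateway_enable/' "$RC_INCOMPLETE" > "$RC_COMPLETE"
echo 'natd_flags="-config /etc/natd.conf"' >> "$RC_COMPLETE"

# Constructed ipfw scripts: divert at 50 (ahead of the deny rules) and at 500.
RULES_GOOD=$WORK/ipfw.rules.good
cat > "$RULES_GOOD" <<'EOF'
#!/bin/sh
cmd="/sbin/ipfw -q"
${cmd} add 50 divert natd all from any to any via rl1
${cmd} add 100 allow ip from any to any via lo0
${cmd} add 200 deny ip from 10.0.0.0/8 to any in via rl1
${cmd} add 300 deny log tcp from any to any 135-139 in via rl1
EOF
RULES_BAD=$WORK/ipfw.rules.bad
sed 's/add 50 divert/add 500 divert/' "$RULES_GOOD" > "$RULES_BAD"

echo "missing in $RC_INCOMPLETE:"; missing_rc_keys "$RC_INCOMPLETE"
echo "missing in $RC_COMPLETE:";   missing_rc_keys "$RC_COMPLETE" && echo "(none)"
divert_precedes_deny "$RULES_GOOD" rl1
divert_precedes_deny "$RULES_BAD" rl1
```

Run it as-is to see the two sample configurations checked; point `missing_rc_keys` and `divert_precedes_deny` at a real /etc/rc.conf and firewall script (with the external interface name as the second argument) to check a live box. The interface argument matters: a divert rule bound to the wrong interface passes a plain "is there a divert rule" grep but never translates anything.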