From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Sean Peck
Resent-To: David Raistrick, Chris Hill, freebsd-questions@FreeBSD.ORG
Date: Wed, 13 Dec 2000 10:02:43 -0800
Subject: Re: Configuring Gateway/NAT on Freebsd
Message-ID: <20001213100243.A32372@rfx-64-6-211-1.users.reflexcom.>
References: <20001212231103.H96105@149.211.6.64.reflexcom.com>
In-Reply-To: from speck@newsindex.com on Wed, Dec 13, 2000 at 04:00:17AM -0800

On Wed, Dec 13, 2000 at 04:00:17AM -0800, Sean Peck wrote:
> > OK, one more time. What _exactly_ are your configs? What _exactly_ is
> > and is not working? Saying "you have a machine running natd" and
> > giving us the IP is not enough. You ask what natd(8) "flags" to
> > use. Well, let's get the ones you are using now. All you really should
> > need are the entries to start it and provide the interface or
> > address.
>
> here are settings in rc.conf:

OK, now we are getting somewhere,

> natd_enabled="YES"
> natd_interface="172.16.0.1" (I have tried this with public ip and with
> private ip)

This is wrong. It needs to be your public address.

> natd_program="/sbin/natd"
> natd_flags="-a xxx.xxx.xxx.xxx" (public space address)

This is not needed and actually confuses things. The 'natd_interface'
value is used to provide the '-a' or '-n' argument to natd(8). Neither
should ever appear in the 'natd_flags' value.

> gateway_enabled="YES"

You are missing,

  firewall_enable="YES"
  firewall_type=""

> in rc.local I have the alias command to force nic in this box to also
> listen at 172.16.0.1 as follows
>
> ifconfig xl0 alias 172.16.0.1 netmask 0xffffff00

So you are saying you have,

  ifconfig_xl0_alias0="172.16.0.1 netmask 0xffffff00"

In rc.conf to do this, right?

> Network looks like this
>
> ISP
>
> 1 Machine, in my network listening as both a public IP and to 172.16.0.1
> This is the machine that natd is running on, and I wish to be the gateway
> to my network.
>
> other machines behind this all in 172.16.0.x space, with their default
> router set to 172.16.0.1 and netmask of 255.255.255.0
>
> ifconfig -a :
>
> xl0: flags=8843 mtu 1500
>         inet xx.xx.xx.xxx netmask 0xffffff00 broadcast 64.2.61.255
>         inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
>         ether 00:01:02:34:0b:61
>         media: 10baseT/UTP
>         supported media: 10baseT/UTP 10baseT/UTP 10baseT/UTP

It has already been pointed out in the thread that using a single
interface with natd(8) is not a really good idea. Some people have
reported problems, others have had none. You have not got far enough
yet to determine if you are OK or not. I see ISA 10BaseT NICs at the
store for less than $10. You can get a PCI one for less than $20. Since
(1) you can't really firewall with one NIC, (2) you might leak traffic
onto your public LAN, and (3) natd(8) may not work right, I would make
the investment.

[snip]

> ipfw sh
> ipfw: getsockopt(IP_FW_GET): Protocol not available
> (OBVIOUSLY THIS ISN'T RIGHT... )

It looks like you have not rebuilt the kernel with firewalling and
divert(4) enabled. I guess you skipped over point (1) in the 'RUNNING
NATD' section of the natd(8) manpage. Go back and do it or this just
won't get anywhere.

> grep natd is not showing the process running either...very weird.

Nope, still lots of problems. But you see how much easier this is when
you provide the real technical details?
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
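The reply above boils down to a handful of rc.conf mistakes: a private address in natd_interface, a redundant -a in natd_flags, and no firewall_enable/firewall_type. As an added example that is not part of the thread and not FreeBSD's own rc scripts, the POSIX sh script below lints an rc.conf-style file for exactly those points. It also flags the *_enabled spellings used in the quoted settings, because rc.conf(5) reads natd_enable and gateway_enable and silently ignores unknown keys, which on its own would explain natd not starting. The helper names (rc_value, is_private_ip, check_natd_rcconf, natd_problem_count) are mine, the sample files are constructed, and 203.0.113.10 is a documentation-range placeholder for the poster's public address; nothing here touches the running host.

```shell
#!/bin/sh
# Added example (not from the thread): lint the natd-related rc.conf keys.
# Reports the mistakes the reply points out plus misspelled *_enabled keys.
# Sample files below are constructed; 203.0.113.10 is a placeholder address.

# Print one key's value from an rc.conf-style file (last assignment wins,
# quotes stripped, trailing comment dropped). Prints nothing if absent.
# Values that themselves contain '=' are truncated at the first '='.
rc_value() {
    awk -F= -v key="$2" '
        { gsub(/^[[:space:]]+/, "", $1) }
        $1 == key { v = $2; sub(/[[:space:]]*#.*$/, "", v); gsub(/"/, "", v); val = v }
        END { print val }
    ' "$1"
}

# RFC 1918 test, used to spot a private address where the public side belongs.
is_private_ip() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Lint one file: one "PROBLEM:" line per finding, exit status = number found.
check_natd_rcconf() {
    f="$1"; n=0
    for k in natd gateway firewall; do
        if [ -n "$(rc_value "$f" "${k}_enabled")" ] && [ -z "$(rc_value "$f" "${k}_enable")" ]; then
            echo "PROBLEM: ${k}_enabled is not an rc.conf key; rc(8) reads ${k}_enable, so the setting is ignored"
            n=$((n + 1))
        fi
    done
    iface=$(rc_value "$f" natd_interface)
    if [ -z "$iface" ]; then
        echo "PROBLEM: natd_interface is unset; give the public interface (e.g. xl0) or its public address"
        n=$((n + 1))
    elif is_private_ip "$iface"; then
        echo "PROBLEM: natd_interface=$iface is an RFC 1918 address; natd must alias on the public side"
        n=$((n + 1))
    fi
    case " $(rc_value "$f" natd_flags) " in
        *" -a "*|*" -n "*)
            echo "PROBLEM: natd_flags carries -a/-n; the rc scripts derive that from natd_interface, drop it"
            n=$((n + 1)) ;;
    esac
    if [ "$(rc_value "$f" firewall_enable)" != "YES" ]; then
        echo "PROBLEM: firewall_enable is not YES; natd needs ipfw with a divert rule, so the firewall must be on"
        n=$((n + 1))
    fi
    if [ -z "$(rc_value "$f" firewall_type)" ]; then
        echo "PROBLEM: firewall_type is unset; choose a ruleset type (or a rules file) so rc.firewall loads rules"
        n=$((n + 1))
    fi
    echo "$n problem(s) in $f"
    return "$n"
}

# Just the count, for scripting.
natd_problem_count() {
    check_natd_rcconf "$1" | grep -c '^PROBLEM:' || true
}

# Constructed samples: the poster's settings as quoted, and a corrected set.
BAD_RCCONF=$(mktemp)
cat > "$BAD_RCCONF" <<'EOF'
natd_enabled="YES"
natd_interface="172.16.0.1"
natd_program="/sbin/natd"
natd_flags="-a 203.0.113.10"
gateway_enabled="YES"
ifconfig_xl0="inet 203.0.113.10 netmask 0xffffff00"
EOF

GOOD_RCCONF=$(mktemp)
cat > "$GOOD_RCCONF" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"          # permissive start; tighten to a rules file once NAT works
natd_enable="YES"
natd_interface="xl0"          # public interface; rc passes it to natd as -n
natd_flags=""
ifconfig_xl0="inet 203.0.113.10 netmask 0xffffff00"
ifconfig_xl0_alias0="172.16.0.1 netmask 0xffffff00"
EOF

check_natd_rcconf "$BAD_RCCONF" || true
check_natd_rcconf "$GOOD_RCCONF" || true
```

Run it as-is to see six findings for the quoted settings and none for the corrected set; point check_natd_rcconf at /etc/rc.conf to lint a real file. The corrected sample uses firewall_type="open" only so that traffic flows while NAT is being brought up; once it works, switch to a restrictive rules file, and remember (as the reply notes) that the ipfw "Protocol not available" error means the kernel itself still lacks IPFIREWALL and IPDIVERT, which no rc.conf setting can fix.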