Date: Thu, 6 Apr 2006 17:36:17 -0400 (EDT)
From: Andy Reitz <reitz@eecs.cwru.edu>
To: Nick Stenning <nickstenning@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: NAT, VPN and other SOHO router advice
Message-ID: <Pine.SOL.4.53.0604061730490.28862@cerne.EECS.cwru.edu>
In-Reply-To: <c7eef7920604061128j2703048u1fbf229a93758c91@mail.gmail.com>
References: <c7eef7920604061128j2703048u1fbf229a93758c91@mail.gmail.com>
On Thu, 6 Apr 2006, Nick Stenning wrote:

[snip]

> First, NAT'ing. Currently the Vigor router (10.0.0.2) is the default
> router for the network, as specified by the FBSD box's DHCP server. If
> I disconnect the cable I want to disconnect, however, obviously the
> FBSD box will have to be the router. Now, I've recompiled my kernel
> with all the relevant options, and I've got an extensive firewall
> script (ipfw). I've also got the following in my rc.conf:
>
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
>
> natd_enable="YES"
> natd_interface="rl1"
> gateway_enable="YES"
>
> rl1, by the way, has a public IP block on it, and the vigor router has
> one of these, let's call it xx.yy.zz.201. On the FBSD box (in rc.conf)
> we have:
>
> defaultrouter="xx.yy.zz.201"
> ifconfig_rl0="inet 10.0.0.1 netmask 255.255.255.0"
> ifconfig_rl1="inet xx.yy.zz.202 netmask 255.255.255.248"
> ifconfig_rl1_alias0="xx.yy.zz.203/29"
> ...
>
> So, really, the question for this bit of the email is .. what else do
> I need to get my FBSD box acting as a router for the machines on the
> LAN? .. I assume I'd need an IPFW divert rule to set up all the
> NATing, but I'm unsure what that should be, and whether it would come
> before or after all the protective stuff in the firewall script etc
> etc.

Hi Nick,

It looks to me like you are on the right track. The only other option that I have in my rc.conf is:

    natd_flags="-config /etc/natd.conf"

This forces natd to read my configuration file. I think in normal operations, natd will "pretty-much" do the right thing, but you might want to customize yours like I have mine. Here are some statements that I have in my natd.conf:

    dynamic yes
    use_sockets yes
    same_ports yes
    log no
    log_denied yes
    log_ipfw_denied yes

In terms of the divert rule, mine looks like this:

    /sbin/ipfw add 50 divert natd all from any to any via fxp0

You'll want to replace 'fxp0' with your external interface, in this case, 'rl1'.

On FreeBSD 6, the /etc/rc.firewall script will automatically add the proper divert rule if you set the "firewall_type" to be either "open" or "client" in rc.conf.

Good luck,
-Andy Reitz.
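Nick's question about whether the divert rule goes before or after the protective rules matters most when the firewall script uses keep-state, so here is an added example (not Andy's or Nick's script) of a small stateful ipfw ruleset for this setup; it assumes rl0 as the LAN interface (10.0.0.0/24), rl1 as the external interface and natd listening on its default "natd" divert port. Andy's single divert rule at 50 translates both directions before anything else, which suits rulesets that filter on the translated addresses; with keep-state rules the inbound divert still goes first, but the outbound divert must run after the state has been recorded with the private address, which is what the skipto rules below arrange.

```shell
#!/bin/sh
# Added example (not from the thread): stateful ipfw ruleset for a FreeBSD box
# NATing its LAN (rl0, 10.0.0.0/24) behind its public interface (rl1) via natd.
# Default is a dry run that prints the rules; set FWCMD=/sbin/ipfw to load them.

oif="rl1"                    # external interface carrying the public /29
iif="rl0"                    # LAN interface
lan="10.0.0.0/24"
fwcmd="${FWCMD:-echo}"

rule() { "$fwcmd" add "$@"; }

build_ruleset() {
    rule 100 allow ip from any to any via lo0
    rule 110 deny ip from any to 127.0.0.0/8
    rule 120 deny ip from 127.0.0.0/8 to any
    rule 130 allow ip from any to any via "$iif"    # LAN side is trusted here

    # Inbound packets on rl1 go to natd first, so a reply is translated back to
    # its 10.0.0.x destination before check-state looks it up.
    rule 200 divert natd ip from any to any in via "$oif"
    rule 210 check-state

    # Outbound: record state while the source is still the private address,
    # then jump past the filter to the outbound divert. Diverting before
    # keep-state would record the public address and replies would never match.
    rule 300 skipto 800 tcp from "$lan" to any out via "$oif" setup keep-state
    rule 310 skipto 800 udp from "$lan" to any out via "$oif" keep-state
    rule 320 skipto 800 icmp from "$lan" to any out via "$oif" keep-state
    rule 330 skipto 800 ip from me to any out via "$oif" keep-state

    # Everything else crossing the external interface is logged and dropped:
    # RFC1918 sources, unsolicited inbound connections, stray outbound traffic.
    rule 400 deny log ip from 10.0.0.0/8 to any in via "$oif"
    rule 410 deny log ip from 172.16.0.0/12 to any in via "$oif"
    rule 420 deny log ip from 192.168.0.0/16 to any in via "$oif"
    rule 430 deny log ip from any to any via "$oif"

    # Landing point for the skipto rules above: translate, then pass.
    rule 800 divert natd ip from any to any out via "$oif"
    rule 810 allow ip from any to any
    rule 65000 deny log ip from any to any
}

build_ruleset
```

Because rc.firewall sources firewall_script with sh, the same file can serve as /etc/ipfw.rules once FWCMD is set to /sbin/ipfw; ipfw -f flush beforehand is left to the existing script.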