From owner-freebsd-questions Fri Nov 20 09:59:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA28890 for freebsd-questions-outgoing; Fri, 20 Nov 1998 09:59:56 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from java.dpcsys.com (java.dpcsys.com [206.16.184.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA28881 for ; Fri, 20 Nov 1998 09:59:54 -0800 (PST) (envelope-from dan@dpcsys.com)
Received: from localhost (dan@localhost) by java.dpcsys.com (8.9.1a/8.9.1) with SMTP id JAA08788; Fri, 20 Nov 1998 09:59:34 -0800 (PST)
Date: Fri, 20 Nov 1998 09:59:33 -0800 (PST)
From: Dan Busarow
To: Forrest Aldrich
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: [resend] Ip_masquerading, NATD & Internet (more questions)
In-Reply-To: <4.1.19981120102246.00a6de30@206.25.93.69>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 20 Nov 1998, Forrest Aldrich wrote:

> STAGE 1
> ======================================
> I have 2 NICs on my FreeBSD system: xl0 and xl1. xl0 is the outbound
> interface (connected to the cable modem), xl1 is the private network
> (hooked to a hub)
>
> I imported in some firewall rules and added, at the beginning of them:
>
> $fwcmd add divert natd all from any to any via xl0
>
> This was tried with the firewall rules and as an OPEN system (yes, I have
> DIVERT and all the rest of the definitions in /usr/src/sys/i386/conf).
>
> From what I was able to glean from the manpage (3.0-RELEASE), I used:
>
> /usr/sbin/natd -dynamic -interface xl0
>
> Which I'm not clear is correct. I did toy around with the firewall rules
> and natd, eventually I was able to get out to the internet, but not
> through the hub I had connected to xl1. I think that failed because I
> didn't hook in a straight-through cable from xl1 to the uplink port on
> the hub.

Your natd command line is correct.
If you don't have a "crossover" cable, plug xl1 into a normal port.

> It's not clear about whether you need to add specific IPFW rules for the
> internal interface (in this case 10.0.0.3).

OPEN is open.  You do have to enable IP forwarding in /etc/rc.conf

gateway_enable="YES"

> STAGE 1.5 :-)
> =======================================
>
> I have been able to get the dhclient to work properly when booting to
> obtain the IP address. But don't screw with it afterwards, as you'll
> hose everything.
>
> Aside from not being able to get a carrier on xl1 (again, I think due to
> the cable type, I'll try it again), I wasn't able to get isc-dhcpd2 to
> work. It complained that I had no subnet declaration for my ISP's
> address (the host) -- even though I've told it only to run on xl1. This
> part is particularly important, as the Windoze hosts I have hooked in
> the hub are used on other nets and need dhcpd.

What command are you using to start dhcpd?

dhcpd xl1

should work fine.  Your dhcpd.conf can be real simple, just a

subnet 192.168.1.0 255.255.255.0 {
    range 192.168.1.10 192.168.1.20;
}

for example.

> STAGE 2
> =======================================
>
> While using the dhclient for your IP address does work, using this with
> a firewall presents a few gotchas. As I recall: You need to somehow
> obtain the network, netmask, host IP, etc. for use in /etc/rc.firewall.
> I would imagine you could obtain variables from /etc/dhclient-script
> and save them to a file on bootup.

You can also specify the interface instead of IP address in rc.firewall.

Dan
-- 
Dan Busarow                                                 949 443 4172
Dana Point Communications, Inc.                          dan@dpcsys.com
Dana Point, California         83 09 EF 59 E0 11 89 B4 8D 09 DB FD E1 DD 0C 82

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
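The pieces discussed in the thread (divert rule first, natd bound to the outside interface, gateway_enable, a dhcpd.conf for the inside network, and rc.firewall rules that name interfaces instead of the DHCP-assigned address) fit together as below. This is an added example written for this page, not code from the original message or from FreeBSD's rc.firewall; the interface names xl0/xl1, the 192.168.1.0/24 inside network, the rule numbers and the gateway address 192.168.1.1 are assumptions. By default the script only prints the ipfw commands (FWCMD is `echo ipfw`), so it can be reviewed on any machine; set FWCMD=/sbin/ipfw on the gateway to load them.

```shell
#!/bin/sh
# Added example for the natd/ipfw/dhcpd setup discussed in the thread.
# Not from the original message. Assumptions: outside interface xl0 with a
# dhclient-assigned address, inside interface xl1 on 192.168.1.0/24 with the
# gateway at 192.168.1.1, rule numbers chosen here for readability.

oif="${OIF:-xl0}"               # outside interface (cable modem, dynamic address)
iif="${IIF:-xl1}"               # inside interface (hub)
inet="${INET:-192.168.1.0/24}"  # private network behind $iif
fwcmd="${FWCMD:-echo ipfw}"     # print by default; FWCMD=/sbin/ipfw to load

# Interface-based rule set. Because every rule matches on 'via <ifname>'
# rather than on an address, rc.firewall never needs to know what dhclient
# was handed, which is the point made at the end of the message.
nat_rules() {
    $fwcmd -f flush
    # 1. divert first: natd rewrites every packet crossing the outside
    #    interface and ipfw continues at the next rule with the rewritten packet
    $fwcmd add 100 divert natd all from any to any via "$oif"
    $fwcmd add 200 pass all from any to any via lo0
    # 2. anti-spoofing: RFC 1918 sources must never arrive from the cable side
    #    (adjust if the ISP itself hands out a private address)
    $fwcmd add 300 deny all from 10.0.0.0/8 to any in via "$oif"
    $fwcmd add 301 deny all from 172.16.0.0/12 to any in via "$oif"
    $fwcmd add 302 deny all from 192.168.0.0/16 to any in via "$oif"
    # 3. dhclient lease renewals on the outside interface (UDP 67/68)
    $fwcmd add 400 pass udp from any 67 to any 68 in via "$oif"
    $fwcmd add 401 pass udp from any 68 to any 67 out via "$oif"
    # 4. inside network: accept only its own addresses inbound, anything outbound
    $fwcmd add 500 pass all from "$inet" to any in via "$iif"
    $fwcmd add 501 deny log all from any to any in via "$iif"
    $fwcmd add 502 pass all from any to any out via "$iif"
    # 5. everything the gateway or the LAN sends out to the Internet is allowed
    $fwcmd add 600 pass all from any to any out via "$oif"
    # 6. replies from the Internet: TCP with ACK set, and UDP/ICMP whose
    #    destination natd has already rewritten to an inside address. An
    #    unsolicited packet has no natd mapping, still carries the gateway's
    #    own address after the divert, and therefore falls through to 65000.
    $fwcmd add 700 pass tcp from any to any established
    $fwcmd add 701 pass udp from any to "$inet" in via "$oif"
    $fwcmd add 702 pass icmp from any to "$inet" in via "$oif"
    $fwcmd add 65000 deny log all from any to any
}

# Minimal dhcpd.conf for the inside network. ISC dhcpd requires the keyword
# 'netmask' between the network and the mask. Start the server bound to the
# inside interface only, e.g. 'dhcpd xl1', so it never sees the ISP's subnet.
dhcpd_conf() {
    cat <<EOF
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.20;
    option routers 192.168.1.1;
}
EOF
}

# /etc/rc.conf settings assumed by the above (printed for reference).
rc_conf() {
    printf '%s\n' 'gateway_enable="YES"' 'firewall_enable="YES"' \
        'natd_enable="YES"' "natd_interface=\"$oif\"" 'natd_flags="-dynamic"'
}

nat_rules
echo
dhcpd_conf
echo
rc_conf
```

The rule set is stateless, as ipfw was in 3.0-RELEASE, so "replies" are recognised only by the ACK flag (TCP) or by the fact that natd has already rewritten the destination to an inside address (UDP/ICMP); anything the outside sends that natd cannot map keeps the gateway's own address and is dropped and logged by the last rule.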