From owner-freebsd-questions Sat Sep 1 11:30:33 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from pioneernet.net (mail.pioneernet.net [207.115.64.224]) by hub.freebsd.org (Postfix) with ESMTP id 9E53B37B406 for ; Sat, 1 Sep 2001 11:30:26 -0700 (PDT)
Received: from chip.wiegand.org [66.114.152.128] by pioneernet.net (SMTPD32-6.06) id A9CD8A340034; Sat, 01 Sep 2001 11:32:45 -0700
Content-Type: text/plain; charset="iso-8859-1"
From: Chip
To: Kenneth W Cochran , "Kulraj Gurm (bosa.ca Account)"
Subject: Re: NAT with >1 gateway interface
Date: Sat, 1 Sep 2001 11:31:01 -0700
X-Mailer: KMail [version 1.2]
Cc: freebsd-questions@freebsd.org
References: <200109011358.JAA09511@world.std.com> <200109011512.LAA29975@world.std.com>
In-Reply-To: <200109011512.LAA29975@world.std.com>
MIME-Version: 1.0
Message-Id: <01090111310103.44697@chip.wiegand.org>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Saturday 01 September 2001 08:12, Kenneth W Cochran wrote:
> Thanks, but with the exception of the following:
> natd_flags="-l -s -m -u"
>
> everything is as documented in Section 18.10 of the Handbook.
>
> You make no mention of >1 interface on the gateway system. Is
> the config you describe working with a firewall/NAT system that
> uses Ethernet & dialup-kernel-ppp in a similar manner?
>
> From the natd manpage:
> -l = logging
> -s = use sockets
> -m = same ports
> -u = unregistered only
>
> How do any of these options affect or help a scenario as
> outlined with Machine A?
>
> -kc

He was showing only the part of rc.conf you need to add.
You should already have the NICs specified in rc.conf, something like this -

network_interfaces="xl0 xl1 lo0"
linux_enable="YES"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="simple"
gateway_enable="YES"
natd_enable="YES"
natd_flags="-f /etc/natd.conf"
ifconfig_xl1="inet xx.xxx.xxx.xxx netmask 255.255.248.0"
ifconfig_xl0="inet 192.168.1.10 netmask 255.255.255.0"
defaultrouter="xx.xxx.xxx.x"
sendmail_enable="NO"
hostname="firewall.wiegand.org"

In my case I created a file called natd.conf and used rc.firewall with some modifications.

-- 
Chip Wiegand

> From kulraj@bosa.ca Sat Sep 1 10:33:38 2001
> >
> >Message-ID: <001001c132f2$097324e0$0ac8a8c0@kimsamy.com>
> >From: "Kulraj Gurm (bosa.ca Account)"
> >To: "Kenneth W Cochran" ,
> >Subject: Re: NAT with >1 gateway interface
> >Date: Sat, 1 Sep 2001 07:26:05 -0700
> >
> >> How do I "properly" set up NAT on a system that "transmits"
> >> and "receives" on different interfaces?
> >
> >This is what I do :
> >
> >Entries in kernel config file :
> >
> >#IP Packet Filtering FireWall/NAT
> >options IPFIREWALL # IP Firewall support
> >options IPFIREWALL_FORWARD # enable transparent proxy
> >options IPFIREWALL_VERBOSE_LIMIT=1000 # limit verbosity
> >options IPDIVERT
> ># Network Address Translation
> >#options DUMMYNET
> >#options BRIDGE
> >
> >Entries in rc.conf :
> >
> >#Firewall
> >firewall_enable="YES" # Set to YES to enable firewall functionality
> >firewall_type="open" # Firewall type (see /etc/rc.firewall)
> >firewall_quiet="NO" # Set to YES to suppress rule display
> >natd_enable="YES" # Enable natd (if firewall_enable == YES).
> >natd_interface="fxp0" # Public interface to use with natd.
> >natd_flags="-l -s -m -u" # Additional flags for
> >
> >That should be all you need.
> >
> >Regards,
> >
> >Kulraj
> >
> >----- Original Message -----
> >From: "Kenneth W Cochran"
> >To: ;
> >Sent: Saturday, September 01, 2001 6:58 AM
> >Subject: NAT with >1 gateway interface
> >
> >> Hello:
> >>
> >> How do I "properly" set up NAT on a system that "transmits"
> >> and "receives" on different interfaces?
> >>
> >> Briefly - Machine A receives on fxp0 & transmits on ppp0.
> >> I'd like to use a 2nd Ethernet on Machine A (fxp1) for the
> >> "NAT"ed/masqueraded network.
> >>
> >> Scenario:
> >>
> >> Machine A:
> >> - Running RELENG_4 as of 2001/08/28, scheduled to update again
> >>   2001/09/01 (thus one reason I'm asking on -stable :).
> >> - Connected to a "hybrid" aka "1-way" cable-modem,
> >> - "Receives" via cablemodem/Ethernet (fxp0, config'ed as 10.0.0.11/24)
> >> - "Transmits/outgoing" is via analog dial-modem & ppp(d).
> >> - "Real" ip-address is established by (kernel) pppd (ppp0),
> >>   and is "officially" dynamic, even though it always (at least
> >>   right now) gets the same ip-address.
> >> - Runs cache-only nameserver.
> >> - Has been running in this manner for about 1.5 years.
> >> - (recently) Has 2nd NIC (fxp1), connected to hub for private network.
> >>
> >> Machine B:
> >> - Has private ip-address on "its" fxp0.
> >> - Connected via hub to 2nd NIC (fxp1) on Machine A.
> >>
> >> I've followed the instructions from the Handbook, Section
> >> 18.10, Network Address Translation.
> >>
> >> Machines A & B can talk to each other; I can ping & ssh from/to
> >> either one. Machine A communicates "outside" (with the
> >> Internet) as usual, but Machine B cannot.
> >>
> >> I'm thinking something needs to be tweaked in the ipfw and/or
> >> natd-config(s). Suggestions? Also, where would be the best place(s)
> >> to put these "customizations" (for example, so as to not be any
> >> more "disruptive" than necessary to the base-OS configs)?
> >>
> >> Of course, FAQ/-doc/readme pointers are quite welcome. :)
> >> Please cc replies to me.
> >>
> >> Many thanks,
> >>
> >> -kc
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Chip W.
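What the thread leaves open is how the Handbook setup changes when the gateway sends on ppp0 but receives on fxp0. The script below is an added example, not part of this thread and not taken from the FreeBSD rc scripts: it writes out the natd.conf that Chip refers to and an rc.firewall-style rule set for Kenneth's layout. The interface roles follow his description (fxp0 receive-only cable side, ppp0 dial-up side carrying the real address, fxp1 private LAN); the 192.168.1.0/24 LAN address, the rule numbers and the treatment of the asymmetric return path are assumptions. With fwcmd unset it only prints the rules, so it can be dry-run on any machine; on the gateway itself fwcmd would be /sbin/ipfw.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's rc.firewall):
# natd.conf plus ipfw rules for a gateway that transmits on ppp0 and
# receives on fxp0, with the private LAN on fxp1.  Interface names and
# the 192.168.1.0/24 LAN are assumptions.  fwcmd defaults to "echo" for
# a dry run; set fwcmd=/sbin/ipfw when this is used in rc.firewall.
fwcmd="${fwcmd:-echo}"

# natd.conf, read with natd_flags="-f /etc/natd.conf".  The first four
# keywords are the long forms of the "-l -s -m -u" flags from the thread;
# natd's parser takes one keyword per line, so comments go on their own line.
natd_conf() {
    out_if="$1"
    cat <<EOF
# log connections; real sockets for ftp-data etc.; keep source ports
log
use_sockets
same_ports
# only rewrite RFC1918 source addresses, i.e. the hosts behind fxp1
unregistered_only
# take the alias address from the dial-up link and re-read it when it changes
interface ${out_if}
dynamic
EOF
}

# ipfw rules.  Arguments: receive interface, transmit interface, LAN
# interface, LAN network in CIDR form.
nat_rules() {
    in_if="$1"; out_if="$2"; lan_if="$3"; lan_net="$4"

    ${fwcmd} -f flush
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny all from 127.0.0.0/8 to any

    # Anti-spoofing: the private net must never arrive from the Internet side.
    ${fwcmd} add 400 deny log ip from ${lan_net} to any in via ${in_if}
    ${fwcmd} add 410 deny log ip from ${lan_net} to any in via ${out_if}

    # NAT.  Outgoing traffic leaves on the dial-up link, so it is diverted
    # there; the replies come back over the cable modem, so they are
    # diverted on that interface too.  natd recognises a reply by its
    # destination (the alias address), not by the interface it arrived on.
    ${fwcmd} add 500 divert natd ip from any to any via ${out_if}
    ${fwcmd} add 510 divert natd ip from any to any in via ${in_if}

    # Everything below sees translated addresses, so check-state must
    # come after the divert rules.
    ${fwcmd} add 600 check-state

    # LAN side: state is created here, before translation, so the
    # un-translated reply matches it on the way back.
    ${fwcmd} add 700 pass all from ${lan_net} to any in via ${lan_if} keep-state
    ${fwcmd} add 710 pass all from any to ${lan_net} out via ${lan_if}

    # No connection setups from either Internet-facing interface, logged.
    ${fwcmd} add 800 deny log tcp from any to any in via ${in_if} setup
    ${fwcmd} add 810 deny log tcp from any to any in via ${out_if} setup

    # Outbound connections (LAN after translation, and the gateway itself),
    # DNS for the gateway's caching nameserver, and ICMP replies/errors.
    ${fwcmd} add 900 pass tcp from any to any setup keep-state
    ${fwcmd} add 910 pass udp from any to any 53 keep-state
    ${fwcmd} add 920 pass icmp from any to any icmptypes 0,3,11
    ${fwcmd} add 930 pass icmp from any to any out via ${out_if}

    ${fwcmd} add 65000 deny log ip from any to any
}

# Stand-alone dry run: what would go into /etc/natd.conf, then the rules.
natd_conf ppp0
nat_rules fxp0 ppp0 fxp1 192.168.1.0/24
```

Compared with the Handbook's single-interface setup, the differences are that natd takes its alias address from ppp0 (`interface` plus `dynamic`, since the dial-up address is nominally dynamic), that the divert rule for outgoing traffic sits on ppp0 rather than on the interface the cable modem feeds, and that a second divert rule on fxp0 catches the replies. The `firewall_type="open"` from Kulraj's rc.conf passes everything once translated; the set above instead logs and drops inbound connection setups on both Internet-facing interfaces and lets only stateful replies through.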