Date:      Sun, 23 Nov 2008 14:14:44 +0700
From:      "Pongthep Kulkrisada" <ptkrisada@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: Problem about ppp -nat
Message-ID:  <d22725a0811222314o6840668br6a8eaee9864ddc85@mail.gmail.com>
In-Reply-To: <20081121145726.0c1208bc.freebsd@edvax.de>
References:  <20081121060619.GA1057@gmail.com> <20081121145726.0c1208bc.freebsd@edvax.de>

Hi All,

Firstly, I'm sorry for the late reply. For simplicity, I shall go through your
responses question by question...

* Manolis Kiagias (sonic2000gr@gmail.com) wrote:
>
> There are at least two ways that I know of to achieve this. One uses the
> ipfw firewall, the other the pf firewall.
> For the ipfw solution, look at the FreeBSD Handbook:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
1. I heard that ppp itself has the capability of NAT. It can work with the
command ppp -nat and without running natd. Please tell me whether this is
right or wrong. ipfw is the same. If natd is not used, I can't add the rule
...

add divert natd ip from any to any via tun0

to /etc/ipfw.rules. I'm confused.

2. And if natd is still required, what is the -nat argument (ppp -nat) for?

> This worked fine for me, although I prefer to use pf. Here is how I
> setup pf (Adjust for your interfaces as necessary)
>
> My Internet interface is rl0, setup in rc.conf as:
>
> ifconfig_rl0="inet 192.168.0.100 netmask 255.255.255.0"
>
> My local interface is rl1, setup in rc.conf as:
>
> ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"
3. I haven't mentioned that I can't use this configuration. I have 2
interfaces, i.e. public and private LAN. But I have only one NIC card, for the
private LAN. I don't have a NIC card for the public side. I'm using a 56k modem to
connect to the outside world. I think I can't add

ifconfig_tun0="inet 192.168.0.100 netmask 0xffffff00"

to /etc/rc.conf. If I'm wrong, please tell me.
I did much googling. All sites always refer to 2 NIC cards being used, like your
example. I have only one NIC card + a 56k serial modem (/dev/cuad0).

> (I also have a defaultrouter setting which probably does not apply to you)
>
> I have nameserver entries in /etc/resolv.conf (or setup your own DNS
> server if you wish)
4. I also have nameserver entries. I tried setting the DNS server on my WinXP
host to both the gateway (FBSD host) and the DNS servers of my ISP. Neither works.

> Use this settings in rc.conf for pf:
>
> pf_enable="YES"
> pflog_logfile="/var/log/pflog"
> pflog_flags=""
> pf_rules="/etc/pf.conf"
> pf_flags=""
> gateway_enable="YES"
5. I think I have the equivalent setting for ipfw in /etc/rc.conf, but it doesn't work.
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_quite="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"

> Run:
> # sysctl net.inet.ip.forwarding=1
> # /etc/rc.d/routing restart
>
> Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists reboots
6. I recompiled my kernel with:
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=120
options IPDIVERT
I think it should be equivalent to the sysctl setting.

> Add the following rule to /etc/pf.conf
>
> nat pass on rl0 from rl1:network to any -> rl0
>
> AFAIR, if rl0 has a dynamic address, you will have to write it with
> parentheses, like:
>
> nat pass on rl0 from rl1:network to any -> (rl0)
> (Note that in /etc/pf.conf translation rules like the above, are placed
> above filtering rules like pass or block etc)
> You may have to adjust /etc/pf.conf filtering rules, assuming you have
> any.
>
> Restart some services
>
> # /etc/rc.d/netif restart
> # /etc/rc.d/routing restart
> # /etc/rc.d/pf restart
>
> or simply reboot, and you should be set.
7. I don't know about PF.

* Fbsd1 (fbsd1@a1poweruser.com) wrote:
> You need to run dhcp so you can assign ip address on the LAN so the down
> stream xp box can gain access to the public internet through your
> gateway freebsd box.  There is a detailed step by step instructions in
> the install guide at www.a1poweruser.com
8. I read the doc from the mentioned site. The doc does not mention anything
about sharing a ppp dial-up with the other host. And I'm sorry, dhcp is not the
point of my concern now. I only want to share internet access, whether the IP is
static or dynamic. BTW the doc is very good anyway. I shall keep it. :-)

* Polytropon (freebsd@edvax.de) wrote:
> First of all, I made my kernel capable; significant parts:
> # Firewall, NAT
> ...blah
9. I compiled the kernel following your advice, except for NETGRAPH. I think
PPPoE is not the point of concern.

> Configuration in /etc/rc.conf goes this way:
>    ifconfig_xl0="inet 192.168.0.1 netmask 0xffffff00"
>    ifconfig_rl0="inet 192.168.1.1 netmask 0xffffff00 media 10baseT/UTP"
10. As said earlier, my interface connecting to the outside is a 56k serial modem
(/dev/cuad0). I think I can't set /dev/cuad0 (or even tun0) in this way.

11. CONCLUSION: I did read a lot of documentation. The more I read, the more confused I get.
I tried many possible things but it still doesn't work. My RECENT configurations
are as follows.

/etc/rc.conf
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_quite="YES"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-s -u -m"

kernel options
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=120
options IPDIVERT

/etc/ipfw.rules
add divert natd ip from any to any via tun0

ppp command
ppp -background -nat myisp

With these settings, my FBSD host can NOT even dial out to the ISP. :-(
Please, anybody, tell me what I am doing wrong here.
At this time I must go back to the original setting in order to dial the ISP.
And lastly, I'm sorry for the long questions.

Thank you.
Pongthep
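The rc.conf fragment, /etc/ipfw.rules and ppp command line posted above contain three patterns that are worth checking before anything else, and all three can be caught mechanically. The script below is an added example written for this archive page, not code from the thread or from FreeBSD. It parses an rc.conf fragment and flags firewall_*/natd_*/gateway_*/ppp_* variables that rc.conf(5) does not document (firewall_quite is one; the documented knob is firewall_quiet, and an unknown name is silently ignored by the rc scripts); it flags rule lines in a firewall_script that are not ipfw(8) commands (rc.d/ipfw executes that file with /bin/sh, so a bare "add divert ..." line is a shell error rather than a rule); and it flags natd_enable="YES" combined with ppp's built-in translator (-nat, formerly -alias), which puts two NAT engines on tun0. The sample inputs are constructed from the settings quoted in the message; the knob list is a subset taken from rc.conf(5), and the function names are this example's own.

```python
"""Lint a FreeBSD rc.conf / firewall_script / ppp command line for NAT set-up slips.

Added example for this archive page; not code from the thread or from FreeBSD.
"""
import re

# Subset of knobs documented in rc.conf(5) that matter for ipfw/natd/ppp NAT.
# Assumption: a variable in one of CHECKED_PREFIXES that is not listed here is
# treated as unrecognized (the rc scripts never read it).
KNOWN_KNOBS = {
    "gateway_enable",
    "firewall_enable", "firewall_type", "firewall_quiet", "firewall_script",
    "firewall_logging", "firewall_flags",
    "natd_enable", "natd_interface", "natd_flags",
    "ppp_enable", "ppp_mode", "ppp_nat", "ppp_profile",
}
CHECKED_PREFIXES = ("firewall_", "natd_", "gateway_", "ppp_")

# name="value", name='value' or name=value (comments stripped beforehand)
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|\'([^\']*)\'|(\S*))')
# ipfw rule verbs appearing as the first word of a line (optionally after -q)
_RULE_VERB = re.compile(r'^\s*(?:-q\s+)?(add|delete|flush|-f\s+flush)\b')


def parse_rc_conf(text):
    """Return {variable: value} for every assignment in an rc.conf fragment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = _ASSIGN.match(line)
        if m:
            value = next(g for g in m.groups()[1:] if g is not None)
            conf[m.group(1)] = value
    return conf


def check_rc_conf(conf):
    """Flag knobs in the checked namespaces that rc.conf(5) does not document."""
    findings = []
    for key in sorted(conf):
        if key.startswith(CHECKED_PREFIXES) and key not in KNOWN_KNOBS:
            findings.append(f"rc.conf: unrecognized knob {key!r} is silently ignored "
                            f"(check rc.conf(5) for the intended spelling)")
    return findings


def check_ipfw_script(text):
    """Flag lines that look like ipfw rules but are not ipfw commands.

    rc.d/ipfw runs firewall_script with /bin/sh, so each rule line must start
    with the ipfw binary (or a variable expanding to it), not with 'add'.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line and _RULE_VERB.match(line):
            findings.append(f"firewall_script line {lineno}: {line!r} is not a shell "
                            f"command; prefix the rule with 'ipfw'")
    return findings


def check_nat_overlap(conf, ppp_args):
    """Flag natd and ppp's built-in NAT being enabled for the same link."""
    natd_on = conf.get("natd_enable", "").upper() == "YES"
    ppp_nat = ("-nat" in ppp_args or "-alias" in ppp_args
               or conf.get("ppp_nat", "").upper() == "YES")
    if natd_on and ppp_nat:
        return ["both natd (natd_enable) and ppp's -nat translator are configured: "
                "use one NAT engine for tun0, not two"]
    return []


def lint(rc_text, ipfw_text, ppp_cmd):
    """Run all checks and return the combined list of findings."""
    conf = parse_rc_conf(rc_text)
    return (check_rc_conf(conf)
            + check_ipfw_script(ipfw_text)
            + check_nat_overlap(conf, ppp_cmd.split()))


# Constructed sample inputs, taken from the settings quoted in the message.
SAMPLE_RC_CONF = """\
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_quite="YES"   # misspelled knob as posted
natd_enable="YES"
natd_interface="tun0"
natd_flags="-s -u -m"
"""
SAMPLE_IPFW_RULES = "add divert natd ip from any to any via tun0\n"
SAMPLE_PPP_CMD = "ppp -background -nat myisp"

if __name__ == "__main__":
    for finding in lint(SAMPLE_RC_CONF, SAMPLE_IPFW_RULES, SAMPLE_PPP_CMD):
        print("-", finding)
```

Run as a script it prints one line per finding; for the posted configuration that is three lines (the misspelled knob, the bare rule line, and the natd plus ppp -nat overlap), and a fragment that uses firewall_quiet, prefixes the rule with ipfw and picks a single translator produces none.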


