From: "Pongthep Kulkrisada" <ptkrisada@gmail.com>
To: freebsd-questions@freebsd.org
Date: Sun, 23 Nov 2008 14:14:44 +0700
In-Reply-To: <20081121145726.0c1208bc.freebsd@edvax.de>
References: <20081121060619.GA1057@gmail.com> <20081121145726.0c1208bc.freebsd@edvax.de>
Subject: Re: Problem about ppp -nat

Hi All,

Firstly, I'm sorry for the late reply. For simplicity in responding, I shall ask question by question...

* Manolis Kiagias (sonic2000gr@gmail.com) wrote:
>
> There are at least two ways that I know of to achieve this. One uses the
> ipfw firewall, the other the pf firewall.
> For the ipfw solution, look at the FreeBSD Handbook:
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

1. I heard that ppp itself has NAT capability. It can work with the command
   ppp -nat and without running natd. Please tell me whether it is right or
   wrong. ipfw is the same. If natd is not used, I can't add the rule ...

       add divert natd ip from any to any via tun0

   to /etc/ipfw.rules. I'm confused.

2. And if natd is still required, what is the -nat argument (ppp -nat) for?

> This worked fine for me, although I prefer to use pf. Here is how I
> setup pf (Adjust for your interfaces as necessary)
>
> My Internet interface is rl0, setup in rc.conf as:
>
> ifconfig_rl0="inet 192.168.0.100 netmask 255.255.255.0"
>
> My local interface is rl1, setup in rc.conf as:
>
> ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"

3. I haven't mentioned that I can't use this configuration. I have 2
   interfaces, i.e. public and private LAN. But I have only one NIC card, for
   the private LAN. I don't have a NIC card for the public side. I'm using a
   56k modem to connect to the outside world. I think I can't add

       ifconfig_tun0="inet 192.168.0.100 netmask 0xffffff00"

   to /etc/rc.conf. If I'm wrong, please tell me. I did much googling. All
   sites always refer to 2 NIC cards being used, like your example. I do have
   only one NIC card + 56k serial modem (/dev/cuad0).

> (I also have a defaultrouter setting which probably does not apply to you)
>
> I have nameserver entries in /etc/resolv.conf (or setup your own DNS
> server if you wish)

4. I also have nameserver entries. I tried setting the DNS server on my WinXP
   host to both the gateway (FBSD host) and the DNS servers of the ISP.
   Neither works.

> Use these settings in rc.conf for pf:
>
> pf_enable="YES"
> pflog_logfile="/var/log/pflog"
> pflog_flags=""
> pf_rules="/etc/pf.conf"
> pf_flags=""
> gateway_enable="YES"

5. I think I have the equivalent setting for ipfw in /etc/rc.conf, but it
   doesn't work.

       gateway_enable="YES"
       firewall_enable="YES"
       firewall_type="OPEN"
       firewall_quite="YES"
       firewall_script="/etc/ipfw.rules"
       firewall_logging="YES"

> Run:
> # sysctl net.inet.ip.forwarding=1
> # /etc/rc.d/routing restart
>
> Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists reboots

6. I recompiled my kernel.

       options IPFIREWALL
       options IPFIREWALL_FORWARD
       options IPFIREWALL_DEFAULT_TO_ACCEPT
       options IPFIREWALL_VERBOSE
       options IPFIREWALL_VERBOSE_LIMIT=120
       options IPDIVERT

   I think it should be equivalent to the sysctl setting.

> Add the following rule to /etc/pf.conf
>
> nat pass on rl0 from rl1:network to any -> rl0
>
> AFAIR, if rl0 has a dynamic address, you will have to write it with
> parentheses, like:
>
> nat pass on rl0 from rl1:network to any -> (rl0)
> (Note that in /etc/pf.conf translation rules like the above, are placed
> above filtering rules like pass or block etc)
> You may have to adjust /etc/pf.conf filtering rules, assuming you have any.
>
> Restart some services
>
> # /etc/rc.d/netif restart
> # /etc/rc.d/routing restart
> # /etc/rc.d/pf restart
>
> or simply reboot, and you should be set.

7. I don't know about PF.

* Fbsd1 (fbsd1@a1poweruser.com) wrote:
> You need to run dhcp so you can assign ip address on the LAN so the down
> stream xp box can gain access to the public internet through your
> gateway freebsd box. There are detailed step-by-step instructions in
> the install guide at www.a1poweruser.com

8. I read the doc from the mentioned site. The doc does not mention anything
   about sharing ppp dial-up with the other host. And I'm sorry, dhcp is not
   the point of my concern now. I only want to share internet access, whether
   the IP is static or dynamic. BTW the doc is very good anyway. I shall keep
   it. :-)

* Polytropon (freebsd@edvax.de) wrote:
> First of all, I made my kernel capable; significant parts:
> # Firewall, NAT
> ...blah

9. I compiled the kernel following your advice, except NETGRAPH. I think
   PPPoE is not the point of concern.

> Configuration in /etc/rc.conf goes this way:
> ifconfig_xl0="inet 192.168.0.1 netmask 0xffffff00"
> ifconfig_rl0="inet 192.168.1.1 netmask 0xffffff00 media 10baseT/UTP"

10. As said earlier, my interface connecting to the outside is a 56k serial
    modem (/dev/cuad0). I think I can't set /dev/cuad0 (or even tun0) in this
    way.

11. CONCLUSION: I did read much documentation. The more I read, the more
    confused I get. I tried many possible things but it still doesn't work.
    My RECENT configurations are as follows.

    /etc/rc.conf

        gateway_enable="YES"
        firewall_enable="YES"
        firewall_type="OPEN"
        firewall_quite="YES"
        natd_enable="YES"
        natd_interface="tun0"
        natd_flags="-s -u -m"

    kernel options

        options IPFIREWALL
        options IPFIREWALL_FORWARD
        options IPFIREWALL_DEFAULT_TO_ACCEPT
        options IPFIREWALL_VERBOSE
        options IPFIREWALL_VERBOSE_LIMIT=120
        options IPDIVERT

    /etc/ipfw.rules

        add divert natd ip from any to any via tun0

    ppp command

        ppp -background -nat myisp

    With these settings, my FBSD host can NOT even dial out to the ISP. :-(
    Please, anybody, tell me what I am doing wrong here. At this time I must
    go back to the original setting in order to dial the ISP.

And lastly I'm sorry for the long questions.

Thank you.
Pongthep
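An added check, not part of this thread or of FreeBSD itself, for the overlap the final configuration in point 11 shows: natd_enable in rc.conf while user ppp is also started with -nat (ppp's own in-process NAT via libalias, so both do the same job). The POSIX sh script below reads an rc.conf-style file, classifies the NAT setup as natd, ppp-nat, both or none, and flags assigned keys outside a small allowlist (an assumed subset of real rc.conf variables; firewall_quiet is the real one, so the firewall_quite in the quoted configuration is reported as unknown). The sample file content is constructed to mirror the settings quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Lints a FreeBSD rc.conf-style file for
# the NAT overlap seen in the final configuration: natd enabled in rc.conf
# while user ppp is also started with -nat (its own libalias-based NAT).

# Constructed sample mirroring the settings quoted in the message.
RC_SAMPLE='gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_quite="YES"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-s -u -m"'

# Assumed allowlist: a small subset of real rc.conf keys, enough for this check.
KNOWN_KEYS="gateway_enable firewall_enable firewall_type firewall_quiet
firewall_script firewall_logging natd_enable natd_interface natd_flags"

# rc_get FILE KEY: last value assigned to KEY, with surrounding quotes removed.
rc_get() {
    awk -F= -v k="$2" '{ sub(/^[ \t]+/, "", $1) }
        $1 == k { v = $2; gsub(/"/, "", v); print v }' "$1" | tail -n 1
}

# lint_keys FILE: print every assigned key that is not in KNOWN_KEYS
# (catches typos such as firewall_quite, which rc would silently ignore).
lint_keys() {
    awk -F= -v known=" $(echo $KNOWN_KEYS) " '
        /^[ \t]*#/ || !/=/ { next }
        { key = $1; sub(/^[ \t]+/, "", key)
          if (index(known, " " key " ") == 0) print key }' "$1"
}

# nat_mode FILE PPPCMD: natd | ppp-nat | both | none, from rc.conf plus the
# ppp command line (-nat, or its older spelling -alias, enables in-ppp NAT).
nat_mode() {
    natd=$(rc_get "$1" natd_enable)
    case " $2 " in *" -nat "*|*" -alias "*) pppnat=yes ;; *) pppnat=no ;; esac
    case "$natd:$pppnat" in
        [Yy][Ee][Ss]:yes) echo both ;;
        [Yy][Ee][Ss]:no)  echo natd ;;
        *:yes)            echo ppp-nat ;;
        *)                echo none ;;
    esac
}

tmp=$(mktemp)
printf '%s\n' "$RC_SAMPLE" > "$tmp"
echo "NAT mode: $(nat_mode "$tmp" 'ppp -background -nat myisp') on $(rc_get "$tmp" natd_interface)"
echo "unknown rc.conf keys: $(lint_keys "$tmp")"
rm -f "$tmp"
```

Run it against a real /etc/rc.conf by replacing the sample file path; a result of "both" means one of the two NAT layers should be dropped before debugging further.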