On Wed, 2008-10-15 at 21:19 -0700, Jeremy Chadwick wrote:
> On Thu, Oct 16, 2008 at 10:15:49AM +1000, Da Rock wrote:
> > 
> > On Wed, 2008-10-15 at 04:10 -0700, Jeremy Chadwick wrote:
> > > On Wed, Oct 15, 2008 at 08:40:48PM +1000, Da Rock wrote:
> > > > 
> > > > On Tue, 2008-10-14 at 06:46 -0400, Michael Powell wrote:
> > > > > Jeremy Chadwick wrote:
> > > > > 
> > > > > > On Tue, Oct 14, 2008 at 04:55:11AM -0400, Michael Powell wrote:
> > > > > [snip] 
> > > > > >> Next, you will want to configure your FreeBSD machine as a NAT
> > > > > >> gateway. In your /etc/rc.conf you will want something like
> > > > > >> gateway_enable="YES" and some form of firewall initialization[1].
> > > > > >> The gateway_enable is what allows the forwarding of packets between
> > > > > >> your rl0 and your rl1, but the activation of NAT functionality is
> > > > > >> usually a function contained within a firewall. So conceptually,
> > > > > >> the firewall will be "in between" rl0 and rl1.
> > > > > >> 
> > > > > >> There are three different firewalls you can choose from.
> > > > > >> Configuring the firewall is usually where the inexperienced get
> > > > > >> stuck. This subject material is beyond the scope of this missive,
> > > > > >> and you would do well to start reading in the Handbook. But
> > > > > >> essentially, when you configure NAT in the firewall your rl0
> > > > > >> (connected to the ISP) will be assigned a "Public" IP address and
> > > > > >> the NAT function will translate between "Public" and "Private".
> > > > > 
> > > > > With respect to "NAT", the caveat here is the assumption that your
> > > > > DSL/Cable modem is *not* already performing NAT. The situation you do
> > > > > not want to get into is having *two* NATs. The content herein is
> > > > > assuming that the external (rl0) interface is getting assigned a
> > > > > "Public" IP from the ISP.
> > > > >  
> > > > 
> > > > If this is the case wouldn't the OP set router_enable=YES instead of
> > > > gateway?
> > > 
> > > No.  router_enable causes routed(8) to run, which allows for
> > > announcements and withdraws of network routes via RIPv1/v2.  This is
> > > something completely different than forwarding packets.
> > > 
> > > What the OP wants is to route packets from his private LAN (e.g.
> > > 192.168.0.0/16) on to the Internet using NAT.  That means he has to have
> > > a NAT gateway of some kind that forwards and translates packets.  That
> > > means he needs gateway_enable="yes", which allows IPv4 forwarding
> > > to happen "through" the FreeBSD box.  In layman's terms, it allows
> > > the FreeBSD box to be used a "Gateway" for other computers which
> > > are connected to it directly.
> > > 
> > 
> > Ok, then. So it would be gateway_enable, but no nat_enable? (To avoid
> > double nat'ing)
> 
> Do you mean firewall_nat_enable, natd_enable, or ipnat_enable?  :-)
> See /etc/defaults/rc.conf.
> 

<grin> Actually I'm not sure... I'm just an innocent bystander :)

Throughout the thread there was mention of enabling nat in the rc.conf,
so whichever that was...

My consideration was just in general. Someone mentioned enabling nat,
another said don't double nat, so I thought routed would be better. But
it seems routed is not the way to go, but to keep gateway_enable:
question remains as to whether to use nat or not (I suppose in any form;
but if you can enlighten me with regard to whether one form of nat is
better than another, especially in the case of double nat, then I'd
appreciate the information).

The main reason I'm bringing up this issue is to clarify (and possibly
the OP will then get a better picture too) precisely how to accomplish
the result required. And maybe increase my knowledge of the subject
too :) that's always a good thing.

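An added example, not posted by anyone in this thread and not FreeBSD's own tooling: a small POSIX sh audit that reads an rc.conf and reports the distinction Jeremy draws (router_enable versus gateway_enable) and whether more than one of the three NAT knobs he lists is switched on. The sample rc.conf is constructed, and the verdict words are the script's own.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD tooling): audit an rc.conf
# for the forwarding and NAT knobs discussed above. Knob names come from the
# thread and /etc/defaults/rc.conf; the verdict words are this script's own.

# rc_val FILE KNOB -> last value assigned to KNOB, unquoted and lowercased
# (rc.conf is sourced by sh, so the last assignment wins; rc's checkyesno
# is case-insensitive, so "YES" and "yes" both count as enabled).
rc_val() {
    sed -n "s/^[[:space:]]*$2=[\"']*\([^\"'#[:space:]]*\).*/\1/p" "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# nat_count FILE -> how many of the three NAT knobs are switched on.
nat_count() {
    n=0
    for k in firewall_nat_enable natd_enable ipnat_enable; do
        if [ "$(rc_val "$1" "$k")" = "yes" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# verdict FILE -> routed-not-gateway | no-forwarding | double-nat | ok
verdict() {
    gw=$(rc_val "$1" gateway_enable)
    rt=$(rc_val "$1" router_enable)
    if [ "$gw" != "yes" ] && [ "$rt" = "yes" ]; then echo routed-not-gateway
    elif [ "$gw" != "yes" ]; then echo no-forwarding
    elif [ "$(nat_count "$1")" -gt 1 ]; then echo double-nat  # assumption: >1 in-box NAT is a misconfiguration
    else echo ok
    fi
}

# explain FILE -> the verdict with the reasoning from the thread attached.
explain() {
    case "$(verdict "$1")" in
    routed-not-gateway) echo "router_enable only starts routed(8) for RIP; set gateway_enable=\"YES\" to forward packets" ;;
    no-forwarding) echo "gateway_enable is not YES: the box will not forward IPv4 between rl0 and rl1" ;;
    double-nat) echo "$(nat_count "$1") in-box NAT mechanisms enabled; keep one of firewall_nat_enable, natd_enable, ipnat_enable" ;;
    ok) echo "forwarding on, $(nat_count "$1") NAT mechanism(s) enabled" ;;
    esac
}

# Constructed sample rc.conf reproducing the router_enable mix-up from the thread.
SAMPLE=${TMPDIR:-/tmp}/rc.conf.sample.$$
printf 'hostname="gw.example"\nrouter_enable="YES"\nnatd_enable="YES"\n' > "$SAMPLE"
explain "$SAMPLE"
rm -f "$SAMPLE"
```

Point it at /etc/rc.conf on a real box; it only reads the file and tells you which of the knobs from the thread are in effect.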
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions