Hi Pongthep,

Pongthep Kulkrisada wrote:
Hi All,

Firstly, I'm sorry for the late reply. To keep my responses simple, I shall
answer question by question...

* Manolis Kiagias ([EMAIL PROTECTED]) wrote:
There are at least two ways that I know of to achieve this. One uses the
ipfw firewall, the other the pf firewall.
For the ipfw solution, look at the FreeBSD Handbook:


http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
1. I heard that ppp itself has NAT capability. It can work with the
command ppp -nat and without running natd. Please tell me whether this is
right or wrong.

That is correct, it doesn't require natd for 'ppp -nat'

Just set up your firewall of choice as if the tun0 device is the external device and leave all the NAT stuff completely out of it.

Put any port forwarding rules you need in the ppp.conf file.


ipfw is the same. If natd is not used, I can't add the rule
...


Correct, you need natd if you will be using ipfw for your NAT rules.

add divert natd ip from any to any via tun0

to /etc/ipfw.rules. I'm confused.

2. And if natd is still required, what is the -nat argument (ppp -nat) for?


natd isn't required for ppp -nat.

HTH with the confusion.

cya
Andrew

This worked fine for me, although I prefer to use pf. Here is how I
set up pf (adjust for your interfaces as necessary).

My Internet interface is rl0, setup in rc.conf as:

ifconfig_rl0="inet 192.168.0.100 netmask 255.255.255.0"

My local interface is rl1, setup in rc.conf as:

ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"
3. I haven't mentioned that I can't use this configuration. I have 2
interfaces, i.e. public and private LAN, but I have only one NIC, for the
private LAN; I don't have a NIC for the public side. I'm using a 56k modem to
connect to the outside world. I think I can't add

ifconfig_tun0="inet 192.168.0.100 netmask 0xffffff00"

to /etc/rc.conf. If I'm wrong, please tell me.
I did much googling. All sites always refer to 2 NIC cards being used, like your
example. I have only one NIC card + a 56k serial modem (/dev/cuad0).

(I also have a defaultrouter setting which probably does not apply to you)

I have nameserver entries in /etc/resolv.conf (or setup your own DNS
server if you wish)
4. I also have nameserver entries. I tried setting the DNS server on my WinXP
host to both the gateway (FBSD host) and the ISP's DNS servers. Neither works.

Use these settings in rc.conf for pf:

pf_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
pf_rules="/etc/pf.conf"
pf_flags=""
gateway_enable="YES"
5. I think I have the equivalent ipfw settings in /etc/rc.conf, but they don't work.
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_quiet="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"

Run:
# sysctl net.inet.ip.forwarding=1
# /etc/rc.d/routing restart

Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists reboots
6. I recompiled my kernel.
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=120
options IPDIVERT
I think it should be equivalent to the sysctl setting.

Add the following rule to /etc/pf.conf

nat pass on rl0 from rl1:network to any -> rl0

AFAIR, if rl0 has a dynamic address, you will have to write it with
parentheses, like:

nat pass on rl0 from rl1:network to any -> (rl0)
(Note that in /etc/pf.conf translation rules like the above are placed
above filtering rules like pass or block, etc.)
You may have to adjust /etc/pf.conf filtering rules, assuming you have
any.
Restart some services

# /etc/rc.d/netif restart
# /etc/rc.d/routing restart
# /etc/rc.d/pf restart

or simply reboot, and you should be set.
7. I don't know about PF.

* Fbsd1 ([EMAIL PROTECTED]) wrote:
You need to run dhcp so you can assign IP addresses on the LAN so the
downstream XP box can gain access to the public internet through your
gateway FreeBSD box. There are detailed step-by-step instructions in
the install guide at www.a1poweruser.com
8. I read the doc from the mentioned site. The doc does not mention anything
about sharing ppp dial-up with other hosts. And I'm sorry, dhcp is not the
point of my concern now. I only want to share internet access, whether the IP is
static or dynamic. BTW the doc is very good anyway. I shall keep it. :-)

* Polytropon ([EMAIL PROTECTED]) wrote:
First of all, I made my kernel capable; significant parts:
# Firewall, NAT
...blah
9. I compiled the kernel following your advice, except NETGRAPH. I think
PPPoE is not the point of concern.

Configuration in /etc/rc.conf goes this way:
   ifconfig_xl0="inet 192.168.0.1 netmask 0xffffff00"
   ifconfig_rl0="inet 192.168.1.1 netmask 0xffffff00 media 10baseT/UTP"
10. As said earlier, my interface connecting to the outside is a 56k serial modem
(/dev/cuad0). I think I can't set /dev/cuad0 (or even tun0) in this way.

11. CONCLUSION: I did read many documents. The more I read, the more confused I get.
I tried many possible things but they still don't work. My RECENT configuration
is as follows.

/etc/rc.conf
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_quiet="YES"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-s -u -m"

kernel options
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=120
options IPDIVERT

/etc/ipfw.rules
# firewall_script is sourced as a shell script by /etc/rc.d/ipfw, so each
# rule needs the ipfw command in front of it
ipfw add divert natd ip from any to any via tun0

ppp command
ppp -background -nat myisp

With these settings, my FBSD host can NOT even dial out to the ISP. :-(
Please, anybody, tell me what I'm doing wrong here.
At this time I must go back to the original settings in order to dial the ISP.
And lastly, I'm sorry for the long questions.

Thank you.
Pongthep
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
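Putting the answers in the thread together, here is an added example (the editor's, not code from anyone in the thread) of the configuration the replies converge on: ppp does the NAT itself when started with `ppp -background -nat myisp` (or with ` nat enable yes` under the `myisp:` label in /etc/ppp/ppp.conf, as ppp.conf(5) describes), so natd_enable, natd_interface and the divert rule are dropped; rc.conf keeps gateway_enable="YES", firewall_enable="YES" and firewall_script="/etc/ipfw.rules"; and the firewall simply treats tun0 as the outside interface. The assumptions are that the modem link is tun0, the LAN NIC is rl0 on 192.168.1.0/24 and the ppp.conf label is myisp; all of these are parameters at the top of the script. The file is meant to be the firewall_script itself, and it also carries a small check, check_ppp_nat, that parses a ppp.conf and confirms NAT is enabled for the label you dial (or under default:, which ppp loads first), so you do not end up with a gateway that forwards but never translates. Setting IPFW=echo prints the rules instead of loading them. If one preferred pf to do the translation instead of ppp, the dynamic-address form shown above would become `nat pass on tun0 from rl1:network to any -> (tun0)`; with ppp -nat no such rule is needed.

```shell
#!/bin/sh
# Added example for /etc/ipfw.rules on a FreeBSD box sharing a dial-up link
# brought up with `ppp -nat`.  ppp translates addresses itself (libalias in
# the ppp process), so there is no natd and no divert rule here; tun0 is just
# the outside interface.  Assumed names: tun0 = modem link, rl0 = LAN NIC,
# 192.168.1.0/24 = LAN.  Set IPFW=echo for a dry run that prints the rules.

IPFW=${IPFW:-ipfw}
EXT=${EXT:-tun0}
LAN=${LAN:-rl0}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# fw: run one ipfw(8) command through $IPFW (ipfw, or echo for a dry run).
fw() { "$IPFW" "$@"; }

# load_rules: flush and install a stateful rule set.  The rules on tun0 match
# "from any" and rely on dynamic state, so they work regardless of whether the
# addresses ipfw sees on tun0 are the LAN ones or the translated ones.
load_rules() {
    fw -q -f flush
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any
    # Trust the LAN side, but only for our own subnet (anti-spoof).
    fw add 1000 allow ip from "$LAN_NET" to any in via "$LAN"
    fw add 1100 allow ip from any to "$LAN_NET" out via "$LAN"
    # Outbound through the modem creates state; replies come back via state.
    fw add 2000 check-state
    fw add 2100 allow tcp from any to any out via "$EXT" setup keep-state
    fw add 2200 allow udp from any to any out via "$EXT" keep-state
    fw add 2300 allow icmp from any to any out via "$EXT" keep-state
    # Nothing unsolicited from the Internet side, and nothing else at all.
    fw add 3000 deny log ip from any to any in via "$EXT"
    fw add 65000 deny log ip from any to any
}

# check_ppp_nat FILE LABEL: exit 0 when FILE enables ppp's built-in NAT for
# LABEL, either under that label or under "default:" (which ppp loads first),
# else exit 1.  Labels are unindented lines ending in ':'; commands are
# indented, as ppp.conf(5) requires.
check_ppp_nat() {
    awk -v want="$2" '
        /^[^ \t#].*:[ \t]*$/ { cur = $0; sub(/[ \t]*:[ \t]*$/, "", cur); next }
        (cur == want || cur == "default") &&
        /^[ \t]+nat[ \t]+enable[ \t]+yes[ \t]*$/ { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Sourced by /etc/rc.d/ipfw on a real host (ipfw present): load the rules.
# With IPFW=echo: print them.  Elsewhere (no ipfw): do nothing.
if [ "$IPFW" = echo ] || command -v "$IPFW" >/dev/null 2>&1; then
    load_rules
fi
```

On the gateway, `sh -n /etc/ipfw.rules` syntax-checks the file and `IPFW=echo sh /etc/ipfw.rules` shows exactly what would be loaded; `sh -c '. /etc/ipfw.rules; check_ppp_nat /etc/ppp/ppp.conf myisp' && echo NAT enabled` confirms the label you dial actually turns NAT on. The LAN client still needs the ISP's nameservers (or a resolver on the gateway) for name resolution; NAT only forwards the packets.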

