Re: Puzzling Simple NATD and IPFW Problem

2002-10-09 Thread sonam singh

 assigned, use the command pfctl -sr 

6.3 - NAT


Note: Packet Filter is the filtering system in  If you
are looking for the IPF/IPNAT FAQ for  before, click
here.

6.3.1 NAT Introduction
Based on RFC 1631, NAT provides an easy way to map
internal networks to a single routable (real)
internet address. This is very useful if you don't
have officially assigned addresses for every host on
your internal network. When you set up
private/internal networks, you can take advantage of
reserved address blocks (assigned in RFC 1918), such
as: 

10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
192.168.0.0/16 (192.168.0.0 - 192.168.255.255)


The user is assumed to have already set up and
configured a BSD machine with two network cards (one
connected to the Internet and the other to the local
network). 


Configuration 
For the purpose of example, we will use the system
described below. Your setup will almost certainly vary
from this, so be very careful in typing anything you
see here literally into your system and expecting it
to work as you desire. 

NICs: 
Intel EtherExpress Pro/100 fxp0
Connected to the EXTERNAL LAN (or WAN)
IP Address: 24.5.0.5
Netmask: 255.255.255.0

Compaq Netelligent 10/100Mb tl0
Connected to the INTERNAL LAN
IP Address: 192.168.1.1
Netmask: 255.255.255.0


External, Internet-routable IP (provided by ISP, in
this example, a cable modem provider)

IP Address: 24.5.0.5
Netmask: 255.255.255.0
Gateway: 24.5.0.1


Local Area Network

In this example environment, machines on the internal
network use the IP addressing scheme 192.168.1.xxx
(where xxx is a unique number). There could be a
variety of different operating systems on the internal
network, such as Windows 98, Windows NT, FreeBSD and
Linux, but the client OS is not an issue for NAT. For
the examples, the client we will look at on the
internal network will be assumed to have an IP address
of 192.168.1.40. 

Diagram of Configuration

+-----+        +---------+        +----------+
| Hub |-- tl0 -|   NAT   |- fxp0 -| Internet |
+-----+        +---------+        +----------+
   |
   +-- Client A
   +-- More clients

   +--------------------------+
   |          LEGEND          |
   +--------------------------+
   |  NIC fxp0 - 24.5.0.5     |
   |  NIC tl0  - 192.168.1.1  |
   |  Client A - 192.168.1.35 |
   +--------------------------+




6.3.2 Network Address Translation

Introduction to NAT 
Each node on the Internet requires a unique IP
address. At least with IPv4, there is a very finite
number of distinct IP addresses available, and as a
result, they are not free. Most low-cost ISPs will
limit a site to anywhere from 1 to 30 addresses, and
while larger budget organizations may be able to
afford a larger block, in most cases, there are
relatively few benefits and considerable risks to
having each computer individually addressable on the
Internet. 

Network Address Translation, or NAT, (also known as
IP Masquerading if you are coming from a Linux
background) allows multiple computers to be located
behind one (or a small number of) IP address. Each
internal computer has a locally assigned,
unregistered IP address (per RFC 1918), and all
utilize the same external IP address, simultaneously. 

The way NAT works is rather simple. When a client on
the LAN wants to connect to a machine on the Internet,
it sends out a TCP packet with a request to connect.
Inside the TCP packet header is the client's IP
address (e.g. 192.168.1.40) and the requested host's
IP address (e.g. 123.45.67.89). The machine running
NAT intercepts this TCP packet and changes the
client's IP address from 192.168.1.40 to the IP
address of the Internet-connected machine (e.g.
24.5.0.5). This effectively tricks the host machine
into thinking the actual connection is from the NAT
machine, not the actual client's machine. The host
then sends back responses to the NAT machine like it
was the one connecting. When the NAT machine receives
the responses it quickly translates the destination IP
address back from itself to the client's machine and
sends the packet to the client. The client normally
does not have any idea what happened and the apparent
Internet connectivity is transparent to the user and
user's applications. 

The example below shows NAT a little more clearly:

Client ------------ tl0 [ NAT ] fxp0 ------------ Internet Host
192.168.1.35 --- 192.168.1.1 [ NAT ] 24.5.0.5 --- 123.45.67.89

OUTGOING TCP Packet                   OUTGOING TCP Packet
From: 192.168.1.35     === NAT ===    From: 24.5.0.5
To:   123.45.67.89                    To:   123.45.67.89

INCOMING TCP Packet                   INCOMING TCP Packet
From: 123.45.67.89                    From: 123.45.67.89
To:   192.168.1.40     === NAT ===    To:   24.5.0.5


Why use NAT? 
When presented with a cable modem in my new 

Re: Puzzling Simple NATD and IPFW Problem

2002-10-09 Thread D. Penev

On Wed, Oct 09, 2002 at 12:00:25AM -0400, 2005 - Chill, Samuel Thomas wrote:
Date: Wed,  9 Oct 2002 00:00:25 -0400
From: 2005 - Chill, Samuel Thomas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Puzzling Simple NATD and IPFW Problem

Here is the info. Hope it helps solve this problem.
# ifconfig -a
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::201:aff:fe10:815b%rl0 prefixlen 64 scopeid 0x1
inet 68.59.237.192 netmask 0xf800 broadcast 68.59.239.255
ether 00:01:0a:10:81:5b
media: Ethernet autoselect (100baseTX full-duplex)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
inet6 fe80::2d0:9ff:fec6:15ed%rl1 prefixlen 64 scopeid 0x2
ether 00:d0:09:c6:15:ed
media: Ethernet autoselect (10baseT/UTP)
status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet 127.0.0.1 netmask 0xff00
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

# ipfw -a l
00100 160  72611 divert 8668 ip from any to any via rl0
00200 661 115174 allow ip from any to any
65535   4581 deny ip from any to any

# netstat -rn
Routing tables

Internet:
DestinationGatewayFlagsRefs  Use  Netif Expire
default68.59.232.1UGSc95rl0
10/24  link#2 UC  20rl1
10.0.0.3   00:04:5a:53:4d:92  UHLW2 2109rl1241
10.0.0.4   00:04:5a:53:4d:92  UHLW2  679rl1   1050
68.59.232/21   link#1 UC  20rl0
68.59.232.100:02:fc:82:f0:54  UHLW   100rl0   1199
68.59.237.177  00:02:fc:82:f0:70  UHLW06rl0163
68.59.237.192  127.0.0.1  UGHS00lo0
127.0.0.1  127.0.0.1  UH  10lo0

Internet6:
Destination   Gateway   Flags  Netif Expire
::1   ::1   UH  lo0
fe80::%rl0/64 link#1UC  rl0
fe80::201:aff:fe10:815b%rl0   00:01:0a:10:81:5b UHL lo0
fe80::%rl1/64 link#2UC  rl1
fe80::2d0:9ff:fec6:15ed%rl1   00:d0:09:c6:15:ed UHL lo0
fe80::%lo0/64 fe80::1%lo0   Uc  lo0
fe80::1%lo0   link#6UHL lo0
ff01::/32 ::1   U   lo0
ff02::%rl0/32 link#1UC  rl0
ff02::%rl1/32 link#2UC  rl1
ff02::%lo0/32 ::1   UC  lo0

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

# ps -aux |grep nat
root  216  0.0  0.1   436  292  ??  Is    6:13PM   0:00.01 natd -interface rl0

What does ps x | grep natd show? In principle, if natd is started from rc.network,
the first argument must be $natd_flags and then $natd_interface.



# cat /etc/rc.conf
gateway_enable=YES
firewall_enable=YES
firewall_type=/etc/rc.ipfw-queue
firewall_quiet=NO
natd_enabled=YES
^
Does this error really exist in rc.conf?

natd_interface=rl0
natd_flags=-f /etc/natd.conf
hostname=.andrsn01.tn.comcast.net
ifconfig_rl0=DHCP
ifconfig_rl1=inet 10.0.0.1  netmask 255.255.255.0
inetd_enable=YES
kern_securelevel_enable=NO
linux_enable=YES
lpd_enable=YES
nfs_reserved_port_only=YES
sendmail_enable=YES
sshd_enable=YES
usbd_enable=YES

# cat /etc/natd.conf
dynamic yes
use_sockets yes
same_ports yes
unregistered_only
-- Original Message --
From: Nick Rogness [EMAIL PROTECTED]
Date: Tue, 8 Oct 2002 15:38:00 -0600 (MDT)

On Tue, 8 Oct 2002, 2005 - Chill, Samuel Thomas wrote:

 I have ipfirewall, ipdivert, and dummynet all compiled into my kernel. I
 am able to run natd and to specify rules with ipfw; I can also ping
 my external interface. My internal network card (rl1) is 10.0.0.1 and my
 LAN clients are running on 10.0.0.x. I can ping everything; the network
 is set up properly. I'm using the default rules supplied in the man page
 and apparently natd is not passing them on. I can't ping or go to any
 website at all. The LAN clients have 10.0.0.1 set as their default
 gateway. rl0 is connected to the cable modem and gets its IP via DHCP.
 The FreeBSD box can ping anything but apparently nothing is forwarded
 to the external interface. I have double checked and reinstalled
 multiple times
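As an added example (not code from the thread and not part of FreeBSD), the following POSIX sh script automates the two checks the reply above points at: whether rc.conf spells the knobs rc.network actually reads (gateway_enable, firewall_enable, natd_enable, not natd_enabled), and whether the natd seen in ps was started with $natd_flags ahead of the interface argument. The rc.conf text and the ps line are constructed to mirror the ones posted; rc_get, nat_check and natd_cmdline_ok are names chosen here, and the assumption that the interface is passed as "-interface <name>" comes from the posted ps output.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check the rc.conf knobs a
# FreeBSD 4.x natd/ipfw gateway needs, and compare the running natd command
# line against what rc.network would build from them (argument order as
# stated in the reply: $natd_flags first, then the interface).
# SAMPLE_RC_CONF and SAMPLE_PS_LINE are constructed from the posted output.

SAMPLE_RC_CONF='gateway_enable=YES
firewall_enable=YES
firewall_type=/etc/rc.ipfw-queue
natd_enabled=YES
natd_interface=rl0
natd_flags="-f /etc/natd.conf"
ifconfig_rl0=DHCP'

SAMPLE_PS_LINE='root  216  0.0  0.1   436  292  ??  Is    6:13PM   0:00.01 natd -interface rl0'

# rc_get CONF KEY -> value of KEY in CONF (last assignment wins, surrounding
# quotes stripped); prints an empty line if the key is not set at all
rc_get() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        $1 == key { v = substr($0, length(key) + 2); gsub(/^"|"$/, "", v); val = v }
        END { print val }'
}

# nat_check CONF -> prints one finding per line; returns 0 when there are none
nat_check() {
    conf="$1"; status=0
    for key in gateway_enable firewall_enable natd_enable; do
        if [ "$(rc_get "$conf" "$key")" != "YES" ]; then
            echo "MISSING: ${key}=YES"; status=1
        fi
    done
    # the misspelling the reply's caret points at: rc.network never reads
    # natd_enabled, so natd is simply not started at boot
    for bad in gateway_enabled firewall_enabled natd_enabled; do
        if [ -n "$(rc_get "$conf" "$bad")" ]; then
            echo "TYPO: ${bad} is not an rc.conf knob (did you mean ${bad%d}?)"; status=1
        fi
    done
    if [ "$(rc_get "$conf" natd_enable)" = "YES" ] && [ -z "$(rc_get "$conf" natd_interface)" ]; then
        echo "MISSING: natd_interface"; status=1
    fi
    return $status
}

# natd_cmdline_ok CONF PS_LINE -> 0 if PS_LINE shows natd running with
# $natd_flags before the interface argument, 1 otherwise.
# Assumption: the interface is passed as "-interface <name>", as in the
# posted ps output.
natd_cmdline_ok() {
    flags=$(rc_get "$1" natd_flags)
    iface=$(rc_get "$1" natd_interface)
    [ -n "$flags" ] && flags="$flags "
    case "$2" in
        *"natd ${flags}-interface ${iface}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: report on the constructed sample (mirrors the posted configuration)
nat_check "$SAMPLE_RC_CONF" || echo "rc.conf needs fixing before natd will start at boot"
natd_cmdline_ok "$SAMPLE_RC_CONF" "$SAMPLE_PS_LINE" || echo "running natd was not started with natd_flags"
```

On the sample, nat_check reports natd_enable missing and natd_enabled as a typo, and natd_cmdline_ok fails because the posted process line carries no -f /etc/natd.conf, which is consistent with rc.network never having started it. To check a real box, pass "$(cat /etc/rc.conf)" as the CONF argument and the live output of ps x | grep natd as the PS_LINE argument.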

Re: Puzzling Simple NATD and IPFW Problem

2002-10-09 Thread 2005 - Chill, Samuel Thomas

After fixing all of these problems it still does not work!
I'm running FreeBSD 4.6-STABLE
Using two Realtek 8139s (rl0 external, rl1 internal)
External is DHCP to cable modem
Internal IP is 10.0.0.1
Client machines have 10.0.0.x as their IP and 10.0.0.1 set as their gateway and DNS
-- Original Message --
From: D. Penev [EMAIL PROTECTED]
Date: Wed, 9 Oct 2002 21:06:36 +0300

On Wed, Oct 09, 2002 at 12:00:25AM -0400, 2005 - Chill, Samuel Thomas wrote:
Date: Wed,  9 Oct 2002 00:00:25 -0400
From: 2005 - Chill, Samuel Thomas [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Puzzling Simple NATD and IPFW Problem

Here is the info. Hope it helps solve this problem.
# ifconfig -a
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::201:aff:fe10:815b%rl0 prefixlen 64 scopeid 0x1
inet 68.59.237.192 netmask 0xf800 broadcast 68.59.239.255
ether 00:01:0a:10:81:5b
media: Ethernet autoselect (100baseTX full-duplex)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
inet6 fe80::2d0:9ff:fec6:15ed%rl1 prefixlen 64 scopeid 0x2
ether 00:d0:09:c6:15:ed
media: Ethernet autoselect (10baseT/UTP)
status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet 127.0.0.1 netmask 0xff00
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

# ipfw -a l
00100 160  72611 divert 8668 ip from any to any via rl0
00200 661 115174 allow ip from any to any
65535   4581 deny ip from any to any

# netstat -rn
Routing tables

Internet:
DestinationGatewayFlagsRefs  Use  Netif Expire
default68.59.232.1UGSc95rl0
10/24  link#2 UC  20rl1
10.0.0.3   00:04:5a:53:4d:92  UHLW2 2109rl1241
10.0.0.4   00:04:5a:53:4d:92  UHLW2  679rl1   1050
68.59.232/21   link#1 UC  20rl0
68.59.232.100:02:fc:82:f0:54  UHLW   100rl0   1199
68.59.237.177  00:02:fc:82:f0:70  UHLW06rl0163
68.59.237.192  127.0.0.1  UGHS00lo0
127.0.0.1  127.0.0.1  UH  10lo0

Internet6:
Destination   Gateway   Flags  Netif Expire
::1   ::1   UH  lo0
fe80::%rl0/64 link#1UC  rl0
fe80::201:aff:fe10:815b%rl0   00:01:0a:10:81:5b UHL lo0
fe80::%rl1/64 link#2UC  rl1
fe80::2d0:9ff:fec6:15ed%rl1   00:d0:09:c6:15:ed UHL lo0
fe80::%lo0/64 fe80::1%lo0   Uc  lo0
fe80::1%lo0   link#6UHL lo0
ff01::/32 ::1   U   lo0
ff02::%rl0/32 link#1UC  rl0
ff02::%rl1/32 link#2UC  rl1
ff02::%lo0/32 ::1   UC  lo0

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

# ps -aux |grep nat
root  216  0.0  0.1   436  292  ??  Is    6:13PM   0:00.01 natd -interface rl0

What does ps x | grep natd show? In principle, if natd is started from rc.network,
the first argument must be $natd_flags and then $natd_interface.



# cat /etc/rc.conf
gateway_enable=YES
firewall_enable=YES
firewall_type=/etc/rc.ipfw-queue
firewall_quiet=NO
natd_enabled=YES
^
Does this error really exist in rc.conf?

natd_interface=rl0
natd_flags=-f /etc/natd.conf
hostname=.andrsn01.tn.comcast.net
ifconfig_rl0=DHCP
ifconfig_rl1=inet 10.0.0.1  netmask 255.255.255.0
inetd_enable=YES
kern_securelevel_enable=NO
linux_enable=YES
lpd_enable=YES
nfs_reserved_port_only=YES
sendmail_enable=YES
sshd_enable=YES
usbd_enable=YES

# cat /etc/natd.conf
dynamic yes
use_sockets yes
same_ports yes
unregistered_only
-- Original Message --
From: Nick Rogness [EMAIL PROTECTED]
Date: Tue, 8 Oct 2002 15:38:00 -0600 (MDT)

On Tue, 8 Oct 2002, 2005 - Chill, Samuel Thomas wrote:

 I have ipfirewall, ipdivert, and dummynet all compiled into my kernel. I
 am able to run natd and to specify rules with ipfw; I can also ping
 my external interface. My internal network card (rl1) is 10.0.0.1 and my
 LAN clients are running on 10.0.0.x. I can ping everything; the network
 is set up properly. I'm using

Puzzling Simple NATD and IPFW Problem

2002-10-08 Thread 2005 - Chill, Samuel Thomas

I have ipfirewall, ipdivert, and dummynet all compiled into my kernel. I am able to
run natd and to specify rules with ipfw; I can also ping my external interface. My
internal network card (rl1) is 10.0.0.1 and my LAN clients are running on 10.0.0.x. I
can ping everything; the network is set up properly. I'm using the default rules
supplied in the man page and apparently natd is not passing them on. I can't ping or go
to any website at all. The LAN clients have 10.0.0.1 set as their default gateway. rl0
is connected to the cable modem and gets its IP via DHCP. The FreeBSD box can ping
anything but apparently nothing is forwarded to the external interface. I have double
checked and reinstalled multiple times and it seems that it is bound to never work!

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



Re: Puzzling Simple NATD and IPFW Problem

2002-10-08 Thread Nick Rogness

On Tue, 8 Oct 2002, 2005 - Chill, Samuel Thomas wrote:

 I have ipfirewall, ipdivert, and dummynet all compiled into my kernel. I
 am able to run natd and to specify rules with ipfw; I can also ping
 my external interface. My internal network card (rl1) is 10.0.0.1 and my
 LAN clients are running on 10.0.0.x. I can ping everything; the network
 is set up properly. I'm using the default rules supplied in the man page
 and apparently natd is not passing them on. I can't ping or go to any
 website at all. The LAN clients have 10.0.0.1 set as their default
 gateway. rl0 is connected to the cable modem and gets its IP via DHCP.
 The FreeBSD box can ping anything but apparently nothing is forwarded
 to the external interface. I have double checked and reinstalled
 multiple times and it seems that it is bound to never work!

Do you have gateway_enable=YES in /etc/rc.conf?

What do the following show when you run them (just paste them in a
reply):

# ifconfig -a
# netstat -rn
# ipfw -a l
# sysctl net.inet.ip.forwarding
# ps -aux |grep nat
# cat /etc/rc.conf

Nick Rogness [EMAIL PROTECTED]
- WARNING TO ALL PERSONNEL:
   Firings will continue until morale improves.







Re: Puzzling Simple NATD and IPFW Problem

2002-10-08 Thread 2005 - Chill, Samuel Thomas

Here is the info. Hope it helps solve this problem.
# ifconfig -a
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::201:aff:fe10:815b%rl0 prefixlen 64 scopeid 0x1
inet 68.59.237.192 netmask 0xf800 broadcast 68.59.239.255
ether 00:01:0a:10:81:5b
media: Ethernet autoselect (100baseTX full-duplex)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
inet6 fe80::2d0:9ff:fec6:15ed%rl1 prefixlen 64 scopeid 0x2
ether 00:d0:09:c6:15:ed
media: Ethernet autoselect (10baseT/UTP)
status: active
lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet 127.0.0.1 netmask 0xff00
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

# ipfw -a l
00100 160  72611 divert 8668 ip from any to any via rl0
00200 661 115174 allow ip from any to any
65535   4581 deny ip from any to any

# netstat -rn
Routing tables

Internet:
DestinationGatewayFlagsRefs  Use  Netif Expire
default68.59.232.1UGSc95rl0
10/24  link#2 UC  20rl1
10.0.0.3   00:04:5a:53:4d:92  UHLW2 2109rl1241
10.0.0.4   00:04:5a:53:4d:92  UHLW2  679rl1   1050
68.59.232/21   link#1 UC  20rl0
68.59.232.100:02:fc:82:f0:54  UHLW   100rl0   1199
68.59.237.177  00:02:fc:82:f0:70  UHLW06rl0163
68.59.237.192  127.0.0.1  UGHS00lo0
127.0.0.1  127.0.0.1  UH  10lo0

Internet6:
Destination   Gateway   Flags  Netif Expire
::1   ::1   UH  lo0
fe80::%rl0/64 link#1UC  rl0
fe80::201:aff:fe10:815b%rl0   00:01:0a:10:81:5b UHL lo0
fe80::%rl1/64 link#2UC  rl1
fe80::2d0:9ff:fec6:15ed%rl1   00:d0:09:c6:15:ed UHL lo0
fe80::%lo0/64 fe80::1%lo0   Uc  lo0
fe80::1%lo0   link#6UHL lo0
ff01::/32 ::1   U   lo0
ff02::%rl0/32 link#1UC  rl0
ff02::%rl1/32 link#2UC  rl1
ff02::%lo0/32 ::1   UC  lo0

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

# ps -aux |grep nat
root  216  0.0  0.1   436  292  ??  Is    6:13PM   0:00.01 natd -interface rl0


# cat /etc/rc.conf
gateway_enable=YES
firewall_enable=YES
firewall_type=/etc/rc.ipfw-queue
firewall_quiet=NO
natd_enabled=YES
natd_interface=rl0
natd_flags=-f /etc/natd.conf
hostname=.andrsn01.tn.comcast.net
ifconfig_rl0=DHCP
ifconfig_rl1=inet 10.0.0.1  netmask 255.255.255.0
inetd_enable=YES
kern_securelevel_enable=NO
linux_enable=YES
lpd_enable=YES
nfs_reserved_port_only=YES
sendmail_enable=YES
sshd_enable=YES
usbd_enable=YES

# cat /etc/natd.conf
dynamic yes
use_sockets yes
same_ports yes
unregistered_only
-- Original Message --
From: Nick Rogness [EMAIL PROTECTED]
Date: Tue, 8 Oct 2002 15:38:00 -0600 (MDT)

On Tue, 8 Oct 2002, 2005 - Chill, Samuel Thomas wrote:

 I have ipfirewall, ipdivert, and dummynet all compiled into my kernel. I
 am able to run natd and to specify rules with ipfw; I can also ping
 my external interface. My internal network card (rl1) is 10.0.0.1 and my
 LAN clients are running on 10.0.0.x. I can ping everything; the network
 is set up properly. I'm using the default rules supplied in the man page
 and apparently natd is not passing them on. I can't ping or go to any
 website at all. The LAN clients have 10.0.0.1 set as their default
 gateway. rl0 is connected to the cable modem and gets its IP via DHCP.
 The FreeBSD box can ping anything but apparently nothing is forwarded
 to the external interface. I have double checked and reinstalled
 multiple times and it seems that it is bound to never work!

Do you have gateway_enable=YES in /etc/rc.conf?

What do the following show when you run them (just paste them in a
reply):

# ifconfig -a
# netstat -rn
# ipfw -a l
# sysctl net.inet.ip.forwarding
# ps -aux |grep nat
# cat /etc/rc.conf

Nick Rogness [EMAIL PROTECTED]
- WARNING TO ALL PERSONNEL:
   Firings will continue until