Re: Problem about ppp -nat

2008-12-01 Thread Ian Smith
On Sun, 30 Nov 2008, Pongthep Kulkrisada wrote:
  Hi all,
  
   set log phase chat connect carrier link ipcp ccp ID0 TUN command
  I still can't dial using this configuration...

Yes sorry, that was from a really old system, from backups.

  # ppp -background isp
  Loading /lib/libalias_cuseeme.so
  Loading /lib/libalias_ftp.so
  Loading /lib/libalias_irc.so
  Loading /lib/libalias_nbt.so
  Loading /lib/libalias_pptp.so
  Loading /lib/libalias_skinny.so
  Loading /lib/libalias_smedia.so

I'm surprised ppp would load these unless -nat was specified somewhere?  

My newest system that used ppp is 5.5-STABLE, up till last August, but 
I'm not up with it on 6 or 7, still this does look rather odd to me.

Perhaps someone else could confirm whether ppp always loads these 
libalias modules, whether intending to use them or not?

  Working in background mode
  Using interface: tun0
  Warning: carrier: Invalid log value
  Warning: link: Invalid log value
  Warning: usage: set log [local] 
  [+|-]all|async|cbcp|ccp|chat|command|connect|debug|dns|hdlc|id0|ipcp|lcp|lqm|phase|physical|radius|sync|tcp/ip|timer|tun...
  Attempting redial
  Attempting redial
  Attempting redial
  
  I then removed ``carrier'' and ``link''. It always keeps redialing without
  hearing dialing tone from the modem. So I removed ``connect'' again. The 
  result was still the same.

Sorry again.  On 5.5 I just used 'log Phase LCP IPCP CCP tun command' 
once everything was running smoothly, using several different modems.

   Try /dev/cuaa0.  At least in the olden days, cuad0 was configured more
   for dialin rather than dialout.  This may? explain the next two lines:
  It keeps redialing without hearing any tone from the modem. So I 
  switched back to /dev/cuad0. Then I dialed; now I hear the dialing tone 
  from the modem, but the warning message ``Child failed (errdead)'' 
  occurred, then the line dropped. And I cannot connect. I tried it many 
  times. Note that /dev/cuad0 appeared in my 
  /usr/share/examples/ppp/ppp.conf.sample, not /dev/cuaa0. If I 
  remember correctly I changed from cuaa0 to cuad0 when I upgraded from 
  FBSD5.4R to FBSD6.2R.

Ok.  I hadn't realised that ppp had changed so much.  Wish someone who 
knows a bit more about the current situation would comment ..

  [...]
  Working in background mode
  Using interface: tun0
  Child failed (errdead)
  
    set ctsrts off   # enables software flow control
    set accmap 000a  # comments out these 2 lines for hardware flow control
   Not sure why you don't want to use hardware flow control?  Is this with
   a regular external modem?  Anyway, I've always used ctsrts (with cuaa0).

  5 years ago, I downloaded this ppp.conf from some web site. But 
  anyway, I did follow your suggestion, i.e. hardware flow control. It 
  still doesn't work, as ``Child failed''. Actually I don't know so much 
  in this area (flow control). I only code C on *Unix. I rarely do these 
  kinds of things, e.g. system setup or configuration. And yes, it is a 
  regular external modem.

I spent about 15 years debugging user problems with dialup modems; it 
can be really difficult without first knowing the modem type and its 
internal config - however that doesn't seem to be your problem here.

    add! default HISADDR   # Add a (sticky) default route
    [...]
    add 0 0 HISADDR
   You probably don't want both those add statements.  Try taking out the
   first one, and replacing the last one with the add! default HISADDR.
  I changed it before dialing.
  
   Unsure if you need an 'enable pap' as well, maybe default.  Can't hurt.
  I added it before dialing. But all failed. I think it is probably caused by
  ipdivert.

Well as mentioned above, if ppp is loading libalias modules also, there 
definitely could be some conflict there .. but I'm now out of my depth.

   Anyway, some extra logging should show you when and how it fails, if it
   still does ..
  Nov 30 17:00:00 bsdhost newsyslog[960]: logfile turned over due to size100K
  Nov 30 17:00:16 bsdhost ppp[977]: Phase: Using interface: tun0
  Nov 30 17:00:16 bsdhost ppp[977]: Phase: deflink: Created in closed state
  Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: ident user-ppp 
  VERSION (built COMPILATIONDATE)
  Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: set device 
  /dev/cuad0
  Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: set speed 115200
  Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: disable pred1
  Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: deny pred1
  Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: disable lqr
  Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: deny lqr
  Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: set dial ABORT 
  BUSY ABORT NO\sCARRIER TIMEOUT 5 AT OK-AT-OK ATE1Q0 OK 
  \dATDT\T TIMEOUT 180 CONNECT
  Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: set redial 3 20
  Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: 

Re: Problem about ppp -nat

2008-11-30 Thread Pongthep Kulkrisada
Hi all,

 set log phase chat connect carrier link ipcp ccp ID0 TUN command
I still can't dial using this configuration...

# ppp -background isp
Loading /lib/libalias_cuseeme.so
Loading /lib/libalias_ftp.so
Loading /lib/libalias_irc.so
Loading /lib/libalias_nbt.so
Loading /lib/libalias_pptp.so
Loading /lib/libalias_skinny.so
Loading /lib/libalias_smedia.so
Working in background mode
Using interface: tun0
Warning: carrier: Invalid log value
Warning: link: Invalid log value
Warning: usage: set log [local] 
[+|-]all|async|cbcp|ccp|chat|command|connect|debug|dns|hdlc|id0|ipcp|lcp|lqm|phase|physical|radius|sync|tcp/ip|timer|tun...
Attempting redial
Attempting redial
Attempting redial

I then removed ``carrier'' and ``link''. It always keeps redialing without
hearing dialing tone from the modem. So I removed ``connect'' again. The result 
was still the same.

 Try /dev/cuaa0.  At least in the olden days, cuad0 was configured more
 for dialin rather than dialout.  This may? explain the next two lines:
It keeps redialing without hearing any tone from the modem. So I switched back 
to /dev/cuad0. Then I dialed; now I hear the dialing tone from the modem, but 
the warning message ``Child failed (errdead)'' occurred, then the line dropped. 
And I cannot connect. I tried it many times. Note that /dev/cuad0 appeared in my 
/usr/share/examples/ppp/ppp.conf.sample, not /dev/cuaa0. If I remember 
correctly I changed from cuaa0 to cuad0 when I upgraded from FBSD5.4R to 
FBSD6.2R.
[...]
Working in background mode
Using interface: tun0
Child failed (errdead)

  set ctsrts off   # enables software flow control
  set accmap 000a  # comments out these 2 lines for hardware flow control
 Not sure why you don't want to use hardware flow control?  Is this with
 a regular external modem?  Anyway, I've always used ctsrts (with cuaa0).
5 years ago, I downloaded this ppp.conf from some web site. But anyway, I did 
follow your suggestion, i.e. hardware flow control. It still doesn't work, as 
``Child failed''. Actually I don't know so much in this area (flow control). I 
only code C on *Unix. I rarely do these kinds of things, e.g. system setup or 
configuration. And yes, it is a regular external modem.

  add! default HISADDR   # Add a (sticky) default route
  [...]
  add 0 0 HISADDR
 You probably don't want both those add statements.  Try taking out the
 first one, and replacing the last one with the add! default HISADDR.
I changed it before dialing.

 Unsure if you need an 'enable pap' as well, maybe default.  Can't hurt.
I added it before dialing. But all failed. I think it is probably caused by
ipdivert.

 Anyway, some extra logging should show you when and how it fails, if it
 still does ..
Nov 30 17:00:00 bsdhost newsyslog[960]: logfile turned over due to size100K
Nov 30 17:00:16 bsdhost ppp[977]: Phase: Using interface: tun0
Nov 30 17:00:16 bsdhost ppp[977]: Phase: deflink: Created in closed state
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: ident user-ppp 
VERSION (built COMPILATIONDATE)
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: set device /dev/cuad0
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: set speed 115200
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: disable pred1
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: deny pred1
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: disable lqr
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: deny lqr
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: set dial ABORT BUSY 
ABORT NO\sCARRIER TIMEOUT 5AT OK-AT-OK ATE1Q0 OK \dATDT\T 
TIMEOUT 180 CONNECT
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: set redial 3 20
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: default: enable dns
Nov 30 17:00:16 bsdhost ppp[977]: tun0: ID0: 0x28389e78 = 
fopen(/etc/ppp/ppp.conf, r)
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: ego: set phone 0123456789
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: ego: set authname
[EMAIL PROTECTED]
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: ego: set authkey **
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: ego: set timeout 0
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: ego: set openmode active
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: ego: accept pap
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: ego: enable pap
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: ego: set ifaddr 10.0.0.1/0 
10.0.0.2/0 255.255.255.0 0.0.0.0
Nov 30 17:00:16 bsdhost ppp[977]: tun0: Command: ego: add! default HISADDR
Nov 30 17:00:16 bsdhost ppp[977]: tun0: ID0: 10 = socket(17, 3, 0)
Nov 30 17:00:16 bsdhost ppp[977]: tun0: ID0: -1 = write(10, data, 140)
Nov 30 17:00:16 bsdhost ppp[978]: tun0: ID0: 0x28389e78 = 
fopen(/var/run/tun0.pid, w)
Nov 30 17:00:16 bsdhost ppp[978]: tun0: Phase: PPP Started (background mode).
Nov 30 17:00:16 bsdhost ppp[978]: tun0: Phase: bundle: Establish
Nov 30 17:00:16 bsdhost ppp[978]: tun0: Phase: deflink: closed - opening
Nov 30 

Re: Problem about ppp -nat

2008-11-29 Thread Ian Smith
On Fri, 28 Nov 2008, Pongthep Kulkrisada wrote:
  Hi all,
  
   I didn't touch /etc/ppp/ppp.conf, which has been working for 5 years
   since FBSD5.0R. Even if I go back to GENERIC kernel. I could not dial out
   to ISP in any ways. I didn't know what I do wrong even if
   I did read many docs.

  I tried exactly what is described in the handbook. But all failed, 
  I still can't dial ISP. I think that posting /etc/ppp/ppp.conf may be 
  useful for your diagnostic. Note that this file has been used for a 
  long time and never changed. But I've just been reminded that ppp has 
  changed from version to version. My ppp.conf may not suit the current 
  version. I don't know.
  
  # cat /etc/ppp/ppp.conf
  
  default:
   set log Phase Chat LCP IPCP CCP tun command

Try using more logging, at least temporarily, then you should be able to 
see from your ppp.log just what's going on.  For about 10 years I used:

  set log phase chat connect carrier link ipcp ccp ID0 TUN command

   ident user-ppp VERSION (built COMPILATIONDATE)
  
   set device /dev/cuad0

Try /dev/cuaa0.  At least in the olden days, cuad0 was configured more 
for dialin rather than dialout.  This may? explain the next two lines:

   set ctsrts off  # enables software flow control
   set accmap 000a # comments out these 2 lines for hardware flow control

Not sure why you don't want to use hardware flow control?  Is this with 
a regular external modem?  Anyway, I've always used ctsrts (with cuaa0).

   set speed 115200
   disable pred1
   deny pred1
   disable lqr
   deny lqr
   set dial ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
  \\ AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 180 CONNECT
   set redial 3 20
   enable dns # request DNS info (for resolv.conf)

Looks ok.  TIMEOUT 60 is plenty for a dialup modem, but whatever.

  isp:
   set phone 0123456789
   set authname [EMAIL PROTECTED]
   set authkey mypassword
   set timeout 0
   add! default HISADDR   # Add a (sticky) default route
   set openmode active
   accept pap
   set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
   add 0 0 HISADDR

You probably don't want both those add statements.  Try taking out the 
first one, and replacing the last one with the add! default HISADDR.

Unsure if you need an 'enable pap' as well, maybe default.  Can't hurt.

Anyway, some extra logging should show you when and how it fails, if it 
still does ..

cheers, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Problem about ppp -nat

2008-11-29 Thread Ian Smith
On Wed, 26 Nov 2008, Pongthep Kulkrisada wrote:
[..]
  read many docs. Yesterday I decided to re-install FBSD7.0R from CDs 
  again. That causes late reply, I'm sorry. :-(

No worries .. it's not like we were just hanging out waiting :)

  I now have gateway_enable=YES and firewall_enable=YES in my /etc/rc.conf.
  I can then dial ISP again. Then the following steps were taken.
  
  1. I can ping any sites and very fast.
  2. # kldload ipfw (as I don't want to compile kernel anymore.)
  3. # kldload ipdivert

I was under the impression that divert had to be built into the kernel, 
but perhaps kldload ipdivert works all right with 7.x.

  4. I also have ``natd 8668/divert'' in my /etc/services.
  5. # natd -interface tun0
  6. # /sbin/ipfw add 101 divert natd all from any to any via tun0
  7. # /sbin/ipfw add 102 pass all from any to any
  (Note that my first ipfw rule is 100 check-state. So steps 6 and 7 
  should be considered as the first two filtering rules.)

Just as an aside, as you're not using any keep-state rules: you should 
do NAT before a check-state, so packets match dynamic rules after NAT.

  I do it this way because I know from reading the documentation that ppp 
  must be run before natd. I always want to dial ppp by myself so I can't 
  put natd in /etc/rc.conf. And doing it interactively makes it very easy 
  to detect when something goes wrong, and step 1 can prove my good 
  connection.

More specifically the interface, here tun0, must exist before using 
divert sockets using that interface.  natd(8) says:

     3.   If you use the -interface option, make sure that your interface is
          already configured.  If, for example, you wish to specify `tun0' as
          your interface, and you are using ppp(8) on that interface, you must
          make sure that you start ppp prior to starting natd.

You've probably noticed that tun0 doesn't go away when you close ppp, so 
it's sufficient to have run ppp once before using the divert rule.  In 
any case I doubt this'd really do any harm (apart from not working :)

There's another way to bring up ppp (so creating tun0) without dialing 
out until you're ready; using ppp -auto, with a dial filter rule/s.  See 
ppp(8) and the examples in /usr/share/examples/ppp/ppp.conf.sample ..
maybe something like:

set filter dial  00 0 icmp src eq 8

which will only dial upon seeing an outbound ping packet.  You could 
specify some address rather than 0 0 if you want to be more specific.

  After step 7 I switched to the terminal, which kept pinging. 
  I found that ping stalled. I tried re-connecting many times; now I know 
  that step 3 causes the problem. I have also tried putting 
  ipfw_load=YES and ipdivert_load=YES in /boot/loader.conf. The 
  problem persists. I'm quite sure that the module ipdivert has an adverse 
  effect on the connection through the modem. Should I say a bug?!!! 

Perhaps others can say if it's ok to kldload ipdivert after ipfw these 
days?  In any case, this could mean coincidence rather than causation.
You've not shown error messages from ppp.log indicating disconnection?

Two things you should always check if there are problems passing traffic 
through an interface that's apparently 'UP':
# ifconfig  # make sure addresses, netmasks, etc make sense.
# netstat -finet -ran   # check the default and other routes make sense.

  Without ipdivert I can not play NAT (I don't want to learn ``ipfw 
  nat'' and ``ppp -nat'' for now). This was also the major problem when 

'ipfw nat' is as easy to setup as natd, using much the same semantics, 
and doesn't require the presence of ipdivert.  I can't say whether it 
would get upset if tun0 was specified and didn't yet exist, but expect 
it'll just ignore any packets that don't match the specified interface, 
though I can't test that here now.  Something like this should work:

# ipfw nat 123 config if tun0 log deny_in same_ports unreg_only reset
# ipfw add [number] nat 123 ip4 from any to any via tun0

where 123 is an arbitrary number, and ip4 is more specific than 'all'
 
nat logging is likely intense, but useful until things are working. 
deny_in provides some protection till your ipfw is properly setup.
unreg_only means only traffic from your internal network (eg 192.168.*) 
is considered, not traffic from your router itself - maybe quicker.
reset clears the aliasing table if your IP address on tun0 changes.

You can study more about all NAT functionality in 'man 3 libalias'.

  I recompiled kernel with options IPDIVERT few days ago. That caused 
  me unable to connect ISP. One thing I should note here, always run 
  ppp before natd. Last time when I was on GENERIC kernel, I couldn't 
  connect ISP because my /etc/rc.conf contained natd. So natd ran 

Again, I kinda doubt this is cause and effect; I can't see how the mere 
presence of ipdivert could have any such effect.  Perhaps the extra 
logging in ppp.log suggested might help debug this (other) problem?

  before ppp, which was run 
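As an added example (mine, not from the thread, FreeBSD's rc.firewall or ipfw itself): a POSIX sh script that prints an ipfw ruleset built around Ian's in-kernel nat instance with the translation rule placed before check-state, plus a check that reads `ipfw list` output and flags the divert-after-check-state ordering he warns about. tun0, nat instance 123 and 192.168.1.0/24 are assumed values, and the sample listing is constructed to match the rule order Pongthep describes (check-state at 100, divert at 101).

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers around the ipfw nat advice:
#  - gen_ipfw_nat_rules: prints (does not apply) a ruleset whose translation
#    rule comes before check-state, so inbound replies are matched against the
#    dynamic rules with their LAN address already restored;
#  - check_nat_order: reads `ipfw list`-style lines on stdin and reports when
#    the first divert/nat rule is numbered after the first check-state.
# Assumed values: tun0 as the ppp interface (ppp run without -nat), 123 as the
# nat instance number, 192.168.1.0/24 as the LAN behind the FreeBSD box.

gen_ipfw_nat_rules() {
    ext_if=${1:-tun0}
    nat_id=${2:-123}
    lan=${3:-192.168.1.0/24}
    cat <<EOF
# in-kernel NAT instance bound to the ppp interface (the config line Ian gives):
# deny_in drops unsolicited inbound packets, reset clears the table on re-dial
ipfw -q nat $nat_id config if $ext_if log deny_in same_ports unreg_only reset
# anti-spoofing: private source addresses never legitimately arrive via the modem
ipfw -q add 100 deny ip from 10.0.0.0/8 to any in via $ext_if
ipfw -q add 100 deny ip from 172.16.0.0/12 to any in via $ext_if
ipfw -q add 100 deny ip from 192.168.0.0/16 to any in via $ext_if
# translate first, then consult dynamic state
ipfw -q add 200 nat $nat_id ip4 from any to any via $ext_if
ipfw -q add 300 check-state
ipfw -q add 400 allow ip from $lan to any keep-state
ipfw -q add 400 allow ip from me to any keep-state
ipfw -q add 65000 deny log ip from any to any
EOF
}

# Converts the generated "ipfw -q add N ..." lines into the "NNNNN ..." shape
# that `ipfw list` prints, so the same check can run before anything is loaded.
as_listing() {
    awk '$1 == "ipfw" && $3 == "add" {
        printf "%05d", $4
        for (i = 5; i <= NF; i++) printf " %s", $i
        print ""
    }'
}

# Exit status: 0 = translation precedes check-state, 1 = wrong order,
# 2 = no divert/nat rule found at all.
check_nat_order() {
    awk '
        ($2 == "divert" || $2 == "nat") && nat == "" { nat = $1 + 0 }
        $2 == "check-state" && cs == ""             { cs = $1 + 0 }
        END {
            if (nat == "") { print "no divert/nat rule found"; exit 2 }
            if (cs != "" && cs < nat) {
                printf "check-state %05d precedes divert/nat %05d: move NAT earlier\n", cs, nat
                exit 1
            }
            printf "ok: divert/nat %05d precedes check-state\n", nat
            exit 0
        }'
}

# Constructed sample listing: the order Pongthep describes (100 check-state,
# then 101 divert, 102 pass), which is the order Ian advises against.
SAMPLE_BAD='00100 check-state
00101 divert 8668 ip from any to any via tun0
00102 allow ip from any to any
65535 deny ip from any to any'

# Demo when IPFW_NAT_DEMO is set: show the generated rules, then run the check
# on the constructed sample (expected to report the wrong order).
if [ -n "${IPFW_NAT_DEMO:-}" ]; then
    gen_ipfw_nat_rules tun0 123 192.168.1.0/24
    printf '%s\n' "$SAMPLE_BAD" | check_nat_order
fi
```

Run with `IPFW_NAT_DEMO=1 sh script.sh` to see both parts; pipe a real `ipfw list` into check_nat_order to audit an existing ruleset.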

Re: Problem about ppp -nat

2008-11-28 Thread Pongthep Kulkrisada
Hi all,

 I didn't touch /etc/ppp/ppp.conf, which has been working for 5 years
 since FBSD5.0R. Even if I go back to GENERIC kernel. I could not dial out
 to ISP in any ways. I didn't know what I do wrong even if
 I did read many docs.
I tried exactly what is described in the handbook. But all failed, I still 
can't dial ISP. I think that posting /etc/ppp/ppp.conf may be useful for your 
diagnostic. Note that this file has been used for a long time and never changed. 
But I've just been reminded that ppp has changed from version to version. My 
ppp.conf may not suit the current version. I don't know.

# cat /etc/ppp/ppp.conf

default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)

 set device /dev/cuad0
 set ctsrts off # enables software flow control
 set accmap 000a # comments out these 2 lines for hardware flow control

 set speed 115200
 disable pred1
 deny pred1
 disable lqr
 deny lqr
 set dial ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \
\\ AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 180 CONNECT
 set redial 3 20
 enable dns # request DNS info (for resolv.conf)

isp:
 set phone 0123456789
 set authname [EMAIL PROTECTED]
 set authkey mypassword
 set timeout 0
 add! default HISADDR   # Add a (sticky) default route
 set openmode active
 accept pap
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add 0 0 HISADDR

Thank you.
Pongthep


Re: Problem about ppp -nat

2008-11-23 Thread Andrew

Hi Pongthep,

Pongthep Kulkrisada wrote:

Hi All,

Firstly, I'm sorry for late reply. For simplicity to your responses, I shall
ask question by question...

* Manolis Kiagias ([EMAIL PROTECTED]) wrote:

There are at least two ways that I know of to achieve this. One uses the
ipfw firewall, the other the pf firewall.
For the ipfw solution, look at the FreeBSD Handbook:



http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
1. I heard that ppp itself has capability of NAT. It can work with the
command ppp -nat and without running natd. Please tell me whether it is
right or wrong. 


That is correct, it doesn't require natd for 'ppp -nat'

Just setup your fw of choice as if the tun0 device is the external 
device and leave all the nat stuff completely out of it.


Put any port forwarding rules you need in the ppp.conf file.



ipfw is the same. If natd is not used, I can't add the rule
...



Correct, you need natd if you will be using ipfw for your NAT rules.


add divert natd ip from any to any via tun0

to /etc/ipfw.rules. I'm confused.

2. And if natd is still required, what -nat argument (ppp -nat) is for?



natd isn't required for ppp -nat.

HTH the confusion.

cya
Andrew


This worked fine for me, although I prefer to use pf. Here is how I
setup pf (Adjust for your interfaces as necessary)

My Internet interface is rl0, setup in rc.conf as:

ifconfig_rl0="inet 192.168.0.100 netmask 255.255.255.0"

My local interface is rl1, setup in rc.conf as:

ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"

3. I haven't mentioned that I can't use this configuration. I have 2
interfaces i.e. public and private LAN. But I have only one NIC card for
private LAN. I don't have NIC card for public. I'm using 56k modem to
connect the outside world. I think I can't add

ifconfig_tun0="inet 192.168.0.100 netmask 0xff00"

to /etc/rc.conf. If I'm wrong, please tell me.
I did much googling. All sites always refer to 2 NIC cards being used like your
example. I do have only one NIC card + 56k serial modem (/dev/cuad0).


(I also have a defaultrouter setting which probably does not apply to you)

I have nameserver entries in /etc/resolv.conf (or setup your own DNS
server if you wish)

4. I also have nameserver entries. I tried setting DNS server on my WinXP
host to both gateway (FBSD host) and DNS servers of ISP. Both don't work.


Use these settings in rc.conf for pf:

pf_enable=YES
pflog_logfile=/var/log/pflog
pflog_flags=
pf_rules=/etc/pf.conf
pf_flags=
gateway_enable=YES

5. I think I have equivalent setting of ipfw in /etc/rc.conf but don't work.
gateway_enable=YES
firewall_enable=YES
firewall_type=OPEN
firewall_quite=YES
firewall_script=/etc/ipfw.rules
firewall_logging=YES


Run:
# sysctl net.inet.ip.forwarding=1
# /etc/rc.d/routing restart

Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists reboots

6. I recompiled my kernel.
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=120
options IPDIVERT
I think it should be equivalent to sysctl setting.


Add the following rule to /etc/pf.conf

nat pass on rl0 from rl1:network to any -> rl0

AFAIR, if rl0 has a dynamic address, you will have to write it with
parentheses, like:

nat pass on rl0 from rl1:network to any -> (rl0)
(Note that in /etc/pf.conf translation rules like the above are placed
above filtering rules like pass or block etc.)
You may have to adjust /etc/pf.conf filtering rules, assuming you have

any.

Restart some services

# /etc/rc.d/netif restart
# /etc/rc.d/routing restart
# /etc/rc.d/pf restart

or simply reboot, and you should be set.

7. I don't know about PF.

* Fbsd1 ([EMAIL PROTECTED]) wrote:

You need to run dhcp so you can assign ip address on the LAN so the down
stream xp box can gain access to the public internet through your
gateway freebsd box.  There are detailed step by step instructions in
the install guide at www.a1poweruser.com

8. I read doc from the mentioned site. The doc does not mention anything
about sharing ppp dial-up to the other host. And I'm sorry dhcp is not the
point of my concern now. I only want to share internet access whether IP is
static or dynamic. BTW the doc is very good anyway. I shall keep it. :-)

* Polytropon ([EMAIL PROTECTED]) wrote:

First of all, I made my kernel capable; significant parts:
# Firewall, NAT
...blah

9. I compiled the kernel following your advice except NETGRAPH. I think
PPPoE is not the point of concern


Configuration in /etc/rc.conf goes this way:
   ifconfig_xl0="inet 192.168.0.1 netmask 0xff00"
   ifconfig_rl0="inet 192.168.1.1 netmask 0xff00 media 10baseT/UTP"

10. As said earlier, my interface connecting to the outside is a 56k serial modem
(/dev/cuad0). I think I can't set /dev/cuad0 (or even tun0) in this way.

11. CONCLUSION: I did read many documents. The more I read, the more confused I get.
I tried many possible things but it still doesn't work. My RECENT configurations

Re: Problem about ppp -nat

2008-11-23 Thread Ian Smith
On Sun, 23 Nov 2008 14:14:44 +0700 Pongthep Kulkrisada [EMAIL PROTECTED] 
wrote:
  Hi All,
  
  Firstly, I'm sorry for late reply. For simplicity to your responses, I shall
  ask question by question...
  
  * Manolis Kiagias ([EMAIL PROTECTED]) wrote:
  
   There are at least two ways that I know of to achieve this. One uses the
   ipfw firewall, the other the pf firewall.
   For the ipfw solution, look at the FreeBSD Handbook:
  
  
  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

Since you're running FreeBSD 7 with ipfw, there's actually a third way: 
in-kernel NAT.  See ipfw(8) searching for NAT (in caps) for the section.

  1. I heard that ppp itself has capability of NAT. It can work with the
  command ppp -nat and without running natd. Please tell me whether it is
  right or wrong. ipfw is the same. If natd is not used, I can't add the rule
  ...
  
  add divert natd ip from any to any via tun0
  
  to /etc/ipfw.rules. I'm confused.

You're right in that if you use ppp -nat, NAT's already done by the time 
ipfw (or pf, ipf etc) see the packets.  ppp has some simple and limited 
rules you might apply, but I'd have to recommend using either natd(8) or 
ipfw nat, and running ppp without -nat.  This leaves open for you the 
possibility of using mpd rather than ppp, either dialup or pppoe etc.

All use the same libalias(3) libraries, but both ppp -nat and natd run 
in userland, while ipfw nat runs in-kernel, which may not matter at 
dialup speeds, but will migrate easily if/when you get a faster link.

  2. And if natd is still required, what -nat argument (ppp -nat) is for?

For some very simple nat setups, mostly in ye olden days :)

   This worked fine for me, although I prefer to use pf. Here is how I
   setup pf (Adjust for your interfaces as necessary)
  
   My Internet interface is rl0, setup in rc.conf as:
  
   ifconfig_rl0="inet 192.168.0.100 netmask 255.255.255.0"
  
   My local interface is rl1, setup in rc.conf as:
  
   ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"

  3. I haven't mentioned that I can't use this configuration. I have 2
  interfaces i.e. public and private LAN. But I have only one NIC card for
  private LAN. I don't have NIC card for public. I'm using 56k modem to
  connect the outside world. I think I can't add
  
  ifconfig_tun0="inet 192.168.0.100 netmask 0xff00"
  
  to /etc/rc.conf. If I'm wrong, please tell me.

No, and you don't need to; ppp (or mpd) assigns the 'outside' IP and 
sets up the default route through it on connection or renegotiation, 
assuming your ppp.conf is setup right.  I gather from your previous 
success with ppp that this is most likely not a problem.

  I did much googling. All sites always refer to 2 NIC cards being used like your
  example. I do have only one NIC card + 56k serial modem (/dev/cuad0).

That's fine.  tun0 for ppp (or ng0 for mpd) will be configured as your 
outside interface, and ipfw only needs that, not its (varying) address.
 
   (I also have a defaultrouter setting which probably does not apply to you)
  
   I have nameserver entries in /etc/resolv.conf (or setup your own DNS
   server if you wish)

  4. I also have nameserver entries. I tried setting DNS server on my WinXP
  host to both gateway (FBSD host) and DNS servers of ISP. Both don't work.

Once you get the NAT right, that should work out.  I think ppp will 
fetch nameserver addresses for you if so configured, mpd sure will, or 
if they're constant just use resolv.conf and have ppp leave it alone.

   Use these settings in rc.conf for pf:
  
   pf_enable=YES
   pflog_logfile=/var/log/pflog
   pflog_flags=
   pf_rules=/etc/pf.conf
   pf_flags=
   gateway_enable=YES

  5. I think I have equivalent setting of ipfw in /etc/rc.conf but don't work.
  gateway_enable=YES
  firewall_enable=YES
  firewall_type=OPEN
  firewall_quite=YES

That's 'firewall_quiet' - I think it only gets used by the default rules 
in rc.firewall, unless you add a check for it in your own, to add a '-q' 
flag to each ipfw command, so it's not noisy on boot or reloading ipfw.

  firewall_script=/etc/ipfw.rules
  firewall_logging=YES

If you've used the IPFW section in the Handbook as a guide, I suggest 
reconsidering that after half a dozen browses of ipfw(8), and instead 
try using the 'simple' ruleset in rc.firewall at least to get going; of 
particular concern is the placement of divert rule/s in that scenario, 
where those anti-spoofing rules protect you from NAT misconfiguration.

   Run:
   # sysctl net.inet.ip.forwarding=1
   # /etc/rc.d/routing restart
  
   Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists reboots

gateway_enable=YES in rc.conf is an easier way to accomplish the same.

  6. I recompiled my kernel.
  options IPFIREWALL
  options IPFIREWALL_FORWARD
  options IPFIREWALL_DEFAULT_TO_ACCEPT
  options IPFIREWALL_VERBOSE
  options IPFIREWALL_VERBOSE_LIMIT=120
  options IPDIVERT
  I think it should be equivalent to sysctl setting.

Ok. 

Re: Problem about ppp -nat

2008-11-22 Thread Pongthep Kulkrisada
Hi All,

Firstly, I'm sorry for late reply. For simplicity to your responses, I shall
ask question by question...

* Manolis Kiagias ([EMAIL PROTECTED]) wrote:

 There are at least two ways that I know of to achieve this. One uses the
 ipfw firewall, the other the pf firewall.
 For the ipfw solution, look at the FreeBSD Handbook:


http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
1. I heard that ppp itself has capability of NAT. It can work with the
command ppp -nat and without running natd. Please tell me whether it is
right or wrong. ipfw is the same. If natd is not used, I can't add the rule
...

add divert natd ip from any to any via tun0

to /etc/ipfw.rules. I'm confused.

2. And if natd is still required, what -nat argument (ppp -nat) is for?

 This worked fine for me, although I prefer to use pf. Here is how I
 setup pf (Adjust for your interfaces as necessary)

 My Internet interface is rl0, setup in rc.conf as:

 ifconfig_rl0="inet 192.168.0.100 netmask 255.255.255.0"

 My local interface is rl1, setup in rc.conf as:

 ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"
3. I haven't mentioned that I can't use this configuration. I have 2
interfaces i.e. public and private LAN. But I have only one NIC card for
private LAN. I don't have NIC card for public. I'm using 56k modem to
connect the outside world. I think I can't add

ifconfig_tun0="inet 192.168.0.100 netmask 0xff00"

to /etc/rc.conf. If I'm wrong, please tell me.
I did much googling. All sites always refer to 2 NIC cards being used like your
example. I do have only one NIC card + 56k serial modem (/dev/cuad0).

 (I also have a defaultrouter setting which probably does not apply to you)

 I have nameserver entries in /etc/resolv.conf (or setup your own DNS
 server if you wish)
4. I also have nameserver entries. I tried setting DNS server on my WinXP
host to both gateway (FBSD host) and DNS servers of ISP. Both don't work.

 Use these settings in rc.conf for pf:

 pf_enable=YES
 pflog_logfile=/var/log/pflog
 pflog_flags=
 pf_rules=/etc/pf.conf
 pf_flags=
 gateway_enable=YES
5. I think I have equivalent setting of ipfw in /etc/rc.conf but don't work.
gateway_enable=YES
firewall_enable=YES
firewall_type=OPEN
firewall_quite=YES
firewall_script=/etc/ipfw.rules
firewall_logging=YES

 Run:
 # sysctl net.inet.ip.forwarding=1
 # /etc/rc.d/routing restart

 Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists reboots
6. I recompiled my kernel.
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=120
options IPDIVERT
I think it should be equivalent to sysctl setting.

 Add the following rule to /etc/pf.conf

 nat pass on rl0 from rl1:network to any -> rl0

 AFAIR, if rl0 has a dynamic address, you will have to write it with
 parentheses, like:

 nat pass on rl0 from rl1:network to any -> (rl0)
 (Note that in /etc/pf.conf translation rules like the above, are placed
 above filtering rules like pass or block etc)
 You may have to adjust /etc/pf.conf filtering rules, assuming you have
any.

 Restart some services

 # /etc/rc.d/netif restart
 # /etc/rc.d/routing restart
 # /etc/rc.d/pf restart

 or simply reboot, and you should be set.
7. I don't know about PF.

* Fbsd1 ([EMAIL PROTECTED]) wrote:
 You need to run dhcp so you can assign ip address on the LAN so the down
 stream xp box can gain access to the public internet through your
 gateway freebsd box.  There are detailed step-by-step instructions in
 the install guide at www.a1poweruser.com
8. I read doc from the mentioned site. The doc does not mention anything
about sharing ppp dial-up to the other host. And I'm sorry dhcp is not the
point of my concern now. I only want to share internet access whether IP is
static or dynamic. BTW the doc is very good anyway. I shall keep it. :-)

* Polytropon ([EMAIL PROTECTED]) wrote:
 First of all, I made my kernel capable; significant parts:
 # Firewall, NAT
 ...blah
9. I compiled the kernel following your advice except NETGRAPH. I think
PPPoE is not the point of concern.

 Configuration in /etc/rc.conf goes this way:
ifconfig_xl0=inet 192.168.0.1 netmask 0xff00
ifconfig_rl0=inet 192.168.1.1 netmask 0xff00 media 10baseT/UTP
10. As said earlier, my interface connecting to the outside is a 56k serial modem
(/dev/cuad0). I think I can't set /dev/cuad0 (or even tun0) in this way.

11. CONCLUSION: I did read much documentation. The more I read, the more confused I get.
I tried many possible things but they still don't work. My RECENT configurations
are as follows.

/etc/rc.conf
gateway_enable=YES
firewall_enable=YES
firewall_type=OPEN
firewall_quite=YES
natd_enable=YES
natd_interface=tun0
natd_flags=-s -u -m

kernel options
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=120
options IPDIVERT

/etc/ipfw.rules
add divert natd ip from any to any via tun0


Re: Problem about ppp -nat

2008-11-22 Thread Manolis Kiagias
Pongthep Kulkrisada wrote:
 * Manolis Kiagias ([EMAIL PROTECTED]) wrote:
 This worked fine for me, although I prefer to use pf. Here is how I
 setup pf (Adjust for your interfaces as necessary)

 My Internet interface is rl0, setup in rc.conf as:

 ifconfig_rl0=inet 192.168.0.100 netmask 255.255.255.0

 My local interface is rl1, setup in rc.conf as:

 ifconfig_rl1=inet 192.168.1.100 netmask 255.255.255.0
 3. I haven't mentioned that I can't use this configuration. I have 2
 interfaces i.e. public and private LAN. But I have only one NIC card for
 private LAN. I don't have NIC card for public. I'm using 56k modem to
 connect the outside world. I think I can't add

 ifconfig_tun0=inet 192.168.0.100 netmask 0xff00

You won't of course put this in rc.conf. However AFAIK tun0 is *still*
a network interface and can appear in firewall rules.
So the PF method I described should work, tun0 is considered the
external network interface, the rule would be:

nat pass on tun0 from rl1:network to any -> (tun0)

where rl1 would be the internal interface. Needless to say, I have no
way of testing the above as I don't have a modem.
Since obviously you want to use ipfw, I still suggest you go by the
handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

First, make sure Internet works normally on your FreeBSD host.  Then
apply the above instructions. The example in the handbook shows a line:

natd_interface=fxp0

which in your case would be:

natd_interface=tun0

It seems you already have these settings though, so I would review the
Handbook instructions and remove anything else from the configuration
which does not appear there. Once things are working, go back and add
firewall rules etc.  Handbook instructions worked for me (with two
ethernet cards though) out of the box.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
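As an added example, not code from the thread, from the Handbook or from FreeBSD: a small POSIX shell audit of an rc.conf and an ipfw rules file for the natd gateway pieces the Handbook page above describes (gateway_enable, natd_enable, natd_interface, the matching divert rule), plus a check for misspelt firewall_/natd_ variables, which rc(8) ignores silently. The function names rc_value, check_natd_gateway and demo_poster_config are my own; the sample input is the poster's final configuration from this thread, reconstructed in a temporary directory.

```shell
# Added example, not from the thread or from FreeBSD: audit an rc.conf and an
# ipfw rules file for the natd gateway pieces the Handbook page asks for.
# It reads files given as arguments, never the live system, so it runs anywhere.

rc_value() {   # rc_value FILE VAR -> last assignment of VAR, quotes stripped
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\).*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Prints each finding; returns 0 when nothing is missing, 1 otherwise.
check_natd_gateway() {
    rc=$1; rules=$2; status=0
    [ "$(rc_value "$rc" gateway_enable)" = "YES" ] ||
        { echo "MISSING gateway_enable=YES: kernel will not forward LAN packets"; status=1; }
    [ "$(rc_value "$rc" natd_enable)" = "YES" ] ||
        { echo "MISSING natd_enable=YES"; status=1; }
    iface=$(rc_value "$rc" natd_interface)
    if [ -z "$iface" ]; then
        echo "MISSING natd_interface (tun0 for a user-ppp dial-up link)"; status=1
    elif ! grep -Eq "divert +natd +(ip|all) +from +any +to +any +via +${iface}( |\$)" "$rules"; then
        echo "MISSING ipfw rule: divert natd ip from any to any via $iface"; status=1
    fi
    # rc(8) silently ignores unknown variables, so a misspelt knob never takes effect.
    for var in $(grep -Eo '^[[:space:]]*(firewall|natd)_[a-z_]+=' "$rc" | tr -d ' \t='); do
        case $var in
            firewall_enable|firewall_type|firewall_script|firewall_quiet|firewall_logging) ;;
            natd_enable|natd_interface|natd_flags|natd_program) ;;
            *) echo "UNKNOWN rc.conf variable: $var (typo?)"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample input: the poster's final rc.conf and ipfw.rules from the
# thread, written to a temporary directory. Returns check_natd_gateway's status.
demo_poster_config() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/rc.conf" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_quite="YES"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-s -u -m"
EOF
    echo '/sbin/ipfw add divert natd ip from any to any via tun0' > "$dir/ipfw.rules"
    check_natd_gateway "$dir/rc.conf" "$dir/ipfw.rules" && demo_status=0 || demo_status=$?
    rm -rf "$dir"; return $demo_status
}
```

Run `demo_poster_config` to see the one finding it reports on the poster's files: the divert rule and natd settings are all present, but firewall_quite is not a variable rc(8) knows.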


Re: Problem about ppp -nat

2008-11-21 Thread Fbsd1

Pongthep Kulkrisada wrote:

Hi All,

I have just subscribed to freebsd-questions and I have a question about ppp 
-nat.

I have 2 computers. One is running FreeBSD-7.0R, the other is running WinXP. 
The host running FBSD7.0R has been connecting to the outside world using 
user-ppp without any problem for very long. Now I want to share internet access 
to the other host behind NAT through this FBSD host.
My FBSD machine has 2 interfaces i.e.
tun0 (connecting to ISP) with dynamic IP (of course)
fxp0 (for internal LAN) with static IP of 192.168.1.10
My WinXP machine has 1 interface (internal LAN) with static IP of 192.168.1.11

Previously I have a router acting as a gateway for all machines behind NAT. But 
now I want FBSD machine to work as a gateway. I have never done this before. I 
tried some googling with reading ppp(8) and ipfw(8). And I tried masquerading 
but it didn't work. I have plenty configuration files. But the relevant 
configurations are listed here.

/etc/rc.conf
# enable IP forwarding
gateway_enable=YES
# previously I ran web-server, just disable it or comment it out, not sure why!
#apache_enable=YES

On the host running WinXP, I set its gateway and DNS server to the IP of ppp 
host i.e. 192.168.1.10.

I then inserted the following line as the first rule in /etc/ipfw.rules.
/sbin/ipfw add allow all from any to any via fxp0
(I know this rule is dangerous, but just for testing.)

I then issue the ppp command.
[EMAIL PROTECTED]:~# ppp -background -nat myisp

FBSD host (running ppp) can access anywhere but WinXP host can't. I learned 
from some site explaining that ppp itself has the capability of IP 
masquerading. And it does not require natd(8). So I don't mention about natd 
here.
Anyone have a clue or who have done the correct configurations, please point me 
out.

Thank you in advance.
Pongthep
You need to run dhcp so you can assign ip address on the LAN so the down 
stream xp box can gain access to the public internet through your 
gateway freebsd box.  There are detailed step-by-step instructions in 
the install guide at www.a1poweruser.com


Re: Problem about ppp -nat

2008-11-21 Thread Polytropon
Although others have already given you good advice, I'd like to
add that I'm running a similar setup here, but without any
of these Windows. :-)

First of all, I made my kernel capable; significant parts:

# Firewall, NAT
options DUMMYNET
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=500
options IPFILTER
options IPDIVERT

# PPPoE: netgraph(4) system
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_SOCKET
options NETGRAPH_PPPOE

If you don't want to compile a custom kernel, it's no problem. As
far as I know, the required kernel modules will be loaded automatically.

My setting includes two network interfaces, just like yours.
Interface xl0 + tun0 is the PPPoE connection to the outside, while
interface rl0 is the connection to the (slow) switch where the clients
are connected.

Configuration in /etc/rc.conf goes this way:

ifconfig_xl0=inet 192.168.0.1  netmask 0xff00
ifconfig_rl0=inet 192.168.1.1  netmask 0xff00  media 10baseT/UTP
firewall_enable=YES
firewall_type=/etc/ipfw.conf
gateway_enable=YES
named_enable=YES
natd_enable=YES
natd_interface=xl0
ppp_enable=YES
ppp_profile=mydslprovider
ppp_mode=ddial
ppp_nat=YES

The connection is established via /etc/ppp/ppp.conf settings.
Then I use a DHCP server to assign IPs to the clients instead
of giving them fixed ones. In fact, they are fixed because I set
up isc-dhcpd3-server (from ports) to assign IPs according to the
respective MAC addresses. :-)

Important note to IPFW settings: Have the line

add divert natd ip  from any to any via xl0

in your /etc/ipfw.conf.

If you need to, you can add flags for natd in order to have a
certain kind of port or address redirection, such as

natd_flags=-redirect_port tcp 192.168.1.5:23 

or

natd_flags=-redirect_address 192.168.1.2 123.456.789.123 \
-redirect_address 192.168.1.5 123.456.789.123

In any case, go and check your Windows the usual way. Don't 
forget to do it, otherwise you'll end up searching for an error
on the correctly working FreeBSD installation. :-)

Check if the Windows has got the correct IP, if the name server
settings are correct and if you can (1st) ping the gateway
machine and (2nd) something outside the gateway machine.



-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: Problem about ppp -nat

2008-11-20 Thread Manolis Kiagias
Pongthep Kulkrisada wrote:
 Hi All,

 I have just subscribed to freebsd-questions and I have a question about ppp 
 -nat.

 I have 2 computers. One is running FreeBSD-7.0R, the other is running WinXP. 
 The host running FBSD7.0R has been connecting to the outside world using 
 user-ppp without any problem for very long. Now I want to share internet 
 access to the other host behind NAT through this FBSD host.
 My FBSD machine has 2 interfaces i.e.
   tun0 (connecting to ISP) with dynamic IP (of course)
   fxp0 (for internal LAN) with static IP of 192.168.1.10
 My WinXP machine has 1 interface (internal LAN) with static IP of 192.168.1.11

 Previously I have a router acting as a gateway for all machines behind NAT. 
 But now I want FBSD machine to work as a gateway. I have never done this 
 before. I tried some googling with reading ppp(8) and ipfw(8). And I tried 
 masquerading but it didn't work. I have plenty configuration files. But the 
 relevant configurations are listed here.

 /etc/rc.conf
 # enable IP forwarding
 gateway_enable=YES
 # previously I ran web-server, just disable it or comment it out, not sure 
 why!
 #apache_enable=YES

 On the host running WinXP, I set its gateway and DNS server to the IP of ppp 
 host i.e. 192.168.1.10.

 I then inserted the following line as the first rule in /etc/ipfw.rules.
 /sbin/ipfw add allow all from any to any via fxp0
 (I know this rule is dangerous, but just for testing.)

 I then issue the ppp command.
 [EMAIL PROTECTED]:~# ppp -background -nat myisp

 FBSD host (running ppp) can access anywhere but WinXP host can't. I learned 
 from some site explaining that ppp itself has the capability of IP 
 masquerading. And it does not require natd(8). So I don't mention about natd 
 here.
 Anyone have a clue or who have done the correct configurations, please point 
 me out.

 Thank you in advance.
 Pongthep

There are at least two ways that I know of to achieve this. One uses the
ipfw firewall, the other the pf firewall.
For the ipfw solution, look at the FreeBSD Handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

This worked fine for me, although I prefer to use pf. Here is how I
setup pf (Adjust for your interfaces as necessary)

My Internet interface is rl0, setup in rc.conf as:

ifconfig_rl0=inet 192.168.0.100 netmask 255.255.255.0

My local interface is rl1, setup in rc.conf as:

ifconfig_rl1=inet 192.168.1.100 netmask 255.255.255.0

(I also have a defaultrouter setting which probably does not apply to you)

I have nameserver entries in /etc/resolv.conf (or setup your own DNS
server if you wish)

Use this settings in rc.conf for pf:

pf_enable=YES
pflog_logfile=/var/log/pflog
pflog_flags=
pf_rules=/etc/pf.conf
pf_flags=
gateway_enable=YES

Run:
# sysctl net.inet.ip.forwarding=1
# /etc/rc.d/routing restart

Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists reboots

Add the following rule to /etc/pf.conf

nat pass on rl0 from rl1:network to any -> rl0

AFAIR, if rl0 has a dynamic address, you will have to write it with
parentheses, like:

nat pass on rl0 from rl1:network to any -> (rl0)

(Note that in /etc/pf.conf translation rules like the above, are placed
above filtering rules like pass or block etc)
You may have to adjust /etc/pf.conf filtering rules, assuming you have any.

Restart some services

# /etc/rc.d/netif restart
# /etc/rc.d/routing restart
# /etc/rc.d/pf restart

or simply reboot, and you should be set.

Note that in your client machine, you should set gateway to point to
your FreeBSD machine, but unless you are running your own DNS server,
DNS entries should point to your ISP.  If you combine this setup with a
DHCP server from the Ports Collection, you will have pretty much a
standard home router out of a FreeBSD machine. There are also other
capabilities, like port forwarding and so on, but I'll let you figure
them out yourself ;)

