Re: Problem about ppp -nat
- From: Andrew <awd@xxxxxxxxxxx>
- Date: Sun, 23 Nov 2008 19:34:55 +1030
Hi Pongthep,
Pongthep Kulkrisada wrote:
> Hi All,
> Firstly, I'm sorry for the late reply. For the sake of simplicity in your
> responses, I shall ask question by question...
>
> * Manolis Kiagias (sonic2000gr@xxxxxxxxx) wrote:
>> There are at least two ways that I know of to achieve this. One uses the
>> ipfw firewall, the other the pf firewall.
>> For the ipfw solution, look at the FreeBSD Handbook:
>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
>
> 1. I heard that ppp itself has the capability of NAT. It can work with the
> command ppp -nat and without running natd. Please tell me whether it is
> right or wrong.

That is correct, it doesn't require natd for 'ppp -nat'.
Just set up your fw of choice as if the tun0 device is the external device
and leave all the nat stuff completely out of it.
Put any port forwarding rules you need in the ppp.conf file.

> ipfw is the same. If natd is not used, I can't add the rule
...

Correct, you need natd if you will be using ipfw for your NAT rules.

> add divert natd ip from any to any via tun0
> to /etc/ipfw.rules. I'm confused.
>
> 2. And if natd is still required, what is the -nat argument (ppp -nat) for?

natd isn't required for ppp -nat.

HTH the confusion.

cya
Andrew

>> This worked fine for me, although I prefer to use pf. Here is how I
>> set up pf (Adjust for your interfaces as necessary)
>> My Internet interface is rl0, set up in rc.conf as:
>> ifconfig_rl0="inet 192.168.0.100 netmask 255.255.255.0"
>> My local interface is rl1, set up in rc.conf as:
>> ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"
>
> 3. I haven't mentioned that I can't use this configuration. I have 2
> interfaces, i.e. public and private LAN. But I have only one NIC card, for the
> private LAN. I don't have a NIC card for the public one. I'm using a 56k modem
> to connect to the outside world. I think I can't add
> ifconfig_tun0="inet 192.168.0.100 netmask 0xffffff00"
> to /etc/rc.conf. If I'm wrong, please tell me.
> I did much googling. All sites always refer to 2 NIC cards being used, like your
> example. I have only one NIC card + a 56k serial modem (/dev/cuad0).
>
>> (I also have a defaultrouter setting which probably does not apply to you)
>> I have nameserver entries in /etc/resolv.conf (or set up your own DNS
>> server if you wish)
>
> 4. I also have nameserver entries. I tried setting the DNS server on my WinXP
> host to both the gateway (FBSD host) and the DNS servers of the ISP. Neither works.
>
>> Use these settings in rc.conf for pf:
>> pf_enable="YES"
>> pflog_logfile="/var/log/pflog"
>> pflog_flags=""
>> pf_rules="/etc/pf.conf"
>> pf_flags=""
>> gateway_enable="YES"
>
> 5. I think I have the equivalent settings for ipfw in /etc/rc.conf but they don't work.
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
> firewall_quite="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
>
>> Run:
>> # sysctl net.inet.ip.forwarding=1
>> # /etc/rc.d/routing restart
>> Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists across reboots
>
> 6. I recompiled my kernel.
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=120
> options IPDIVERT
> I think it should be equivalent to the sysctl setting.
>
>> Add the following rule to /etc/pf.conf
>> nat pass on rl0 from rl1:network to any -> rl0
>> AFAIR, if rl0 has a dynamic address, you will have to write it with
>> parentheses, like:
>> nat pass on rl0 from rl1:network to any -> (rl0)
>> (Note that in /etc/pf.conf translation rules like the above are placed
>> above filtering rules like pass or block etc)
>> You may have to adjust /etc/pf.conf filtering rules, assuming you have any.
>
> 7. I don't know about PF.
>
>> Restart some services
>> # /etc/rc.d/netif restart
>> # /etc/rc.d/routing restart
>> # /etc/rc.d/pf restart
>> or simply reboot, and you should be set.
>
> * Fbsd1 (fbsd1@xxxxxxxxxxxxxxx) wrote:
>> You need to run dhcp so you can assign ip addresses on the LAN so the
>> downstream xp box can gain access to the public internet through your
>> gateway freebsd box. There are detailed step by step instructions in
>> the install guide at www.a1poweruser.com
>
> 8. I read the doc from the mentioned site. The doc does not mention anything
> about sharing a ppp dial-up with the other host. And I'm sorry, dhcp is not the
> point of my concern now. I only want to share internet access, whether the IP is
> static or dynamic. BTW the doc is very good anyway. I shall keep it. :-)
>
> * Polytropon (freebsd@xxxxxxxx) wrote:
>> First of all, I made my kernel capable; significant parts:
>> # Firewall, NAT
>> ...blah
>
> 9. I compiled the kernel following your advice except NETGRAPH. I think
> PPPoE is not the point of concern.
>
>> Configuration in /etc/rc.conf goes this way:
>> ifconfig_xl0="inet 192.168.0.1 netmask 0xffffff00"
>> ifconfig_rl0="inet 192.168.1.1 netmask 0xffffff00 media 10baseT/UTP"
>
> 10. As said earlier, my interface connecting to the outside is a 56k serial modem
> (/dev/cuad0). I think I can't set /dev/cuad0 (or even tun0) in this way.
>
> 11. CONCLUSION: I did read many documents. The more I read, the more confused I get.
> I tried many possible things but it still doesn't work. My RECENT configurations
> are as follows.
>
> /etc/rc.conf
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
> firewall_quite="YES"
> natd_enable="YES"
> natd_interface="tun0"
> natd_flags="-s -u -m"
>
> kernel options
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=120
> options IPDIVERT
>
> /etc/ipfw.rules
> add divert natd ip from any to any via tun0
>
> ppp command
> ppp -background -nat myisp
>
> With these settings, my FBSD host can NOT even dial out to the ISP. :-(
> Please, anybody, tell me what I'm doing wrong here.
> At this time I must go back to the original setting in order to dial the ISP.
> And lastly, I'm sorry for the long questions.
> Thank you.
> Pongthep
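Putting Andrew's advice together for the one-NIC plus serial-modem setup described in the thread: the configuration below is an added example, not from any of the posters, and assumes rl0 is the single LAN NIC, 192.168.1.10 is a constructed LAN host, and the ISP phone number, authname and authkey are placeholders. NAT is done by ppp itself (nat enable yes, the same thing the -nat command-line flag turns on), so natd, the divert rule and IPDIVERT are not used at all.

```conf
# /etc/ppp/ppp.conf  (ISP values below are placeholders)
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device /dev/cuad0
 set speed 115200
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 180
 enable dns

myisp:
 set phone 5551234
 set authname myusername
 set authkey mypassword
 # Both ends are negotiated over IPCP, so there is no ifconfig_tun0 line in rc.conf
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 # ppp's built-in NAT; equivalent to starting ppp with -nat
 nat enable yes
 # Optional: port forwarding belongs here, not in natd or an ipfw divert rule
 # (192.168.1.10 is a constructed LAN host; omit if nothing must be reachable)
 nat port tcp 192.168.1.10:80 80

# /etc/rc.conf  (rl0 assumed to be the one LAN NIC)
ifconfig_rl0="inet 192.168.1.100 netmask 255.255.255.0"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
# Deliberately absent: natd_enable, natd_interface, natd_flags,
# and /etc/ipfw.rules carries no "add divert natd ..." line.
# The firewall treats tun0 as the external interface and nothing else.

# Bring the link up (the -nat flag is redundant once nat enable yes is in ppp.conf):
# ppp -background myisp
```

With firewall_type="OPEN" the ruleset passes everything; a tighter ipfw or pf ruleset can be written later against tun0 as the outside interface, still with no NAT rules in it.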
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"