Problem accessing net from a NAT Firewall

David Wassman myfreebsd at
Sat Feb 12 04:12:37 GMT 2005

Ok, after two days with little sleep I am now going to ask for some 
help. Here are my problems to ponder and I will give my sys info and 
configs after.

1) I want to connect to my wireless router (A) from one computer (B) and 
connect through it a wired network (C) to access the internet. Is this 
possible? I know you can do it with a wired network through nat but am 
not sure about the wireless in the middle.

2) I have set up the computer A as a router with a firewall and NAT. I can 
access the web from it through the wireless link but cannot ping out from 
C behind it.

The net hardware:
I have cable.
A -     Linksys WGT54G
D -     WG511T wireless PC card
        Xircom 10Mbps PC card
C -     RealTek 8139
        3Com 3c905-TX

I have put the following options in the kernel and compiled
IPSEC               (I know this is for IPsec and not the firewall 
directly. I have not installed racoon and am not using IPsec. Included 
it here in case this is the problem.)

I modified the following configs from this site
# use DHCP for external interface
ifconfig_ath0="ssid xxxx"


# static address for internal interface
ifconfig_xe0="inet netmask broadcast"

# enable IP forwarding

# enable firewall
# set path to custom firewall config
# be non-verbose? set to YES after testing

# enable natd, the NAT daemon
# which is the interface to the internet that we hide behind?
# flags for natd
natd_flags="-f /etc/natd.conf"

# be quiet and flush all rules on start
-q flush
# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from to any in via ep0
add 00302 deny ip from to any in via ath0
add 00303 deny ip from to any in via ath0

# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via ath0
add 01001 check-state
# allow some traffic from the local net to the router
add 04000 allow tcp from to me dst-port 22 in via xe0 setup keep-state
add 04002 allow tcp from to me dst-port 123 in via xe0 setup keep-state
add 04003 allow udp from to me dst-port 123 in via xe0 
add 04006 allow udp from to me dst-port 53 in via xe0
# drop everything else
add 04009 deny ip from to me
# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from to any in via xe0 keep-state

# allow all outgoing traffic from the router (maybe you should be more 
add 05010 allow ip from me to any out keep-state
# drop everything that has come so far. This means it doesn't belong to an established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 59999 deny ip from any to me dst-port 135,137-139,445,4665
add 60000 deny log tcp from any to any established
add 60000 deny log ip from any to any
# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more 
add 61000 divert natd ip from to any out via ath0
add 61001 allow ip from any to any

interface ath0
#dynamic                                        (Don't think I need this as not running any services for the outside)
# dynamically open fw for ftp, irc
#punch_fw 53

Any help would be greatly appreciated as I am very tired of pulling my 
hair out at 4 in the morning. It is also annoying to have to use M$ on 
my wife's laptop to access the internet. Please help bring FreeBSD back 
into my everyday life :-)