Problem about ppp -nat

Andrew awd at awdcomp.net
Sun Nov 23 01:25:13 PST 2008


Hi Pongthep,

Pongthep Kulkrisada wrote:
> Hi All,
> 
> Firstly, I'm sorry for the late reply. For simplicity of your responses, I shall
> ask question by question...
> 
> * Manolis Kiagias (sonic2000gr at gmail.com) wrote:
>> There are at least two ways that I know of to achieve this. One uses the
>> ipfw firewall, the other the pf firewall.
>> For the ipfw solution, look at the FreeBSD Handbook:
>>
>>
>> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
> 1. I heard that ppp itself has NAT capability. It can work with the
> command ppp -nat and without running natd. Please tell me whether this is
> right or wrong.

That is correct; 'ppp -nat' doesn't require natd.

Just set up your fw of choice as if the tun0 device is the external 
device and leave all the nat stuff completely out of it.

Put any port forwarding rules you need in the ppp.conf file.


> ipfw is the same. If natd is not used, I can't add the rule
> ...
> 

Correct, you need natd if you will be using ipfw for your NAT rules.

> add divert natd ip from any to any via tun0
> 
> to /etc/ipfw.rules. I'm confused.
> 
> 2. And if natd is still required, what is the -nat argument (ppp -nat) for?
> 

natd isn't required for ppp -nat.

HTH the confusion.

cya
Andrew

>> This worked fine for me, although I prefer to use pf. Here is how I
>> set up pf (adjust for your interfaces as necessary):
>>
>> My Internet interface is rl0, setup in rc.conf as:
>>
>> ifconfig_rl0="inet 192.168.0.100 netmask 255.255.255.0"
>>
>> My local interface is rl1, setup in rc.conf as:
>>
>> ifconfig_rl1="inet 192.168.1.100 netmask 255.255.255.0"
> 3. I haven't mentioned that I can't use this configuration. I have 2
> interfaces, i.e. public and private LAN, but I have only one NIC card, for the
> private LAN. I don't have a NIC card for the public side. I'm using a 56k modem to
> connect to the outside world. I think I can't add
> 
> ifconfig_tun0="inet 192.168.0.100 netmask 0xffffff00"
> 
> to /etc/rc.conf. If I'm wrong, please tell me.
> I did much googling. All sites always refer to 2 NIC cards being used, like your
> example. I have only one NIC card + a 56k serial modem (/dev/cuad0).
> 
>> (I also have a defaultrouter setting which probably does not apply to you)
>>
>> I have nameserver entries in /etc/resolv.conf (or setup your own DNS
>> server if you wish)
> 4. I also have nameserver entries. I tried setting the DNS server on my WinXP
> host to both the gateway (FBSD host) and the ISP's DNS servers. Neither works.
> 
>> Use this settings in rc.conf for pf:
>>
>> pf_enable="YES"
>> pflog_logfile="/var/log/pflog"
>> pflog_flags=""
>> pf_rules="/etc/pf.conf"
>> pf_flags=""
>> gateway_enable="YES"
> 5. I think I have the equivalent ipfw settings in /etc/rc.conf, but it doesn't work.
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
> firewall_quite="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> 
>> Run:
>> # sysctl net.inet.ip.forwarding=1
>> # /etc/rc.d/routing restart
>>
>> Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists reboots
> 6. I recompiled my kernel.
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=120
> options IPDIVERT
> I think it should be equivalent to sysctl setting.
> 
>> Add the following rule to /etc/pf.conf
>>
>> nat pass on rl0 from rl1:network to any -> rl0
>>
>> AFAIR, if rl0 has a dynamic address, you will have to write it with
>> parentheses, like:
>>
>> nat pass on rl0 from rl1:network to any -> (rl0)
>> (Note that in /etc/pf.conf translation rules like the above, are placed
>> above filtering rules like pass or block etc)
>> You may have to adjust /etc/pf.conf filtering rules, assuming you have
>> any.
>> Restart some services
>>
>> # /etc/rc.d/netif restart
>> # /etc/rc.d/routing restart
>> # /etc/rc.d/pf restart
>>
>> or simply reboot, and you should be set.
> 7. I don't know about PF.
> 
> * Fbsd1 (fbsd1 at a1poweruser.com) wrote:
>> You need to run dhcp so you can assign ip address on the LAN so the down
>> stream xp box can gain access to the public internet through your
>> gateway freebsd box.  There are detailed step by step instructions in
>> the install guide at www.a1poweruser.com
> 8. I read the doc from the mentioned site. The doc does not mention anything
> about sharing ppp dial-up with the other host. And I'm sorry, dhcp is not the
> point of my concern now. I only want to share internet access, whether the IP is
> static or dynamic. BTW the doc is very good anyway. I shall keep it. :-)
> 
> * Polytropon (freebsd at edvax.de) wrote:
>> First of all, I made my kernel capable; significant parts:
>> # Firewall, NAT
>> ...blah
> 9. I compiled the kernel following your advice, except NETGRAPH. I think
> PPPoE is not the point of concern.
> 
>> Configuration in /etc/rc.conf goes this way:
>>    ifconfig_xl0="inet 192.168.0.1 netmask 0xffffff00"
>>    ifconfig_rl0="inet 192.168.1.1 netmask 0xffffff00 media 10baseT/UTP"
> 10. As said earlier, my interface connecting to the outside is a 56k serial modem
> (/dev/cuad0). I think I can't set /dev/cuad0 (or even tun0) in this way.
> 
> 11. CONCLUSION: I did read many documents. The more I read, the more confused I get.
> I tried many possible things but it still doesn't work. My RECENT configurations
> are as follows.
> 
> /etc/rc.conf
> gateway_enable="YES"
> firewall_enable="YES"
> firewall_type="OPEN"
> firewall_quite="YES"
> natd_enable="YES"
> natd_interface="tun0"
> natd_flags="-s -u -m"
> 
> kernel options
> options IPFIREWALL
> options IPFIREWALL_FORWARD
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_VERBOSE
> options IPFIREWALL_VERBOSE_LIMIT=120
> options IPDIVERT
> 
> /etc/ipfw.rules
> add divert natd ip from any to any via tun0
> 
> ppp command
> ppp -background -nat myisp
> 
> With these settings, my FBSD host can NOT even dial out to the ISP. :-(
> Please, anybody, tell me what I am doing wrong here.
> At this time I must go back to the original settings in order to dial the ISP.
> And lastly I'm sorry for the long questions.
> 
> Thank you.
> Pongthep

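[Added example; this is not from Andrew's or Pongthep's mail.] The reply's point is that 'ppp -nat' and natd are two ways of doing the same translation, so Pongthep's posted rc.conf (natd_enable plus a divert rule) together with 'ppp -nat' asks for NAT twice. The POSIX sh script below checks an rc.conf, an ipfw rules file and the ppp command line for exactly those conflicts, then emits the rc.conf lines and the ppp.conf lines that follow the reply's advice (ppp does the NAT, the firewall treats tun0 as external, port forwards live in ppp.conf). The sample files are constructed from the configuration quoted in the mail; 'nat enable' and 'nat port' are the ppp(8) commands equivalent to the -nat flag, and the LAN host 192.168.1.2 with its forwarded port 80 is a made-up value.

```shell
#!/bin/sh
# Added example: consistency check for a FreeBSD 'ppp -nat' gateway.
# Sample inputs below are constructed from the configuration quoted in the thread.

# Print a space-separated list of findings for an rc.conf file, an ipfw rules
# file and the ppp command line; prints nothing when the setup is consistent.
nat_config_findings() {
    rc="$1"; rules="$2"; ppp_cmd="$3"
    findings=""
    ppp_nat=0; natd_on=0; divert=0
    case " $ppp_cmd " in *" -nat "*) ppp_nat=1 ;; esac
    if grep -Eq '^natd_enable="?YES"?' "$rc"; then natd_on=1; fi
    if grep -Eq 'divert[[:space:]]+natd' "$rules"; then divert=1; fi
    # ppp's own NAT plus natd on tun0 would translate the same packets twice
    if [ "$ppp_nat" -eq 1 ] && [ "$natd_on" -eq 1 ]; then findings="$findings double_nat"; fi
    # neither mechanism enabled: LAN traffic leaves with private source addresses
    if [ "$ppp_nat" -eq 0 ] && [ "$natd_on" -eq 0 ]; then findings="$findings no_nat"; fi
    # a divert rule with no natd listening on the divert socket discards the traffic
    if [ "$divert" -eq 1 ] && [ "$natd_on" -eq 0 ]; then findings="$findings divert_without_natd"; fi
    # with ppp doing NAT, the firewall should carry no divert rule at all
    if [ "$divert" -eq 1 ] && [ "$ppp_nat" -eq 1 ]; then findings="$findings divert_with_ppp_nat"; fi
    # without IP forwarding the LAN host's packets are never routed out at all
    if ! grep -Eq '^gateway_enable="?YES"?' "$rc"; then findings="$findings forwarding_off"; fi
    # rc(8) does not validate variable names, so a misspelled one is silently ignored
    if grep -Eq '^firewall_quite=' "$rc"; then findings="$findings unknown_variable_firewall_quite"; fi
    echo "${findings# }"
}

# rc.conf lines for the reply's approach: forwarding on, ipfw on, natd left out.
# (firewall_quiet is the correctly spelled rc.conf(5) variable.)
recommended_rc_conf() {
    cat <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_quiet="YES"
firewall_script="/etc/ipfw.rules"
EOF
}

# ppp.conf lines (under the dial-up label) that replace natd: 'nat enable yes'
# is what the -nat flag sets; port forwards go here instead of natd_flags.
# 192.168.1.2:80 is a constructed LAN host and port, not from the thread.
recommended_ppp_conf_nat() {
    cat <<'EOF'
 nat enable yes
 nat port tcp 192.168.1.2:80 80
EOF
}

# --- constructed sample inputs -------------------------------------------
tmpdir=$(mktemp -d)
AS_POSTED_RC="$tmpdir/rc.conf.posted"          # rc.conf as quoted in the mail
cat >"$AS_POSTED_RC" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
firewall_quite="YES"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-s -u -m"
EOF
AS_POSTED_RULES="$tmpdir/ipfw.rules.posted"    # /etc/ipfw.rules as quoted
echo 'add divert natd ip from any to any via tun0' >"$AS_POSTED_RULES"
AS_POSTED_PPP='ppp -background -nat myisp'     # ppp command as quoted

FIXED_RC="$tmpdir/rc.conf.fixed"
recommended_rc_conf >"$FIXED_RC"
FIXED_RULES="$tmpdir/ipfw.rules.fixed"         # no divert rule; tun0 is just external
echo 'add allow ip from any to any' >"$FIXED_RULES"

echo "as posted: $(nat_config_findings "$AS_POSTED_RC" "$AS_POSTED_RULES" "$AS_POSTED_PPP")"
echo "fixed:     $(nat_config_findings "$FIXED_RC" "$FIXED_RULES" "$AS_POSTED_PPP")"
echo "ppp.conf additions:"; recommended_ppp_conf_nat
```

Run as-is and the first line reports double_nat, divert_with_ppp_nat and the misspelled firewall_quite variable for the posted setup, while the fixed set reports nothing. The checker only reads files, so it can be pointed at a live /etc/rc.conf and rules file before restarting ppp.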