ADSL (1 dyn IP) => FreeBSD => WinGate => NAT Network???

Adam Smith adam at internode.com.au
Sat Aug 7 10:34:14 PDT 2004


On Fri, Aug 06, 2004 at 10:50:39PM +0400, Andrew said:
> Hi!
> 
> What is the best way to retain most of the NAT functionality?
> If you are happy to not know what Wingate is, try to assume that it is
> just another nat-box. Can bsd somehow "forward" connection, so that the
> nat-box almost feels like it has a real IP?

Perhaps you should let your router do all the PPP, and then set the default
gateway on the hosts of your network to your FreeBSD machine (with its
gateway set to the router).

However, if you're initiating a PPPoE session from FreeBSD or have some
other way that this is working, then you need only add the following lines
to FreeBSD to support NAT:

in /etc/rc.conf, add:

router_enable="YES"
gateway_enable="YES"

You should also consider adding, especially if your BSD machine is live to
the Internet, and not behind NAT itself:

firewall_enable="YES"
firewall_type="/etc/rc.firewall.rules"

where /etc/rc.firewall.rules is a plain text file in the following firewall
rule format:

[adam at nautilus /]$ less /etc/rc.firewall.rules 
add allow tcp from any to any 21
add allow tcp from any to any 25
add allow tcp from any to any 113
add allow udp from any to any 53 keep-state
add allow tcp from any to any 53
add allow udp from any to any 123 keep-state
add allow tcp from any to any 80
add allow tcp from any to any 22
add allow ip from me to any
add allow icmp from any to any
add allow ip from 10.0.0.0/24 to any
add allow tcp from any to any established
add allow ip from any to any frag


As you can see above, the rules I've included allow traffic from any to any
on several ports (ftp/dns/www/ssh, etc) and then the following five lines
allow IP, ICMP, IP traffic from the 10.0.0.0/24 network, and 'add allow tcp
from any to any established' (which is very important for NAT behind a
firewall) and frag (fragmented connections).

If you implement a firewall you will need that 'established' line, because
it allows TCP/IP traffic to flow from any host on the Internet to any host
via the socket (TCP connection to a host on a specific port) that was
established by the NAT client who initiated the connection.

i.e., if client 10.0.0.1 requests http://www.freebsd.org:80, the NAT gateway,
according to 'allow tcp from any to any established', will allow traffic to
flow between www.freebsd.org and 10.0.0.1 on port 80 for the life of the
open socket.  Once that socket is closed by either end, the client and the
remote server can no longer communicate with each other unless a new socket
is opened by the NAT client.


Cheers,

-- 
Adam Smith
Internode	: http://www.internode.on.net
Phone		: (08) 8228 2999

Dog for sale:  Eats lots and is fond of children.
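As an added example (not code from Adam's mail, from FreeBSD, or from ipfw itself), the following Python script models first-match evaluation of the ipfw rule subset used in the rule file above: actions allow/deny, protocols ip/tcp/udp/icmp, addresses any/me/CIDR, a single destination port, and the options established, keep-state, check-state, setup and frag, with a default-to-deny final rule as on a stock kernel. It runs the posted rule file and a constructed stateful variant against the same constructed packets. The gateway addresses in ME, the sample packets (TEST-NET ranges) and the STATEFUL rule set are all assumptions made for the demo; natd/divert, rule numbers and source-port matching are not modelled.

```python
"""Toy first-match evaluator for the ipfw(8) subset used in the rules above
(added example, not code from the mail).  Default rule is deny, as on a stock
kernel.  ME and every sample packet are constructed for the demo."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

ME = {"203.0.113.10", "10.0.0.254"}   # constructed: gateway's public and LAN addresses
Rule = namedtuple("Rule", "action proto src dst dport opts")

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP SYN bit
    ack: bool = False   # TCP ACK (or RST) bit, all that 'established' tests
    frag: bool = False  # non-first fragment: no transport header, so no ports

def parse_rule(line: str) -> Rule:
    """'add allow tcp from any to any 80 keep-state' -> Rule; also 'add check-state'."""
    t = line.split()
    if t[:2] == ["add", "check-state"]:
        return Rule("check-state", "ip", "any", "any", None, frozenset())
    assert t[0] == "add" and t[3] == "from" and t[5] == "to", line
    dport, rest = (int(t[7]), t[8:]) if len(t) > 7 and t[7].isdigit() else (None, t[7:])
    return Rule(t[1], t[2], t[4], t[6], dport, frozenset(rest))

def addr_match(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return ip in ME
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def flow_key(p: Packet):
    # direction-independent, so a reply hits the dynamic rule its request created
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

def matches(r: Rule, p: Packet) -> bool:
    tcp = p.proto == "tcp"
    return (r.proto in ("ip", p.proto)
            and addr_match(r.src, p.src) and addr_match(r.dst, p.dst)
            and (r.dport is None or (not p.frag and p.dport == r.dport))
            and ("frag" not in r.opts or p.frag)
            # 'established' is a flag test, not a state lookup: any TCP segment
            # with ACK or RST set matches whether or not a connection exists
            and ("established" not in r.opts or (tcp and p.ack))
            and ("setup" not in r.opts or (tcp and p.syn and not p.ack)))

class Firewall:
    def __init__(self, rules):
        self.rules = [parse_rule(l) for l in rules if l.strip()]
        self.dynamic = set()            # flows created by keep-state

    def check(self, p: Packet) -> str:
        """First-match verdict: 'allow', 'allow-dynamic' or 'deny'."""
        state_checked = False
        for r in self.rules:
            # ipfw consults dynamic rules at the first check-state/keep-state rule
            if not state_checked and (r.action == "check-state" or "keep-state" in r.opts):
                state_checked = True
                if flow_key(p) in self.dynamic:
                    return "allow-dynamic"
            if r.action != "check-state" and matches(r, p):
                if r.action == "allow" and "keep-state" in r.opts:
                    self.dynamic.add(flow_key(p))
                return r.action
        return "deny"                   # rule 65535 on a default-to-deny kernel

# The rule file from the mail, verbatim.
POSTED = """add allow tcp from any to any 21
add allow tcp from any to any 25
add allow tcp from any to any 113
add allow udp from any to any 53 keep-state
add allow tcp from any to any 53
add allow udp from any to any 123 keep-state
add allow tcp from any to any 80
add allow tcp from any to any 22
add allow ip from me to any
add allow icmp from any to any
add allow ip from 10.0.0.0/24 to any
add allow tcp from any to any established
add allow ip from any to any frag""".splitlines()

# Constructed stateful variant: state first, only LAN and gateway open flows,
# inbound limited to SSH setup packets, no 'established' (keep-state covers replies).
STATEFUL = """add check-state
add allow ip from 10.0.0.0/24 to any keep-state
add allow ip from me to any keep-state
add allow tcp from any to me 22 setup keep-state
add allow icmp from any to any""".splitlines()

def demo(rules):
    """Run the same constructed packets, in order, through one rule set."""
    fw = Firewall(rules)
    packets = [
        ("web", Packet("tcp", "10.0.0.1", "198.51.100.20", 40000, 80, syn=True)),
        ("web_reply", Packet("tcp", "198.51.100.20", "10.0.0.1", 80, 40000, syn=True, ack=True)),
        ("dns", Packet("udp", "10.0.0.1", "198.51.100.53", 53000, 53)),
        ("dns_reply", Packet("udp", "198.51.100.53", "10.0.0.1", 53, 53000)),
        ("inbound_ssh", Packet("tcp", "198.51.100.99", "203.0.113.10", 6001, 22, syn=True)),
        ("ack_scan", Packet("tcp", "198.51.100.99", "203.0.113.10", 6000, 3306, ack=True)),
    ]
    return {name: fw.check(p) for name, p in packets}
```

Running `demo(POSTED)` shows what the mail describes: the client's HTTP request matches the port-80 rule and the server's reply is let back in by 'established', while the DNS reply only gets through because the UDP rule carried keep-state. It also shows two things the mail does not spell out: the any-to-any port rules admit unsolicited inbound connections to the gateway (the SSH packet from outside is allowed), and because 'established' only inspects the ACK/RST bits, a bare ACK from the Internet to an arbitrary port on the gateway passes too. `demo(STATEFUL)` gives the same answers for the legitimate flows but denies the ACK probe, which is why a practitioner would prefer check-state/keep-state with a setup rule over 'established' when the box is directly on the Internet.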


More information about the freebsd-questions mailing list