NAT, VPN and other SOHO router advice

Andy Reitz reitz at
Thu Apr 6 21:36:22 UTC 2006

On Thu, 6 Apr 2006, Nick Stenning wrote:

> First, NAT'ing. Currently the Vigor router ( is the default
> router for the network, as specified by the FBSD box's DHCP server. If
> I disconnect the cable I want to disconnect, however, obviously the
> FBSD box will have to be the router. Now, I've recompiled my kernel
> with all the relevant options, and I've got an extensive firewall
> script (ipfw). I've also got the following in my rc.conf:
> firewall_enable="YES"
> firewall_script="/etc/ipfw.rules"
> firewall_logging="YES"
> natd_enable="YES"
> natd_interface="rl1"
> gateway_enable="YES"
> rl1, by the way, has a public IP block on it, and the vigor router has
> one of these, let's call it xx.yy.zz.201. On the FBSD box (in rc.conf)
> we have:
> defaultrouter="xx.yy.zz.201"
> ifconfig_rl0="inet netmask"
> ifconfig_rl1="inet xx.yy.zz.202 netmask"
> ifconfig_rl1_alias0="xx.yy.zz.203/29"
> ...
> So, really, the question for this bit of the email is .. what else do
> I need to get my FBSD box acting as a router for the machines on the
> LAN? .. I assume I'd need an IPFW divert rule to set up all the
> NATing, but I'm unsure what that should be, and whether it would come
> before or after all the protective stuff in the firewall script etc
> etc.

Hi Nick,

It looks to me like you are on the right track. The only other option that
I have in my rc.conf is:

	natd_flags="-config /etc/natd.conf"

This forces natd to read my configuration file. I think in normal
operations, natd will "pretty-much" do the right thing, but you might want
to customize yours like I have mine. Here are some statements that I have
in my natd.conf:

	dynamic yes
	use_sockets yes
	same_ports yes
	log no
	log_denied yes
	log_ipfw_denied yes

In terms of the divert rule, mine looks like this:

	/sbin/ipfw add 50 divert natd all from any to any via fxp0

You'll want to replace 'fxp0' with your external interface, in this case,

On FreeBSD 6, the /etc/rc.firewall script will automatically add the
proper divert rule if you set the "firewall_type" to be either "open" or
"client" in rc.conf.

Good luck,
	-Andy Reitz.

More information about the freebsd-questions mailing list