Problem about ppp -nat

Pongthep Kulkrisada ptkrisada at
Mon Dec 1 08:35:19 PST 2008

>  > # ppp -background isp
>  > Loading /lib/
>  > Loading /lib/
>  > Loading /lib/
>  > Loading /lib/
>  > Loading /lib/
>  > Loading /lib/
>  > Loading /lib/
> I'm surprised ppp would load these unless -nat was specified somewhere?  
It is just ppp -background isp.

> I spent about 15 years debugging user problems with dialup modems; it 
> can be really difficult without first knowing the modem type and it's 
> internal config - however that doesn't seem to be your problem here.
Modem type... it is just a normal external serial modem.
Internal config... I don't know I lost its manual, sorry.

> That is, on connect it should then procede to authentication.  There's 
> no sign of that.  Whether failing at your end or the other is unclear;
> maybe logging LCP might provide more of a clue, but I'm not sure ..
I also don't know about this.

>  > At boot time ...
>  > Flush all rules.
>  > ipfw: unknown interface name tun0
>  > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> Hmm.  I have rules for natd via ng0, which also doesn't exist at boot, 
> without any such complaints, but that's on a 5.5-STABLE box.
>  > 00100 check-state
>  > ...
>  > 
>  > After presence of tun0 (after dialing) ...
>  > # sh /etc/ipfw.rules
>  > Flush all rules.
>  > ipfw: ipfw_ctl invalid option 56
> What's that about?  You haven't shown the rule that produced that ..
root at bsdhost:~# cat /etc/ipfw.rules
# Define the firewall command (as in /etc/rc.firewall) for easy
# reference. Helps to make it easier to read.

# Define our outside interface. With userland-ppp this
# defaults to tun0. Or just define ethernet device.

# Force a flushing of the current rules before we reload.
$fwcmd -f flush

# Do NAT before check-state
$fwcmd nat 123 config if $oif log deny_in same_ports unreg_only reset
$fwcmd add nat 123 ip4 from any to any via $oif

# Check the state of all packets.
$fwcmd add check-state

# Allow all internal traffics, it is dangerous but just for testing.
$fwcmd add allow all from any to any via fxp0

# Allow IPv6 tunneling
$fwcmd add allow udp from any 3653 to any 3653 via $oif
$fwcmd add allow tcp from any 3653 to any 3653 via $oif
# The following line is for user-ppp.
$fwcmd add allow ipv6 from any to any via gif0
# The following line is for UDP encapsulation (machine behind NAT).
# $fwcmd add allow ipv6 from any to any via tun1

# Stop spoofing on the outside interface.
$fwcmd add deny ip from any to any in via $oif not verrevpath

# Allow all connections that we initiate, and keep their state.
# but deny established connections that don't have a dynamic rule.
$fwcmd add allow ip from me to any out via $oif keep-state
$fwcmd add deny tcp from any to any established in via $oif

# Allow all local traffic.
$fwcmd add allow all from any to any via lo0
$fwcmd add deny all from any to
$fwcmd add deny ip from to any

# Allow internet users to connect to the port 21, 23 and 80.
# We specifically allow connections to the ftpd, telnetd and a webserver.
$fwcmd add allow tcp from any to me dst-port 21,23,80 in via $oif setup keep-state

# Allow ICMP packets: remove type 8 if you don't want your host
# to be pingable.
$fwcmd add allow icmp from any to any via $oif icmptypes 0,3,8,11,12

# Deny and log all the rest.
$fwcmd add deny log ip from any to any

>  > 5. Then insert these commands to /etc/ipfw.rules as the first two rules.
>  >        /sbin/ipfw add divert natd all from any to any via tun0
>  >        /sbin/ipfw add pass all from any to any
>  >    then run the ipfw script to load the new rules.
>  >        sh /etc/ipfw.rules
> Which other rules?
Please see above.

>  > But I just can't pass step 3, unless I unload ipdivert.
> And your ppp.conf or ppp command definitely doesn't mention -nat?
Not at all. As said above only ``ppp -background isp''.
/etc/rc.conf and /etc/ppp/ppp.conf do not store anything about -nat.

>  > Please don't suspect my system. It had just been very freshly 
>  > installed from CDs before I tried everything. And without ipdivert 
>  > being loaded into the kernel, I can dial and browse any sites and 
>  > very fast with my /etc/ppp/ppp.conf. Should note a bug?
> Maybe it is.  I'm out of ideas anyway, and noone else has come forward.
I have been using *Unix for 7 years (2 years for linux and 5 years for FreeBSD). I haven't found such things. Even with noisy telephone line, I could always dial isp. (But link down sometimes, of course it is found everywhere.) I think it is a bug.

> Well I'm pretty sure you shouldn't load ipdivert as well as using ipfw 
> nat, but I've been almost 100% wrong so far so perhaps best ignore me :)
I may go on with ppp -nat, but when I have time.
I am always busy...
Lastly, thank you very much for your kind response.


More information about the freebsd-questions mailing list