(more) confusion configuring NAT
Christopher Cowart
ccowart at rescomp.berkeley.edu
Wed Mar 19 16:19:00 PDT 2008
Robert Huff wrote:
> Christopher Cowart writes:
>
>> > 2) NAT still doesn't work. Still connected, but can't surf to
>> > www.google.com using Firefox.
>>
>> My kernel conf:
>> | options IPFIREWALL
>> | options IPFIREWALL_VERBOSE
>> | options IPFIREWALL_VERBOSE_LIMIT=100
>> | options IPFIREWALL_FORWARD
>> | options IPFIREWALL_NAT
>> | options LIBALIAS
>
> I do not have "options IPFIREWALL_FORWARD" (it's commented out)
> because the attached comment says:
>
> enable xparent proxy support
>
> Since that machine doesn't do proxy ... is this necessary?
Should be fine.
>> My (abbreviated) ipfw.rules script:
>> | /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
>> | $CMD allow all from any to any via lo0
>> | $CMD nat 1 ip4 from any to any
>> | $CMD allow icmp from any to any
>> | $CMD deny log ip from any to me
>> | $CMD allow ip4 from any to any
>
> Not an ipfw guru, but don't see anything that contradicts what
> I have.
Do you have gateway_enable="YES" in your /etc/rc.conf?
$ sysctl -a net.inet.ip.forwarding
net.inet.ip.forwarding: 1
Is the interface mentioned in the nat config the interface with the
public IP?
Try putting `$CMD count log ip from any to any' rules to see if traffic
is matching where you expect it to; I have found this incredibly useful
in the past, because interface and direction tags are not always
intuitive (especially once you get fwd rules, which luckily you don't
have).
--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
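The checks above, as an added example that is not part of the original thread: a small sh script whose helpers take text so they can be exercised offline. Only run_live() touches the real system, and it assumes FreeBSD's sysctl(8) and ipfw(8); the explicit rule numbers passed to count_rules() are an assumption, since the poster's ipfw.rules lets ipfw auto-number.

```shell
#!/bin/sh
# Added example, not code from the thread: offline-testable helpers for the
# NAT sanity checks suggested above (forwarding sysctl, count rules around
# the nat rule). run_live() is the only function that calls real tools.

# Does the output of `sysctl net.inet.ip.forwarding` report forwarding on?
# (gateway_enable="YES" in /etc/rc.conf sets this to 1 at boot.)
forwarding_enabled() {
    case "$1" in
        *"net.inet.ip.forwarding: 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit `count log` rules that bracket the nat rule on the external interface.
# $1 = external interface (the one in `nat 1 config if ...`), $2 = number of
# the nat rule (assumed explicit here). One in/out pair lands just before the
# nat rule and one just after it, so `ipfw -a show` reveals whether packets
# arrive, survive translation, and leave in the direction you expect.
count_rules() {
    ext_if=$1; nat_rule=$2
    before=$((nat_rule - 1)); after=$((nat_rule + 1))
    printf '%s\n' \
        "ipfw add $before count log ip from any to any in via $ext_if" \
        "ipfw add $before count log ip from any to any out via $ext_if" \
        "ipfw add $after count log ip from any to any in via $ext_if" \
        "ipfw add $after count log ip from any to any out via $ext_if"
}

# Given `ipfw -a show` output (rule, packets, bytes, action, body ...),
# print every count rule whose packet counter is still zero: those are the
# points where traffic is NOT matching where you expected it to.
silent_count_rules() {
    printf '%s\n' "$1" | awk '$4 == "count" && $2 == 0 {
        body = ""; for (i = 4; i <= NF; i++) body = body " " $i
        printf "%s %s %s%s\n", $1, $2, $3, body }'
}

# On the gateway itself: report forwarding state and idle count rules.
run_live() {
    forwarding_enabled "$(sysctl net.inet.ip.forwarding)" ||
        echo 'forwarding is off: set gateway_enable="YES" in /etc/rc.conf'
    silent_count_rules "$(ipfw -a show)"
}
```

Load the count rules with `count_rules vlan98 200 | sh` on the gateway, generate some traffic from a NATed client, then call run_live to see which counters stayed at zero.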