(more) confusion configuring NAT

Christopher Cowart ccowart at rescomp.berkeley.edu
Wed Mar 19 16:19:00 PDT 2008

Robert Huff wrote:
> Christopher Cowart writes:
>>  > 	2) NAT still doesn't work.  Still connected, but can't surf to
>>  > www.google.com using Firefox.
>> My kernel conf:
>> | options IPFIREWALL
>> | options IPFIREWALL_NAT
>> | options LIBALIAS
> 	I do not have "options IPFIREWALL_FORWARD" (it's commented out)
> because the attached comment says:
>	enable xparent proxy support
>	Since that machine doesn't do proxy ... is this necessary?

Should be fine.

>> My (abbreviated) ipfw.rules script:
>> | /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
>> | $CMD allow all from any to any via lo0
>> | $CMD nat 1 ip4 from any to any
>> | $CMD allow icmp from any to any
>> | $CMD deny log ip from any to me
>> | $CMD allow ip4 from any to any
> 	Not an ipfw guru, but don't see anything that contradicts what
> I have.

Do you have gateway_enable="YES" in your /etc/rc.conf?

$ sysctl -a net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Is the interface mentioned in the nat config the interface with the
public IP?

Try putting `$CMD count log ip from any to any' rules to see if traffic
is matching where you expect it to; I have found this incredibly useful
in the past, because interface and direction tags are not always
intuitive (especially once you get fwd rules, which luckily you don't

Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
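The checks in Chris's reply (gateway_enable in rc.conf, the forwarding sysctl, the interface named in the nat config, and count rules to see where traffic matches), as an added example that is not part of the original thread: a small sh script that runs them offline against saved copies of the files, with constructed sample input standing in for the real rc.conf, sysctl output and rules script.

```shell
#!/bin/sh
# Added example, not code from the thread: offline versions of the checks
# Chris suggests, run against saved copies of rc.conf, the sysctl output and
# the ipfw rules script. Every sample input below is constructed.

# Does rc.conf turn on forwarding at boot?  (rc.conf text on stdin)
check_gateway_enable() {
    grep -Eq '^[[:space:]]*gateway_enable="?YES"?([[:space:]]|$)'
}

# Is the running kernel forwarding right now?  (sysctl output on stdin)
check_forwarding_sysctl() {
    grep -Eq '^net\.inet\.ip\.forwarding: *1$'
}

# Which interface does `ipfw nat N config ... if IFACE` bind to?  (rules on stdin)
nat_interface() {
    sed -n 's/.*nat [0-9][0-9]* config .*if \([A-Za-z0-9.]*\).*/\1/p'
}

# Emit the rules script with a `count log` rule in front of every $CMD rule,
# so `ipfw show` reports a packet count at each position and you can see
# where traffic actually matches before the nat/allow/deny rule acts on it.
add_count_rules() {
    awk '/^[$]CMD / { print "$CMD count log ip from any to any" } { print }'
}

# Constructed sample inputs mirroring the thread.
RC_CONF='gateway_enable="YES"
firewall_enable="YES"'
SYSCTL_OUT='net.inet.ip.forwarding: 1'
RULES='/sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
$CMD allow all from any to any via lo0
$CMD nat 1 ip4 from any to any
$CMD allow ip4 from any to any'

# Succeed only if forwarding is on both at boot and now, and the nat instance
# is bound to the interface that carries the public address ($1).
nat_prereqs_ok() {
    printf '%s\n' "$RC_CONF" | check_gateway_enable &&
    printf '%s\n' "$SYSCTL_OUT" | check_forwarding_sysctl &&
    [ "$(printf '%s\n' "$RULES" | nat_interface)" = "$1" ]
}

if nat_prereqs_ok vlan98; then echo "forwarding on, nat 1 bound to vlan98"; fi
printf '%s\n' "$RULES" | add_count_rules
```

On a real box, feed the actual files in place of the constructed strings; after loading the rewritten rules, `ipfw show` lists each count rule with its packet counter next to the rule it precedes.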