Problem about ppp -nat

Pongthep Kulkrisada ptkrisada at
Sat Nov 22 23:14:45 PST 2008

Hi All,

Firstly, I'm sorry for the late reply. For simplicity of your responses, I shall
ask question by question...

* Manolis Kiagias (sonic2000gr at wrote:
> There are at least two ways that I know of to achieve this. One uses the
> ipfw firewall, the other the pf firewall.
> For the ipfw solution, look at the FreeBSD Handbook:
1. I heard that ppp itself has the capability of NAT. It can work with the
command ppp -nat and without running natd. Please tell me whether this is
right or wrong. ipfw is the same. If natd is not used, I can't add the rule

add divert natd ip from any to any via tun0

to /etc/ipfw.rules. I'm confused.

2. And if natd is still required, what is the -nat argument (ppp -nat) for?

> This worked fine for me, although I prefer to use pf. Here is how I
> setup pf (Adjust for your interfaces as necessary)
> My Internet interface is rl0, setup in rc.conf as:
> ifconfig_rl0="inet netmask"
> My local interface is rl1, setup in rc.conf as:
> ifconfig_rl1="inet netmask"
3. I haven't mentioned that I can't use this configuration. I have 2
interfaces, i.e. public and private LAN. But I have only one NIC card, for the
private LAN. I don't have a NIC card for the public one. I'm using a 56k modem to
connect to the outside world. I think I can't add

ifconfig_tun0="inet netmask 0xffffff00"

to /etc/rc.conf. If I'm wrong, please tell me.
I did much googling. All sites always refer to 2 NIC cards being used, like your
example. I have only one NIC card + a 56k serial modem (/dev/cuad0).

> (I also have a defaultrouter setting which probably does not apply to you)
> I have nameserver entries in /etc/resolv.conf (or setup your own DNS
> server if you wish)
4. I also have nameserver entries. I tried setting the DNS server on my WinXP
host to both the gateway (FBSD host) and the DNS servers of the ISP. Neither works.

> Use these settings in rc.conf for pf:
> pf_enable="YES"
> pflog_logfile="/var/log/pflog"
> pflog_flags=""
> pf_rules="/etc/pf.conf"
> pf_flags=""
> gateway_enable="YES"
5. I think I have the equivalent setting for ipfw in /etc/rc.conf, but it doesn't work.

> Run:
> # sysctl net.inet.ip.forwarding=1
> # /etc/rc.d/routing restart
> Add net.inet.ip.forwarding=1 to /etc/sysctl.conf so it persists across reboots
6. I recompiled my kernel with

options IPDIVERT

I think it should be equivalent to the sysctl setting.

> Add the following rule to /etc/pf.conf
> nat pass on rl0 from rl1:network to any -> rl0
> AFAIR, if rl0 has a dynamic address, you will have to write it with
> parentheses, like:
> nat pass on rl0 from rl1:network to any -> (rl0)
> (Note that in /etc/pf.conf translation rules like the above are placed
> above filtering rules like pass or block etc.)
> You may have to adjust /etc/pf.conf filtering rules, assuming you have
> Restart some services
> # /etc/rc.d/netif restart
> # /etc/rc.d/routing restart
> # /etc/rc.d/pf restart
> or simply reboot, and you should be set.
7. I don't know about PF.

* Fbsd1 (fbsd1 at wrote:
> You need to run dhcp so you can assign an ip address on the LAN so the down
> stream xp box can gain access to the public internet through your
> gateway freebsd box.  There are detailed step-by-step instructions in
> the install guide at
8. I read the doc from the mentioned site. The doc does not mention anything
about sharing a ppp dial-up with the other host. And I'm sorry, dhcp is not the
point of my concern now. I only want to share internet access, whether the IP is
static or dynamic. BTW the doc is very good anyway. I shall keep it. :-)

* Polytropon (freebsd at wrote:
> First of all, I made my kernel capable; significant parts:
> # Firewall, NAT
> ...blah
9. I compiled the kernel following your advice, except for NETGRAPH. I think
PPPoE is not the point of concern.

> Configuration in /etc/rc.conf goes this way:
>    ifconfig_xl0="inet netmask 0xffffff00"
>    ifconfig_rl0="inet netmask 0xffffff00 media 10baseT/UTP"
10. As said earlier, my interface connecting to the outside is a 56k serial modem
(/dev/cuad0). I think I can't set /dev/cuad0 (or even tun0) in this way.

11. CONCLUSION: I did read many documents. The more I read, the more confused I get.
I tried many possible things but it still doesn't work. My RECENT configurations
are as follows.

/etc/rc.conf
natd_flags="-s -u -m"

kernel options
options IPDIVERT

/etc/ipfw.rules
add divert natd ip from any to any via tun0

ppp command
ppp -background -nat myisp

With these settings, my FBSD host can NOT even dial out to the ISP. :-(
Please, anybody, tell me what I am doing wrong here.
At this time I must go back to the original setting in order to dial the ISP.
And lastly, I'm sorry for the long questions.

Thank you.
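The post mixes two separate NAT mechanisms: ppp's own "-nat" (translation done inside ppp) and natd (a separate daemon that only sees packets an ipfw "divert natd" rule hands it, which needs IPDIVERT in the kernel). Each one translates traffic by itself, so a gateway should use one or the other. As an added example that is not part of the original post or of FreeBSD itself, the script below classifies which mechanism a host's rc.conf, ipfw rule file and ppp command line describe, and flags the half-configured and doubled-up cases; file paths and the sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: classify a FreeBSD dial-up gateway's NAT setup offline from
# three inputs: an rc.conf, an ipfw rule file and the ppp command line.
# Usage: nat_mode RC_CONF IPFW_RULES "PPP_COMMAND"
# Prints one of: ppp-nat, natd, both, natd-no-divert, divert-no-natd, none
nat_mode() {
    rc="$1"; rules="$2"; pppcmd="$3"
    ppp_nat=0; natd_on=0; divert=0
    # ppp(8) turns on its built-in NAT with -nat (older releases used -alias)
    case " $pppcmd " in
        *" -nat "*|*" -alias "*) ppp_nat=1 ;;
    esac
    if grep -Eq '^[[:space:]]*natd_enable="?YES"?' "$rc"; then natd_on=1; fi
    # an ipfw divert rule, with or without a leading "add" or rule number
    if grep -Eq '^[[:space:]]*(add[[:space:]]+)?([0-9]+[[:space:]]+)?divert[[:space:]]+natd([[:space:]]|$)' "$rules"; then
        divert=1
    fi
    # natd only translates anything when the daemon runs AND a divert rule feeds it
    natd=0
    if [ "$natd_on" -eq 1 ] && [ "$divert" -eq 1 ]; then natd=1; fi

    if [ "$ppp_nat" -eq 1 ] && [ "$natd" -eq 1 ]; then echo both      # double NAT
    elif [ "$ppp_nat" -eq 1 ]; then echo ppp-nat
    elif [ "$natd" -eq 1 ]; then echo natd
    elif [ "$natd_on" -eq 1 ]; then echo natd-no-divert               # daemon never sees packets
    elif [ "$divert" -eq 1 ]; then echo divert-no-natd                # packets diverted to nobody
    else echo none
    fi
}

# Forwarding between the LAN NIC and tun0 also needs gateway_enable="YES",
# which sets net.inet.ip.forwarding=1 at boot. Exit status 0 when present.
forwarding_enabled() {
    grep -Eq '^[[:space:]]*gateway_enable="?YES"?' "$1"
}

# Constructed samples mirroring the post's mix of settings (natd_enable is
# assumed here; the post shows only natd_flags).
tmp=$(mktemp -d)
printf 'gateway_enable="YES"\nnatd_enable="YES"\nnatd_flags="-s -u -m"\n' > "$tmp/rc.conf"
printf 'add divert natd ip from any to any via tun0\n' > "$tmp/ipfw.rules"
echo "nat mode: $(nat_mode "$tmp/rc.conf" "$tmp/ipfw.rules" 'ppp -background -nat myisp')"  # both
if forwarding_enabled "$tmp/rc.conf"; then echo "forwarding: yes"; else echo "forwarding: no"; fi
```

The "both" verdict on the post's combination is the point: keep either ppp -nat (and drop the divert rule and natd) or natd with its divert rule (and drop -nat), but not both.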
