problems with networking and route command

Ian Smith smithi at
Sun May 20 07:41:34 UTC 2012

In freebsd-questions Digest, Vol 415, Issue 6, Message: 1
On Fri, 18 May 2012 08:07:16 -0400
David Banning <david+dated+1337774837.907aca at> wrote:

 > > > It is machines that connect and receive via DHCP and above that
 > > > can't connect to the internet though the server.  I don't know a whole
 > > > lot about route - I have been attempting a variation of route commands
 > > > without success.

[Chuck Swiger wrote:]
 > > You need to implement NAT on this box, since is an 
 > > RFC-1918 unrouteable private network range.

 > I previously connected to the internet using ppp with the -nat option
 > and now my connection has changed - so that makes sense.
 > So I implemented natd.
 > Unfortunately natd does not work as yet.  I followed the setup as laid 
 > out in "man natd" and also used the layout in;

I've since seen Derek's response in the archives (I get the digests) at 
and I agree that 1998 is far too old to be of much use. I differ however 
about advisability of referring to the Handbook IPFW page, which frankly 
sucks - the only section of the Handbook that does, that I know of; you 
will find ipfw(8) and /etc/rc.firewall to be much better friends.

 > Here is my natd setup
 > 1. Compiled IPFIREWALL & IPDIVERT into my kernel - went fine.

Didn't need to, both will load from modules from the /etc/rc.d scripts. 
Many these days prefer to use in-kernel NAT (firewall_nat_enable="YES") 
instead, but natd still works as ever; you can always switch later.

 > Here is my rc.conf network related entries;
 > natd_enable="YES"
 > natd_interface="rl0"
 > natd_flags="-f /etc/natd.conf"
 > gateway_enable="YES"
 > ifconfig_rl0="inet netmask"
 > defaultrouter=""
 > ifconfig_vr0="DHCP"
 > ifconfig_vr0=up
 > ifconfig_vr0="inet"

Only the last ifconfig_vr0 counts, but that's ok, DHCP is for clients, 
not where vr0 gets its address from, right?  Ah, you fix that below ..

 > network_interfaces="rl0 vr0 lo0"
 > ifconfig_lo0="inet"
 > firewall_enable="YES"
 > firewall_script="/etc/firewall.rules"
 > firewall_type="simple"
 > firewall_logging="YES"

firewall_type only applies where firewall_script="/etc/rc.firewall", 
however that would be ignored by your custom /etc/firewall.rules.

 > dhcpd_ifaces="vr0"
 > dhcpd_enable="YES"
 > My firewall rules;
 > ipfw add 64000 allow ip from any to any
 > ipfw add divert natd all from any to any via rl0
 > ipfw add allow tcp from any to 139
 > ipfw add allow tcp from any to 139

That won't work; after specifying the current rule as 64000, subsequent 
unnumbered rules will be placed at 64100, 64200 etc - so they will never 
be reached.  If you put that 'allow all' at the end that would work, 
although a default policy of 'deny all' is very much safer.

 > ipfw add 6000 deny tcp from any to 139
 > ipfw add 6010 deny tcp from any to 445

These two will now be the first rules encountered, being so numbered.  
You'll also want to deny an awful lot more than NETBIOS packets to your 
outside address, see below.

 > ipfw add deny tcp from any to any 139

And that will go at the end, again after everything has been allowed.  
Always use 'ipfw list' or 'ipfw show' to check your running ruleset.

I would seriously advise you to consider using the rc.firewall 'simple' 
ruleset, at least as a basis, for a setup like yours.  It's designed 
specifically to protect small networks, and particularly to place the 
NAT rules in just the right place between inbound and outbound anti- 
spoofing rules.  See /etc/defaults/rc.conf for the variables you can set 
that should work more or less out of the box, though you may want to 
modify rc.firewall (or better, a copy of it, say rc.myfirewall) if you 
need to any add particular rules for specific services you need.

It will also protect your IPv6 network, if that's relevant to you.

 > My /etc/natd.conf;
 > interface rl0
 > use_sockets yes
 > same_ports yes

Should be ok.  You already have natd_interface="rl0" in rc.conf.
Consider 'unregistered_only yes', particularly if not using the 
anti-spoofing rules provided in rc.firewall 'simple'.

 > My /etc/services includes the line;
 > natd     8668/divert  # Network Address Translation socket
 > Output of ifconfig;
 > # ifconfig
 > fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
 >         ether 02:11:d8:b3:0e:43
 >         ch 1 dma -1
 >         inet netmask 0xffffff00 broadcast
 >         inet6 fe80::16d6:4dff:fe47:88ae%vr0 prefixlen 64 scopeid 0x2 
 >         ether 14:d6:4d:47:88:ae
 >         media: Ethernet autoselect (100baseTX <full-duplex>)
 >         status: active
 >         inet netmask 0xfffffff0 broadcast
 >         inet6 fe80::211:95ff:fe66:7162%rl0 prefixlen 64 scopeid 0x3 
 >         ether 00:11:95:66:71:62
 >         media: Ethernet autoselect (100baseTX <full-duplex>)
 >         status: active
 > lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
 > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 >         inet6 ::1 prefixlen 128 
 >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
 >         inet netmask 0xff000000 
 > ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
 > sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
 > faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
 > >From my initial communication I have swapped the uses of the two network
 > cards - which explains the reversal of entries for devices vr0 and rl0.
 > Still I have server connection to the internet on rl0 and server 
 > connection to the network on vr0 - but the network cannot connect 
 > to the internet via rl0.
 > If there are any commands that would help collect information leading
 > to the answer I would appreciate any feedback.

rc.firewall, though not perfect, provides a good, safe basic firewall 
for your stated needs.  The major omission in the 'simple' ruleset is 
that it doesn't enable 'essential' ICMP messages, allowing pings but 
more importantly, TCP path MTU discovery.  You might add, for example:

 # Allow outbound pings from our net
 ${fwcmd} add pass icmp from any to any out icmptypes 8 keep-state
 # Allow essential ICMP: unreachable, source quench, TTL exceeded
 ${fwcmd} add pass icmp from any to any icmptypes 3,4,11
 ${fwcmd} add deny icmp from any to any	# or default deny all later

cheers, Ian  (please cc me on any response)

More information about the freebsd-questions mailing list