pf or ipfw for NAT
Frank Leonhardt
freebsd-doc at fjl.co.uk
Sun Apr 11 18:21:26 UTC 2021
On 03/04/2021 09:20, Steve O'Hara-Smith wrote:
>> Thanks Steve. Any idea whether I need to enable the gateway when using
>> pf instead?
>>
>> e.g. sysctl net.inet.ip.forwarding=1
>
> I'm pretty sure you do - TBH I've never tried not setting it on
> anything that routes.
I think so too. I set it and it works perfectly. I'm really wondering why I've bothered with natd - just using pf works a treat.
For the sake of anyone reading this thread in the future, this script starts the whole thing off (xxx is the external address):
sysctl net.inet.ip.forwarding=1                            # turn the box into an IPv4 router
ifconfig bge0 inet 192.168.1.210 netmask 0xffffffff alias  # LAN side: add .210 as an extra address
ifconfig re0 inet xxx.xxx.xxx.xxx netmask 0xffffffff alias # WAN side: add the external address
service dhcpd onestart                                     # hand out LAN leases (see dhcpd.conf below)
service pf onestart                                        # load /etc/pf.conf (NAT and rdr rules)
-----------------------------------------------------
This is what I'd put in rc.conf to make it permanent (but not a cut/paste job, so there may be errors):
gateway_enable="YES"                    # sets net.inet.ip.forwarding=1 at boot
# bge0 (LAN side). 'alias' with a /32 mask only makes sense next to an address
# already on bge0; rc.conf's own convention for an extra address is
# ifconfig_bge0_alias0="inet 192.168.1.210 netmask 0xffffffff"
ifconfig_bge0="inet 192.168.1.210 netmask 0xffffffff alias"
# re0 (WAN side); xxx is the external address, here in a /29
ifconfig_re0="inet xxx.xxx.xxx.xxx netmask 255.255.255.248"
dhcpd_enable="YES"
pf_enable="YES"
-----------------------------------------------------
/usr/local/etc/dhcpd.conf (important part):
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.128 192.168.1.192;   # leases handed to LAN clients
    option routers 192.168.1.210;        # the gateway's LAN address (bge0)
    authoritative;
}
-----------------------------------------------------
/etc/pf.conf
scrub in all
# NAT bit: rewrite the source of LAN traffic leaving re0 to the external address
nat pass on re0 from 192.168.1.0/24 to any -> xxx.xxx.xxx.xxx
# Pass port 25 to mail server on LAN
rdr pass on re0 proto tcp from any to xxx.xxx.xxx.xxx port 25 -> 192.168.1.203
# Note: there are no filter rules here. With no block rule, pf passes every
# packet it does not otherwise match, so nothing on re0 is filtered.
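As an added example that is not part of Frank's post, here is a pf.conf in the same FreeBSD syntax that keeps his NAT and port-25 redirect but adds a default-deny filter, since his ruleset has none and pf passes anything it is not told to block. Interface names, the LAN network, the mail server and the xxx placeholder for the external address are taken from the post; the DHCP rule is an assumption based on his running dhcpd on bge0.

```pf
# /etc/pf.conf: NAT + SMTP redirect with a default-deny filter (added example)
ext_if   = "re0"
int_if   = "bge0"
ext_addr = "xxx.xxx.xxx.xxx"     # external address, placeholder as in the post
lan_net  = "192.168.1.0/24"
mail_srv = "192.168.1.203"       # LAN mail server from the post

set skip on lo0
scrub in all

# Translation is evaluated before filtering, so the filter rules below see
# the translated packet: source rewritten to $ext_addr on the way out,
# destination rewritten to $mail_srv on the way in. No "pass" keyword here;
# what is allowed through is decided by the filter rules, not the NAT rules.
nat on $ext_if from $lan_net to any -> $ext_addr
rdr on $ext_if proto tcp from any to $ext_addr port 25 -> $mail_srv

# Filter: the last matching rule wins, so deny inbound first (and log it),
# then list the exceptions.
block in log all

# Drop packets whose source address belongs to a network on the other side
antispoof quick for { $int_if $ext_if }

# Whatever the gateway or (after NAT) the LAN hosts send out is allowed;
# the state entry lets replies back in without a matching "pass in" rule.
pass out all keep state

# LAN hosts may reach the gateway and the Internet through it
pass in on $int_if from $lan_net to any keep state
# DHCP DISCOVER/REQUEST arrive from source 0.0.0.0, so $lan_net does not cover them
pass in on $int_if inet proto udp from any port 68 to any port 67

# From the Internet, only SMTP to the redirected mail server (matched on the
# post-rdr destination). Everything else hits "block in log all".
pass in on $ext_if inet proto tcp from any to $mail_srv port 25 flags S/SA keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf` (or `service pf reload`); `pfctl -sn` and `pfctl -sr` show the translation and filter rules as pf parsed them, and `tcpdump -n -e -ttt -i pflog0` shows what the logging block rule is dropping.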
More information about the freebsd-questions mailing list