pf or ipfw for NAT

Frank Leonhardt freebsd-doc at fjl.co.uk
Sun Apr 11 18:21:26 UTC 2021


On 03/04/2021 09:20, Steve O'Hara-Smith wrote:

>> Thanks Steve. Any idea whether I need to enable the gateway when using
>> pf instead?
>>
>> e.g. sysctl net.inet.ip.forwarding=1
>
>     I'm pretty sure you do - TBH I've never tried not setting it on
> anything that routes.

I think so too. I set it and it works perfectly. I'm really wondering why I've bothered with natd - just using pf works a treat.

For the sake of anyone reading this thread in the future, this script starts the whole thing off (xxx is the external address):

sysctl net.inet.ip.forwarding=1          # what gateway_enable does at boot
ifconfig bge0 inet 192.168.1.210 netmask 0xffffffff alias   # LAN side
ifconfig re0  inet xxx.xxx.xxx.xxx netmask 0xffffffff alias # external side
service dhcpd onestart
service pf onestart

-----------------------------------------------------

This is what I'd put in rc.conf to make it permanent (but not a cut/paste job, so there may be errors):

gateway_enable="YES"
ifconfig_bge0="inet 192.168.1.210 netmask 0xffffffff alias"
ifconfig_re0="inet xxx.xxx.xxx.xxx netmask 255.255.255.248"
dhcpd_enable="YES"
pf_enable="YES"

-----------------------------------------------------

/usr/local/etc/dhcpd.conf (important part):

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.128 192.168.1.192;
    option routers 192.168.1.210;
    authoritative;
}
-----------------------------------------------------

/etc/pf.conf

scrub in all
# NAT bit
nat pass on re0 from 192.168.1.0/24 to any -> xxx.xxx.xxx.xxx
# Pass port 25 to mail server on LAN
rdr pass on re0 proto tcp from any to xxx.xxx.xxx.xxx port 25 -> 192.168.1.203
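As an added example (editor's addition, not Frank's posted configuration), here is the same NAT and port forward written as a default-deny ruleset. The interface names and addresses are the ones used in this thread: re0 external with xxx.xxx.xxx.xxx as the placeholder public address, bge0 on the LAN, 192.168.1.203 as the mail server; the example additionally assumes bge0 carries 192.168.1.210 with a /24 netmask rather than a /32 alias, so that antispoof derives the right network. The posted pf.conf has no block rule, so anything pf sees is passed, and the pass keyword on nat/rdr exempts translated packets from the filter rules entirely. The version below drops that keyword, so forwarded LAN traffic and the SMTP redirect must match an explicit pass rule.

```pf
# Added example /etc/pf.conf (not the config from the thread). Assumes:
# re0 = external interface, bge0 = LAN (192.168.1.0/24, gateway .210/24),
# xxx.xxx.xxx.xxx = placeholder public address, 192.168.1.203 = mail server.
ext_if   = "re0"
int_if   = "bge0"
ext_addr = "xxx.xxx.xxx.xxx"   # replace with the real external address
lan_net  = "192.168.1.0/24"
mail_srv = "192.168.1.203"

set skip on lo0
scrub in all

# Translation only. Without "pass" here, translated packets still have to
# match a filter rule below, so NAT no longer implies "allow".
nat on $ext_if from $lan_net to any -> $ext_addr
rdr on $ext_if proto tcp from any to $ext_addr port 25 -> $mail_srv port 25

# Default deny on input, logged (last matching rule wins in pf, so the
# pass rules below override this for the traffic we actually want).
block in log all

# Drop packets on other interfaces claiming a LAN source, and packets on
# bge0 claiming the gateway's own address.
antispoof quick for $int_if

# DHCP discovers arrive with source 0.0.0.0, which the LAN rule would not
# match, so allow them to the server on this box explicitly.
pass in on $int_if inet proto udp from any port 68 to any port 67

# LAN clients may reach the gateway and, via NAT, the outside.
pass in on $int_if from $lan_net to any keep state

# Traffic leaving either interface: forwarded LAN traffic after NAT, and
# connections the gateway itself originates.
pass out on $ext_if keep state
pass out on $int_if keep state

# Inbound SMTP. rdr has already rewritten the destination before filtering,
# so the filter rule must name the internal address, not $ext_addr.
pass in on $ext_if inet proto tcp from any to $mail_srv port 25 flags S/SA keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load with `pfctl -f /etc/pf.conf` (or `service pf reload`), and verify with `pfctl -s nat`, `pfctl -s rules` and `pfctl -s state`. Note that `pf_enable` does not turn on forwarding; `gateway_enable="YES"` (or `sysctl net.inet.ip.forwarding=1`) is still required, as discussed above.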



More information about the freebsd-questions mailing list