ipnat -CF -f /etc/ipnat.rules
perikillo
perikillo at gmail.com
Wed Jan 4 20:39:25 PST 2006
On 1/3/06, fbsd_user <fbsd_user at a1poweruser.com> wrote:
>
> On 1/2/06, fbsd_user <fbsd_user at a1poweruser.com> wrote:
> > I see "tun" in your ipnat rule.
> > That means you are using ppp for a phone dialup connection.
> > Every time you lose your phone connection you get a different IP
> > from your ISP.
> > Use the NAT function of PPP and not ipnat and your problem will go
> > away.
> >
> > -----Original Message-----
> > From: owner-freebsd-questions at freebsd.org
> > [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of caleb
> > Sent: Friday, December 30, 2005 9:16 PM
> > To: freebsd-questions at freebsd.org
> > Subject: ipnat -CF -f /etc/ipnat.rules
> >
> >
> > Hi everyone,
> > I have just put together a router/firewall using 5.4 RELEASE
> > and IPFILTER. Everything is working fine except I have to manually
> > flush the NAT table every time the router boots. Below is my rc.conf
> > and ipnat.rules; I have used rc.conf to start everything at boot:
> >
> > /* rc.conf */
> >
> > gateway_enable="YES"
> > sshd_enable="YES"
> > ifconfig_rl1="inet 10.0.0.1 netmask 255.255.255.0"
> > ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> > hostname="tweak"
> > ipfilter_enable="YES"
> > ipfilter_rules="/etc/ipf.rules"
> > ipmon_enable="YES"
> > ipmon_flags="-Ds"
> > ipnat_enable="YES"
> > ipnat_rules="/etc/ipnat.rules"
> > ppp_enable="YES"
> > ppp_mode="ddial"
> > ppp_nat="NO"
> > ppp_profile="netspace"
> > ppp_user="root"
> >
> > /* ipnat.rules */
> >
> > map tun0 192.168.0.0/24 -> 0/32
> >
> >
> > Is there something I am missing? I do not think it is ipf, as I
> > have configured it to allow everything in and out. Could you please
> > CC me if you decide to help.
> >
> > Thank you,
> >
> > caleb
> > --
> >
> >
>
> Well, I use the PPPoE protocol. I have never tried the same ppp program
> to handle the NAT thing; then do I disable ipnat, or what...? I need to
> understand this very clearly.
>
> Thanks for your tip.
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
>
> You are not configured correctly. This statement
> ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
> is forcing that IP addr to be used and it's wrong.
> You have to get the IP assigned by your ISP.
> Follow this example, which means you can use ipnat or ppp nat.
>
> #################### start of ppp.conf ###################
> default:
>
>  set log Phase tun # use to avoid excessive log sizes
>  set timeout 0 # no idle time out, will not disconnect
>
> dialisp:
>  set device PPPoE:XXX # replace XXX with your NIC device name
>  set authname YOURLOGINNAME # Replace with your ISP account username
>  set authkey YOURPASSWORD # Replace with your ISP account password
>  add default HISADDR # Add a (sticky) default route (Mandatory)
>  enable dns # Gets the ISP's DNS IP addresses & places them
>             # in resolv.conf for reference by the FBSD box.
>
> ############### End of ppp.conf #################################
>
>
> Replace the XXX in the [set device PPPoE:XXX] statement with the
> NIC's FBSD interface name. Sometimes it will be necessary to use a
> service tag to establish your connection depending on how your ISP
> and/or the phone company has its DSL network configured. Service
> tags are used to distinguish between different PPPoE servers
> attached to a given network. You should have been given any required
> service tag information in the documentation provided by your ISP.
> If you cannot locate it there, ask your ISP's tech support
> personnel. This is the format of the command with the service tag
> added:
>
> set device PPPoE:xxxx:service_tag (in your case xxxx = rl0)
>
> The xxxx is the FBSD interface name used by PPPoE. The interface
> must be UP (i.e. enabled). It is only used as a transport, and does
> not need to be assigned an IP address. This can be done
> automatically at boot time by updating the /etc/rc.conf file. The
> format of the statement to add is ifconfig_xxxx=up where xxxx is the
> NIC's FBSD interface name used by PPPoE that you specified in the
> /etc/ppp/ppp.conf file.
>
>
> ee /etc/rc.conf # add following statements
>
> ifconfig_xxxx=up # (in your case xxxx = rl0)
>
> ifconfig_tun0="DHCP" # get your ISP assigned IP address
>
>
>
> To setup user ppp to dial your ISP automatically at FBSD boot time,
> you have to add the following statements to the rc.conf file. The
> ddial option means to redial every time the connection to the ISP
> gets dropped.
>
> ee /etc/rc.conf
>
>
> # Activate user ppp auto start at boot time
> ppp_enable="YES" # Start User PPP task
> ppp_mode="ddial" # ddial, auto, background
> ppp_profile="dialisp" # section in ppp.conf to exec
>
> #ppp_nat="YES" # only if you have LAN behind this PC.
>
> # deactivate ipfilter Nat function (comment statements out)
>
> #ipnat_enable="YES"
> #ipnat_rules="/etc/ipnat.rules"
>
>
Ok fbsd_user.
/etc/ppp.conf---->
default:
 set log Phase tun command
 set timeout 0
prodigy:
 set device PPPoE:fxp1
 set MRU 1472 #tested
 set MTU 1472 #tested
 set authname *****
 set authkey *****
 set dial
 set login
 add default HISADDR
# I know the DNS of my ISP; this is why I don't use the dns tag here,
# it is hardcoded in /etc/resolv.conf.
/etc/ppp/ppp.linkup--->
prodigy:
!bg /sbin/ipf -y
/etc/rc.conf---->
ipfilter_enable="YES" # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf" # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules" # rules definition file for ipfilter, see
ipfilter_flags="" # additional flags for ipfilter
ipnat_enable="YES" # Set to YES to enable ipnat functionality
ipnat_program="/sbin/ipnat" # where the ipnat program lives
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
ipnat_flags="" # additional flags for ipnat
ipmon_enable="YES" # Set to YES for ipmon; needs ipfilter or ipnat
ipmon_program="/sbin/ipmon" # where the ipfilter monitor program lives
ipmon_flags="-Dvn /var/log/firewall.log"
network_interfaces="lo0 fxp0 fxp1" # List of network interfaces (or "auto").
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
ifconfig_fxp0="inet 192.168.0.1 netmask 255.255.255.0" #Internal LAN for NAT
ifconfig_fxp1="UP"
ifconfig_tun0="DHCP"
# User ppp configuration.
ppp_enable="YES" # Start user-ppp (or NO).
ppp_mode="ddial" # Choice of "auto", "ddial", "direct" or "dedica
ppp_nat="NO" # Use PPP's internal network address translation or NO.
ppp_profile="prodigy" # Which profile to use from /etc/ppp/ppp.conf.
ppp_user="root" # Which user to run ppp as
Are they correct...?
I have already made the changes, but my situation is that I have one
small network at my home; this is the reason I have enabled the NAT
module of IPFILTER to serve the clients.
I see that I have the ppp module that can do the NAT thing, but
can IPFILTER communicate with ppp_nat?
Do I have all the possible rules of IPNAT in ppp_nat...?
One of the big problems I have is that sometimes the connection
goes down, and if I look, my link appears up but there is no answer. Someone
from this list gave me one tip; he said that I can try setting the MTU
and MRU in /etc/ppp.conf and gave an example of how to get that
value, so I put that info in the file.
It is supposed that this setup will bring the connection up again,
but I still have this problem; I hope these changes will help me.
fbsd_user, thanks for your great help, and if you see some
wrong settings please tell me.
Thanks for your time and help!!!
Greetings all.
(Sorry for my English :-) )
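As an added example (not part of this thread and not FreeBSD's own tooling), here is a small POSIX sh lint that reads rc.conf, ppp.conf and ppp.linkup and reports the three problems the thread circles around: both NAT engines (ppp_nat and ipnat_enable) switched on at once, an inet address configured on the NIC that ppp.conf names as the PPPoE transport, and ipnat on a ppp-managed link with no "ipf -y" resync in ppp.linkup like the one perikillo added. The file names, the sample contents and the rule that a missing "ipf -y" hook counts as a stale-NAT risk are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: a lint for the
# ppp / ipnat interplay discussed above. Findings reported:
#   double-nat      ppp_nat and ipnat_enable are both YES
#   transport-addr  the PPPoE transport NIC from ppp.conf has an inet address
#   stale-nat       ipnat on a ppp link with no "ipf -y" resync in ppp.linkup
#                   (treating its absence as a risk is this example's assumption)
# All file names and contents below are constructed samples.

# rc_get FILE KEY : print KEY's value (last assignment wins; surrounding
# quotes and a trailing comment are stripped)
rc_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\([^"]*\)".*/\1/' -e t -e 's/[[:space:]]*#.*//'
}

# upper STRING : uppercase, since rc.conf accepts YES/yes/Yes
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# pppoe_iface PPPCONF : NIC from the first "set device PPPoE:IF[:tag]" line
pppoe_iface() {
    sed -n 's/^[[:space:]]*set device PPPoE:\([^: ]*\).*/\1/p' "$1" | head -n 1
}

# lint_ppp_setup RCCONF PPPCONF LINKUP : print one finding per line and
# return the number of findings (0 means clean)
lint_ppp_setup() {
    rc=$1 pppconf=$2 linkup=$3
    n=0
    ppp_nat=$(upper "$(rc_get "$rc" ppp_nat)")
    ipnat=$(upper "$(rc_get "$rc" ipnat_enable)")
    ppp_on=$(upper "$(rc_get "$rc" ppp_enable)")

    if [ "$ppp_nat" = YES ] && [ "$ipnat" = YES ]; then
        echo "double-nat: ppp_nat and ipnat_enable are both YES"
        n=$((n + 1))
    fi

    iface=$(pppoe_iface "$pppconf")
    if [ -n "$iface" ]; then
        case "$(rc_get "$rc" "ifconfig_$iface")" in
            *inet*)
                echo "transport-addr: ifconfig_$iface has an inet address; the PPPoE transport only needs 'up'"
                n=$((n + 1)) ;;
        esac
    fi

    if [ "$ppp_on" = YES ] && [ "$ipnat" = YES ] &&
       ! grep -q 'ipf[[:space:]]\{1,\}-y' "$linkup" 2>/dev/null; then
        echo "stale-nat: ipnat on a ppp link with no 'ipf -y' resync in ppp.linkup"
        n=$((n + 1))
    fi
    return "$n"
}

# make_samples DIR : write two constructed config sets into DIR; "bad" has
# a static address on the PPPoE NIC, both NAT engines on and an empty
# ppp.linkup, "good" is the corrected form
make_samples() {
    d=$1
    cat > "$d/rc.conf.bad" <<'EOF'
ifconfig_rl0="inet 192.168.0.1 netmask 255.255.255.0"
ipfilter_enable="YES"
ipnat_enable="YES"   # ipnat handles NAT on tun0
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"        # and ppp's own NAT as well
EOF
    cat > "$d/ppp.conf.bad" <<'EOF'
default:
 set log Phase tun
dialisp:
 set device PPPoE:rl0
 set authname YOURLOGINNAME
 set authkey YOURPASSWORD
 add default HISADDR
EOF
    : > "$d/ppp.linkup.bad"
    cat > "$d/rc.conf.good" <<'EOF'
ifconfig_rl0="up"     # transport only, no address
ipfilter_enable="YES"
ipnat_enable="YES"
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"          # one NAT engine
EOF
    cp "$d/ppp.conf.bad" "$d/ppp.conf.good"
    cat > "$d/ppp.linkup.good" <<'EOF'
dialisp:
 !bg /sbin/ipf -y
EOF
}

# Stand-alone demo over the constructed samples
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for variant in bad good; do
    echo "== $variant =="
    lint_ppp_setup "$demo_dir/rc.conf.$variant" "$demo_dir/ppp.conf.$variant" \
        "$demo_dir/ppp.linkup.$variant" && echo "clean" || echo "findings: $?"
done
rm -rf "$demo_dir"
```

Run it on your own files with lint_ppp_setup /etc/rc.conf /etc/ppp/ppp.conf /etc/ppp/ppp.linkup; the "bad" sample reproduces the thread's situation and yields three findings, the "good" one none.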