Network Address Translation under FreeBSD.

NAT howtos for FreeBSD from Vasily Kondrashov.

It seems that FreeBSD is great OS. FreeBSD box can work as server as well and it is free. I don't think that Windows workstation straight connected to the Internet is good idea (I mean security). Setting up FreeBSD firewall can solve many problems. In the other hand you can save some money connecting your lan through the FreeBSD box - you really need only one public IP address and nobody can see your LAN from outside (If there is no errors).

You can find some instructions how to set up natd - Network Address Translation daemon - software that can solve problems listed above.

telnet and natd.

You can skip this part if you're don't know what is telnet or why do you need it.

There are questions like : Does natd allows telnet the gateway from the inside? It works (for me for example). I use FreeBSD 2.2.7 with natd 1.9 without any tricks. I can telnet my gateway form the internal LAN (Windows 95 OSR2 Russian workstations) without any problem (it seems to be slow but...) using both IP addresses of the gateway (internal "unregistered" 192.168.0.1 and public - given me by ISP).
I don't think that it is really secret that FreeBSD can deny telnet it as root by default. If you don't want to change this you can add some user to the same group with root, login with this username and then su.

Lets think that you have FreeBSD 2.2.# already installed on your machine. Let your public IP address be 111.222.33.44 and your public (external) interface is ed0. Let you have one more ethernet interface ed1 your LAN connected to. If you have /etc/rc.conf.local file then your system runs scripts placed there at the boot time. So it is convenient to place some networking starting commands there.
I am talking about a case that you're connected to your ISP and LAN via Ethernet. In the other case you should place some commands to the your /etc/rc.conf.local (PPP-concerned, for example)
!!! If you running -stable then you should do something else because of rc.conf

Getting natd.

Let's get natd now! You can install it with your system - try to find /sbin/natd file. To be sure that you have the latest version you can get it from ftp://ftp.suutari.iki.fi/pub/natd. You can get the latest version but when i try to install 2.01 I've get some problems I don't want to solve. So I recommend get natd_1.9.tar.gz with 1.9 version. Then do something as root:

tar xvfz natd_1.9.tar.gz
cd natd_1.9
make
make install

!!! I've tried to setup natd 2.01b and can say that it is not so easy. I've stopped at the make command execution because of some errors reported.
There is one more thing - libalias is not longer a part of the package since 2.#

Show the way to the LAN.

Then add route to your LAN by the string

route add -net 192.168.0.0/16 -interface ed1

Here we use so-called unregistered addresses for your LAN (see rfc 1918 and rfc 1631 for details).
You can use 65534 IP-addresses from 192.168.0.1 to 192.168.255.254 in your LAN now. Is it enough?
!!! If you use IP adresses from 1.2.3.4 to 1.2.3.44 remember that 1.2.3.4 is subnet address and 1.2.3.44 is broadcast address - don't use this addresses.

Configureing the kernel.

Then you need to configure your kernel to use such things. Let's think that you know how to configure the kernel. I'll try to make it clear.
You can see what kernel are you using now at the boot time (After pressing ENTER when OS prompts boot:). Then cd to the /sys/i386/conf. Find a file with the name of the kernel. Do ls and see what files are there
You need not file named as GENERIC, LINT, PCCARD, Makefile.i386, files.i386, devices.i386, majors.i386 or options.i386 .
Let the current kernel configuration file be yourkernel. Do

cp yourkernel natdkernel

and edit natdkernel with any text editor. You should add two lines:

options IPFIREWALL
options IPDIVERT

Then do following as root:

config natdkernel
cd ../../compile/natdkernel
make depend
make
make install

Making your firewall useful.

Then you're need to configure your firewall to work with natd:

Edit your /etc/rc.conf to set the option firewall_enable to YES
Edit your /etc/rc.firewall to add lines:
- /sbin/ipfw -f flush
- /sbin/ipfw add 1000 pass all from 127.0.0.1 to 127.0.0.1
- /sbin/ipfw add 2000 divert all from any to any via ed0 where ed0 is your EXTERNAL interface.
- /sbin/ipfw add 6500 pass all from any to any

Lines above are firewall rules. You can sort IP packets after receiveing. The first line clears rule table. The second line allows packets go from your machine to your machine. You need it. The third line tells firewall to send all packets going through the ed0 to the natd. The last line tells that all packets can go anywhere through this machine. So all packets not matching rules above are free to go they want to.

Making natd running at the right time.

Look at your /etc/services find a line natd 8668/divert there. It can be placed there by default but if it isn't... So you need this line in this file.

Configure your internal interface to use 192.168.0.1 as IP address. You can do it editing /etc/rc.conf or by executing commend like:

ifconfig ed1 192.168.0.1 up netmask 255.255.0.0 broadcast 192.168.255.255

You can plase this line to the /etc/rc.conf.local to be runned everytime machine boot. Remember - I am talking not about running -stable.

Edit your /etc/rc.conf.local to add line
/usr/local/sbin/natd -p 8668 -n ed0 -redirect_address 192.168.0.1 111.222.33.44
Note that ed0 is your external interface and 111.222.33.44 your public IP address.

Reboot your machine now.

Configure your LAN to use 192.168.0.1 as gateway and enjoy.

Your comments/questions are welcome via e-mail.

Interested in SQUID cache howto? Visit this page a little later.
SQUID allows you cache network traffic through the gateway and can increase the speed of data transfer.

This page was visited

times.