In this section I describe how I set up the NAT (Network Address Translation) daemon as part of system management.
Below is the part of the man page related to NAT that I selected. For more details, see the natd(8) man page.
Turn on NATD
- Get FreeBSD Release 2.2 or higher. Earlier versions do not support divert(4) sockets.
- You must have two Ethernet cards: one connected to the outside (real IP address), the other to the inside (private IP address).
- # cd /usr/src/sys/i386/conf/
- # cp GENERIC xxx (xxx is whatever file name you choose; edit xxx to configure the new kernel, so the original GENERIC configuration is kept as a backup)
- Build a custom kernel with the following options:
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
In addition, you can add the advanced options below:
options DUMMYNET
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
- # config xxx
- # cd /usr/src/sys/compile/xxx/
- # make depend all install
- Back up /etc/rc.conf or /etc/defaults/rc.conf, then modify it as below:
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="ed0"
network_interfaces="ed0 ed1"
gateway_enable="YES"
Here ed0 is connected to the Internet (outside) and ed1 is the gateway interface connected to the local area network (inside). ed0 and ed1 are my NICs (Network Interface Cards); yours may be different, so check /usr/src/sys/i386/conf/LINT for the device name of your NIC.
- Make sure the following line exists in /etc/services:
- Back up /etc/rc.firewall, then re-create /etc/rc.firewall with:
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
Here ed0 is connected to the Internet (outside). In addition, you can add the advanced rule below, which denies any packet with a source address in the private 192.168.0.0/16 range passing through ed0 in either direction, so private addresses never leave unaliased and spoofed private sources from outside are dropped. Since ipfw evaluates rules in order, this deny rule must come before the final "pass all" rule, otherwise it never matches:
/sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ed0
- NAT is now set up.
- Set the address class you want to use in the LAN (Local Area Network):
Class A: 10.0.0.0 - 10.255.255.255        Mask: 255.0.0.0
Class B: 172.16.0.0 - 172.31.255.255      Mask: 255.255.0.0
Class C: 192.168.0.0 - 192.168.255.255    Mask: 255.255.255.0
- Suppose you choose Class C.
- # sync;reboot
- # ifconfig -a
Internet:
Destination        Gateway            Flags  Refs    Use  Netif Expire
default            211.21.242.249     UGSc      2   3258  ed0
127.0.0.1          127.0.0.1          UH        0      0  lo0
192.168            link#2             UC        0      0  ed1
192.168.0.1        0:10:60:30:1e:6b   UHLW      0   1812  ed1
211.21.242.248/29  link#1             UC        0      0  ed0
211.21.242.249     link#1             UHLW      1      0  ed0

Figure 1 Correct state
Practical ADSL
Figure 2 VPN Architecture
- NATD settings for ADSL
- /etc/defaults/rc.conf:
natd_flags="-f /etc/defaults/natd.conf"
- /etc/defaults/natd.conf:
- Redirect address and redirect port on the command line:
You must alias 211.21.242.250 to ed0 first. If your outside interface is not active, you cannot go on.
/sbin/natd -redirect_address 192.168.0.29 211.21.242.250

After this command, 192.168.0.29 is mapped to 211.21.242.250.
However, giving both an alias address and an interface name is not allowed; natd rejects the following:
/sbin/natd -alias_address 211.21.242.250 -redirect_address 192.168.0.29 211.21.242.250 -interface ed0

Q&A
Q:
192.168.0.* and 192.168.29.* can't route to each other.
A:
It is like two people living on different floors of a building: without a staircase between the floors, how could they talk to each other? 192.168.0.0/24 and 192.168.29.0/24 are separate subnets, so a router with an interface (or a route) on each of them has to forward between the two.
Q:
$ netstat -rn
Internet:
Destination        Gateway            Flags  Refs    Use  Netif Expire
default            211.21.242.249     UGSc      1   2421  ed0
127.0.0.1          127.0.0.1          UH        0      2  lo0
192.168            link#2             UC        0      0  ed1
192.168.0.3        link#2             UHLW      1    989  ed1
192.168.0.4        0:80:c8:57:20:53   UHLW      0      0  ed1    1126
192.168.0.29       0:80:c8:57:20:53   UHLW      0      0  ed1     341
211.21.242.248/29  link#1             UC        0      0  ed0
211.21.242.249     link#1             UHLW      1      0  ed0

A:

Q:
$ netstat -rn
Internet:
Destination        Gateway            Flags  Refs    Use  Netif Expire
default            211.21.242.249     UGSc      1  56293  ed0
127.0.0.1          127.0.0.1          UH        0      8  lo0
192.168            link#2             UC        0      0  ed1
192.168.0.1        0:10:60:30:1e:6b   UHLW      0      0  ed1    1056
211.21.242.248/29  link#1             UC        0      0  ed0
211.21.242.249     link#1             UHLW      2      0  ed0

A:

Q:
Nov 10 02:23:16 Mask natd[93]: failed to write packet back (No route to host)
A:
A packet was sent from ed0 to the outside, but the reply cannot get back to ed0. There are several possible reasons:
- Inside: check the connection from the host to the router; the router is generally a little black box. If the router is powered on and the connection is good, the cause may be something else.
- Outside: perhaps the connection from the router to your ISP (Internet Service Provider) is down.

Q:
Nov 12 03:05:51 Mask /kernel: arp: 192.168.0.3 is on ed1 but got reply from 00:c0:26:26:b2:29 on ed0
A:
ed0 received an ARP reply for 192.168.0.3. Correctly, 192.168.0.3 is a private IP address that belongs on the ed1 (local) side, but some host on the outside has set its IP address to 192.168.0.3. Check your local hosts; perhaps a host on the same segment as ed0 was configured wrongly.
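The conditions the answers above describe (a private address showing up on the outside interface, a reply path that cannot reach the outside interface) can be checked mechanically against netstat -rn output like the figures on this page. The script below is an added example, not part of the original page: it takes ed0 as the outside interface (an assumption from the setup above), embeds a routing table constructed from the page's figures plus one deliberately wrong row, and prints a line for a private destination via the outside interface, a MAC shared by several destinations, and a default gateway that is not on a network connected to the outside interface.

```shell
#!/bin/sh
# Added example (not the page's code): sanity checks over `netstat -rn` output of a
# two-NIC natd gateway. OUTSIDE_IF=ed0 is assumed from the page's setup; the sample is
# constructed from the page's figures plus one deliberately wrong row (192.168.29 on ed0).
OUTSIDE_IF="ed0"
SAMPLE='Internet:
Destination        Gateway            Flags  Refs     Use  Netif Expire
default            211.21.242.249     UGSc      3  586798  ed0
192.168            link#2             UC        0       0  ed1
192.168.0.3        0:c0:26:26:b2:29   UHLW      0     238  ed1     980
192.168.0.4        0:80:c8:57:20:53   UHLW      0       0  ed1    1126
192.168.0.29       0:80:c8:57:20:53   UHLW      0       0  ed1     341
192.168.29         link#1             UC        0       0  ed0
211.21.242.248/29  link#1             UC        0       0  ed0
211.21.242.249     0:60:6c:8:9a:a7    UHLW      2       0  ed0'
# check_routes: reads netstat -rn text on stdin, prints one WARN/NOTE line per finding.
check_routes() {
    awk -v outside="$OUTSIDE_IF" '
    function ip2n(s,  o, n) {      # dotted quad (possibly abbreviated, e.g. 192.168) to a number
        sub("/.*", "", s); n = split(s, o, "."); while (n < 4) o[++n] = 0
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    function plen(s,  o) {         # prefix length: explicit /n, else 8 bits per octet shown
        if (index(s, "/")) { sub(".*/", "", s); return s + 0 } else return 8 * split(s, o, ".")
    }
    NF >= 6 && $1 != "Destination" {
        dst = $1; gw = $2; flags = $3; ifn = $6
        if (dst == "default") { defgw = gw; defif = ifn; next }
        # remember connected-network routes (flag C, no H) per interface for check 3
        if (flags ~ /C/ && flags !~ /H/) { c++; nb[c] = ip2n(dst); np[c] = plen(dst); ni[c] = ifn }
        # 1. an RFC1918 destination reachable through the outside interface
        if (ifn == outside && (dst ~ /^10(\.|$)/ || dst ~ /^192\.168(\.|$)/ ||
                               dst ~ /^172\.(1[6-9]|2[0-9]|3[01])(\.|$)/))
            print "WARN private destination " dst " via outside interface " ifn
        # 2. one MAC address behind more than one destination on the same interface
        if (gw ~ /^[0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+$/) {
            if ((ifn, gw) in seen) print "NOTE MAC " gw " on " ifn " answers for " seen[ifn, gw] " and " dst
            else seen[ifn, gw] = dst
        }
    }
    END {
        # 3. the default gateway must lie on a network directly connected to the outside interface
        if (defif != outside) { print "WARN default route leaves via " defif ", not " outside; exit }
        for (i = 1; i <= c; i++)
            if (ni[i] == outside && int(ip2n(defgw) / 2 ^ (32 - np[i])) == int(nb[i] / 2 ^ (32 - np[i]))) ok = 1
        if (!ok) print "WARN default gateway " defgw " is not on a connected network of " outside
    }'
}
printf '%s\n' "$SAMPLE" | check_routes
```

On a live gateway, pipe the real output in with `netstat -rn | check_routes`; the MAC-sharing line is only a note, since one host may legitimately hold several addresses.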
Q:
$ netstat -rn
Internet:
Destination        Gateway            Flags  Refs     Use  Netif Expire
default            211.21.242.249     UGSc      3  586798  ed0
127.0.0.1          127.0.0.1          UH        0       2  lo0
192.168            link#2             UC        0       0  ed1
192.168.0.1        0:10:60:30:1e:6b   UHLW      0  176461  ed1    1172
192.168.0.3        0:c0:26:26:b2:29   UHLW      0     238  ed1     980
211.21.242.248/29  link#1             UC        0       0  ed0
211.21.242.249     0:60:6c:8:9a:a7    UHLW      2       0  ed0
211.21.242.250     0:a0:c:c9:0:f8     UHLW      0  528654  ed0
211.21.242.252     0:0:e8:72:fd:67    UHLW      0   35912  ed0     326
Figure 3 Wrong Status
A:

Q:
$ netstat -rn
Internet:
Destination        Gateway            Flags  Refs     Use  Netif Expire
default            211.21.242.249     UGSc      2  587207  ed0
127.0.0.1          127.0.0.1          UH        0      14  lo0
192.168            link#2             UC        0       0  ed1
192.168.0.1        0:10:60:30:1e:6b   UHLW      1  176511  ed1    1012
192.168.0.3        0:c0:26:26:b2:29   UHLW      1     406  ed1    1138
211.21.242.248/29  link#1             UC        0       0  ed0
211.21.242.249     0:60:6c:8:9a:a7    UHLW      2       0  ed0    1138
Figure 4 Correct Status
A:
