Mask's web site

In this section I describe how I set up natd, the Network Address Translation (NAT) daemon, as part of managing the system.

What follows is based on the parts of the man page relevant to NAT that I selected. For more details, see the natd(8) man page.


Turn on NATD

  1. Get FreeBSD Release 2.2 or higher. Earlier versions do not support divert(4) sockets.
  2. You need two Ethernet cards: one connected to the outside (real IP), the other to the inside (private IP).
  3. # cd /usr/src/sys/i386/conf/
  4. # cp GENERIC xxx (xxx is whatever name you want to give the new kernel configuration; edit xxx and leave GENERIC untouched as a backup of the original)
  5. Build a custom kernel with the following options:
    options IPDIVERT
    options IPFIREWALL
    options IPFIREWALL_DEFAULT_TO_ACCEPT
    In addition, you can add the advanced options below:
    options DUMMYNET
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=100
  6. # config xxx
  7. # cd /usr/src/sys/compile/xxx/
  8. # make depend all install
  9. Back up /etc/rc.conf or /etc/defaults/rc.conf, then set the following in it:

    firewall_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_interface="ed0"
    network_interfaces="ed0 ed1"
    gateway_enable="YES"

    Here ed0 is connected to the Internet (outside) and ed1 is the gateway for the local area network (inside). ed0 and ed1 are my NICs (Network Interface Cards); yours may be different, so check /usr/src/sys/i386/conf/LINT for the driver name of your NIC.
  10. Make sure the following line exists in /etc/services:
    natd 8668/divert
  11. Back up /etc/rc.firewall, then re-create /etc/rc.firewall with:
    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via ed0
    /sbin/ipfw add pass all from any to any
    Here ed0 is the interface connected to the Internet (outside). In addition, you can add the advanced rule below:
    /sbin/ipfw add deny all from 192.168.0.0:255.255.0.0 to any via ed0
  12. Now NAT is done.
  13. Choose the private address class you want to use in the LAN (Local Area Network):
    Class A: 10.0.0.0 - 10.255.255.255, mask 255.0.0.0
    Class B: 172.16.0.0 - 172.31.255.255, mask 255.255.0.0
    Class C: 192.168.0.0 - 192.168.255.255, mask 255.255.255.0
  14. Suppose you choose Class C.
  15. # sync;reboot
  16. # ifconfig -a, then # netstat -rn; the routing table should look like this:
Internet:
Destination        Gateway            Flags   Refs     Use  Netif Expire
default            211.21.242.249     UGSc       2    3258  ed0
127.0.0.1          127.0.0.1          UH         0       0  lo0
192.168            link#2             UC         0       0  ed1
192.168.0.1        0:10:60:30:1e:6b   UHLW       0    1812  ed1
211.21.242.248/29  link#1             UC         0       0  ed0
211.21.242.249     link#1             UHLW       1       0  ed0
Figure 1 Correct state
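As an added example (my own script, not the page's /etc/rc.firewall): the three rules from step 11 plus the optional deny, written as a small sh script in the order ipfw must evaluate them. ipfw walks its rules in order and the first match wins, so the deny for private source addresses has to sit after the divert (before it, the LAN's own outbound packets would be dropped before natd rewrites their source) and before the pass-all (after it, the rule is never reached). Assumptions: the outside NIC is ed0, the LAN range is 192.168.0.0/16 as in the page's deny rule, the rule numbers are my choice, and the log keyword needs the IPFIREWALL_VERBOSE option from step 5. Set IPFW=echo to print the commands instead of loading them.

```shell
#!/bin/sh
# Added example: an /etc/rc.firewall for the natd setup above (not the page's own file).
# Assumptions: outside NIC ed0, LAN 192.168.0.0/16, 'natd' divert port from /etc/services.
# Set IPFW=echo to print the ipfw commands instead of loading them.

EXT_IF="${EXT_IF:-ed0}"
LAN_NET="${LAN_NET:-192.168.0.0/16}"
IPFW="${IPFW:-/sbin/ipfw}"

# Print the ruleset, one ipfw argument list per line, in evaluation order.
# Rule numbers are chosen here; ipfw would assign them automatically otherwise.
nat_rules() {
    ext="$1"
    lan="$2"
    # 1. Every packet crossing the outside interface goes to natd first.
    #    Outbound LAN packets get their private source rewritten to the
    #    public address; inbound replies get the destination rewritten back.
    echo "add 100 divert natd all from any to any via $ext"
    # 2. After translation no packet on the outside interface should carry a
    #    private source: inbound it is spoofed, outbound it escaped NAT.
    #    Placed after the divert (before it, untranslated LAN traffic would be
    #    dropped) and before the pass-all (after it, never reached).
    #    'log' needs the IPFIREWALL_VERBOSE kernel option.
    echo "add 200 deny log all from $lan to any via $ext"
    # 3. Everything else is allowed, matching firewall_type="OPEN".
    echo "add 65000 pass all from any to any"
}

# Flush the current ruleset, then load each rule in order.
load_rules() {
    "$IPFW" -f flush
    nat_rules "$EXT_IF" "$LAN_NET" | while read -r rule; do
        # word splitting of $rule is intended: each word is one ipfw argument
        "$IPFW" $rule
    done
}

# Sanity check: divert before deny, deny before pass. Exit status 0 if so.
check_order() {
    nat_rules "$1" "$2" | awk '
        /divert/ { d = NR }
        /deny/   { if (!n) n = NR }
        /pass/   { p = NR }
        END      { exit !(d && n && p && d < n && n < p) }'
}

# Run as "sh rc.firewall load" to apply; sourcing or running without
# arguments only defines the functions.
case "${1-}" in
    load) check_order "$EXT_IF" "$LAN_NET" && load_rules ;;
esac
```

The divert rule's via ed0 matches in both directions, which is why one rule serves outbound translation and inbound reverse translation. The deny only looks at the source address: a legitimate inbound packet, once natd has rewritten its destination to a LAN host, still carries a public source, so it is not caught, while a packet arriving on ed0 with a 192.168 source has no honest origin.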

 

Practical ADSL


Figure 2 VPN Architecture

  1. NATD settings for ADSL
    1. /etc/defaults/rc.conf
      natd_flags="-f /etc/defaults/natd.conf"
    2. /etc/defaults/natd.conf
    3. Redirect address and redirect port on the command line:
      You must first alias 211.21.242.250 onto ed0. If the outside interface is not up, you cannot go on.
      /sbin/natd -redirect_address 192.168.0.29 211.21.242.250
      After this command, 192.168.0.29 is mapped to 211.21.242.250.
      However, giving both an alias address and an interface name is not allowed:
      /sbin/natd -alias_address 211.21.242.250 -redirect_address 192.168.0.29 211.21.242.250 -interface ed0

Q&A

Q: 192.168.0.* and 192.168.29.* can't route to each other
A: It is like living on two separate floors: without a staircase between them, how could they talk to each other?

 

Q: $ netstat -rn
Internet:
Destination        Gateway            Flags   Refs     Use  Netif Expire
default            211.21.242.249     UGSc       1    2421  ed0
127.0.0.1          127.0.0.1          UH         0       2  lo0
192.168            link#2             UC         0       0  ed1
192.168.0.3        link#2             UHLW       1     989  ed1
192.168.0.4        0:80:c8:57:20:53   UHLW       0       0  ed1   1126
192.168.0.29       0:80:c8:57:20:53   UHLW       0       0  ed1    341
211.21.242.248/29  link#1             UC         0       0  ed0
211.21.242.249     link#1             UHLW       1       0  ed0
A:

 

Q: $ netstat -rn
Internet:
Destination        Gateway            Flags   Refs     Use  Netif Expire
default            211.21.242.249     UGSc       1   56293  ed0
127.0.0.1          127.0.0.1          UH         0       8  lo0
192.168            link#2             UC         0       0  ed1
192.168.0.1        0:10:60:30:1e:6b   UHLW       0       0  ed1   1056
211.21.242.248/29  link#1             UC         0       0  ed0
211.21.242.249     link#1             UHLW       2       0  ed0
A:

 

Q: Nov 10 02:23:16 Mask natd[93]: failed to write packet back (No route to host)
A:

A packet was sent out through ed0 to the outside, but the reply cannot get back to ed0. There are a few possible reasons:

  1. Inside: check the connection from the host to the router (generally the router is a little black box). If the router is powered on and the connection is good, it may be another reason.
  2. Outside: perhaps the connection from the router to your ISP (Internet Service Provider) is down.

 

Q: Nov 12 03:05:51 Mask /kernel: arp: 192.168.0.3 is on ed1 but got reply from 00:c0:26:26:b2:29 on ed0
A:

ed0 received a packet from 192.168.0.3. Correctly, the private address 192.168.0.3 belongs on ed1 (local), but some host on the outside has set its address to 192.168.0.3. Check your local hosts; probably a host on the same segment as ed0 has been configured wrongly.

 

Q: $ netstat -rn
Internet:
Destination        Gateway            Flags   Refs     Use  Netif Expire
default            211.21.242.249     UGSc       3  586798  ed0
127.0.0.1          127.0.0.1          UH         0       2  lo0
192.168            link#2             UC         0       0  ed1
192.168.0.1        0:10:60:30:1e:6b   UHLW       0  176461  ed1   1172
192.168.0.3        0:c0:26:26:b2:29   UHLW       0     238  ed1    980
211.21.242.248/29  link#1             UC         0       0  ed0
211.21.242.249     0:60:6c:8:9a:a7    UHLW       2       0  ed0
211.21.242.250     0:a0:c:c9:0:f8     UHLW       0  528654  ed0
211.21.242.252     0:0:e8:72:fd:67    UHLW       0   35912  ed0    326
Figure 3 Wrong Status
A:

 

Q: $ netstat -rn
Internet:
Destination        Gateway            Flags   Refs     Use  Netif Expire
default            211.21.242.249     UGSc       2  587207  ed0
127.0.0.1          127.0.0.1          UH         0      14  lo0
192.168            link#2             UC         0       0  ed1
192.168.0.1        0:10:60:30:1e:6b   UHLW       1  176511  ed1   1012
192.168.0.3        0:c0:26:26:b2:29   UHLW       1     406  ed1   1138
211.21.242.248/29  link#1             UC         0       0  ed0
211.21.242.249     0:60:6c:8:9a:a7    UHLW       2       0  ed0   1138
Figure 4 Correct Status
A:

 

© by Mask from 2001/7.
All rights reserved.