Gateways – installing natd/ipfw

Please note: if you are running PPP, then you don’t want natd.  PPP has aliasing
built in.  Unfortunately, I’ve never used PPP, so I suggest you follow the Pedantic PPP Primer of the FreeBSD Handbook or perhaps just see the man
pages for information on -alias.

What’s a gateway?

A gateway allows one computer to talk to an outside network and channel requests from
other computers.  If you have more than one computer, it makes sense to have one of
them act as the gateway to your ISP.  It allows all of your computers to share a
single modem.  It’s easy and it’s cheap.

One of the best ways to create a gateway is by using ipfw and natd (see the FreeBSD natd manual for more information on natd). ipfw is an Internet Packet Firewall (see the FreeBSD Handbook for more information on firewalls). Even though you may not want a firewall, it’s the best way to achieve a gateway.

Installation instructions

These instructions are taken directly from the FreeBSD natd manual.  Please refer
to that document for further information.  This section assumes that the network card
which is attached to your ISP is ed0.   You should substitute your own
interface if necessary.

The following steps will get you going.  However, at the end of this
section, I’ll show you how to make these changes permanent.

1. You need FreeBSD version 2.2 or higher

Obtaining FreeBSD is not covered in this section.  Please refer to the Installing FreeBSD section of the FreeBSD handbook.

2. Build a custom kernel

I highly recommend you read the Configuring the FreeBSD Kernel section of the FreeBSD handbook. Please pay special attention to the Building and Installing a Custom Kernel section. The rest of this section contains the highlights for those who know how to build a kernel.

Include these options in your new kernel.

options IPFIREWALL
options IPDIVERT

If this is the first time you’ve created a new kernel, you may wish to reboot and
install that new kernel.  Make sure your kernel reboots safely with no error
messages.  If all you have done is the above changes, it should go very smoothly.

3. Create a gateway/firewall

Ensure your machine acts as a gateway and a firewall by including the following lines
in /etc/rc.conf:

gateway_enable="YES"
firewall_enable="YES"

4. Configure your interface

Make sure your network cards are already configured.  Sorry, but I don’t cover
that here.  If you’re using ppp, make sure you start ppp before
running natd.

5. Add natd to your services

Ensure the following line appears in /etc/services:

natd     8668/divert  # Network Address Translation socket

6. Start natd

This can be added to /etc/rc.local (NOTE: /etc/rc.local is deprecated; use /usr/local/etc/rc.d/ instead; see Starting stuff at boot time). Remember to change ed0 to your external network card (i.e. the one that goes to your ISP).

natd -interface ed0

7. Redirect the traffic to natd

You will need at least the following commands.  Remember to change ed0
to your external network card (i.e. the one that goes to your ISP).

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any

See FreeBSD natd manual for more
information.

8. Reboot

In order for the changes you’ve made to take effect, you’ll need to reboot.

Things should run smoothly now.

Making these changes permanent

These steps will ensure that natd is configured automatically whenever you reboot.

Make sure the following is in /etc/rc.conf. Remember to change ed0 to your external network card (i.e. the one that goes to your ISP). These lines tell the system that you will be using natd, the interface which needs to be diverted, and the flags which natd needs. In this case, we’ll be putting our flags in a file for ease of maintenance.

natd_enable="YES"
natd_interface="ed0"
natd_flags="-f /etc/natd.conf"

Then make sure the following is in /etc/natd.conf.  Remember to change ed0
to your external network card (i.e. the one that goes to your ISP).

interface ed0
use_sockets yes
same_ports yes

The last two lines should ensure that DCC works correctly under IRC.  If you are
using DHCP, you should also add the following line:

dynamic yes
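The settings from steps 3 to 7 above and from this section are easy to get half-done before the reboot in step 8. The following script is an added example (not part of the original article) that checks an rc.conf-style file and a services file for the settings the article requires, and prints the natd.conf recommended here for the natd_interface it finds, adding "dynamic yes" when that interface is configured with DHCP. The sample files it writes are constructed for the demo, not taken from any real host.

```shell
#!/bin/sh
# Preflight check for the natd/ipfw gateway settings described above.
# Paths are arguments, so it can be pointed at copies of /etc/rc.conf and /etc/services.

# rc_value FILE VAR: print VAR's value (quotes and trailing comment stripped), or nothing if unset.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_gateway RCCONF SERVICES: return 0 when every required setting is present,
# otherwise name each missing item and return 1.
check_gateway() {
    rc=$1; svc=$2; missing=0
    for var in gateway_enable firewall_enable natd_enable; do
        [ "$(rc_value "$rc" "$var")" = "YES" ] \
            || { echo "missing in $rc: ${var}=\"YES\""; missing=1; }
    done
    [ -n "$(rc_value "$rc" natd_interface)" ] \
        || { echo "missing in $rc: natd_interface"; missing=1; }
    # ipfw's "divert natd" rule looks the divert port up by name in services
    grep -Eq '^natd[[:space:]]+8668/divert' "$svc" \
        || { echo "missing in $svc: natd 8668/divert"; missing=1; }
    return $missing
}

# gen_natd_conf RCCONF: print the natd.conf recommended above for natd_interface,
# with "dynamic yes" when that interface uses DHCP (its address can change).
gen_natd_conf() {
    iface=$(rc_value "$1" natd_interface)
    printf 'interface %s\nuse_sockets yes\nsame_ports yes\n' "$iface"
    case "$(rc_value "$1" "ifconfig_$iface")" in
        DHCP|dhcp) echo "dynamic yes" ;;
    esac
}

# write_samples DIR: constructed sample rc.conf and services files (not from a real host)
write_samples() {
    printf '%s\n' 'gateway_enable="YES"' 'firewall_enable="YES"' \
        'natd_enable="YES"' 'natd_interface="ed0"' \
        'natd_flags="-f /etc/natd.conf"' 'ifconfig_ed0="DHCP"' > "$1/rc.conf"
    echo 'natd     8668/divert  # Network Address Translation socket' > "$1/services"
}

# Stand-alone demo on the constructed samples
dir=$(mktemp -d) && write_samples "$dir"
check_gateway "$dir/rc.conf" "$dir/services" && echo "gateway settings complete"
gen_natd_conf "$dir/rc.conf"
rm -r "$dir"
```

Run it against copies of your own rc.conf and services before rebooting; the natd.conf it prints is only a starting point and still needs the interface checked by hand.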

If it doesn’t work

If the above does not get things working for you, then please add your comments. Perhaps my
instructions are defective.  I don’t think so, but please tell me of any problems you
had and what you did to correct them.

13 thoughts on “Gateways – installing natd/ipfw”

  1. (posted by Dan Langille)

    I am in the situation of having a FreeBSD box act as gateway for net access.
    As I’m only assigned a single IP, I’m using natd for connecting my LAN to
    the net (only one machine though, so its basically "redirect_address
    10.0.0.2 0.0.0.0", heh). I too encountered the problem of not being able to
    initiate DCC’s from mIRC.

    I enabled -use_sockets and -same_ports, yet this would not help. After
    searching around on the net, I found this page:
    http://www.freebsd.org/cgi/query-pr.cgi?7669.

    Let me just quote the interesting part from it:

    mIRC, a popular MS Windows-based IRC client, can determine the address
    that it should use for itself in DCC-based activities in one of two
    ways. It can query the OS for its address, or it can query the IRC
    server. In the latter case, if the connection between the box in
    question and the IRC server includes a FreeBSD box performing address
    translation via ppp -alias (or other libalias-based system), then the
    address returned is the address of the FreeBSD box. This means that
    DCC requests from the mIRC client are sent out with the FreeBSD box’s
    address encoded in the request.

    libalias includes a facility to examine outgoing packets for IRC DCC
    packets and perform the necessary translation. However, it only
    performs this if the address encoded in the DCC packet is that of a
    system being aliased. In the case where the IRC client gets its
    address from the server, then libalias will not perform this
    translation.

    Now, I’m not sure if this issue (limitation?) is natd’s or mirc’s fault; I
    suppose both are doing their job, hehe. Anyway, the workaround is changing
    mirc options from "Lookup Method: Server" to "Lookup Method: Normal". This
    will change the IP mirc uses to 10.0.0.2 (in my case), opposite to the IP
    assigned by the ISP when using server lookup. The best thing would probably
    be making mirc use the two different IP’s for normal IRC stuff and DCC. I’m
    gonna write mirc’s author about it.

    1. Also, some IRC servers (or maybe clients) require that your inetd server be visible for DCC sends, so make sure you either forward your port 113 or run an inetd server on your firewall.

    2. Another Solution

      One thing I figured out in mIRC when using natd is that in mIRC’s DCC options you can specify a range of ports to use for DCC. Simply do this, and forward those same ports to the windows box from natd.conf and your DCC’s should work flawlessly either way.

    1. Hello Nick
      Sorry, I am not experienced in English.
      I want to know about installing IPFW/NAT.
      I know how to install IPFW/NAT by compiling it into the kernel.
      I want to know how to install IPFW/NAT as a module,
      for example:
      kldstat ipfw.ko

      NAT cannot run.
      How do I install IPFW/NAT as modules?

      Have a nice day !!!!!

  2. I recall having the ability to write powerful statements like:

    ipfw add 100 check-state
    ipfw add 101 allow all from me to not me keep-state via tun0

    utilizing the wonderful "me" and "not" clauses.
    For some reason it is only the "me" clause that works now,
    seemingly "not" has been dropped – or perhaps the syntax has
    been changed, but I can not find the changes.

    I would appreciate any information relating to this topic.

    thanks in advance,
    sereciya@mail.csuchico.edu

  3. Hi, I’m using NATd on FreeBSD 4.5, used this ruleset and instructions, and can’t get internet to my other machine. Problem lies with the fact that my bandwidth is DEAD. On a download I normally get 130-150kb/s, I now get 30 on THIS machine. My other machine d/ls the file at about 3kb/s. I run cable, and have NO clue why this is happening. I tried dummynet stuff, couldn’t really figure out how a protocol to limit bandwidth would make it flow right.. ANY help, tutorials, rulesets to make cable work correctly bandwidth wise is MUCH appreciated.

    1. Also, this area is for comments on the article. Not for asking for help. For that, click on Forums, and post your query into the FreeBSD Support section.

    2. I have the exact same problem, when I delete the IPFW rules (the divert one mainly), my bandwidth goes back to normal, but as soon as I add it, I get stuck on about 3k/s
