Robert Huff wrote:
> Christopher Cowart writes:
>
>> > 2) NAT still doesn't work. Still connected, but can't surf to
>> > www.google.com using Firefox.
>>
>> My kernel conf:
>> | options IPFIREWALL
>> | options IPFIREWALL_VERBOSE
>> | options IPFIREWALL_VERBOSE_LIMIT=100
>> | options IPFIREWALL_FORWARD
>> | options IPFIREWALL_NAT
>> | options LIBALIAS
>
> I do not have "options IPFIREWALL_FORWARD" (it's commented out)
> because the attached comment says:
>
> enable xparent proxy support
>
> Since that machine doesn't do proxy ... is this necessary?

Should be fine.

>> My (abbreviated) ipfw.rules script:
>> | /sbin/ipfw -q nat 1 config if vlan98 log reset unreg_only same_ports
>> | $CMD allow all from any to any via lo0
>> | $CMD nat 1 ip4 from any to any
>> | $CMD allow icmp from any to any
>> | $CMD deny log ip from any to me
>> | $CMD allow ip4 from any to any
>
> Not an ipfw guru, but don't see anything that contradicts what
> I have.

Do you have gateway_enable="YES" in your /etc/rc.conf?

$ sysctl -a net.inet.ip.forwarding
net.inet.ip.forwarding: 1

Is the interface mentioned in the nat config the interface with the public IP?

Try putting `$CMD count log ip from any to any' rules to see if traffic is matching where you expect it to; I have found this incredibly useful in the past, because interface and direction tags are not always intuitive (especially once you get fwd rules, which luckily you don't have).

--
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
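The ruleset and the debugging advice in the message above, worked into one script. This is an added example, not the poster's ipfw.rules and not anything from the thread: it keeps the same in-kernel nat config on vlan98 and the same allow/deny rules, but gives them explicit rule numbers, puts a `count log` probe rule immediately before and immediately after the nat rule so the pre- and post-translation views can be compared with `ipfw show`, restricts the nat rule to the public interface with `via`, and refuses to load on a host whose net.inet.ip.forwarding is not 1 (the sysctl that gateway_enable="YES" sets at boot). One caveat the thread does not mention: ipfw's net.inet.ip.fw.one_pass sysctl defaults to 1, which accepts a packet as soon as the nat action has run, so the probe after the nat rule and the `deny log ip from any to me` rule would never be evaluated for translated packets; the script sets it to 0 explicitly. Paths, rule numbers and the IPFW_DRY_RUN switch are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw in-kernel NAT ruleset in the
# style of the posted ipfw.rules, with "count log" probe rules placed before
# and after the nat rule so you can see what each stage actually matches.
# Assumptions not in the thread: the public side is vlan98 (from the posted
# nat config) and the host is meant to have gateway_enable="YES" in rc.conf.
# Set IPFW_DRY_RUN=1 to print the commands instead of executing them.

EXT_IF="${EXT_IF:-vlan98}"      # interface holding the public IP
IPFW="${IPFW:-/sbin/ipfw}"
SYSCTL="${SYSCTL:-/sbin/sysctl}"

# Execute a command, or echo it in dry-run mode (reviewable on a box without ipfw).
run() {
    if [ -n "$IPFW_DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to load a NAT ruleset on a host that is not forwarding:
# gateway_enable="YES" in /etc/rc.conf is what sets this sysctl at boot.
check_forwarding() {
    fwd="$("$SYSCTL" -n net.inet.ip.forwarding 2>/dev/null)"
    [ "$fwd" = "1" ]
}

load_rules() {
    if [ -z "$IPFW_DRY_RUN" ] && ! check_forwarding; then
        echo "net.inet.ip.forwarding is not 1; set gateway_enable=\"YES\" in /etc/rc.conf" >&2
        return 1
    fi

    # With one_pass=1 (the default) a packet is accepted as soon as the nat
    # action has run, so no rule after the nat rule would ever see it.
    run "$SYSCTL" net.inet.ip.fw.one_pass=0

    run "$IPFW" -q -f flush
    run "$IPFW" -q nat 1 config if "$EXT_IF" log reset unreg_only same_ports

    run "$IPFW" -q add 100 allow ip from any to any via lo0
    # Probe 1: pre-NAT view of every packet on the public interface.
    run "$IPFW" -q add 200 count log ip from any to any via "$EXT_IF"
    # Translate only on the public interface, not on every interface.
    run "$IPFW" -q add 300 nat 1 ip4 from any to any via "$EXT_IF"
    # Probe 2: post-NAT view (only reached because one_pass is 0).
    run "$IPFW" -q add 400 count log ip from any to any via "$EXT_IF"
    run "$IPFW" -q add 500 allow icmp from any to any
    run "$IPFW" -q add 600 deny log ip from any to me
    run "$IPFW" -q add 700 allow ip4 from any to any
}

# Show the probe counters: compare 200 against 400 to see what NAT changed
# and what never got past the nat rule.
show_probes() {
    run "$IPFW" show 200 400
}

# Zero the probe counters and their VERBOSE_LIMIT log budget between tests.
reset_probes() {
    run "$IPFW" zero 200 400
    run "$IPFW" resetlog 200 400
}

case "${1:-}" in
    load)  load_rules ;;
    show)  show_probes ;;
    reset) reset_probes ;;
esac
```

Run `sh ipfw-nat.sh load` once, generate some traffic from a LAN host, then `sh ipfw-nat.sh show`: if rule 200 counts packets but 400 does not, the packets are not coming back out of the nat action; if neither counts, the traffic is not on the interface you think it is, which is the point of the `count log` advice above. `IPFW_DRY_RUN=1 sh ipfw-nat.sh load` prints the exact commands without touching the firewall.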