On 2017-06-21, Josh Grosse <j...@jggimi.net> wrote:
> On 2017-06-21 11:36, lu jian wrote:
>> Hi
>> 
>> I have an i386 machine with two network interfaces, one of which
>> connects to the uplink ISP via pppoe, the other connects to the WAN
>> port of a wireless router to which all LAN machines and cell phones
>> connect (via wifi).
>> 
>> The problem is that this i386 machine (which I intend as a firewall)
>> can access the internet, but all LAN machines cannot.
>> 
>> Hint: my wireless router can obtain dhcp address from the i386 machine.
>> 
>> These two network interfaces on the i386 are bge0 and fxp0.
>> 
>> 1) Configuration for fxp0:
>>     # cat /etc/hostname.fxp0
>>         up
>>     # cat /etc/hostname.pppoe0
>>         inet 0.0.0.0 255.255.255.255 NONE \
>>                pppoedev fxp0 authproto chap \
>>                authname 'account' authkey '123' up
>>          dest 0.0.0.1
>> 
>> !/sbin/route add default -if pppoe0 0.0.0.1
>> 
>> 2) Configuration for bge0:
>>     # cat /etc/hostname.bge0
>>        inet 192.168.0.1 255.255.255.0 192.168.0.255
>
> This is a subnet within RFC 1918 - a private network, not
> directly routable on the Internet.
>
> You must add Network Address Translation (NAT) to your PF configuration
> in order to access the Internet from that subnet.
>
> See the NAT section of the PF User's Guide.
>
> http://www.openbsd.org/faq/pf/nat.html
>
>

It will also need net.inet.ip.forwarding=1 in sysctl.conf.
And probably PF "max-mss" rules as shown in "MTU/MSS problems"
in "man 4 pppoe".
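
The three pieces named in this thread (IP forwarding, NAT, MSS clamping) combined for the interfaces described above, as an added example that is not from either poster. The macro names, the default-deny rules and the pass rules are assumptions for a machine meant to act as a firewall.

```conf
# Constructed example for the setup in this thread; not the posters' config.
#
# Prerequisite in /etc/sysctl.conf, so the kernel routes between bge0 and pppoe0:
#   net.inet.ip.forwarding=1
# To apply it without a reboot:
#   sysctl net.inet.ip.forwarding=1

# ---- /etc/pf.conf ----
ext_if = "pppoe0"   # PPPoE uplink (runs over fxp0); macro name is an assumption
int_if = "bge0"     # LAN side, 192.168.0.1/24; macro name is an assumption

set skip on lo

# Clamp the TCP MSS on the PPPoE link (see "MTU/MSS problems" in pppoe(4)).
# 1440 bytes of payload plus 40 bytes of IP/TCP headers stays under the
# 1492-byte PPPoE MTU, so LAN clients do not stall on large transfers.
match on $ext_if scrub (max-mss 1440)

# Rewrite the RFC 1918 source addresses of LAN traffic to the pppoe0 address.
# The parentheses make PF follow the address if the ISP assigns a new one.
match out on $ext_if inet from $int_if:network to any nat-to ($ext_if)

# Default deny: with no pass rule for inbound traffic on pppoe0,
# nothing unsolicited from the uplink is accepted.
block return

# LAN clients may talk to the firewall and be forwarded through it.
pass in on $int_if inet from $int_if:network

# Outbound traffic, both forwarded and the firewall's own. PF keeps state
# by default, so replies to these connections are allowed back in.
pass out inet
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -s rules` and `pfctl -s states` then show whether LAN connections are being translated.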

