ok. but what does work? what is a reasonable script for simple nat?

--------------------------------------------
bycn82 <[email protected]> wrote on Tue, 23.6.2015:
Subject: Re: ipfw3
To: [email protected]
CC: "[email protected]" <[email protected]>
Date: Tuesday, 23 June 2015, 18:53

what is the result?
line 100 allow all
line 200 nat 1 tcp via xxx
sure it doesn't work

On 23 June 2015 at 21:36, <[email protected]> wrote:

Now I wrote a small script:

kldload ipfw3_nat
ipfw3 add allow all
ipfw3 nat 1 config if bnx1
ipfw3 add nat 1 tcp via bnx1

But nat/firewalling still doesn't work. Any more suggestions?

--------------------------------------------
bycn82 <[email protected]> wrote on Tue, 23.6.2015:
Subject: Re: ipfw3
To: [email protected]
CC: "[email protected]" <[email protected]>
Date: Tuesday, 23 June 2015, 02:46

you can write a script to load the modules and firewall rules first.

On 22 June 2015 at 23:39, <[email protected]> wrote:

yes, you are right: There is no traffic out via bnx1.
It's for a business company. So no teamviewer is possible.
Is there anything else that could be wrong, maybe in rc.conf? What about natd_enable?

--------------------------------------------
bycn82 <[email protected]> wrote on Mon, 22.6.2015:
Subject: Re: ipfw3
To: [email protected]
CC: "[email protected]" <[email protected]>
Date: Monday, 22 June 2015, 17:27

yes, if you are using the latest DragonflyBSD source, then you can print the NAT records like "ip show nat translation" on cisco routers.

On 22 June 2015 at 23:22, <[email protected]> wrote:

That is a good question. Is "tcpdump -nettti bnx1" the right command to verify this?

--------------------------------------------
bycn82 <[email protected]> wrote on Mon, 22.6.2015:
Subject: Re: ipfw3
To: [email protected]
Date: Monday, 22 June 2015, 17:11

but do you have any traffic go out via bnx1?

On 22 June 2015 at 23:08, <[email protected]> wrote:

ok. I tried it on another machine with 4.3 and without the options in kernel config. The result is the same.

Some data:
Internal NIC: bnx0, 192.168.100.188/24
External NIC: bnx1, 192.168.10.229/24

rc.conf:
gateway_enable="YES"
defaultrouter="192.168.10.200"

Then:
kldload ipfw3_nat
ipfw3 nat 1 config if bnx1
ipfw3 add nat 1 tcp via bnx1

The outputs:

kldstat:
kernel
acpi.ko
ehci.ko
xhci.ko
ipfw3_nat.ko
ipfw3_basic.ko
ipfw3.ko
libalias.ko

ipfw3 show:
00100 0 0 nat 1 tcp via bnx1
65535 699 51067 deny

ipfw3 nat show config:
ipfw nat 1 config if bnx1

Is something wrong?

--------------------------------------------
bycn82 <[email protected]> wrote on Mon, 22.6.2015:
Subject: Re: ipfw3
To: [email protected]
CC: "[email protected]" <[email protected]>
Date: Monday, 22 June 2015, 15:33

your rules are correct. and you don't need to add the options in the kernel config file, that belongs to IPFW.
please provide the output of the commands below:
1. kldstat
2. ipfw3 show
3. ipfw3 nat show config

On 22 June 2015 at 21:08, <[email protected]> wrote:

Sorry, but this doesn't work. My external nic is ue0 and my internal nic is em0. I run 4.3 and a kernel with the following options:

options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

What I do:

In /etc/rc.conf:
gateway_enable="YES"

Then:
kldload ipfw3_nat
ipfw3 nat 1 config if ue0
ipfw3 add nat 1 tcp via ue0

The result is that NAT doesn't work. What is wrong with my configuration? Have I forgotten something?

--------------------------------------------
bycn82 <[email protected]> wrote on Mon, 22.6.2015:
Subject: Re: ipfw3
To: [email protected]
CC: "[email protected]" <[email protected]>
Date: Monday, 22 June 2015, 01:47

hi, sorry for the lack of documentation. below are sample steps to use in-kernel NAT with ipfw3.

Step 1: make sure the ipfw3_nat module is loaded

dev03# kldstat | grep ipfw3_nat
 5 1 0xffffffff83242000 3000 ipfw3_nat.ko

if the module is not loaded, then use the command below to load the kernel module

dev03# kldload ipfw3_nat

Step 2: prepare the NAT config

dev03# ipfw3 nat 1 config if em0
ipfw nat 1 config if em0

which means it will do MASQUERADE using interface em0.

Step 3: NAT the traffic. NAT is just ip translation, so both directions should go through the same NAT config.

dev03# ipfw3 add nat 1 tcp via em0

this means both in and out traffic on interface em0 will be filtered/translated by NAT config id 1.

hope this helps, please try it and if you have any question, just let me know, and if you can help to come up with a tutorial by rephrasing this and appending your experience, that would be very helpful. http://www.dragonflybsd.org/docs/ipfw2/ is a wiki, there is an "edit page" link.

regards,
bycn82

On 22 June 2015 at 02:31, <[email protected]> wrote:

Can someone give me detailed/complete instructions on how to realize simple working nat with ipfw3 (including rc.conf and configuration files)? The information on these sites turns out to be sadly sparse for me:
https://www.dragonflybsd.org/docs/ipfw2/
http://www.dragonflybsd.org/docs/ipfw2/modules/
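A minimal NAT script in the shape the thread converges on, added here as an example (it is not a script from the thread or from DragonFly BSD). It assumes ipfw3 accepts an explicit rule number after `add`, as ipfw does, and uses an IPFW3 variable so the commands can be dry-run with echo.

```shell
#!/bin/sh
# Added example, not from the thread: set up simple in-kernel NAT with ipfw3
# following the three steps above (load ipfw3_nat, "nat 1 config if <ext>",
# "add nat 1 ... via <ext>"). rc.conf still needs gateway_enable="YES".
# Assumptions: ipfw3 accepts an explicit rule number after "add" (as ipfw
# does); IPFW3 can be pointed at "echo" for a dry run.
set -eu

IPFW3=${IPFW3:-ipfw3}

# Step 1: load ipfw3_nat only if kldstat does not list it yet.
ensure_nat_module() {
    if kldstat | grep -q ipfw3_nat; then
        echo "ipfw3_nat already loaded"
    else
        kldload ipfw3_nat
    fi
}

# Steps 2 and 3 for external interface $1. The NAT rule is numbered below the
# allow rule on purpose: with "100 allow all" before "200 nat 1 tcp via bnx1"
# (the ordering that failed in the thread) every packet is accepted at rule
# 100 and never reaches the NAT rule. Like the thread's rule this matches TCP
# only; other protocols fall through to the allow rule untranslated.
setup_nat() {
    ext_if=$1
    $IPFW3 nat 1 config if "$ext_if"
    $IPFW3 add 100 nat 1 tcp via "$ext_if"
    $IPFW3 add 200 allow all
}

# The three outputs bycn82 asked for when debugging.
show_state() {
    kldstat | grep ipfw3 || true
    $IPFW3 show
    $IPFW3 nat show config
}

# Usage: sh nat.sh bnx1   (external interface as the only argument)
if [ $# -eq 1 ]; then
    ensure_nat_module
    setup_nat "$1"
    show_state
fi
```

Run with `IPFW3=echo sh nat.sh bnx1` first to see the rule set that would be installed.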
