Enabling NAT for Systems Without Static IP Addresses


If all the systems on your network have real static IP addresses that are valid on the Internet, you're done setting up your gateway router. You can now configure the other systems on the network to use the host simba as their gateway. These hosts will send to their default gateway any traffic that they do not know how to deliver. The default gateway system will then worry about handling this traffic and directing it to its proper destination on the Internet.

Note

This section and the ones that follow assume that you already have a working Internet connection on the system that you want to configure as the gateway to the Internet. If this is not the case, see Chapter 23 for setting up network access on a LAN (this chapter also applies to you if you are accessing the Internet through DSL or a cable modem). If you need to configure an Internet connection over a modem, see Chapter 24, "Networking with PPP and 802.11."


Most of the time, however, if you are configuring an Internet gateway, the other systems on the network will not have a real IP address that is valid on the wider Internet. Instead, they will just be using internal IP addresses, valid only within the local network, such as the commonly used 10.0.1.xxx, 192.168.xxx.xxx, or 172.xxx.xxx.xxx addressing schemes. If this is the case, you still have a little more work to do. You will have to enable NAT on your gateway for these other systems to be able to access the Internet.

If you are using PPP over a dial-up Internet connection, the method used to enable NAT will depend on whether you are using user PPP or kernel PPP. If you have not set up an Internet connection yet, I recommend you use user PPP if you want to use NAT because it is the easier of the two to configure to work with NAT. (See Chapter 24 for more information on user PPP and kernel PPP.)

If you are using kernel PPP or you need to set up NAT for an Internet connection that is not PPP, the procedure is a bit more complex.

The NAT setup procedure has been divided into the following two sections. You only need to read the section appropriate to your situation.

Using User PPP

The user PPP program in FreeBSD has NAT capability built into it, so it is very easy to enable. You can simply use the -nat option to ppp to enable NAT. Simply add it to whatever other options you are currently using to start PPP (see Chapter 24 and the online Handbook for more details).

The only other thing you should need to do is configure your Windows, Macintosh, or other client to use the new gateway server. This will be covered later on in this chapter in the "Configuring Clients to Use the New Gateway" section.

Using Kernel PPP or a Dedicated Ethernet Connection to the Internet

If you are using kernel PPP, or you have a dedicated Internet connection (DSL, cable, T1, OC3, and so on), the configuration is a little more complicated. In this case, you will need to use the NAT daemon (natd), which requires a firewall in order to work. To enable the firewall, you will need to build a new kernel. This is not difficult to do, however. You can simply add the following two lines to your kernel configuration file:

options IPFIREWALL
options IPDIVERT


You can add to the kernel configuration file various other options that have to do with the firewall, such as logging. A detailed discussion of firewalls is beyond the scope of this chapter, but you may want to read the "Enabling and Configuring the Firewall" section of Chapter 30, "Network Security," before you build a new kernel with firewall support. This way, you won't have to build yet another kernel if you later decide you want another option for the firewall that you didn't include in the kernel the first time around.

Also, if you are unclear about how to build a new kernel, see Chapter 18, "Kernel Configuration," for more details.

After you have finished building a new kernel, you will need to enable natd.

Configuring and Enabling natd

The NAT daemon natd can be enabled either by configuring network settings in Sysinstall or by manually editing the /etc/rc.conf file. Once again, if you already have basic networking set up, it is easier to simply make the necessary changes manually rather than go through Sysinstall, so this is the method we are going to cover here.

Open the file /etc/rc.conf in your favorite text editor and add the following lines:

natd_enable="YES"
natd_interface="ppp0"


The natd_interface line in this example assumes that you have a modem connection to the Internet and that it is on the interface ppp0. If you have a dedicated connection over an Ethernet device (such as DSL, cable, T1, or OC3), you should replace ppp0 with whatever network interface your connection to the outside world runs on.

A few other options to natd are available that control things such as logging. If you are interested in the other options, see the man page for natd.

Don't exit and save the modified rc.conf file yet because there is at least one more option you have to add. This has to do with the firewall.

Enabling and Configuring the Firewall

At a minimum, you will need to add the following line to /etc/rc.conf to enable the firewall:

firewall_enable="YES"


There are various ways to configure the firewall rules, and you should see Chapter 30 for full details. Here is a quick description of my preferred method.

In addition to the previous line, add the following line to /etc/rc.conf:

firewall_type="/usr/local/etc/firewall.conf"


Save the changes you made to /etc/rc.conf and exit your editor. You can then create the file /usr/local/etc/firewall.conf, in which you simply list the firewall rules (except for the default rule, which by default will deny anything that is not specifically allowed; see Chapter 30 for more details).

If you do not want to deny any types of network traffic and simply want to pass everything through, use the following rules in /usr/local/etc/firewall.conf (replacing ed0 with your Ethernet interface):

add divert natd all from any to any via ed0
add allow all from any to any


Using these rules has the same effect as not having a firewall at all, because they simply pass all traffic and deny nothing.

Note

Allowing people to see the firewall rules that your system is using can be a security hazard, so you should set the permissions on the file so that only root can read it. The command chmod 600 /usr/local/etc/firewall.conf will do the trick.


Caution

The firewall rules described previously are very insecure because they allow all types of network traffic from any source and will happily pass that content to any one of the systems that is using this gateway. This compromises the security of your network, and is not a recommended configuration. Again, see the section "Configuring a Firewall" in Chapter 30 for information on how to configure the firewall to block potentially dangerous types of traffic.


After you have completed all the preceding steps, reboot the system for the kernel changes to take effect and for the firewall and natd to load, or use the /etc/rc.d/ipfw restart command. Your gateway should now be configured. The only thing left to do is to inform the clients of the existence of the gateway. The configuration of various clients will be covered next. For the client types that are not covered, see your system documentation.
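Before rebooting, it is worth confirming that the rc.conf keys and the rules file agree with each other. The following is an added shell example (not from the book): it reads natd_enable, natd_interface, firewall_enable and firewall_type from an rc.conf-style file, checks that the divert rule for the natd interface comes before the catch-all allow in the rules file, and checks the chmod 600 permission recommended above. The function names (rc_value, check_gateway, make_sample) and the sample files it writes to a temporary directory are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the book: sanity-check the rc.conf and firewall.conf
# settings this section describes before rebooting (paths are parameters).

# rc_value FILE KEY -> print the value of KEY="..." from an rc.conf-style file
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# check_gateway RC_CONF -> exit 0 if consistent, 1 (with reasons) otherwise.
# Checks: natd and the firewall are enabled, natd_interface is set,
# firewall_type names an existing rules file, that file has the divert rule
# on the same interface *before* the catch-all allow, and it is mode 600.
check_gateway() {
    rc="$1"; ok=0
    [ "$(rc_value "$rc" natd_enable)" = "YES" ]     || { echo "natd_enable is not YES"; ok=1; }
    [ "$(rc_value "$rc" firewall_enable)" = "YES" ] || { echo "firewall_enable is not YES"; ok=1; }
    iface=$(rc_value "$rc" natd_interface)
    [ -n "$iface" ] || { echo "natd_interface is not set"; ok=1; }
    rules=$(rc_value "$rc" firewall_type)
    [ -f "$rules" ] || { echo "firewall_type '$rules' is not a file"; return 1; }
    divert=$(grep -n "^add divert natd .* via $iface\$" "$rules" | head -n 1 | cut -d: -f1)
    allow=$(grep -n "^add allow all from any to any\$" "$rules" | head -n 1 | cut -d: -f1)
    [ -n "$divert" ] || { echo "no 'add divert natd ... via $iface' rule in $rules"; ok=1; }
    if [ -n "$divert" ] && [ -n "$allow" ] && [ "$allow" -lt "$divert" ]; then
        echo "allow rule precedes divert rule: packets would bypass natd"; ok=1
    fi
    # only root should read the rule set (chmod 600); POSIX find -perm is an exact match
    [ -n "$(find "$rules" -perm 600)" ] || { echo "$rules is not mode 600"; ok=1; }
    return $ok
}

# make_sample DIR SWAP -> write constructed rc.conf and firewall.conf into DIR;
# SWAP=yes writes the two ipfw rules in the wrong order.
make_sample() {
    mkdir -p "$1"
    printf 'natd_enable="YES"\nnatd_interface="ed0"\nfirewall_enable="YES"\n' > "$1/rc.conf"
    printf 'firewall_type="%s/firewall.conf"\n' "$1" >> "$1/rc.conf"
    if [ "$2" = yes ]; then
        printf 'add allow all from any to any\nadd divert natd all from any to any via ed0\n'
    else
        printf 'add divert natd all from any to any via ed0\nadd allow all from any to any\n'
    fi > "$1/firewall.conf"
    chmod 600 "$1/firewall.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp/good" no  && check_gateway "$tmp/good/rc.conf" && echo "good config: OK"
make_sample "$tmp/bad"  yes && check_gateway "$tmp/bad/rc.conf"  || echo "bad config: rejected"
rm -rf "$tmp"
```

To check a real system, call check_gateway /etc/rc.conf; the rules file path is taken from firewall_type.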

Caution

When configuring the firewall for the first time, make sure to do it at the FreeBSD machine's local console. If you're accessing the system remotely and you accidentally misconfigure the firewall, you will lock yourself out of your own system. By default, the firewall denies all traffic, so this is relatively easy to do by accident.





FreeBSD 6 Unleashed
ISBN: 0672328755
Year: 2006
Pages: 355
Authors: Brian Tiemann
