Configuring a NAT Gateway in FreeBSD


NAT gateway routers are widely available today for very little money; one of the most popular types of devices is a wireless access point, such as Apple's AirPort Extreme Base Station, which itself connects to your cable modem or DSL router and performs NAT for all the devices on your home network, whether they're connecting wirelessly or over wired Ethernet. Devices like this generally sell for $300 or less. You can, however, construct your own gateway router using any computer that is capable of routing (for example, your FreeBSD machine).

In this scenario, you will generally have a single Internet connection, which might be a cable modem, DSL, or even a phone modem. Suppose you have several computers inside the house or office that need to access the Internet. Figure 28.3 shows an example using an internal modem in the FreeBSD machine itself.

Figure 28.3. A simple gateway setup. The router simba has a connection to the Internet via an internal modem. The idea is to allow lion, cheetah, and lynx to share this modem and access the Internet through simba.


Note

For networks that access the Internet through a cable modem or DSL connection, your FreeBSD machine will need to have two Ethernet cards in it: one to connect to the hub or switch forming the backbone of the LAN, and the other to connect to the cable modem or DSL router. This latter interface will need to be configured with the public IP address given to you by your Internet Service Provider.


In this type of setup, your system will need to have two network interfaces in it. For example, ppp0 will be the modem, the interface to the Internet. The other interface will usually be an Ethernet card (for example, ed0). This will be the interface to the internal network.

Both these interfaces will be configured with different TCP/IP network settings, placing them on different logical networks; the public interface (ppp0) is part of the real Internet, but the private interface (ed0) is using a network address that's valid only inside the network, and makes sense only to the other hosts on it.

The job of the gateway is to act as a translator between these two interfaces by passing packets back and forth between them. It connects the Internet with your internal network, making the two networks visible to one another. When an internal host contacts an external one on the Internet, the NAT gateway records the connection and translates the outgoing packets so they appear to be coming from itself. When the response comes in from the Internet over the interface ppp0, the gateway recognizes it as being part of a valid connection and passes it to the interface ed0 to be sent to the proper host on the network. Before this can occur, however, you need to enable packet forwarding so that network traffic can flow between the two interfaces.

Enabling Packet Forwarding

In order for your system to act as a gateway, it must be able to forward packets between network interfaces. Your system will be handling incoming and outgoing Internet traffic for other computers on your network, so when the system receives a packet that is not addressed to it, it needs to forward that packet to the correct destination. By default (and to conform with Internet standards), packet forwarding is turned off, so FreeBSD will drop any packet it receives that is not addressed to the system it is running on.

Enabling packet forwarding, though it can be accomplished through Sysinstall, is merely a matter of adding a single configuration line to the /etc/rc.conf file:

gateway_enable="YES"


Then, start (or restart) the routing subsystem using the following command:

# /etc/rc.d/routing restart


After you have issued this command, packet forwarding will be enabled, and the system can now forward packets between interfaces.
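The following sh script is an added example, not code from the book: it checks whether the gateway_enable setting in /etc/rc.conf agrees with the kernel's running net.inet.ip.forwarding value, so you can spot a host that forwards packets without being configured to, or a gateway whose setting has not taken effect. The function names and status labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: does gateway_enable in rc.conf match the running kernel?

# Effective gateway_enable (YES/NO) from an rc.conf-style file. rc.conf is
# sourced as shell, so the last assignment wins; commented lines are skipped.
rc_gateway_enabled() {
    val=$(sed -n 's/^[[:space:]]*gateway_enable=["'\'']*\([A-Za-z0-9]*\).*/\1/p' "$1" | tail -n 1)
    case "$val" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) echo YES ;;
        *) echo NO ;;
    esac
}

# Running state: 1 = forwarding, 0 = not; "unknown" where the sysctl is absent.
runtime_forwarding() {
    sysctl -n net.inet.ip.forwarding 2>/dev/null || echo unknown
}

# Classify config ($1: YES/NO) against runtime ($2: 0/1).
forwarding_status() {
    case "$1:$2" in
        YES:1) echo consistent-on ;;    # gateway, and the setting survives a reboot
        NO:0)  echo consistent-off ;;   # ordinary host, drops packets not addressed to it
        YES:0) echo pending-restart ;;  # rc.conf says YES but the kernel is not forwarding
        NO:1)  echo runtime-only ;;     # forwarding is on but not in rc.conf: investigate
        *)     echo unknown ;;
    esac
}

# Report on the local machine when an rc.conf is present.
RC_CONF=${RC_CONF:-/etc/rc.conf}
if [ -r "$RC_CONF" ]; then
    configured=$(rc_gateway_enabled "$RC_CONF")
    running=$(runtime_forwarding)
    echo "gateway_enable=$configured forwarding=$running: $(forwarding_status "$configured" "$running")"
fi
```

A result of pending-restart means the routing restart shown above has not been run yet; runtime-only means forwarding was switched on by some means other than rc.conf and will not persist across a reboot.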




FreeBSD 6 Unleashed
ISBN: 0672328755
EAN: 2147483647
Year: 2006
Pages: 355
Authors: Brian Tiemann
