<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(0,0,0)">you can write a script to load the modules and firewall rules first.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 22 June 2015 at 23:39, <span dir="ltr"><<a href="mailto:nans_nans1@yahoo.de" target="_blank">nans_nans1@yahoo.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">yes, you are right: There is no traffic out via bnx1.<br>
It's for a business company. So no teamviewer is possible.<br>
<br>
Is there anything else what could be wrong, maybe in rc.conf?<br>
What about natd_enable ?<br>
<br>
</span><span class="">--------------------------------------------<br>
bycn82 <<a href="mailto:bycn82@gmail.com">bycn82@gmail.com</a>> schrieb am Mo, 22.6.2015:<br>
<br>
Betreff: Re: ipfw3<br>
An: <a href="mailto:nans_nans1@yahoo.de">nans_nans1@yahoo.de</a><br>
CC: "<a href="mailto:users@dragonflybsd.org">users@dragonflybsd.org</a>" <<a href="mailto:users@dragonflybsd.org">users@dragonflybsd.org</a>><br>
</span> Datum: Montag, 22. Juni, 2015 17:27 Uhr<br>
<br>
yes,<br>
if you are<br>
using the latest DragonflyBSD source,then you can<br>
<div class="HOEnZb"><div class="h5"> print the NAT records like "ip show nat<br>
translation" on cisco routers. <br>
On 22 June 2015 at 23:22,<br>
<<a href="mailto:nans_nans1@yahoo.de">nans_nans1@yahoo.de</a>><br>
wrote:<br>
That is a<br>
good question. Is "tcpdump -nettti bnx1" the right<br>
command to verify this?<br>
<br>
<br>
<br>
--------------------------------------------<br>
<br>
bycn82 <<a href="mailto:bycn82@gmail.com">bycn82@gmail.com</a>><br>
schrieb am Mo, 22.6.2015:<br>
<br>
<br>
<br>
Betreff: Re: ipfw3<br>
<br>
An: <a href="mailto:nans_nans1@yahoo.de">nans_nans1@yahoo.de</a><br>
<br>
Datum: Montag, 22. Juni, 2015 17:11 Uhr<br>
<br>
<br>
<br>
but do you<br>
<br>
have any traffic go out via bnx1 ?<br>
<br>
On 22 June 2015 at 23:08,<br>
<br>
<<a href="mailto:nans_nans1@yahoo.de">nans_nans1@yahoo.de</a>><br>
<br>
wrote:<br>
<br>
ok. i try it on another machine with<br>
<br>
4.3 and without the options in kernel config. The result<br>
is<br>
<br>
the same.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Some data:<br>
<br>
<br>
<br>
Internal NIC: bnx0, <a href="http://192.168.100.188/24" rel="noreferrer" target="_blank">192.168.100.188/24</a><br>
<br>
<br>
<br>
External NIC: bnx1, <a href="http://192.168.10.229/24" rel="noreferrer" target="_blank">192.168.10.229/24</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
rc.conf:<br>
<br>
<br>
<br>
gateway_enable="YES"<br>
<br>
<br>
<br>
defaultrouter="192.168.10.200"<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Then:<br>
<br>
<br>
<br>
kldload ipfw3_nat<br>
<br>
<br>
<br>
ipfw3 nat 1 config if bnx1<br>
<br>
<br>
<br>
ipfw3 add nat 1 tcp via bnx1<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
The outputs:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
kldstat:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
kernel<br>
<br>
<br>
<br>
acpi.ko<br>
<br>
<br>
<br>
ehci.ko<br>
<br>
<br>
<br>
xhci.ko<br>
<br>
<br>
<br>
ipfw3_nat.ko<br>
<br>
<br>
<br>
ipfw3_basic.ko<br>
<br>
<br>
<br>
ipfw3.ko<br>
<br>
<br>
<br>
libalias.ko<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
ipfw3 show:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
00100 0 0 nat 1 tcp via bnx1<br>
<br>
<br>
<br>
65535 699 51067 deny<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
ipfw3 nat show config:<br>
<br>
<br>
<br>
ipfw nat 1 config if bnx1<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Is something wrong?<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
--------------------------------------------<br>
<br>
<br>
<br>
bycn82 <<a href="mailto:bycn82@gmail.com">bycn82@gmail.com</a>><br>
<br>
schrieb am Mo, 22.6.2015:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Betreff: Re: ipfw3<br>
<br>
<br>
<br>
An: <a href="mailto:nans_nans1@yahoo.de">nans_nans1@yahoo.de</a><br>
<br>
<br>
<br>
CC: "<a href="mailto:users@dragonflybsd.org">users@dragonflybsd.org</a>"<br>
<br>
<<a href="mailto:users@dragonflybsd.org">users@dragonflybsd.org</a>><br>
<br>
<br>
<br>
Datum: Montag, 22.<br>
<br>
Juni, 2015 15:33 Uhr<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
your rules<br>
<br>
<br>
<br>
are correct.and you<br>
<br>
<br>
<br>
don't need to add the<br>
<br>
options in kernel config file,<br>
<br>
<br>
<br>
that belongs to IPFW<br>
<br>
<br>
<br>
please provide<br>
<br>
<br>
<br>
output of below commands:1.<br>
<br>
<br>
<br>
kldstat2. ipfw3<br>
<br>
<br>
<br>
show3. ipfw3 nat<br>
<br>
<br>
<br>
show config<br>
<br>
<br>
<br>
On 22 June 2015 at 21:08,<br>
<br>
<br>
<br>
<<a href="mailto:nans_nans1@yahoo.de">nans_nans1@yahoo.de</a>><br>
<br>
<br>
<br>
wrote:<br>
<br>
<br>
<br>
Sorry,<br>
<br>
<br>
<br>
but this dont work.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
My external nic is ue0 and my internal nic is em0.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
I run 4.3 and a kernel with the following options:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
options IPFIREWALL<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
options IPDIVERT<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
options IPFIREWALL_DEFAULT_TO_ACCEPT<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
options IPFIREWALL_VERBOSE<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
What i do:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
In /etc/rc.conf: gateway_enable="YES"<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Then:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
kldload ipfw3_nat<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
ipfw3 nat 1 config if ue0<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
ipfw3 add nat 1 tcp via ue0<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
The result is that NAT don't work.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
What is wrong with my configuration? Have i forgotten<br>
<br>
<br>
<br>
something?<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
--------------------------------------------<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
bycn82 <<a href="mailto:bycn82@gmail.com">bycn82@gmail.com</a>><br>
<br>
<br>
<br>
schrieb am Mo, 22.6.2015:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Betreff: Re: ipfw3<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
An: <a href="mailto:nans_nans1@yahoo.de">nans_nans1@yahoo.de</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
CC: "<a href="mailto:users@dragonflybsd.org">users@dragonflybsd.org</a>"<br>
<br>
<br>
<br>
<<a href="mailto:users@dragonflybsd.org">users@dragonflybsd.org</a>><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Datum: Montag, 22. Juni, 2015 01:47 Uhr<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
hi,<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
sorry for<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
lacking of documentation. <br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
below are<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
sample steps to use in-kernel NAT with ipfw3.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Step1: make<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
sure the ipfw3_nat module was loaded<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
dev03#kldstat | grep<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
ipfw3_nat 5 1 0xffffffff83242000<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
3000 ipfw3_nat.ko<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
if the modules was not loaded,<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
then below command to load the kernel module<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
dev03#kldload<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
ipfw3_nat<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Step2: prepare<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
NAT config<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
dev03#ipfw3 nat 1 config<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
if em0ipfw nat<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
1 config if em0<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
which<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
means it will do MASQUERADE using interface<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
em0.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Step3: NAT the<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
traffic. NAT is just ip translate. so both<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
direction should go through the same NAT<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
config.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
dev03#ipfw3<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
add nat 1 tcp via em0<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
this means both in and out traffic<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
on interface em0 will be filtered/ translated by<br>
NAT<br>
<br>
<br>
<br>
config<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
id 1.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
hope this helps, please try it and<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
if you have any question, just let me know, and<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
if you can help to come up with an tutorial by<br>
<br>
<br>
<br>
rephrasing<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
this and append with your experience, that would be<br>
<br>
<br>
<br>
very<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
helpful.<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<a href="http://www.dragonflybsd.org/docs/ipfw2/" rel="noreferrer" target="_blank">http://www.dragonflybsd.org/docs/ipfw2/</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
is an wiki, there is a "edit page"<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
link. <br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
regards,bycn82<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
On 22 June 2015 at 02:31,<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<<a href="mailto:nans_nans1@yahoo.de">nans_nans1@yahoo.de</a>><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
wrote:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
Can<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
someone give me detailed/complete instructions how<br>
to<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
realize simple working nat with ipfw3 (including<br>
<br>
rc.conf<br>
<br>
<br>
<br>
and<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
configuration files).<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
The informations on these sites turns out to be<br>
sadly<br>
<br>
<br>
<br>
sparse<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
for me:<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<a href="https://www.dragonflybsd.org/docs/ipfw2/" rel="noreferrer" target="_blank">https://www.dragonflybsd.org/docs/ipfw2/</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<a href="http://www.dragonflybsd.org/docs/ipfw2/modules/" rel="noreferrer" target="_blank">http://www.dragonflybsd.org/docs/ipfw2/modules/</a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</div></div></blockquote></div><br></div>