IPFW natd problem

G

gats

I have gone through nearly all the natd ipfw postings here but cannot seem to find a solution. I have set up a FreeBSD router with windows clients in the range of 169.254.0.0/24. I have also followed to the letter how to setup natd from the handbook. I am able to get to the internet from the external IP and from the internal IP of the server, however I am not able to get to the internet from the clients.

My ipfw -a list look like below

Code: 
00050    34    3989 divert 8668 ip4 from any to any via bge0
00100     0       0 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
65000   141   14842 allow ip from any to any
65535 19514 2456258 allow ip from any to any

I have noted that the loopback interface is getting no traffic at all and i believe it should. What is the solution to this?

My natd.conf looks like below:

Code: 
defaultrouter="41.191.77.33"
gateway_enable="YES"
hostname="XXXXXXXXXXX"
ifconfig_bge0="inet x.x.x.x netmask 255.255.255.0"
#inetd_enable="YES"
keymap="us.iso"
sshd_enable="YES"
rinetd_enable="YES"
squid_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
natd_enable="YES"
natd_interface="bge0"
#natd_flags="-f /etc/natd.conf"
apache22_enable="YES"
mysql_enable="YES"
My /etc/sysctl.conf looks like below:

Code: 
net.inet.ip.fw.one_pass=0
net.inet.ip.forwarding=1
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
Can anyone help with this? I am wits' end now.
 
Are you sure the gateway on the client machine is set up correctly?

If your server is 10.0.0.1 and your client is 10.0.0.2 that's on the bge0 interface.
then make sure the gateway for your client is 10.0.0.1

Can you show us the output of this command on the client machine:
$ netstat -rn
 
My netstat -nr is as below:

Code: 
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            41.191.77.33       UGS         4  1515144   bge0
41.191.77.0/24     link#1             U           0       50   bge0
41.191.77.34       link#1             UHS         0   749573    lo0
127.0.0.1          link#10            UH          0       81    lo0
169.254.0.0/24     link#7             U           5    19944    vr0

Internet6:
Destination                       Gateway                       Flags      Netif Expire
::1                               ::1                           UH          lo0
fe80::%lo0/64                     link#10                       U           lo0
fe80::1%lo0                       link#10                       UHS         lo0
ff01:a::/32                       fe80::1%lo0                   U           lo0
ff02::%lo0/32                     fe80::1%lo0                   U           lo0
 
What are the DNS settings of the clients? Where they are taking DNS information from? Try pinging a domain name by its IP number and by its name and let us have the results of this experiment.
 
The gateway and DNS settings of the clients are the IP of the inside interface of the FreeBSD router. I am able to ping the outside interface of the FreeBSD router but unable to ping the gateway of the outside interface which is the default gateway shown in netstat -nr.

See below
Client gateway and DNS 169.252.0.101
ping to outside google
Code: 
C:\Users\Gats\Desktop>ping [url]www.google.com[/url]
Ping request could not find host [url]www.google.com[/url]. Please check the name and try again.

ping to outside interface

Code: 
C:\Users\Gatonye\Desktop>ping 41.191.77.34

Pinging 41.191.77.34 with 32 bytes of data:
Reply from 41.191.77.34: bytes=32 time=202ms TTL=40
Reply from 41.191.77.34: bytes=32 time=206ms TTL=40
Reply from 41.191.77.34: bytes=32 time=205ms TTL=40
Reply from 41.191.77.34: bytes=32 time=216ms TTL=40

ping to outside interface gateway

Code: 
C:\Users\Gatonye\Desktop>ping 41.191.77.33

Pinging 41.191.77.33 with 32 bytes of data:
Request timed out
Request timed out
Request timed out
Request timed out
Request timed out
 
So it is clearly an DNS problem. Your server (gateway) can not make a domain name resolution. Enable named in your rc.conf and configure properly named.conf to forward and add a line to resolv.conf like:

Code: 
nameserver 127.0.0.1

Let me know what will be the results.

cutter
 
I don't want to configure the FreeBSD box as a DNS server, I just want to make it a router so that the windows clients behind it are able to access the internet

Anyhow I have done the changes that you recommended and still no change. :(

Please note that I even cannot reach the outside gateway of the server or ping any IP on the internet/outside our network or the FreeBSD box.
 
Oops, may be I have misunderstood something. How do you connect to internet, modem or router? I suppose bge0 is the server side to the router. What is the internal IP of the router?
 
I connect to the internet via a router sitting on the ISP side. The freebsd FreeBSD server I am configuring is to act as the router and enable ICS for the clients. The internal IP is 169.254.0.101. And here I thought ICS on Freebsd FreeBSD would be easy :) It was so much easier on Ubuntu and Suse.
 
If I understand you correctly, the internal IP of the router is 169.254.0.101, right? So, your defaultrouter should be 169.254.0.101 (private network) and not the public IP assigned to you by your ISP. Your bge0 adapter connected to the router should be in that range, for example 169.254.0.102. What is the IP for your second NIC vr0, which is on the side of your private network? It should be configured in a different range along with your clients connected to it. Also at that troubleshooting stage I would allow flow to 127.0.0.1. You didn't check a ping to IP (not name) of google.com as requested.
 
Since internal ip is 169.254.0.101 then on the other network card change IPs to the range 10.0.0.XXX or any other recommended.

Also change your default gateway on the client to the 10.0.0.XXX (IP of the other network card run on FreeBSD)

If I understood correctly then this is what it should look like:

Code: 
Router <----> FreeBSD machine <------> Windows Client 
Router connected to [B][color="Green"]bge0[/color][/B] with IP: 169.254.0.101

FreeBSD machine([B][color="Green"]bge0[/color][/B]: 192.254.0.XXX |  [B][color="Green"]vr0[/color][/B]: 10.0.0.XXX ) 
[[B][color="green"]vr0[/color][/B] is the other interface card connected to Windows]

Windows Client (gateway: 10.0.0.XXX and assigned IP in 10.0.0.XXX range)
 
Be aware that use of 169.254.0.0/16 addresses is strongly discouraged, I wouldn't be surprised if FreeBSD treats them as completely non-routable. It's better to use RFC1918 addresses as private addresses.
 
Correct:

Code: 
Comment:        This is the "link local" block. It was set
Comment:        aside for this special use in the Standards
Comment:        Track document
Comment:        It is allocated for communication between hosts
Comment:        on a single link. Hosts obtain these addresses
Comment:        by auto-configuration, such as when a DHCP
Comment:        server cannot be found.
Comment:        A router MUST NOT forward a packet with an IPv4
Comment:        Link-Local source or destination address,
Comment:        irrespective  of the router's default route configuration
Comment:        or routes obtained from dynamic routing protocols.
Comment:        A  router which receives a packet with an IPv4
Comment:        Link-Local source or destination address MUST NOT
Comment:        forward the packet. This prevents forwarding of
Comment:        packets back onto the network segment from which
Comment:        they originated, or to any other segment.

Use 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12 networks.
 
In the situation that I am in in, it is nearly impossible to change to the other IPs that you recommended, there are plenty other services running on other servers within our local network using the same 169.254.X.X network.

Is there any other way to work around this?
Sorry for taking too long to reply, had gone for a short vacation
 
You must log in or register to reply here.
Back
Top