JAN Feb MAR
Previous capture 15 Next capture
2013 2014 2015
171 captures
28 May 03 - 24 Dec 14
sparklines
Close Help
30.10. Network Address Translation
Prev Chapter 30. Advanced Networking Next

30.10. Network Address Translation

Contributed by Chern Lee.

30.10.1. Overview

FreeBSD's Network Address Translation (NAT) daemon, natd(8), accepts incoming raw IP packets, changes the source to the local machine, and injects these packets back into the outgoing IP packet stream. The source IP address and port are changed such that when data is received back, it is able to determine the original location of the data and forward it back to its original requester.

The most common use of NAT is to perform what is commonly known as Internet Connection Sharing.

30.10.2. Setup

Due to the diminishing IP address space in IPv4 and the increased number of users on high-speed consumer lines such as cable or DSL, people are increasingly in need of an Internet Connection Sharing solution. The ability to connect several computers online through one connection and IP address makes natd(8) a reasonable choice.

Most commonly, a user has a machine connected to a cable or DSL line with one IP address and wishes to use this one connected computer to provide Internet access to several more over a LAN.

To do this, the FreeBSD machine connected to the Internet must act as a gateway. This gateway machine must have two NICs: one connects to the Internet router and the other connects to a LAN. All the machines on the LAN are connected through a hub or switch.

Note:

There are many ways to get a LAN connected to the Internet through a FreeBSD gateway. This example will only cover a gateway with at least two NICs.

Network Layout

A setup like this is commonly used to share an Internet connection. One of the LAN machines is connected to the Internet and the rest of the machines access the Internet through that gateway machine.

30.10.3. Boot Loader Configuration

The kernel features for natd(8) are not enabled in the GENERIC kernel, but they can be loaded at boot time by adding a couple of options to /boot/loader.conf:

ipfw_load="YES"
ipdivert_load="YES"

Additionally, the net.inet.ip.fw.default_to_accept tunable option should be set to 1:

net.inet.ip.fw.default_to_accept="1"

Note:

It is a good idea to set this option during the first attempts to setup a firewall and NAT gateway. This sets the default policy of ipfw(8) to be more permissive than the default deny ip from any to any, making it slightly more difficult to get locked out of the system right after a reboot.

30.10.4. Kernel Configuration

When modules are not an option or if it is preferable to build all the required features into a custom kernel, the following options must be in the custom kernel configuration file:

options IPFIREWALL
options IPDIVERT

Additionally, the following may also be suitable:

options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE

30.10.5. System Startup Configuration

To enable firewall and NAT support at boot time, the following must be in /etc/rc.conf:

gateway_enable="YES" 1
firewall_enable="YES" 2
firewall_type="OPEN" 3
natd_enable="YES"
natd_interface="fxp0" 4
natd_flags="" 5

1

Sets up the machine to act as a gateway. Running sysctl net.inet.ip.forwarding=1 would have the same effect.

2

Enables the firewall rules in /etc/rc.firewall at boot.

3

This specifies a predefined firewall ruleset that allows anything in. See /etc/rc.firewall for additional types.

4

Indicates which interface to forward packets through. This is the interface that is connected to the Internet.

5

Any additional configuration options passed to natd(8) on boot.

These /etc/rc.conf options will run natd -interface fxp0 at boot. This can also be run manually after boot.

Note:

It is also possible to use a configuration file for natd(8) when there are too many options to pass. In this case, the configuration file must be defined by adding the following line to /etc/rc.conf:

natd_flags="-f /etc/natd.conf"

A list of configuration options, one per line, can be added to /etc/natd.conf. For example:

redirect_port tcp 192.168.0.2:6667 6667
redirect_port tcp 192.168.0.3:80 80

For more information about this configuration file, consult natd(8).

Each machine and interface behind the LAN should be assigned IP addresses in the private network space, as defined by RFC 1918, and have a default gateway of the natd(8) machine's internal IP address.

For example, client A and B behind the LAN have IP addresses of 192.168.0.2 and 192.168.0.3, while the natd(8) machine's LAN interface has an IP address of 192.168.0.1. The default gateway of clients A and B must be set to that of the natd(8) machine, 192.168.0.1. The natd(8) machine's external Internet interface does not require any special modification for natd(8) to work.

30.10.6. Port Redirection

The drawback with natd(8) is that the LAN clients are not accessible from the Internet. Clients on the LAN can make outgoing connections to the world but cannot receive incoming ones. This presents a problem if trying to run Internet services on one of the LAN client machines. A simple way around this is to redirect selected Internet ports on the natd(8) machine to a LAN client.

For example, an IRC server runs on client A and a web server runs on client B. For this to work properly, connections received on ports 6667 (IRC) and 80 (HTTP) must be redirected to the respective machines.

The syntax for -redirect_port is as follows:

     -redirect_port proto targetIP:targetPORT[-targetPORT]
                 [aliasIP:]aliasPORT[-aliasPORT]
                 [remoteIP[:remotePORT[-remotePORT]]]

In the above example, the argument should be:

    -redirect_port tcp 192.168.0.2:6667 6667
    -redirect_port tcp 192.168.0.3:80 80

This redirects the proper TCP ports to the LAN client machines.

Port ranges over individual ports can be indicated with -redirect_port. For example, tcp 192.168.0.2:2000-3000 2000-3000 would redirect all connections received on ports 2000 to 3000 to ports 2000 to 3000 on client A.

These options can be used when directly running natd(8), placed within the natd_flags="" option in /etc/rc.conf, or passed via a configuration file.

For further configuration options, consult natd(8)

30.10.7. Address Redirection

Address redirection is useful if more than one IP address is available. Each LAN client can be assigned its own external IP address by natd(8), which will then rewrite outgoing packets from the LAN clients with the proper external IP address and redirects all traffic incoming on that particular IP address back to the specific LAN client. This is also known as static NAT. For example, if IP addresses 128.1.1.1, 128.1.1.2, and 128.1.1.3 are available, 128.1.1.1 can be used as the natd(8) machine's external IP address, while 128.1.1.2 and 128.1.1.3 are forwarded back to LAN clients A and B.

The -redirect_address syntax is as follows:

-redirect_address localIP publicIP
localIPThe internal IP address of the LAN client.
publicIPThe external IP address corresponding to the LAN client.

In the example, this argument would read:

-redirect_address 192.168.0.2 128.1.1.2
-redirect_address 192.168.0.3 128.1.1.3

Like -redirect_port, these arguments are placed within the natd_flags="" option of /etc/rc.conf, or passed via a configuration file. With address redirection, there is no need for port redirection since all data received on a particular IP address is redirected.

The external IP addresses on the natd(8) machine must be active and aliased to the external interface. Refer to rc.conf(5) for details.

Prev Up Next
30.9. PXE Booting with an NFS Root File System Home 30.11. IPv6

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.