# NAT: it doesn't go



## queshaw (Dec 14, 2010)

I am running FreeBSD 8.1 on amd64, and am attempting to have it work as a router.

/etc/rc.conf:


```
hostname="blarg.blarg.blarg"

ifconfig_re1="DHCP"
ifconfig_re0="10.0.0.1"

gateway_enable="YES"

firewall_enable="YES"
firewall_type="OPEN"

natd_enable="YES"
natd_interface="re0"
natd_flags="-redirect_address 10.0.0.2 192.168.1.100"

dhcpd_enable="YES"
dhcpd_ifaces="re0"
```

/boot/loader.conf:


```
ipfw_load="YES"
ipdivert_load="YES"

net.inet.ip.forwarding="YES"
net.inet.ip.fw.default_to_accept="1"
```

The result is that a host on the LAN (10.0.0.255) cannot see outside the LAN. What can I do?


----------



## queshaw (Dec 14, 2010)

I had better add:

/usr/local/etc/dhcpd.conf:


```
# is this the broadcast address on this network or the target network?

option broadcast-address 10.255.255.255;

option domain-name "blarg.blarg";


# Is this, this computer's router, or this router?

option routers 10.0.0.1;

option subnet-mask 255.255.255.0;

default-lease-time 600;
max-lease-time 7200;

ddns-update-style interim;
log-facility local7;
subnet 10.0.0.0 netmask 255.0.0.0 {
  range 10.0.0.2 10.0.0.2;
  option subnet-mask 255.0.0.0;
  option broadcast-address 10.255.255.255;

  # is this this computer's router or this computer?
  option routers 10.0.0.1;
}
```


----------



## SirDice (Dec 14, 2010)

You have some subnet issues my friend. If you define 10.0.0.0/24 as a subnet, 10.0.0.255 is the subnet broadcast address. It cannot be a host address.


----------



## aragon (Dec 14, 2010)

Also, why are you trying to NAT between two RFC1918 subnets?  There should be no need for NAT...


----------



## queshaw (Dec 14, 2010)

Ultimately, I'm trying to install OpenBSD on an ALIX board using PXE boot (I would then switch to using that computer as my router and use the computer running FreeBSD as my desktop). I left out this part in the subnet definition in dhcpd.conf:


```
host host {
    hardware ethernet 00:0f:c9:14:e2:80;
    fixed-address 10.0.0.2;
    filename "pxeboot";
  }
```

The ALIX succeeds in booting, but then the install fails. I am assuming it is because NAT is not working.

The subnet broadcast address is wrong? Not according to my memory, and not according to http://www.subnet-calculator.com.

The computer on the 10.0.0.0 network gets a DHCP offer and binds to 10.0.0.2. From that computer, I can reach the other NIC (it happens to be 192.168.1.7), but not 192.168.1.1.

kldstat shows ipfw.ko and ipdivert.ko. I don't know how to proceed. What can I check beyond simply: it doesn't work?


----------



## SirDice (Dec 14, 2010)

queshaw said:

> The subnet broadcast address is wrong?


Yes.


> Not according to my memory, and not according to http://www.subnet-calculator.com.


That's because you are using a Class A subnet in a classless fashion. Look at your subnet mask.

http://en.wikipedia.org/wiki/Subnetwork


----------



## queshaw (Dec 14, 2010)

Sorry, I still don't get it. 10.0.0.2 is a host address among the 24 bits of possible host addresses in the 10.0.0.0 network. No?

The following is not right?


```
Host: 00001010 00000000 00000000 00000010
Netmask: 11111111 00000000 00000000 00000000
```


```
Network: 10.0.0.0
Host: 10.0.0.2
Possible host addresses: 10.255.255.255
```

ifconfig re0:


```
inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
```

I know there are 2 subnet masks in the config file, one outside the subnet definition. But, if I make them both 255.0.0.0, I get the same result.

I also tried reversing the masks, in case this is what you are suggesting, i.e.:


```
netmask 255.255.255.0
broadcast 10.0.0.255
```

and I get the same result.


----------



## SirDice (Dec 14, 2010)

Yes, that's all correct.

Now look at the subnet mask your DHCP server is giving out.


----------



## queshaw (Dec 14, 2010)

It matches. Using what I originally had (netmask 255.0.0.0), the dhcp client's interface is bound to:


```
inet 10.0.0.2 netmask 0xff000000 broadcast 10.255.255.255
```

This is also what FreeBSD comes up with for netmask and broadcast, when I specify:


```
ifconfig_re0="10.0.0.1"
```

in rc.conf.

If I use the reverse mask, what the dhcp client gets also matches. In that case the interface is bound to:


```
inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
```

I think the first is correct. Either way, the host can't see past the router's other NIC.


----------



## SirDice (Dec 14, 2010)

Ah. I hadn't taken my meds on time... There are two different subnet-mask options in your dhcpd.conf. And it's not common practice to use a complete class A network. I don't recommend it either. Even though, theoretically, you can have thousands of hosts in a class A, practically you shouldn't exceed more than 1000 hosts in a broadcast domain.

As Aragon also noted, there's no need for NAT. Just turn it off. Turn off the firewall too, just to test. Remove the net.inet sysctls from your /boot/loader.conf. It's not the correct place for them. The *net.inet.ip.forwarding* will get set by *gateway_enable* so you don't have to specify it. The other one is set to its default.

Make sure the 10.0.0.0/8 (and not /24 as I assumed) hosts use 10.0.0.1 as default gateway. Ping the default gateway to make sure that works. Then, from those same hosts, ping the address of the re1 interface. This will verify if the FreeBSD box is set up correctly. 

Verify, from the FreeBSD machine, that you get a proper IP address on re1 and the default gateway is set correctly. If that's another router you will need to log in there and add a static route so that 10.0.0.0/8 gets routed to the address of re1.

That last step is the tricky bit. You are probably better off with a static IP address on re1. That'll make things easier. Even better would be if you have a DMZ or pass-through option on your modem/router, some modem/routers have this. Using that you might be able to get your external internet IP address on re1.


----------



## queshaw (Dec 15, 2010)

queshaw said:

> ```
> ifconfig_re1="DHCP"
> ifconfig_re0="10.0.0.1"
> 
> ...
> ```



Wrong interface...


```
natd_interface="re1"
natd_flags=""
```

got NAT working.
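The root cause of this thread was natd bound to the LAN-side interface (re0) instead of the upstream DHCP interface (re1). The following is an added example, not code from the thread or from FreeBSD: a small checker that parses an rc.conf fragment shaped like the one in the first post (the fragment is constructed here, and the function names are my own) and flags a natd_interface that carries a private static address rather than the DHCP-configured upstream side.

```python
import ipaddress
import re

# Constructed rc.conf shaped like the thread's: re1 upstream via DHCP, re0 static LAN, natd on re0.
RC_CONF = """
ifconfig_re1="DHCP"
ifconfig_re0="10.0.0.1"
gateway_enable="YES"
natd_enable="YES"
natd_interface="re0"
"""

def parse_rc_conf(text):
    """Collect simple var="value" assignments; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(\w+)="([^"]*)"', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def interfaces(conf):
    """Map interface name -> "DHCP" or its first IPv4 address from ifconfig_<if> lines."""
    out = {}
    for key, val in conf.items():
        m = re.fullmatch(r"ifconfig_([a-z]+\d+)", key)
        if not m:
            continue
        toks = val.split()
        if toks and toks[0].upper() in ("DHCP", "SYNCDHCP", "NOSYNCDHCP"):
            out[m.group(1)] = "DHCP"
        else:
            addrs = [t for t in toks if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", t)]
            out[m.group(1)] = addrs[0] if addrs else None
    return out

def check_natd(conf):
    """Return findings (empty list = natd bound to the upstream side, as rc.conf expects)."""
    if conf.get("natd_enable", "NO").upper() != "YES":
        return []
    ifs = interfaces(conf)
    nat_if = conf.get("natd_interface")
    if nat_if not in ifs:
        return [f"natd_interface={nat_if!r} has no ifconfig_ line"]
    addr = ifs[nat_if]
    if addr == "DHCP" or addr is None or not ipaddress.ip_address(addr).is_private:
        return []
    dhcp = [n for n, v in ifs.items() if v == "DHCP"]
    hint = f"; the DHCP-configured interface is {dhcp[0]}" if len(dhcp) == 1 else ""
    return [f"natd_interface={nat_if} carries the private LAN address {addr}{hint}"]
```

Running `check_natd(parse_rc_conf(RC_CONF))` reports re0 as the LAN side and points at re1; with natd_interface="re1" it returns no findings.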


----------

