# FreeBSD NAT not working



## uair (Jan 25, 2012)

Hello,

I've turned my FreeBSD station into a NAT server. It has two NICs, one connected to the internet and the other connected directly to my laptop. I've followed the steps in http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html and got a natd running, but I get no access to the internet from my laptop (which was the original idea to set the NAT server in the first place).

I can ping from my laptop to my FreeBSD box and vice versa. My laptop has Windows 7 running on it. I know I should provide more info, but I am not sure exactly what information is useful.

The LAN cable I am using for the direct connection between the FreeBSD box and the laptop is not a crossover cable, but I am not sure if this could be the source of the problem.

Thanks in advance.


----------



## SirDice (Jan 25, 2012)

Did you use the correct interface?


```
natd_interface="fxp0"
```


----------



## uair (Jan 25, 2012)

I think so. The NIC connected to the internet is xl0, and *grep natd /etc/rc.conf* produces

```
natd_enable="YES"
natd_interface="xl0"
natd_flags=""
```


----------



## SirDice (Jan 25, 2012)

Yep, that should do it. Did you also enable routing?


```
gateway_enable="YES"
```


----------



## uair (Jan 25, 2012)

Yes. This is the relevant part of my /etc/rc.conf

```
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="xl0"
natd_flags=""
```


----------



## SirDice (Jan 25, 2012)

Ok, that all looks as it should.

From your Windows laptop can you ping http://www.google.com? Or 173.194.66.99?


----------



## uair (Jan 25, 2012)

No, I've tried already. I just can ping my FreeBSD box, nothing else.


----------



## SirDice (Jan 25, 2012)

Can you ping those addresses from the FreeBSD box itself?


----------



## uair (Jan 25, 2012)

Yes, without problems. I am positive that the problem must be in the natd configuration, or maybe a stupid error I made somewhere. I've checked every step a number of times (from the laptop configuration to the FreeBSD setup of the NAT) but can't find anything wrong.


----------



## SirDice (Jan 25, 2012)

Some more troubleshooting, run
`# tcpdump -ni xl0`

And try the pings on the Windows machine. You should see some traffic being captured. What source addresses are being used?


----------



## uair (Jan 25, 2012)

Are you sure you meant xl0? xl0 is the interface connected to the internet, and I get lots of messages when I run tcpdump on it. Instead I tried
`# tcpdump -ni ale0`
and I get

```
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ale0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:18:24.131103 IP 192.168.0.2.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
14:18:24.880149 IP 192.168.0.2.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
14:18:25.644620 IP 192.168.0.2.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
```
when I ping http://www.google.com from the laptop, but I get nothing if I ping 173.194.66.99.


----------
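The capture step suggested above can be read mechanically. This added example (not posted by anyone in the thread) classifies `tcpdump -n` text taken on the outside interface while the laptop pings 173.194.66.99; the function name `nat_check`, the sample captures and the 203.0.113.10 address standing in for xl0 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): judge NAT from `tcpdump -n` text
# captured on the outside interface while a LAN client pings a target.

# nat_check TARGET  -- reads tcpdump -n lines on stdin, prints one verdict:
#   untranslated  a private (RFC 1918) source is leaving toward TARGET
#   translated    only public sources are seen toward TARGET
#   no-traffic    nothing toward TARGET was captured at all
nat_check() {
    awk -v target="$1" '
    # Reduce "a.b.c.d", "a.b.c.d.port" or "a.b.c.d:" to "a.b.c.d".
    function addr(s,   o, n) {
        sub(/:$/, "", s)
        n = split(s, o, ".")
        return (n < 4) ? "" : o[1] "." o[2] "." o[3] "." o[4]
    }
    function is_private(a,   o) {
        split(a, o, ".")
        return (o[1] == 10) ||
               (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
               (o[1] == 192 && o[2] == 168)
    }
    $2 == "IP" && $4 == ">" && addr($5) == target {
        if (is_private(addr($3))) priv++; else pub++
    }
    END {
        if (priv > 0)      print "untranslated"
        else if (pub > 0)  print "translated"
        else               print "no-traffic"
    }'
}

# Constructed sample captures. 203.0.113.10 stands in for the address of xl0
# (not given in the thread); 192.168.0.2 is the laptop, as in the post above.
SAMPLE_OK='14:20:01.000100 IP 203.0.113.10 > 173.194.66.99: ICMP echo request, id 1, seq 1, length 40
14:20:01.020300 IP 173.194.66.99 > 203.0.113.10: ICMP echo reply, id 1, seq 1, length 40'
SAMPLE_LEAK='14:20:01.000100 IP 192.168.0.2 > 173.194.66.99: ICMP echo request, id 1, seq 1, length 40'
SAMPLE_NONE='14:18:24.131103 IP 192.168.0.2.137 > 192.168.0.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST'

for s in "$SAMPLE_OK" "$SAMPLE_LEAK" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | nat_check 173.194.66.99
done
```

A `no-traffic` verdict means the echo requests never reached the gateway's outside interface, which points at routing on the client or the gateway rather than at address translation.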



## Anonymous (Jan 25, 2012)

uair said:

> Yes. This is the relevant part of my /etc/rc.conf
> 
> ```
> gateway_enable="YES"
> ...
> ```



Do you have divert rules in your firewall configuration file as described in the following handbook page?

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html.

I may be wrong, however, my understanding is that the firewall controls the packets going through natd or not.

Note also, that diverting through natd is the old method, nowadays FreeBSD comes with in-kernel NAT. How to use this in a similar configuration as you are going to set up is described here.


----------



## uair (Jan 25, 2012)

But doesn't

```
firewall_type="OPEN"
```
imply that my firewall is open (i.e. lets anything come and go by)?


----------



## Anonymous (Jan 25, 2012)

uair said:

> but doesn't
> 
> imply that my firewall is open (i.e. lets anything come and go by)?



So, how do the packets know, that they are supposed to go through natd?

My understanding is that the firewall should tell it to them.


----------



## uair (Jan 25, 2012)

rolfheinrich said:

> So, how do the packets know, that they are supposed to go through natd?
> 
> My understanding is that the firewall should tell it to them.




Sorry, but I have no understanding of how these things work.


----------



## SirDice (Jan 25, 2012)

rolfheinrich said:

> So, how do the packets know, that they are supposed to go through natd?
> 
> My understanding is that the firewall should tell it to them.



All packets going out the interface (natd_interface) will be NAT'ed. The firewall has nothing to do with this.

But, to be honest, I find IPFW way too complex to configure. I personally prefer PF.


----------



## Anonymous (Jan 25, 2012)

Please have a look at natd(8). Scroll down to the section *RUNNING NATD* and read the subsection that starts with: "... Once natd is running, you must ensure that traffic is diverted to natd:".


----------
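One way to check the natd(8) requirement that traffic be diverted to natd, as an added example that is not part of the thread: it reads `natd_interface` from rc.conf text and looks for a matching divert rule in `ipfw list` output. The helper names and the sample rulesets are constructed for illustration; 8668 is natd's default divert port.

```shell
#!/bin/sh
# Added example (not from the thread): check that an ipfw ruleset diverts
# traffic on natd_interface to natd before any catch-all allow rule.

# rc_value KEY  -- rc.conf text on stdin; prints the last value set for KEY.
rc_value() {
    awk -F= -v key="$1" '
    $1 == key { v = $2; gsub(/"/, "", v); val = v }
    END { print val }'
}

# divert_check IFACE  -- `ipfw list` text on stdin; prints one verdict:
#   ok N        rule N diverts traffic via IFACE
#   shadowed N  catch-all allow rule N is evaluated before that divert
#   missing     no divert rule for IFACE in the ruleset
divert_check() {
    awk -v ifc="$1" '
    $2 == "divert" && !div {
        for (i = 3; i < NF; i++)
            if ($i == "via" && $(i + 1) == ifc) div = $1
    }
    /^[0-9]+ allow ip from any to any$/ && !div && !allow { allow = $1 }
    END {
        if (!div)        print "missing"
        else if (allow)  print "shadowed " allow
        else             print "ok " div
    }'
}

# natd lines of /etc/rc.conf as posted earlier in the thread.
RC_CONF='natd_enable="YES"
natd_interface="xl0"
natd_flags=""'
# Constructed `ipfw list` samples (assumed output, not from the thread).
RULES_OK='00050 divert 8668 ip4 from any to any via xl0
00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 deny ip from any to any'
RULES_SHADOWED='00010 allow ip from any to any
00050 divert 8668 ip4 from any to any via xl0
65535 deny ip from any to any'
RULES_MISSING='65000 allow ip from any to any
65535 deny ip from any to any'

ifc=$(printf '%s\n' "$RC_CONF" | rc_value natd_interface)
for r in "$RULES_OK" "$RULES_SHADOWED" "$RULES_MISSING"; do
    printf '%s\n' "$r" | divert_check "$ifc"
done
```

On a live gateway the same functions can be fed real data: `ipfw list | divert_check "$(rc_value natd_interface < /etc/rc.conf)"`.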



## uair (Jan 25, 2012)

I finally solved this problem and I want to apologize because the source of the problem was not on my FreeBSD box but on my Windows 7 laptop.
I found this article
http://windows.microsoft.com/en-US/windows7/Configuring-multiple-gateways-on-a-network
and I found that was the reason behind it. I had too many gateways on the laptop.
I appreciate the help and sorry for the noise.


----------

