# FreeBSD Gateway and NAT Problem



## khashmeshab (Nov 5, 2010)

Hello everybody,

I have been a FreeBSD user for 5 years, and the good documentation and the questions already asked in the community support forums have made me an expert installer of FreeBSD for servers.

The questions already asked in the forums and the FreeBSD documentation have solved all of my problems until now. So this is the first time I'm posting here to ask you experts a question.

Recently I bought a new cheap FreeBSD VPS from nqhost.com and tried to configure it as a PPTP VPN server. After many attempts I successfully installed and configured PPTP and MPD5 on it and successfully connected from a Windows XP client to my new VPN server.

But I cannot configure it as an Internet gateway. I can ping the server but not outside hosts. The Internet connection of the server is OK.

So, I'm posting my configuration files here for anyone who can help me solve this issue. I have configured many gateways using IPNAT without any problem, but I need to do it this way for this particular server.

Thank you very much,
Masoud Gheysari M.

/etc/rc.conf:

```
# -- sysinstall generated deltas -- # Mon Nov  1 19:39:55 2010
# Created: Mon Nov  1 19:39:55 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
keymap="us.iso"
ifconfig_re0="inet 178.63.209.71 netmask 255.255.255.224"
defaultrouter="178.63.209.65"
sshd_enable="YES"
hostname="srv-b.karsha.biz"
#apache22_enable="YES"
#mysql_enable="YES"
squid_enable="YES"
mpd_enable="YES"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="re0"
natd_flags="-f /etc/natd.conf"
```

/etc/natd.conf:

```
redirect_port tcp 127.0.0.1:3128 80
redirect_address 192.168.13.1 178.63.209.71
```

/usr/local/etc/mpd5/mpd.conf:

```
default:
	load pptp_server

pptp_server:
	set ippool add mypool 192.168.13.2 192.168.13.254
	create bundle template B
	set iface enable proxy-arp
	set iface idle 1800
	set iface enable tcpmssfix
	set ipcp yes vjcomp
	set ipcp ranges 192.168.13.1/32 ippool mypool
	set ipcp dns 213.133.99.99 213.133.98.98
	set bundle enable compression
	set ccp yes mppc
	set mppc yes e40
	set mppc yes e128
	set mppc yes stateless
	set nat address 178.63.209.71
	set iface enable nat
	create link template L pptp
	set link action bundle B
	set link enable multilink
	set link yes acfcomp protocomp
	set link no pap chap
	set link enable chap
	set link keep-alive 10 60
	set link mtu 1460
	set pptp self 0.0.0.0
	set link enable incoming
```

uname -a:

```
FreeBSD srv-b.karsha.biz 8.1-RELEASE FreeBSD 8.1-RELEASE #2: Fri Nov  5 15:54:09 IRST 2010     root@srv-b.karsha.biz:/usr/obj/usr/src/sys/KARSHA  i386
```

/usr/src/sys/i386/conf/KARSHA is attached to the post.


----------



## manilaboy1vic (Nov 6, 2010)

Are you using natd or ipnat??

Your rc.conf shows natd..

Here's my code:


```
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""

[vic@yeaguy ~]$ cat /etc/ipnat.rules 
#map sis0 10.1.1.0/24 -> 67.177.249.55/32 portmap tcp/udp 10000:60000
#map sis0 10.1.1.0/24 -> 67.177.249.55/32
#rdr sis0 67.177.249.55/32 port 5800 -> 10.1.1.2 port 5800
#rdr sis0 67.177.249.55/32 port 5900 -> 10.1.1.2 port 5900
#rdr sis0 67.177.249.55/32 port 8080 -> 10.1.1.200 port 8080

map wlan0  10.1.1.0/24 -> 192.168.1.169/32 portmap tcp/udp 10000:60000
map wlan0 10.1.1.0/24 -> 192.168.1.169/32

#rdr wlan0  192.168.1.169/32 port 5800 -> 10.1.1.197 port 5800
#rdr wlan0 192.168.1.169/32 port 5900 -> 10.1.1.197 port 5900

#map atuwi0 192.168.0.0/24 -> 72.130.1.46/32 portmap tcp/udp 10000:60000
#map atuwi0 192.168.0.0/24 -> 72.130.1.46/32

[vic@yeaguy ~]$ cat /etc/rc.conf 
gateway_enable="YES"
defaultrouter="192.168.1.1"
```

Also, did you put the correct options for NAT in the kernel and recompile?


----------



## khashmeshab (Nov 7, 2010)

Hi,

Thank you for your response. I have used IPNAT many times before without any problem, but this is the first time I decided to use NATD as my NAT program. I think it will perform better on FreeBSD because it was developed as a native helper for IPFW. And of course I love IPFW!

So, I resolved my problem myself! The problem was in natd.conf and the IPFW rules. First I changed my natd.conf file and added some options to it:

```
port 8668
dynamic yes
same_ports
use_sockets
redirect_address 192.168.13.1 178.63.209.71
```

After this, I couldn't connect to the server, nor could I ping it. So I added a firewall rule:

```
ipfw add 25 allow all from any to any
```

Then I could connect to my VPN server, but no routing or NAT was available. So I removed the recently added firewall rule (25) and BOOM! I can connect to the outside world now.
So I decided to change the firewall rule to this:

```
ipfw add 10 allow tcp from any to 178.63.209.71 dst-port 1723
ipfw add 20 allow tcp from 178.63.209.71 1723 to any
ipfw add 30 allow gre from any to 178.63.209.71
ipfw add 40 allow gre from 178.63.209.71 to any
```

And made it permanent. That completely resolved the problem. Now I can connect to the VPN server and use the Internet without any problem.

The problem I found is too complicated for me to describe! (Because, as you can see, I'm a little poor in English and I'm dying now!). But it's LOGICAL.
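An added note and example, not part of the poster's reply: on FreeBSD 8.x with `firewall_enable="YES"`, `firewall_type="OPEN"` and `natd_enable="YES"`, /etc/rc.firewall installs the `divert natd` rule at number 50 and the OPEN ruleset's pass-all rule at 65000. A hand-added `allow all from any to any` at rule 25 therefore matches every packet before it reaches the divert rule, so VPN clients' packets leave with untranslated 192.168.13.x source addresses and no reply ever comes back, which is consistent with "no routing or NAT" until rule 25 was removed. The narrow PPTP/GRE rules at 10 to 40 only match the tunnel traffic to and from the server itself, so the divert rule still sees the clients' forwarded traffic. The script below audits an `ipfw list` dump for exactly that pitfall (a blanket allow numbered below the divert rule, or no divert rule at all). The two rulesets are constructed samples modelled on the thread, not output captured from the poster's server; `ipfw list` prints the divert port numerically, hence `divert 8668`.

```shell
#!/bin/sh
# Added example: audit "ipfw list" output for a natd ordering mistake.
# Reads rules on stdin. Exit status: 0 = order OK, 1 = an unrestricted
# allow rule precedes the divert rule (NAT is bypassed), 2 = no divert rule.
check_divert_order() {
    awk '
        # Remember the first divert rule (rc.firewall installs it at 50 for natd).
        $2 == "divert" && divert == "" { divert = $1 + 0 }
        # Remember the first unrestricted allow: "allow ip from any to any"
        # with no interface, protocol or port qualifier (exactly 7 fields).
        ($2 == "allow" || $2 == "pass" || $2 == "accept") && NF == 7 &&
        $3 == "ip" && $4 == "from" && $5 == "any" && $6 == "to" && $7 == "any" &&
        blanket == "" { blanket = $1 + 0 }
        END {
            if (divert == "") exit 2
            if (blanket != "" && blanket < divert) exit 1
            exit 0
        }'
}

# Constructed sample resembling the broken state: rule 25 added by hand
# in front of the divert rule that rc.firewall placed at 50.
BROKEN_RULES='00025 allow ip from any to any
00050 divert 8668 ip4 from any to any via re0
00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 deny ip from any to any'

# Constructed sample of the working state: rule 25 removed, narrow
# PPTP control (tcp/1723) and GRE rules added below the divert rule.
FIXED_RULES='00010 allow tcp from any to 178.63.209.71 dst-port 1723
00020 allow tcp from 178.63.209.71 1723 to any
00030 allow gre from any to 178.63.209.71
00040 allow gre from 178.63.209.71 to any
00050 divert 8668 ip4 from any to any via re0
00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 deny ip from any to any'

# Wrapper that maps the exit status to a word, for scripting and tests.
audit_rules() {
    rc=0
    printf '%s\n' "$1" | check_divert_order || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo shadowed ;;
        2) echo nodivert ;;
        *) echo error ;;
    esac
}

# On a live FreeBSD gateway:  ipfw list | check_divert_order; echo $?
if [ "${1:-}" = "--demo" ]; then
    echo "broken ruleset: $(audit_rules "$BROKEN_RULES")"
    echo "fixed ruleset:  $(audit_rules "$FIXED_RULES")"
fi
```

Run it with `sh audit.sh --demo` to see the two verdicts, or pipe real `ipfw list` output into `check_divert_order` on the gateway. The check deliberately ignores allow rules carrying a `via`, protocol or port qualifier, since those (like the poster's rules 10 to 40) do not swallow the forwarded client traffic that natd must translate.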


----------



## khashmeshab (Nov 8, 2010)

Hello again,

Since my VPN server is up and running, I'm providing a public temporary test account for Iranians who need to surf the Internet anonymously with high speed and security. It's just for Iranians, but because I owe this to the FreeBSD OS and community, I'm posting the login credentials here for everyone who is interested in testing it:

Server Address: srv-b.karsha.biz
Username: karsha
Password: 97621567
Expiration Date: Nov 21, 2010 (1 week from now)

I sell this VPN service with unlimited traffic for less than $1 a month. NQHost.com doesn't limit VPS traffic, nor does it place any limit on connectivity, and they provide a very fast connection (about 40 MB/s) to their customers. I bought this package for as little as $7 a month! Yesterday at peak time we had 18 users connected and none of them experienced low speed. The CPU usage was at 0%!

I will be happy if you send your feedback here or contact us.


----------

