# natd shows it's working - except it's not



## heb (Apr 4, 2014)

In short: natd appears to be working - or so it says - but something seems to be bogging it.

The setup is rather simple:
External device is nfe0. Internal device ue0. External device is connected to our building's internet provider, which gives out a 10.84.0.0/16 address. Internal device is 10.10.10.1 and is connected to an access point. isc-dhcpd is set up to give out 10.10.10.0/24 addresses on the internal network.

ICMP is getting through and works. From machines on the internal network I appear to be able to ping any address on the internet (I usually try with 8.8.8.8 but others also work). TCP and UDP services (DNS, HTTP, SMTP, etc.) are not working.

Starting natd from console (`/sbin/natd -dynamic -l -s -v -interface nfe0`) gives a lot of data such as:

```
In  {default}[UDP]  [UDP] 17.173.254.222:16384 -> 10.84.168.67:16403 aliased to
           [UDP] 17.173.254.222:16384 -> 10.10.10.12:16403
In  {default}[UDP]  [UDP] 17.173.254.222:16385 -> 10.84.168.67:16403 aliased to
           [UDP] 17.173.254.222:16385 -> 10.10.10.12:16403
In  {default}[UDP]  [UDP] 17.173.254.223:16386 -> 10.84.168.67:16403 aliased to
           [UDP] 17.173.254.223:16386 -> 10.10.10.12:16403
Out {default}[UDP]  [UDP] 10.10.10.12:16403 -> 17.173.254.222:16384 aliased to
           [UDP] 10.84.168.67:16403 -> 17.173.254.222:16384
Out {default}[UDP]  [UDP] 10.10.10.12:16403 -> 17.173.254.222:16385 aliased to
           [UDP] 10.84.168.67:16403 -> 17.173.254.222:16385
Out {default}[UDP]  [UDP] 10.10.10.12:16403 -> 17.173.254.223:16386 aliased to
           [UDP] 10.84.168.67:16403 -> 17.173.254.223:16386
In  {default}[UDP]  [UDP] 17.173.254.222:16384 -> 10.84.168.67:16403 aliased to
           [UDP] 17.173.254.222:16384 -> 10.10.10.12:16403
In  {default}[UDP]  [UDP] 17.173.254.222:16385 -> 10.84.168.67:16403 aliased to
           [UDP] 17.173.254.222:16385 -> 10.10.10.12:16403
In  {default}[UDP]  [UDP] 17.173.254.223:16386 -> 10.84.168.67:16403 aliased to
           [UDP] 17.173.254.223:16386 -> 10.10.10.12:16403
Out {default}[UDP]  [UDP] 10.10.10.12:61250 -> 185.37.37.37:53 aliased to
           [UDP] 10.84.168.67:61250 -> 185.37.37.37:53
In  {default}[UDP]  [UDP] 185.37.37.37:53 -> 10.84.168.67:61250 aliased to
           [UDP] 185.37.37.37:53 -> 10.10.10.12:61250
Out {default}[UDP]  [UDP] 10.10.10.12:16403 -> 17.173.254.222:16384 aliased to
           [UDP] 10.84.168.67:16403 -> 17.173.254.222:16384
Out {default}[UDP]  [UDP] 10.10.10.12:16403 -> 17.173.254.222:16385 aliased to
```

However, clients do not appear to be able to even do name resolution.

My rc.conf:

```
hostname="trygvelie.dyndns.dk"
keymap="danish.iso.kbd"
sshd_enable="YES"
powerd_enable="YES"
dumpdev="AUTO"

# network if

ifconfig_nfe0="DHCP"
ifconfig_ue0="inet 10.10.10.1 netmask 255.255.255.0"

# gateway

gateway_enable="YES"
natd_enable="YES"
natd_interface="nfe0"
natd_flags="-f /etc/natd.conf"
dhcpd_enable="YES"

# firewall

firewall_enable="YES"
firewall_type="open"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
```

My natd.conf:

```
use_sockets
same_ports
interface nfe0
dynamic
unregistered_only
```

My ipfw.rules is shaved down to an absolute minimum:


```
#!/bin/sh

cmd="/sbin/ipfw -q add"

/sbin/ipfw -q -f flush

$cmd 500 divert 8668 all from any to any via nfe0
$cmd 1000 allow ip from any to any via lo0
$cmd 65000 allow ip from any to any
```

`kldstat` gives me:

```
Id Refs Address            Size     Name
 1   30 0xffffffff80200000 15f0310  kernel
 2    1 0xffffffff81a12000 59ec     if_axe.ko
 3    1 0xffffffff81a18000 2aa8     uether.ko
 4    1 0xffffffff81a1b000 4e18     ng_ubt.ko
 5    5 0xffffffff81a20000 affe     netgraph.ko
 6    1 0xffffffff81a2b000 9143     ng_hci.ko
 7    3 0xffffffff81a35000 102b     ng_bluetooth.ko
 8    1 0xffffffff81a37000 be53     ng_l2cap.ko
 9    1 0xffffffff81a43000 19d55    ng_btsocket.ko
10    1 0xffffffff81a5d000 37c7     ng_socket.ko
11    2 0xffffffff81a61000 109bd    ipfw.ko
12    1 0xffffffff81a72000 4c16     ipdivert.ko
```

And `uname -a` gives:

```
FreeBSD trygvelie.dyndns.dk 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
```

I've been trying all sorts of things, but the outcome always seems to be the same: ICMP gets through - nothing else, so now I'm thinking that I may be missing the obvious. Any pointers would be greatly appreciated.
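An In/Out pair in the `natd -v` log only proves that natd translated both directions of a flow; it says nothing about whether the re-injected packet then gets past the remaining ipfw rules and out on ue0. A small parser over that log makes the per-flow picture explicit. This is an added example, not part of the original post: the sample log is constructed in the format shown above, and the TCP flow to 203.0.113.10 (a retried connection with no reply) is assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout natd -v prints (one UDP flow taken from the
# post's log, plus an assumed TCP flow that only ever goes outbound).
SAMPLE_LOG = """\
Out {default}[UDP]  [UDP] 10.10.10.12:61250 -> 185.37.37.37:53 aliased to
           [UDP] 10.84.168.67:61250 -> 185.37.37.37:53
In  {default}[UDP]  [UDP] 185.37.37.37:53 -> 10.84.168.67:61250 aliased to
           [UDP] 185.37.37.37:53 -> 10.10.10.12:61250
Out {default}[TCP]  [TCP] 10.10.10.12:49152 -> 203.0.113.10:80 aliased to
           [TCP] 10.84.168.67:49152 -> 203.0.113.10:80
Out {default}[TCP]  [TCP] 10.10.10.12:49152 -> 203.0.113.10:80 aliased to
           [TCP] 10.84.168.67:49152 -> 203.0.113.10:80
"""

# First line: direction, protocol, pre-alias src:port -> dst:port.
FIRST = re.compile(r'^(In|Out)\s+\{\w+\}\[(\w+)\]\s+\[\w+\]\s+'
                   r'([^:\s]+):(\d+) -> ([^:\s]+):(\d+) aliased to$')
# Second line: post-alias src:port -> dst:port.
SECOND = re.compile(r'^\s+\[\w+\]\s+([^:\s]+):(\d+) -> ([^:\s]+):(\d+)$')

def parse_flows(text):
    """Map (proto, internal endpoint, remote endpoint) -> {"Out": n, "In": n}."""
    flows = defaultdict(lambda: {"Out": 0, "In": 0})
    lines = text.splitlines()
    i = 0
    while i + 1 < len(lines):
        m1, m2 = FIRST.match(lines[i]), SECOND.match(lines[i + 1])
        if not (m1 and m2):
            i += 1
            continue
        direction, proto, src, sport, dst, dport = m1.groups()
        a_src, a_sport, a_dst, a_dport = m2.groups()
        if direction == "Out":   # pre-alias source is the LAN host
            internal, remote = f"{src}:{sport}", f"{dst}:{dport}"
        else:                    # post-alias destination is the LAN host
            internal, remote = f"{a_dst}:{a_dport}", f"{src}:{sport}"
        flows[(proto, internal, remote)][direction] += 1
        i += 2
    return dict(flows)

def unanswered(flows):
    """Flows natd translated outbound but never saw a reply for."""
    return sorted(k for k, c in flows.items() if c["Out"] and not c["In"])

if __name__ == "__main__":
    table = parse_flows(SAMPLE_LOG)
    for (proto, internal, remote), c in sorted(table.items()):
        print(f"{proto:4} {internal:>22} -> {remote:<20} out={c['Out']} in={c['In']}")
    print("no reply seen:", unanswered(table))
```

A flow that shows up with both counters, like the DNS query here, was handled correctly by natd, so the drop has to be looked for after the divert rule rather than in the NAT itself.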


----------



## tingo (Apr 6, 2014)

Have you looked at the output from `# ipfw show`? It shows you which rules are being used and which are not.  Usually you can find out any obvious mistakes from that.


----------



## heb (May 4, 2014)

I have now reached the conclusion that I'm not capable of making it work. Though I can't find any documentation that supports it, I'm quite convinced that it is the ue-device that is the issue. Perhaps because it's a USB device.
I tried on a fresh, where I took out a Soekris (NET4801-50) that I knew I could get it working on, and set that one up in parallel (with differences only being in hardware and disk layout). The Soekris installation I got working pretty much straight away, while the same filter rules, natd config and rc.conf didn't get me anywhere on the laptop.

@tingo, thank you for your advice. It didn't help me, but it's still good advice.


----------



## wblock@ (May 4, 2014)

Consider switching to pf(4), where NAT is internal to the firewall rather than an external daemon.  In the firewall rules, it's just:

```
nat on $ext_if from $internal_net to any -> ($ext_if)
```


----------



## heb (May 4, 2014)

wblock@ said:

> Consider switching to pf(4), where NAT is internal to the firewall rather than an external daemon.  In the firewall rules, it's just:
> 
> ```
> nat on $ext_if from $internal_net to any -> ($ext_if)
> ```


I did try pf initially on the laptop (after my first failed attempts with ipfw), but not being able to get that to work (basically following the simple gateway with NAT example in the handbook), I reverted to trying with ipfw, as it is the firewall I have the most experience with. I will try on another Soekris/laptop run with pf at some point, though. Thanks.


----------

