# IPFW and NAT on 7.0 without recompiling kernel?



## k1piee (May 7, 2009)

Hi!

I have a openVPN server on a FreeBSD 7.0 server and it works great, but I want to make all my traffic go trough the VPN when I'm connected to it, and I think I need to use NAT for that right?
So my question is, do I have to recompile my kernel for that? Or can I use the 7.0 stock kernel? Or can I just bridge the tap0 interface with my vr0 interface and get it to work?
Really need some help with this!


----------



## k1piee (May 7, 2009)

Forgot to say that I'm using IPFW as a firewall atm!


----------



## SirDice (May 8, 2009)

There shouldn't be a need to recompile your kernel. As soon as IPFW tries to start it will load the needed kernel modules automagically.


----------



## phoenix (May 9, 2009)

Note: the default rule for IPFW is "deny ip from any to any", so don't load the ipfw module when logged in via a remote connection.  You'll be kicked off.    Had that a happen one too many times over the years.


----------



## k1piee (May 10, 2009)

Great thanks alot for the answers!
But I'm not really sure how to write the NAT rule though as I'm not so good with writing firewall rules..

This is my firewall-script atm:
(/usr/local/etc/ipfw.rules)

```
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ssh (22), http (80), openvpn (1194) etc
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 80 in
$IPF 160 allow tcp from any to any 80 out
$IPF 210 allow udp from any to any 1194 in
$IPF 215 allow udp from any to any 1194 out

# allow some inbound icmps - echo reply, dest unreach, source quench,
# echo, ttl exceeded.
$IPF allow icmp from any to any icmptypes 0,3,4,8,11

# deny and log everything
$IPF 500 deny log all from any to any
```

And I want to NAT the traffic that comes from tun0 to be able to go out through vr0.

Does anyone know how to write the right rule and where to put it in the script?
I would really appreciate the help. 
Thanks!


----------



## blackjack (May 12, 2009)

I think you must add the rules


```
$IPF 90 divert natd ip from $local_network to any via $if_out
$IPF 100 divert natd ip from any to $local_network via $if_out
```


----------



## k1piee (May 12, 2009)

Thanks alot for the answer!

But if thats is suppose to work then there must be something wrong with my OpenVPN config, cause I can't reach the internet with the client I connect to the VPN-server with..
I connect all fine and can ping the VPN-server, but the strange thing is that the default gateway is set to an IP that I cant even ping. The server looks like this:



```
[root@server~]#ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.9.0.1 --> 10.9.0.2 netmask 0xffffffff 
        Opened by PID 17469
```

I can ping 10.9.0.1 but not 10.9.0.2
and my client gets this:


```
client:~#ifconfig tun0
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.9.0.6  P-t-P:10.9.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:667 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:428128 (418.0 KiB)
```


```
client:~#route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.9.0.5        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
94.255.162.90   94.255.131.1    255.255.255.255 UGH   0      0        0 eth0
94.255.131.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.9.0.0        10.9.0.5        255.255.255.0   UG    0      0        0 tun0
0.0.0.0         10.9.0.5        0.0.0.0         UG    0      0        0 tun0
```

What is going on here? 
Why is the default gateway set to 10.9.0.5 and not 10.9.0.1?

This is my server.conf


```
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
verb 3
```

And this is my client.conf:

```
client
dev tun
proto udp
remote server.com 1194
nobind
user nobody
group nogroup
persist-key
persist-tun
mute-replay-warnings
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
cipher AES-256-CBC
comp-lzo
verb 3
```

Is there anyone that knows whats wrong here?
Thanks!


----------



## k1piee (May 13, 2009)

okey never mind about the openvpn-configs because I tried the exact same configs on my linux machine and added:
iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
and it worked like a charm.
So there must be something wrong with my firewall or I have missed something in my rc.conf or something else.
Is there something wrong in my rc.conf?:


```
blanktime="600"
hostname="omg.nu"
ifconfig_vr0="DHCP"
inetd_enable="YES"
keymap="swedish.iso"
linux_enable="YES"
saver="rain"
scrnmap="NO"
sshd_enable="YES"
ipfw_load="YES"
ipdivert_load="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="vr0"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_if="tun"
```

Is there anything else I have to do to make NAT work? Something I have to turn on manually, some sysctl stuff I have to make?
It could be that something isnt turned on because I havnt rebooted my server for 180 days, but I would really want to make this without having to reboot it.


----------



## varda (May 16, 2009)

*Builds an ipfw kld with nat support enabled*

In order to have ipfw with nat support enabled you need to have kernel sources and to recompile ipfw.

Add to /etc/make.conf or exports by some convinient for you way to environment variable:

```
CFLAGS+= -DIPFIREWALL -DIPFIREWALL_NAT -DIPFIREWALL_FORWARD -DIPFIREWALL_DEFAULT_TO_ACCEPT -DIPSTEALTH
```
Then you may recompile ipfw from /usr/src/sys/modules/ipfw something like:

```
make clean && make cleandir && make obj && make depend && make all && make install && make clean && make cleandir
```
Or simplify this process as you prefer.
Now add following strings to /boot/loader.conf

```
ipfw_load="YES"
ipfw_nat_load="YES"
ipdivert_load="YES"
dummynet_load="YES"
libalias_load="YES"
```
Check output during boot to remove extra or nonexistent modules if I've made a mistake.

That's all, after reboot you will have full featured ipfw which  by default accepts incoming connections.

Also you can make checks and tests without rebooting system by `kldoad` listed above modules by hand.

All your ipfw divert and nat rules should to work now.

Good luck.


----------



## k1piee (May 17, 2009)

thanks alot for the answer!
I just tried that and I seriously thought it would work now, I even rebooted the server but I still can't get it to work...
There must be something with my firewall script because I have tried everything and I'm getting really tiered of this..
Why wont this work for me?
I'm seriously considering switching back to running linux on the server because this is just to much


----------



## k1piee (May 26, 2009)

Would just like to say that I made it work now. It was the firewall-script that was the problem  just one thing is that the traffic doesnt go through the VPN if it is going to the same network, for example the VPN-server is on 94.255.130.xyz and I want to connect to 94.255.130.zyx then it wont go through the tunnel, but its fine if it doesnt but if you know why I would be happy to know how to fix it 
Thanks alot for the help!


----------

