# NAT problem



## zsolt (Mar 6, 2014)

Hello, 

I have a FreeBSD box configured as a router at my home. I have 2 Intel PCI NICs and an Atheros wireless network adapter inside. 
One Ethernet adapter (em0) is connected by PPPoE to the internet (tun0), the second (em1) is configured as a gateway to the internal LAN, and the wireless adapter is configured as an access point (ath0). All is working well except NAT!!! 

Here is my configuration of the network interfaces in rc.conf:


```
# I N T E R N E T  B Y  P P P O E
 ppp_enable="YES"
 ppp_profile="RDS"
 ppp_mode="ddial"
 ppp_nat="YES"
```


```
# L O C A L  A R E A  N E T W O R K
 ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0 media auto"
```


```
# W I R E L E S S  A. P.
 wlans_ath0="wlan0"
 create_args_wlan0="wlanmode hostap"
 ifconfig_wlan0="inet 192.168.2.1 netmask 255.255.255.0 ssid freebsdap mode 11g"
 hostapd_enable="YES"
```

I am using the Transmission torrent client on the inside LAN and on the laptop connected by Wifi to the server, and I configured port 30000 for incoming connections. Of course port 30000 is closed when checked in Transmission. I double checked with utorrent, too. It doesn't matter if I check the open port from the wireless connection or from cable; the result is that it is not working. This port I opened in the firewall (IPFW) and also I am using the NAT of the PPP connection. 

IPFW: 

```
$cmd 00405 allow tcp from any to me 30000 in via $pif setup limit src-addr 2
```

and

/etc/ppp/ppp.conf is looking like this:


```
default:
 set log Phase tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0
 nat enable yes
RDS:
 set device PPPoE:em0
 set authname *********
 set authkey *********
 set dial
 set login
 add default HISADDR
 set redial 3 20
# N A T
 nat port tcp 192.168.2.2:30000 30000
 nat port tcp 192.168.1.2:30000 30000
```

I am thinking that it is a routing problem, but can't figure it out yet on my own. Here is what my routing table looks like:

```
# netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            10.0.0.1           UGS         0    10022   tun0
10.0.0.1           link#6             UH          0        0   tun0
86.126.231.116     link#6             UHS         0        0    lo0
127.0.0.1          link#4             UH          0        0    lo0
192.168.1.0/24     link#2             U           0        0    em1
192.168.1.1        link#2             UHS         0        0    lo0
192.168.2.0/24     link#5             U           0    11275  wlan0
192.168.2.1        link#5             UHS         0        0    lo0
```

While checking whether port 30000 is opened by Transmission I had the idea to check the packets with `tcpdump`. From a laptop connected by WIFI I logged into the server by `ssh` and ran `tcpdump`. The IP of my laptop is 192.168.2.2. So, running `tcpdump` on tun0 gives me the following: 

`#tcpdump -n -v -i tun0 | grep 30000`

```
91.121.60.42.42380 > 192.168.1.2.30000: Flags [S], cksum 0x3c6f (correct), seq 2504297804, win 5840, options [mss 1440,sackOK,TS val 3359806967 ecr 0,nop,wscale 6], length 0
```

From what `tcpdump` returns, shouldn't the IP address be 192.168.2.2 instead of 192.168.1.2 ??? No computer has IP address 192.168.1.2 on my network. All are powered off except the laptop. Later I tried to reconfigure the WLAN to 192.168.1.0 but NAT was still not working, so I still suspect that I have some routing problems.

Hope somebody can understand my problem.

Kind regards,


----------



## SirDice (Mar 7, 2014)

I would suggest using the NAT functionality of IPFW or PF instead. You'll have much more control. Also, because you're routing between interfaces you have to enable routing by adding to /etc/rc.conf:

```
gateway_enable="YES"
```


----------



## SirDice (Mar 7, 2014)

SirDice said:

> I would suggest using the NAT functionality of IPFW or PF instead. You'll have much more control. Also, because you're routing between interfaces you have to enable routing by adding to /etc/rc.conf:
> 
> ```
> gateway_enable="YES"
> ```

zsolt said:

> From what tcpdump returns shouldn't the IP address be 192.168.2.2 instead of 192.168.1.2 ??? No computer has IP address 192.168.1.2 on my network.


You have two redirections on the same port. The second one overrules the first as you can redirect a port to one IP address only.


----------



## zsolt (Mar 7, 2014)

Thanks for your kind support SirDice! Routing is enabled in my rc.conf file. I deleted the last line in the ppp.conf file. Now I have only one entry for port 30000. 
So, I tried once again the port check from my laptop (port 30000) in Transmission bittorrent client. My laptop IP address is still 192.168.2.2 and I am connected on wireless to my server. Here is the result: 


```
# tcpdump -n -v -i tun0 | grep 30000
91.121.60.42.55200 > 192.168.2.2.30000: Flags [S], cksum 0x33c9 (correct), seq 4033316018, win 5840, options [mss 1440,sackOK,TS val 3401782911 ecr 0,nop,wscale 6], length 0
```

Looks like the redirection is fine now. The IP address 91.121.60.42 is the Transmission site, but the torrent client still says port 30000 is closed.
I have tried to tcpdump the wlan0 interface of the server: 


```
# tcpdump -n -v -i wlan0 | grep 91.121.60.42
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
    192.168.2.2.1477 > 91.121.60.42.80: Flags [F.], cksum 0xa7cd (correct), seq 531133985, ack 3993755890, win 17115, length 0
    192.168.2.2.1478 > 91.121.60.42.80: Flags [S], cksum 0xc757 (correct), seq 3782957544, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    91.121.60.42.80 > 192.168.2.2.1477: Flags [.], cksum 0xd188 (correct), ack 1, win 6432, length 0
    91.121.60.42.80 > 192.168.2.2.1478: Flags [S.], cksum 0xedc4 (correct), seq 3537047538, ack 3782957545, win 5840, options [mss 1440,nop,nop,sackOK], length 0
```

Still the torrent client reports 30000 is a closed port. 
What else to check? I don't know what else to do...


----------



## zsolt (Mar 9, 2014)

Finally, I have found the source of my problem! I guess it's pure luck. The problem was in the firewall. More exactly, in the firewall's configuration file, the line which is responsible for letting in the connections from the outside on port 30000. 

Initially it was: 

```
$cmd 00405 allow tcp from any to me 30000 in via $pif setup limit src-addr 2
```

and I have changed to this:

```
$cmd 00405 allow tcp from any to any 30000 in via $pif setup limit src-addr 2
```

Strange situation I might say. I am not sure if it's a bug in IPFW or maybe my rc.conf is configured wrongly, but after this modification in my firewall everything is working really well. Digging in the man page, here is the difference between using the *me* and *any* rule fields:


```
addr: [not] {any | me | me6 | table(number[,value]) | addr-list |addr-set}

    any     matches any IP address.
    me      matches any IP address configured on an interface in the system.
```

I hope this information will be of help for others in the future. The examples in the handbook use the "me" rule field quite a lot.


----------
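The two faults in this thread, modelled as an added example (not code from the thread or from FreeBSD): ppp's in-process NAT rewrites the destination of an inbound SYN before the packet ever appears on tun0, so by the time rule 00405 is evaluated the destination is a LAN host, which `to me` can never match, and a second `nat port` line for the same external port silently replaces the first. The router addresses are the lo0 host routes from the `netstat -nr` output above; the packet and ppp.conf fragments are constructed, `$pif` is assumed to be tun0, and the `limit src-addr 2` option is ignored by the matcher.

```python
import re

# The router's own addresses: the lo0 host routes in the netstat output above.
ROUTER_ADDRS = {"86.126.231.116", "127.0.0.1", "192.168.1.1", "192.168.2.1"}

# Constructed copies of the NAT lines from ppp.conf, before and after the fix.
PPP_CONF_TWO_REDIRECTS = """\
 nat port tcp 192.168.2.2:30000 30000
 nat port tcp 192.168.1.2:30000 30000
"""
PPP_CONF_ONE_REDIRECT = " nat port tcp 192.168.2.2:30000 30000\n"

# Constructed inbound SYN from the tracker's port check, as ppp receives it.
TRACKER_SYN = {"src": "91.121.60.42", "dst": "86.126.231.116", "dport": 30000,
               "iface": "tun0", "syn": True}

def parse_nat_ports(ppp_conf):
    """Redirect table keyed by external port; a later 'nat port' line for the
    same port replaces the earlier one (the 'second overrules the first')."""
    table = {}
    for m in re.finditer(r"^\s*nat port tcp (\S+):(\d+) (\d+)", ppp_conf, re.M):
        table[int(m.group(3))] = (m.group(1), int(m.group(2)))
    return table

def apply_redirect(table, pkt):
    """ppp rewrites the destination before the packet reaches tun0, which is
    why tcpdump on tun0 already shows the LAN address."""
    new_dst, new_port = table.get(pkt["dport"], (pkt["dst"], pkt["dport"]))
    return dict(pkt, dst=new_dst, dport=new_port)

def ipfw_matches(rule, pkt):
    """Matcher for 'allow tcp from A to B PORT in via IF setup'; the
    'limit src-addr N' option only caps connections per source and is ignored."""
    src, dst, port, iface = re.match(
        r"allow tcp from (\S+) to (\S+) (\d+) in via (\S+) setup", rule).groups()

    def addr_ok(spec, ip):
        # 'me' is an address configured on the router; after the redirect the
        # destination is a LAN host, so 'me' can never match it.
        return spec == "any" or (spec == "me" and ip in ROUTER_ADDRS) or spec == ip

    return (addr_ok(src, pkt["src"]) and addr_ok(dst, pkt["dst"])
            and pkt["dport"] == int(port) and pkt["iface"] == iface and pkt["syn"])

def inbound_decision(ppp_conf, dst_spec, pkt=TRACKER_SYN):
    """(destination ipfw sees, whether rule 00405 with 'to <dst_spec>' lets it in)."""
    rule = f"allow tcp from any to {dst_spec} 30000 in via tun0 setup"
    translated = apply_redirect(parse_nat_ports(ppp_conf), pkt)
    return translated["dst"], ipfw_matches(rule, translated)
```

Calling `inbound_decision(PPP_CONF_ONE_REDIRECT, "me")` yields the closed port from the thread, while `"any"` or the explicit `"192.168.2.2"` passes the SYN; the explicit address is the tighter choice since it admits only traffic already redirected to that host.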

