# nat trouble on FreeBSD 12



## doughy (Jul 22, 2019)

I'm trying to get a fresh install of FreeBSD12 to act as a NAT gateway.  I setup all the options in rc.conf and rebooted.  I can ping from any internal address to the inside NIC on the NAT server and have made sure that forwarding was enabled on the Server and still can't hit the outside internet.  The handbook says to make sure the following options are in hte kernel:


```
options IPFIREWALL 
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
```

Are these in the default kernel?


----------



## obsigna (Jul 22, 2019)

These options are not meant to be entries of /etc/rc.conf but would be placed into the configuration file of a custom kernel, in case you wanted to build one. However, this is actually not necessary for getting NAT working on FreeBSD 12. On my BLog, I wrote an article on how to achieve this. It is in German language, however, with the aid of an online translator you might be able to follow the instructions:
German: https://obsigna.com/articles/1406605561.html
English: https://www.translatetheweb.com/?from=de&to=en&a=https://obsigna.com/articles/1406605561.html


----------



## doughy (Jul 25, 2019)

I added the options to the kernel per the NAT configuration in the handbook and built a new kernel and still cannot get NAT to work.  Any ideas what I'm doing wrong?  I've never had a problem using nat on FreeBSD till now


----------



## japoc (Jul 27, 2019)

Can you show the content of your rc.conf and the firewall rules you're using?


----------



## doughy (Jul 27, 2019)

rc.conf:


```
ifconfig_re0="dhcp"
ifconfig_em0="192.168.0.1 netmask 255.255.255.0"
defaultrouter="192.168.0.1"

moused_enable="YES"

ntpdate_enable="YES"
ntpd_enable="YES"

# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable

dumpdev="AUTO"
#firewall_enable="YES"
#firewall_type="OPEN"
natd_enable="YES"
natd_interface="em0"
natd_flags=""
gateway_enable="yes"
ipv6_gateway_enable="yes"
sddm_enable="yes"
```

pf.conf:

```
ext_if="re0"
int_if="em0"

nat on $ext_if from $int_if to any -> ($ext_if)
pass in all
```


----------



## japoc (Jul 27, 2019)

If you want to use the pf firewall (I assume you do since you're using a /etc/pf.conf file to define your rules), you should add the following lines to your /etc/rc.conf:

```
pf_enable="YES"
pf_rules="/etc/pf.conf"
```
To start the pf firewall immediately (without rebooting):

`# service pf start`

Also, your pf.conf surprises me. If you intend to access the global internet from the machines that use the inside NIC, then what you meant to do was probably "pass out all" instead of "pass in all".


----------



## doughy (Jul 28, 2019)

Is it necessary to use pf or can I just configure rc.conf to have the needed entries?  I've tried not using pf and then using pf with the rules I showed and no luck.


----------



## japoc (Jul 28, 2019)

I understand. I guess it's possible to use natd to do that without pf, but I've never tried. pf can do nat by itself (it doesn't need natd).
What I would do:
remove the lines:

```
natd_enable="YES"
natd_interface="em0"
natd_flags=""
```
from your /etc/rc.conf. There should be no reference left to natd.

Then, modify your /etc/pf.conf so that it looks like the following:


```
ext_if="re0"
int_if="em0"
int_if_network = $int_if:network

nat on $ext_if inet from $int_if_network to any -> ($ext_if)
pass out quick on $ext_if inet from ($ext_if) to any keep state
pass from $int_if_network to any keep state # not sure this one is necessary, you might try without
```

If you access the machine remotely via ssh on port 22, don't forget to add the following to your pf.conf (just after the nat rule).


```
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22
```

Otherwise you'd lose access to the host.

I would advise now to reboot. That would ensure natd is not running, that pf reloaded all the rules, and that ipfw is not running at the same time from your previous attempts with it.
After reboot you should be able to access the internet from your internal network.

I added "inet" to your rules, so, they're rules for IPv4 only. I guess that's what you want since your local network seems to be IPv4 only. (digression: it's possible to use nat on IPv6 using pf, but you can't use the ($exf_if) parenthesis extension for it, you would need to use $ext_if:0 instead, see https://forums.freebsd.org/threads/...al-scope-of-an-ipv6-address-in-pf-conf.71298/ ).


----------



## doughy (Jul 28, 2019)

I got it to work using pf and avoiding natd but I'd still like to know why natd isn't working as it should.  Is anyone else having this problem?


----------



## SirDice (Jul 29, 2019)

> FreeBSD's built-in NAT daemon, natd(8), works in conjunction with IPFW to provide network address translation.



30.4.4. Configuring NAT

It's not meant to be used 'stand-alone'.


----------



## doughy (Jul 30, 2019)

What is the benefit of using ipfw with natd opposed to just using pf?  I have a small network I'm setting up that has a firewall with the inside interface going straight to a server using a crossover cable.  The server has an interface going to a WAP and I'm wondering if I should use pf on the server or natd with ipfw.  Also should I use pf or natd and ipfw on the firewall?

Thanks for any advice.


----------



## SirDice (Jul 30, 2019)

doughy said:


> Also should I use pf or natd and ipfw on the firewall?


That's entirely up to you. Some people swear by PF, some IPFW. While there are some technical differences, a lot of it is personal preference. Just try them both and see which one you like.


----------

