Network address translation allows you to have a private internal network that is separate from the Internet, yet can still receive information from it. Translation lets many hosts on an internal network use the Internet through a single gateway connection. The gateway server generally must have two NICs: one connected to a hub or switch (not using the uplink port of the hub), and the other connected to your Internet connection, in this case a cable modem. This is how I have set up network address translation on my own FreeBSD server with a cable modem. For information on how I set up my cable modem, please refer to this page. Once your cable modem is up and running, this is what you need to allow other machines on your internal network to share the same connection.
The first thing that you have to do is assign your client machines an IP address that is reserved for internal networks. There are different network classes set aside to choose from. You can use any of the following addresses:
In order to use network address translation, you will have to enable firewalling in the kernel and in /etc/rc.conf. If you set up Road Runner the way that I describe on this page, you will have to compile your kernel with firewall support. These are the options that I added to my kernel configuration file:
# The `bpfilter' pseudo-device enables the Berkeley Packet Filter. Be
# aware of the legal and administrative consequences of enabling this
# option. The number of devices determines the maximum number of
# simultaneous BPF clients programs runnable.
pseudo-device bpfilter 4 #Berkeley packet filter
# The networking settings for Road Runner.
options IPFIREWALL
options IPFIREWALL_VERBOSE
options "IPFIREWALL_VERBOSE_LIMIT=100"
options IPDIVERT
The first thing to notice is the Berkeley packet filter. This is
needed for the network address translation daemon, natd. Of
the options that I have specified for the firewall, the only ones
that are needed are IPFIREWALL and IPDIVERT. The others are
optional. See the LINT file in the /usr/src/sys/i386/conf
directory or the FreeBSD handbook for more details. Don't forget
to create 4 bpf devices in /dev with "MAKEDEV bpf0". Repeat for
devices bpf1, bpf2, and bpf3. This gives you a total of 4 bpfilter
devices. Actually you only need one I believe, but I always make 4.
Once the kernel has been compiled, and the bpf devices installed, you must turn on the firewall and natd in the /etc/rc.conf file. This is part of my /etc/rc.conf file:
### Basic network options: ###
hostname="myname.my.domain" # Set this!
nisdomainname="NO" # Set to NIS domain if using NIS (or NO).
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_type="open" # Firewall type (see /etc/rc.firewall)
firewall_quiet="NO" # Set to YES to suppress rule display
natd_enable="YES" # Enable natd (if firewall_enable == YES).
natd_interface="fxp0" # Public interface to use with natd.
natd_flags="-u -m -dynamic" # Additional flags for natd.
tcp_extensions="NO" # Disallow RFC1323 extensions (or YES).
# Note: interface fxp0 is setup in rc.roadrunner
network_interfaces="ed0 lo0" # List of network interfaces (lo0 is loopback).
ifconfig_ed0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
The hostname above is not really relevant. I set my hostname with
my Road Runner login. I configure all interfaces except fxp0,
which is my main NIC connected directly to the cable modem. The
ed0 card is the secondary NIC connected to one of the ports on my
4 port hub. The other client machines are also connected to this
4 port hub. The uplink on the hub is not used. I find the natd
options above to work out really well: -u translates only
unregistered (internal) IP addresses, -m tries to keep the same
ports when altering outgoing packets, and -dynamic automatically
handles a change of IP address on the main NIC. You might not have
all of these options in your /etc/rc.conf file. They should be in
/etc/defaults/rc.conf. Copy them from there and place them in
/etc/rc.conf. You should only make changes to /etc/rc.conf or
some other local config file and NOT the files in /etc/defaults.
I also set the firewall type to open. This is an easy way to get
going. If you want to set up a firewall that actually does
something, you are on your own. I suggest you read the
Firewalls FAQ for information on what a firewall is and how it
works. Since my machine is acting as a gateway between the two
networks, it is necessary to turn on the gateway feature in
/etc/rc.conf as well.
defaultrouter="NO" # Set to default gateway (or NO).
static_routes="" # Set to static route list (or leave empty).
gateway_enable="YES" # Set to YES if this host will be a gateway.
router_enable="NO" # Set to YES to enable a routing daemon.
router="routed" # Name of routing daemon to use if enabled.
router_flags="-q" # Flags for routing daemon.
mrouted_enable="NO" # Do multicast routing (see /etc/mrouted.conf).
mrouted_flags="" # Flags for multicast routing daemon.
ipxgateway_enable="NO" # Set to YES to enable IPX routing.
ipxrouted_enable="NO" # Set to YES to run the IPX routing daemon.
ipxrouted_flags="" # Flags for IPX routing daemon.
arpproxy_all="" # replaces obsolete kernel option ARP_PROXYALL.
forward_sourceroute="NO" # do source routing (only if gateway_enable is set to "YES")
accept_sourceroute="NO" # accept source routed packets to us
All that is needed is gateway_enable="YES" and the sourceroute options set to NO (that is a good secure suggestion anyway). This should get you started. It is helpful to add an entry in /etc/hosts for any internal hosts, such as:
# Host Database
# This file should contain the addresses and aliases
# for local hosts that share this file.
# In the presence of the domain name service or NIS, this file may
# not be consulted at all; see /etc/host.conf for the resolution order.
#
#
127.0.0.1 localhost localhost.my.domain myname.my.domain
192.168.1.1 server server.my.domain
192.168.1.2 todd todd.my.domain
192.168.1.3 laptop laptop.my.domain
#
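The two /etc/rc.conf fragments above carry everything the gateway depends on, so it is worth checking them mechanically rather than by eye. The following POSIX shell audit is an added example of mine, not code from the page or from FreeBSD: it reads an rc.conf-style file and checks the three *_enable knobs, both sourceroute options, natd_interface, the -u flag in natd_flags, and that every interface configured in the file (the public fxp0 is set up elsewhere) carries an RFC 1918 private address. The function names and the sample file path are my own; the sample file is constructed from the values shown on this page.

```shell
#!/bin/sh
# Audit an /etc/rc.conf-style file for the NAT gateway settings used on this page.
# Added example, not the page's or FreeBSD's own code; function names are mine.

# rc_value FILE KEY: print the (unquoted) value of KEY in FILE, last assignment wins.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# is_rfc1918 ADDR: succeed if ADDR lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# rc_audit FILE: print one PASS/WARN/FAIL line per check; return the FAIL count.
rc_audit() {
    f=$1; fails=0
    for key in firewall_enable natd_enable gateway_enable; do
        if [ "$(rc_value "$f" "$key")" = "YES" ]; then
            echo "PASS $key=YES"
        else
            echo "FAIL $key must be YES"; fails=$((fails + 1))
        fi
    done
    # Source-routed packets let the sender choose the path; a gateway should drop them.
    for key in forward_sourceroute accept_sourceroute; do
        if [ "$(rc_value "$f" "$key")" = "NO" ]; then
            echo "PASS $key=NO"
        else
            echo "FAIL $key must be NO"; fails=$((fails + 1))
        fi
    done
    pub=$(rc_value "$f" natd_interface)
    if [ -n "$pub" ]; then
        echo "PASS natd_interface=$pub"
    else
        echo "FAIL natd_interface is not set"; fails=$((fails + 1))
    fi
    # -u (-unregistered_only) makes natd rewrite only packets from unregistered addresses.
    case " $(rc_value "$f" natd_flags) " in
        *" -u "*|*" -unregistered_only "*) echo "PASS natd_flags restrict translation to unregistered addresses" ;;
        *) echo "WARN natd_flags lack -u; natd would also rewrite registered addresses" ;;
    esac
    # Every interface configured in this file is an inside interface and must be private.
    for iface in $(rc_value "$f" network_interfaces); do
        [ "$iface" = lo0 ] && continue
        addr=$(rc_value "$f" "ifconfig_$iface" | sed -n 's/.*inet \([0-9.]*\).*/\1/p')
        if is_rfc1918 "$addr"; then
            echo "PASS $iface has private address $addr"
        else
            echo "FAIL $iface address '$addr' is not RFC 1918 space"; fails=$((fails + 1))
        fi
    done
    return $fails
}

# write_sample_rcconf FILE: constructed sample built from the values on this page.
write_sample_rcconf() {
    cat > "$1" <<'EOF'
firewall_enable="YES"       # Set to YES to enable firewall functionality
firewall_type="open"        # Firewall type (see /etc/rc.firewall)
natd_enable="YES"           # Enable natd (if firewall_enable == YES).
natd_interface="fxp0"       # Public interface to use with natd.
natd_flags="-u -m -dynamic" # Additional flags for natd.
network_interfaces="ed0 lo0"
ifconfig_ed0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_lo0="inet 127.0.0.1"
gateway_enable="YES"        # Set to YES if this host will be a gateway.
forward_sourceroute="NO"    # do source routing (only if gateway_enable is set to "YES")
accept_sourceroute="NO"     # accept source routed packets to us
EOF
}

# Usage: sh rc_audit.sh /etc/rc.conf   (exit status = number of failed checks)
if [ $# -gt 0 ]; then
    rc_audit "$1"
fi
```

Run it against the real file with `sh rc_audit.sh /etc/rc.conf`; a non-zero exit status means at least one FAIL line was printed. The RFC 1918 check is deliberately applied to every interface listed in network_interfaces, because on this setup the only interfaces configured in rc.conf are the inside ones.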
The client machines on your network should be easy to set up. All that is usually needed is to set their default gateway to the address of the second NIC on the gateway server. In my case I set all the client machines to use 192.168.1.1 as the default gateway. Assign the client machine whichever internal IP address you wish, ideally one you have added to /etc/hosts, and everything should work well. Once the server is rebooted, an "ipfw list" as root will show your firewall rules:
00100 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any
You can add more rules if you wish in /etc/rc.firewall. Check the FreeBSD handbook for more information about that and other networking questions.
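The listing above is what a working "open" ruleset looks like, and the one thing NAT cannot survive is the divert rule going missing or landing on the wrong interface. The following POSIX shell script is an added example of mine, not code from the page or from FreeBSD: it reads an `ipfw list` dump, confirms that a divert rule exists on the public interface and precedes any catch-all allow, reports the catch-all that firewall_type="open" produces, and notes whether /etc/rc.firewall has been given rules that reject the three RFC 1918 source ranges arriving inbound on the public side (the usual first addition to an open ruleset). The rule lines it embeds are the page's own, constructed here as input so the check runs without ipfw; the function names are mine.

```shell
#!/bin/sh
# Check an `ipfw list` dump for the pieces the NAT setup on this page depends on.
# Added example, not the page's or FreeBSD's code; the check logic and names are mine.

# sample_ruleset: the rules shown on this page for firewall_type="open",
# constructed here as input so the audit can run without ipfw.
sample_ruleset() {
    cat <<'EOF'
00100 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any
EOF
}

# ipfw_audit PUBLIC_IF (ruleset on stdin): print PASS/WARN/FAIL lines, return FAIL count.
ipfw_audit() {
    pub=$1; divert=""; catchall=""; antispoof=0; lo_ok=0; fails=0
    while read -r num action rest; do
        [ -z "$num" ] && continue
        num=$(echo "$num" | sed 's/^0*\([0-9]\)/\1/')   # 00100 -> 100, avoids octal
        case "$action $rest" in
            "divert "*" via $pub") divert=$num ;;
            "allow ip from any to any") [ "$num" -lt 65535 ] && catchall=$num ;;
            "deny ip from any to 127.0.0.0/8") lo_ok=1 ;;
            "deny ip from 10.0.0.0/8 "*"in via $pub"|"deny ip from 172.16.0.0/12 "*"in via $pub"|"deny ip from 192.168.0.0/16 "*"in via $pub")
                antispoof=$((antispoof + 1)) ;;
        esac
    done
    if [ -n "$divert" ]; then
        echo "PASS rule $divert diverts traffic on $pub to natd"
    else
        echo "FAIL no divert rule on $pub: natd never sees the packets"; fails=$((fails + 1))
    fi
    if [ -n "$catchall" ]; then
        # The divert must be evaluated before the catch-all or nothing is translated.
        if [ -n "$divert" ] && [ "$divert" -gt "$catchall" ]; then
            echo "FAIL divert rule $divert comes after catch-all allow $catchall"; fails=$((fails + 1))
        fi
        echo "WARN rule $catchall allows everything (firewall_type=\"open\")"
    fi
    if [ "$lo_ok" -eq 1 ]; then
        echo "PASS packets addressed to 127/8 from the network are dropped"
    else
        echo "WARN no rule drops packets addressed to 127.0.0.0/8"
    fi
    if [ "$antispoof" -eq 3 ]; then
        echo "PASS private source ranges are rejected inbound on $pub"
    else
        echo "WARN only $antispoof of 3 RFC 1918 ranges are rejected inbound on $pub (add deny rules in /etc/rc.firewall)"
    fi
    return $fails
}

# Usage on the gateway: ipfw list | sh ipfw_audit.sh fxp0
if [ $# -gt 0 ]; then
    ipfw_audit "$1"
fi
```

With the page's ruleset the script passes the divert check, warns about rule 65000 passing everything, and warns that no private source range is rejected on fxp0. Rule 65535 is the kernel's default rule; it reads "deny" here because the kernel above was built with IPFIREWALL but without IPFIREWALL_DEFAULT_TO_ACCEPT, which is why the open ruleset needs the explicit allow at 65000.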