Gateway not forwarding packets

Stuart Henderson stu at
Thu Sep 6 01:24:52 BST 2001

> If you're using private addresses on the inside of your network you'll
> also need to enable 'nat' (network address translation).  There's an
> option in rc.conf to switch it on, but you'll need to also compile in
> ipfw and divert sockets.  [Look at the natd man page].

If you want the LAN machine (xx.74/ to be hidden from
the outside world, able to make outgoing connections but not accept
incoming ones (or, only accept a few ports statically mapped from
xx.76, i.e. http://xx.76/ forwarded to, then
NAT is exactly what you need - in that case you would just set the
internal machine to have and not xx.76.

:::::::::::::      ::::::::::::::::      :::::::::::::
:: ADSL    ::      :: BSD        ::      :: LAN     ::
:: router  :: <--> xx.76    192.168 <--> :: 192.168 ::
:::::::::::::      ::::::::::::::::      :::::::::::::

This is probably a bit easier than the other scenario...

> > After scouring mail archives in which everyone seems to 
> > just say "set gateway_enable="YES" in your rc.conf" ( which 
> > I have done ), nothing seems to work.  I have two network 
> > cards in the box, one with IP the other a
> > LAN IP of, the machine on the LAN I'm currently 
> > trying to test with has IPs and a LAN IP of 
> >,

sounds to me like you might want the LAN machine to be
available directly from the outside world, using the BSD box as a
firewall, am I right?

If that's what you're trying to do, you can't do this by using
a gateway - you would need to run BSD as a bridge, since you don't
have access to change the routing table on the ADSL router (the
router wouldn't know to send packets via the BSD box).

:::::::::::::      :::::::::::      :::::::::::
:: ADSL    :: <--> :: BSD   :: <--> :: LAN   ::
:: router  ::      :: xx.76 ::      :: xx.74 ::
:::::::::::::      :::::::::::      :::::::::::

If you want to set the FreeBSD box as a bridge, it would be inline
between the router and the rest of the network. You would continue to
set the gateway on the LAN machines to xx.73, the BSD machine would
silently pass the packets on, doing any firewalling necessary.

You would only give one of the NICs on the BSD box an IP address,
it doesn't matter which. There's more on this in the handbook here: I think that
it would be easiest to set this up using just "real" internet
addresses before adding NAT into the mix (you'd only need NAT if
you have more LAN machines than IP addresses). You'll probably
have to experiment a little to have NAT and bridging working at
once (particularly as regards where each IP address should
be bound - I would guess that you'd have both bound to the 
internal NIC and use natd -a xx.76, but I haven't tried it).

If you are bridging you would not expect to see the bridge in
a traceroute from internal machines to the outside world (or the
ADSL router), since it just copies the packet from one NIC to
the other - it doesn't decrement the time-to-live IP header.

For both of these scenarios you probably only want the ADSL router
connected to the "outside" NIC on the BSD machines, and you'd plug
everything else into the other NIC - the BSD machine would be the
only connection between the two sides. (If you are bridging, it
would work since the bridge learns which IP address is on which
NIC and forwards packets from interface to interface as needed).

I hope this helps rather than confuses (:

ps: actually, there is one other option: assign a number of real
IP addresses to the BSD machine, RFC1918 addresses to machines on
the LAN, and use NAT to do a one-to-one mapping i.e. any port on
xx.74 on the BSD box is mapped to the same port on -
this would not however work with peer-to-peer protocols which
pass the IP address as part of the protocol - the main culprits
here would be peer-to-peer apps and possibly H323 (NAT already
knows how to modify ftp and I think also IRC-dcc).
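
The NAT layout described in the message above, written out as an /etc/rc.conf fragment. This is an added example, not part of the original post. The interface name fxp0, the LAN address 192.168.0.2 and the choice of firewall_type are assumptions made for illustration.

```sh
# /etc/rc.conf fragment for the "BSD box does NAT" layout (added example).
# Assumed, not from the post: fxp0 is the outside NIC that holds xx.76,
# and 192.168.0.2 is the LAN machine behind the BSD box.
#
# natd needs ipfw and divert sockets in the kernel:
#   options IPFIREWALL
#   options IPDIVERT

gateway_enable="YES"     # forward IP packets between the two NICs
firewall_enable="YES"    # load the ipfw ruleset at boot
firewall_type="OPEN"     # placeholder: passes everything, replace with a
                         # restrictive ruleset once NAT is confirmed working
natd_enable="YES"        # start natd at boot
natd_interface="fxp0"    # alias to the address of the outside NIC

# Static mapping: TCP port 80 on the outside address is handed to port 80
# on the LAN machine. Other unsolicited inbound packets have no translation
# entry and are not forwarded to the LAN.
natd_flags="-redirect_port tcp 192.168.0.2:80 80"

# The ipfw ruleset must pass traffic on the outside NIC through natd, e.g.:
#   ipfw add divert natd all from any to any via fxp0
```

For the one-to-one mapping mentioned in the postscript, natd's `-redirect_address` option takes the place of `-redirect_port`.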
