Public IP behind NAT
Monday, 05 March 2007

If you have a small LAN with private IPs and your ISP has assigned you a small subnet of public IPs, you can assign those public IPs to your LAN stations. This is done with the static NAT feature of FreeBSD.


You will set up your FreeBSD box to act as a router with NAT, assign private IPs to the computers on your LAN, and then configure your firewall to do static NAT for the public IP.

It is recommended to put the machines that will have public IPs on a separate LAN.

Internet  <--------- FreeBSD Router <-------- SWITCH ----- LAN Machine
                     WAN IF  LAN IF                        10.0.0.2
                             10.0.0.1


In order to assign a public IP to your LAN machine you must:
- assign a private IP to that machine (10.0.0.2 for example);
- configure static NAT on your firewall so your machine will be seen from the Internet as a public machine;
- have a public IP given by your ISP, routed to your main public IP.


There are two distinct setups for configuring static NAT on your firewall. If your FreeBSD router uses the ipfw firewall and natd, you will use the "-redirect_address" option of natd. If your FreeBSD router uses PF, you will use the binat feature of pf.

Configure your IPFW + NATD firewall to assign public IPs to your LAN Machine
--------------------------------------------------------------------------------------------------------

Add (append) the following lines to your rc.conf file

# --------- rc.conf file --------------------
natd_enable="YES"
natd_interface="fxp0"
#natd_flags=""
natd_flags="-f /etc/natd.conf"
#--------- end rc.conf file -----------------



Create /etc/natd.conf file (or edit if you already have it), and add the following lines:

# -------- natd.conf ----------
use_sockets yes
same_ports yes
interface fxp0
dynamic yes
unregistered_only yes
redirect_address 10.0.0.2 88.140.130.1
# -------- end natd.conf ----


where 88.140.130.1 is the public IP you want to assign to the LAN computer with IP 10.0.0.2.

The last step is to add a divert rule at the beginning of your ipfw firewall rules, to divert all traffic from/to 88.140.130.1 to static NAT.

If you have no exceptions and want to divert all traffic from the LAN, use the following rules:

#ipfw add divert 8668 ip from any to any via fxp0
#ipfw add divert 8668 ip from any to me in recv fxp0

If you want to divert only specific traffic, for example all private IPs and this IP only (88.140.130.1), use these rules:

#ipfw add divert 8668 ip from any to 88.140.130.1 dst-ip 88.140.130.1 via fxp0
#ipfw add divert 8668 ip from any to any src-ip 10.0.0.0/16 via fxp0
#ipfw add divert 8668 ip from any to me in recv fxp0

Configure your PF firewall to assign public IPs to your LAN Machine
--------------------------------------------------------------------------------------------------------

If you do not use ipfw + natd and you have the PF firewall, you must use PF's binat feature.

Edit the pf.conf file and add the following line:

# ------ pf.conf --------
binat pass on fxp0 inet from 10.0.0.2 to any -> 88.140.130.1
# ------

Then reload your pf rules (pfctl -f /etc/pf.conf).


fxp0 is the external interface of your FreeBSD router.
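
An added example, not part of the original article: the binat rule above carries the pass modifier, which makes translated packets skip the filter rules, so every port on 10.0.0.2 is reachable through 88.140.130.1. The variant below drops pass and filters explicitly; the macro names and the allowed ports (80 and 443) are assumptions chosen for illustration.

```pf
# ------ pf.conf (added example) --------
# Macros. The names and the port list are assumptions for this example.
ext_if    = "fxp0"
lan_host  = "10.0.0.2"
pub_ip    = "88.140.130.1"
tcp_ports = "{ 80, 443 }"

# Translation rules come before filter rules in pf.conf.
# The article's rule was:
#   binat pass on fxp0 inet from 10.0.0.2 to any -> 88.140.130.1
# Without "pass", matching packets are still checked by the filter rules below.
binat on $ext_if inet from $lan_host to any -> $pub_ip

# Filtering. Translation happens before filtering, so inbound packets
# addressed to $pub_ip already carry $lan_host as their destination here.
block in log on $ext_if all

# Outbound traffic from the router and the LAN, with state so that
# replies are allowed back in.
pass out on $ext_if inet all keep state

# Only the listed services on the statically mapped host are reachable
# from the Internet.
pass in on $ext_if inet proto tcp from any to $lan_host port $tcp_ports flags S/SA keep state
# ------
```

Check the syntax with pfctl -nf /etc/pf.conf before reloading, and confirm the loaded translation and filter rules with pfctl -sn and pfctl -sr.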

