On Wed, Nov 13, 2019 at 4:13 PM Morgan Wesström < freebsd-datab...@pp.dyndns.biz> wrote:
> > iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
>
> As I understand iptables, this is the normal/only way to provide NAT for
> any subnet.
>
> > One of the comments in another tutorial I was reading says that the
> > MASQUERADE rule is resource intensive, but if I understand it correctly,
> > the only alternative would be to put a specific rule in place for each
> > client. I don't think I want to do that
>
> I wonder what their reference was. When you're using iptables you only
> have MASQUERADE to choose from. Even my 20 year old Netgear RT-314 did
> NAT without problems...
>

See my follow-up message. It's the SNAT directive. The tutorial I was looking at was https://www.karlrupp.net/en/computer/nat_tutorial

> > Comments?
>
> Well, I am concerned we couldn't identify what mechanism was responsible
> for the already working NAT for 192.168.1.0/24. We wouldn't want to end
> up with two competing mechanisms activated at the same time and the rule
> you added will provide NAT for 10.8.0.0/24 as well as 192.168.1.0/24 -
> the latter which was already working.
>

True enough.

> There should be init scripts on that router to start all services. Maybe
> they can give a clue on what's going on and how Netgear chooses to
> activate their services.
>

This thing seems to have a very convoluted startup. Not at all like most Linux systems I've seen. The file I found where they had added some rules was definitely not where I expected it to be, and there are no MASQUERADE commands in it.

>
> Whatever you do, just verify that the router's admin interface is not
> accessible from the Internet after you've added your rules!
>

Definitely. I assume the way to test that would be to attempt to access my router from the outside the same way I would when I log in from the inside.

Phil

> /Morgan
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
>
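
The concern raised in the thread, that an interface-wide MASQUERADE rule also covers a subnet some other rule already translates, can be checked offline against `iptables-save -t nat` output. The following is an added example, not part of the original message; the sample dump, the SNAT rule and the address 203.0.113.7 are constructed, and negated matches (`! -s`) are not handled.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output; not taken from the
# router discussed in the thread. iptables-save prints the short option
# forms (-s, -o, -j) regardless of how the rule was originally entered.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.7
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

NAT_TARGETS = {"MASQUERADE", "SNAT"}


def postrouting_nat_rules(dump):
    """Return (source_network, out_interface, target) per source-NAT rule."""
    rules = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "POSTROUTING"] or "-j" not in tok[:-1]:
            continue
        target = tok[tok.index("-j") + 1]
        if target not in NAT_TARGETS:
            continue
        # A rule without -s matches every source; without -o, every interface.
        src = tok[tok.index("-s") + 1] if "-s" in tok[:-1] else "0.0.0.0/0"
        out = tok[tok.index("-o") + 1] if "-o" in tok[:-1] else None
        rules.append((ipaddress.ip_network(src, strict=False), out, target))
    return rules


def rules_covering(dump, subnet, out_if):
    """List (source, target) of NAT rules that translate `subnet` on `out_if`.

    More than one entry means two mechanisms claim the same traffic; the
    first matching rule in the chain is the one that takes effect.
    """
    net = ipaddress.ip_network(subnet)
    return [(str(src), target)
            for src, out, target in postrouting_nat_rules(dump)
            if out in (None, out_if) and net.subnet_of(src)]


if __name__ == "__main__":
    for subnet in ("192.168.1.0/24", "10.8.0.0/24"):
        print(subnet, rules_covering(SAMPLE, subnet, "eth0"))
```
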