37. IP Network Address Translation
37.1.  1)Loading the Kernel Module
37.2.  2) Setting up the NAT Rules
37.3.  3) Loading the NAT Rules:
37.4.  4)Enable Routing between interfaces.
37.5.  5) Static Routes to Subnet Ranges
37.6.  6) Make sure that you have your interfaces configured.

After you have installed IpFilter: You will need to change three files:




This was tested using ipfilter 3.1.4 and FreeBSD 2.1.6-RELEASE

37.1.   1)Loading the Kernel Module

If you are using a Kernel Loadable Module you need to edit your /etc/rc.local file and load the module at boot time.

use the line: modload /lkm/if_ipl.o

If you are not loading a kernel module, skip this step.

37.2.   2) Setting up the NAT Rules

Make a file called /etc/natrules put in the rules that you need for your system. If you want to use the whole 10 Network. Try:

map fxp0 -> portmap tcp/udp 10000:65000

Here is an explanation of each part of the command:

map starts the command.

fxp0 is the interface with the real internet address. is the subnet you want to use.

/8 is the subnet mask. ie is the real IP address that you use.

/32 is the subnet mask, ie only use this IP address.

portmap tcp/udp 10000:65000

tells it to use the ports to redirect the tcp/udp calls through The one line should work for the whole network.

37.3.   3) Loading the NAT Rules:

The NAT Rules will need to be loaded every time the computer reboots. In your /etc/rc.local put the line: ipnat -f /etc/natrules

To check and see if it is loaded, as root type: ipnat -ls

37.4.   4)Enable Routing between interfaces.

Tell the kernel to route these addresses. In the /etc/rc.conf put the line:


Or configure it by had by putting this line in the /etc/rc.local file :

sysctl -w net.inet.ip.forwarding=1

37.5.   5) Static Routes to Subnet Ranges

Now you have to add a static routes for the subnet ranges. Edit your /etc/rc.conf, or on an older system, your /etc/sysconfig to add them at bootup.

static_routes="foo" route_foo=" -netmask 0xf0000000 -interface"

37.6.   6) Make sure that you have your interfaces configured.

I have two Intel Ether Express Pro B cards. One is on The other is on You need to configure these in the /etc/sysconfig

network_interfaces="fxp0 fxp1"
ifconfig_fxp0="inet netmask"
ifconfig_fxp1="inet netmask"

When using ftp from a client computer on the virtual network, you will need to use passive mode. Otherwise, it will time out trying to get a directory listing.