How to Configure NAT (Network Address Translation) on FreeBSD Operating System

by İbrahim Korucuoğlu ( @siberoloji) | Monday, March 17, 2025

Categories:

Unix

6 minute read

Network Address Translation (NAT) is a fundamental networking technique used to modify network address information in packet headers while in transit across a traffic routing device. NAT is commonly used to enable multiple devices on a local network to access the internet using a single public IP address. This is particularly useful in scenarios where the number of available public IP addresses is limited.

FreeBSD, a powerful and versatile Unix-like operating system, provides robust support for NAT configuration. This article will guide you through the process of configuring NAT on a FreeBSD system, covering the necessary steps, tools, and best practices.

Understanding NAT

Before diving into the configuration, it’s essential to understand the basic concepts of NAT:

Static NAT: Maps a single private IP address to a single public IP address. This is typically used when a specific internal device needs to be accessible from the outside world.
Dynamic NAT: Maps a private IP address to a public IP address from a pool of available public IP addresses. This is useful when multiple devices need to access the internet, but not simultaneously.
PAT (Port Address Translation): Also known as NAT Overload, PAT allows multiple devices on a local network to be mapped to a single public IP address but with a different port number. This is the most common form of NAT used in home routers.

In this guide, we will focus on configuring PAT, as it is the most commonly used form of NAT.

Prerequisites

Before configuring NAT on FreeBSD, ensure that you have the following:

A FreeBSD System: This guide assumes you have a working FreeBSD installation. The version used in this guide is FreeBSD 13.0, but the steps should be similar for other versions.
Root Access: You will need root or superuser privileges to configure NAT.
Network Interfaces: Ensure that your FreeBSD system has at least two network interfaces:
- WAN Interface: Connected to the internet (e.g., em0).
- LAN Interface: Connected to the local network (e.g., em1).
pf (Packet Filter): FreeBSD uses the pf firewall for NAT configuration. Ensure that pf is installed and enabled on your system.

Step 1: Enable Packet Filter (pf)

FreeBSD uses the pf firewall for NAT configuration. To enable pf, follow these steps:

Edit /etc/rc.conf: Open the /etc/rc.conf file in your preferred text editor (e.g., vi or nano):
```
sudo vi /etc/rc.conf
```
Add the following lines to enable pf and load the NAT rules at boot:
```
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
```
Create the /etc/pf.conf File: If the /etc/pf.conf file does not exist, create it:
```
sudo touch /etc/pf.conf
```
Start the pf Service: Start the pf service and enable it to start at boot:
```
sudo service pf start
```

Step 2: Configure NAT Rules in `/etc/pf.conf`

The /etc/pf.conf file contains the rules for the pf firewall, including NAT rules. Open the file for editing:

sudo vi /etc/pf.conf

Add the following NAT configuration to the file:

# Define network interfaces
ext_if = "em0"  # WAN interface
int_if = "em1"  # LAN interface

# Enable NAT
nat on $ext_if from $int_if:network to any -> ($ext_if)

Explanation of the NAT Rule

ext_if and int_if: These variables define the external (WAN) and internal (LAN) network interfaces, respectively. Replace em0 and em1 with the actual interface names on your system.
nat on $ext_if: This line enables NAT on the external interface.
from $int_if:network to any: This specifies that traffic originating from the internal network ($int_if:network) and destined for any external address (any) should be translated.
-> ($ext_if): This indicates that the source IP address of the outgoing packets should be replaced with the IP address of the external interface ($ext_if).

Step 3: Enable IP Forwarding

For NAT to work, IP forwarding must be enabled on the FreeBSD system. IP forwarding allows the system to route packets between network interfaces.

Edit /etc/rc.conf: Open the /etc/rc.conf file:
```
sudo vi /etc/rc.conf
```
Add the following line to enable IP forwarding:
```
gateway_enable="YES"
```
Enable IP Forwarding Immediately: To enable IP forwarding without rebooting, run the following command:
```
sudo sysctl net.inet.ip.forwarding=1
```

Step 4: Apply the NAT Configuration

After configuring the NAT rules and enabling IP forwarding, apply the changes by reloading the pf firewall:

sudo pfctl -f /etc/pf.conf

This command reloads the pf configuration from the /etc/pf.conf file.

Step 5: Verify the NAT Configuration

To ensure that NAT is working correctly, you can perform the following checks:

Check NAT Rules: Verify that the NAT rules are active by running:
```
sudo pfctl -s nat
```
This command displays the active NAT rules. You should see the NAT rule you configured in /etc/pf.conf.
Test Connectivity: From a device on the internal network, try accessing an external website (e.g., google.com). If NAT is working correctly, the device should be able to access the internet.
Check Logs: Review the pf logs to ensure that traffic is being processed correctly:
```
sudo tcpdump -i em0
```
Replace em0 with your external interface name. This command will display real-time traffic on the external interface.

Step 6: Additional Configuration (Optional)

Depending on your network requirements, you may need to configure additional settings:

Port Forwarding: If you need to forward specific ports to an internal device, you can add port forwarding rules to /etc/pf.conf. For example, to forward port 80 (HTTP) to an internal web server:
```
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 192.168.1.100 port 80
```
Replace 192.168.1.100 with the IP address of your internal web server.
Firewall Rules: You can add additional firewall rules to /etc/pf.conf to control traffic flow. For example, to allow SSH access from the internal network:
```
pass in on $int_if proto tcp from $int_if:network to any port 22
```
Logging: To log NAT traffic, you can add logging rules to /etc/pf.conf:
```
log (to pflog0) on $ext_if from $int_if:network to any
```

Conclusion

Configuring NAT on a FreeBSD system is a straightforward process that involves enabling the pf firewall, defining NAT rules, and enabling IP forwarding. By following the steps outlined in this guide, you can set up NAT to allow multiple devices on your local network to access the internet using a single public IP address.

FreeBSD’s pf firewall is a powerful tool that not only supports NAT but also provides advanced features such as port forwarding, traffic shaping, and logging. With a solid understanding of NAT and pf, you can create a secure and efficient network environment tailored to your specific needs.

Remember to test your configuration thoroughly and monitor the system logs to ensure that NAT is functioning as expected. With proper configuration and maintenance, your FreeBSD system will serve as a reliable gateway for your network.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

< How to Use `pfctl` to Manage Firewall Rules How to Monitor Bandwidth Usage with iftop on FreeBSD >