From owner-freebsd-net@FreeBSD.ORG  Sun Jul  7 01:29:22 2013
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 53128B89
 for <freebsd-net@freebsd.org>; Sun,  7 Jul 2013 01:29:22 +0000 (UTC)
 (envelope-from list_freebsd@bluerosetech.com)
Received: from yoshi.bluerosetech.com (yoshi.bluerosetech.com
 [IPv6:2607:f2f8:a450::66])
 by mx1.freebsd.org (Postfix) with ESMTP id 349151C0F
 for <freebsd-net@freebsd.org>; Sun,  7 Jul 2013 01:29:22 +0000 (UTC)
Received: from chombo.houseloki.net
 (montesse-2-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:19b9::2])
 by yoshi.bluerosetech.com (Postfix) with ESMTPSA id 1D5EAE606E;
 Sat,  6 Jul 2013 18:29:21 -0700 (PDT)
Received: from [IPv6:fc00:970::e8c0:c3d5:508d:b926] (unknown
 [IPv6:fc00:970::e8c0:c3d5:508d:b926])
 by chombo.houseloki.net (Postfix) with ESMTPSA id 424FD9B;
 Sat,  6 Jul 2013 18:29:19 -0700 (PDT)
Message-ID: <51D8C472.9050103@bluerosetech.com>
Date: Sat, 06 Jul 2013 18:29:22 -0700
From: Darren Pilgrim <list_freebsd@bluerosetech.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
 rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Sami Halabi <sodynet1@gmail.com>
Subject: Re: DNAT in freebsd
References: <CAEW+ogYp61U2zjicksYekSdfmLLZh5g9QM3GUg4n16ZbudVZtg@mail.gmail.com>
 <20130629002959.GB20376@nat.myhome>
 <CAEW+ogZ=a6LZavOtcb_egNWFQ8bJP0gzP6pc90tu1dcWC9K80A@mail.gmail.com>
 <51D006F6.6060809@grosbein.net>
 <CAEW+ogbx15KiayBHFJ7T1YVGQ2pwm1ArQaSrjUk6XUOBgVPggA@mail.gmail.com>
 <51D04FA8.8080900@grosbein.net>
 <CAEW+ogZQ1bHOBNvxkLqnFRrR_b4=e+Yx9wUjWC8YYr__QsBe3w@mail.gmail.com>
 <CAEW+ogZmd4Rz7OgTKV-k=tnSLgG0Y0-4XO+xuELznsgVo0XZ+A@mail.gmail.com>
 <51D14930.1060502@grosbein.net>
 <CAEW+ogYW9YWZr6TnzqZ+Hv_e_fFo-MKW1hTdWfw7w=qaCFw3Yg@mail.gmail.com>
 <51D15D06.9030300@grosbein.net>
 <CAEW+ogZB9m+5FLyB2NXFbp=uSpvCq6fn4SPVZe2W58yQ-S_z4w@mail.gmail.com>
 <CAEW+ogYef6esFDkxRefht1z==zdr5bsYv6S-FPgTyZ36GPR_Mg@mail.gmail.com>
 <51D390CA.5020803@freebsd.org> <51D3A1A0.8090904@freebsd.org>
 <51D3A35C.8070305@freebsd.org>
 <CAEW+ogY8A3javUR=g5pP5iqa3yYfEToHuRg0J-ihnV8EV2U9SA@mail.gmail.com>
In-Reply-To: <CAEW+ogY8A3javUR=g5pP5iqa3yYfEToHuRg0J-ihnV8EV2U9SA@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-net@freebsd.org
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Jul 2013 01:29:22 -0000

On 7/3/2013 4:06 AM, Sami Halabi wrote:
> Hi Julian,
>
> I appreciate your willing to help me.
>
> My Situation in short is:
>
> ----------- [a]     ------------------------- [b] -------------
> internet B |---BGP---|84.xx.yy.1  192.168.0.1|-----|192.168.0.2/24
> 193.xx.yy.2|         |Aem1   Cem3      D  em0|  |  | neighbour
> -----------         -------------------------   | --------------
>      |                         |                 |
>     [Q]                        |                 |
>                          your networks        private network
>
> I Have control only over the middle machine, so i cant establish a tunnel.
> So I want it to act as MAN IN THE MIDDLE/ proxy.
> every packet comes from private network to 192.168.0.1 ie:
> packet hdr: src: 192.168.0.2 dst 192.168.0.1
> should be translated as:
> packet hdr: src: 84.xx.yy.1 dst 193.xx.yy.2
> ports and data untouched.
>
> and every packet from 193.xx.yy.2 (incoming/setup...) as:
> packet hdr: src: 193.xx.yy.2 dst: 84.xx.yy.1
> to be translated as:
> packet hdr: src: 192.168.0.1 dst 192.168.0.2
>
> btw: any other packet from src other than 193.xx.yy.2  to dst 84.xx.yy.1
> should be dropped.

I believe this will work:

binat on em1 from 193.xx.yy.2 to 84.xx.yy.1 -> 192.168.0.1 \
   static-port tag netA
binat on em0 from 192.168.0.2 to 192.168.0.1 -> 84.xx.yy.1 \
   static-port tag netB

redir from any to 84.xx.yy.1 -> 192.168.0.2 tagged netA
redir from any to 192.168.0.1 -> 193.xx.yy.2 tagged netB