From: Travis Garrison <travis@netviscom.com>
To: freebsd-ipfw@freebsd.org
Date: Tue, 9 Feb 2016 16:41:22 -0500 (EST)
Subject: ipnat configuration
Message-ID: <2063391521.585875.1455054082796.JavaMail.zimbra@netviscom.com>
List-Id: IPFW Technical Discussions

I am working on an ipnat configuration to replace our aging Cisco FWSM. We have several private IP subnets that we would like to map to several public ranges. There are more private ranges, so we would actually be doing a PAT. The question is how to configure the public IP ranges so that we can use all of them in a big pool.

Currently our Cisco does a 1-to-1 NAT until it runs out of addresses and then fills the rest through a single PAT IP address. We would like to do a round-robin PAT and only PAT a handful of addresses per public IP address. Do we need to use ippools for our setup?

I am thinking of something like this:

ippool - public side
    64.x.x.0/23
    69.x.x.0/24

ipnat
    map em0 172.20.30.0/24 -> ippoolpublic
    map em0 172.20.31.0/24 -> ippoolpublic
    map em0 172.20.32.0/24 -> ippoolpublic
    map em0 172.20.33.0/24 -> ippoolpublic
    map em0 172.20.34.0/24 -> ippoolpublic
    map em0 172.20.35.0/24 -> ippoolpublic
    map em0 172.20.36.0/24 -> ippoolpublic
    map em0 172.20.37.0/24 -> ippoolpublic
    map em0 172.20.38.0/24 -> ippoolpublic

Thank you
Travis Garrison