From: John Nielsen <lists@jnielsen.net>
Subject: Re: When to use and not use divert/natd ...
Date: Mon, 8 Sep 2014 13:55:49 -0600
To: John Case
Cc: freebsd-net@freebsd.org
Message-Id: <366D397B-4521-4E5B-8AB0-2E218192C2AD@jnielsen.net>
List-Id: Networking and TCP/IP with FreeBSD

On Sep 5, 2014, at 9:15 PM, John Case wrote:

> For many years I would build FreeBSD firewalls and they would be very, very simple - I just set gateway_enable="yes" in rc.conf and everything just worked.
>
> However, these firewalls *always* had real, routable IPs on both sides. Both interfaces had real, routable IPs.
>
> Now I have a firewall that has two non-routable IPs for its interfaces, and is connected to an internet router with the real IP. When I try to build a very simple firewall it does not work, and I am forced to use ipdivert and natd.
>
> If I use ipdivert and natd, it works just fine.
>
> So, am I correct that I can create a simple gateway without natd/divert as long as both interfaces are real IPs, but if both interfaces are non-routable IPs, I am forced to use divert/natd?

Just think about the 'routing' aspect. In your current scenario it sounds like the Internet-connected device is doing NAT. It knows about its public IP and its private subnet. It sounds like you have a second private subnet behind your FreeBSD machine about which the Internet-connected device knows nothing. For packets to get from the Internet-connected device to your second subnet one of two things needs to happen:

1) The Internet-connected device has a static route to the second subnet (so it knows to use your FreeBSD machine as the gateway), or

2) The FreeBSD machine performs NAT (a second time), so the Internet-connected device sends traffic to it even though it knows nothing about the subnet behind it.

I would prefer 1) as it's simpler and double-NAT isn't generally a good thing. However, if you don't have a way to add a route to the Internet-connected device then 2) isn't necessarily bad.

In your previous all-routable-IPs setups something was presumably advertising the route for you. The new setup isn't much different in principle.

JN

PS: Using the in-kernel NAT with IPFW is simpler and more efficient than using natd...
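The two ways of doing option 2 on the FreeBSD box, as an added example that is not from the thread: the divert/natd setup the original poster ended up with, next to the in-kernel IPFW NAT the PS recommends. Interface names (em0/em1), the 10.10.1.0/24 subnet and the 192.168.1.2 address are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not part of the thread: the FreeBSD box NATs its second
# private subnet (option 2 in the reply) either with natd over a divert
# socket or with IPFW's in-kernel NAT. Interface names and addresses are
# assumed. gateway_enable="YES" (IP forwarding) is still needed in rc.conf,
# exactly as in the poster's earlier all-routable setups.
ext_if="em0"               # faces the Internet-connected router
int_if="em1"               # faces the second private subnet
int_net="10.10.1.0/24"     # assumed second private subnet

# Run the real ipfw on FreeBSD; anywhere else just print the rules (dry run).
fwcmd="/sbin/ipfw"
[ -x "$fwcmd" ] || fwcmd="echo ipfw"

# Option 2a: natd + divert. Needs the natd daemon on the outside interface
# (rc.conf: natd_enable="YES", natd_interface="em0"); every packet crossing
# em0 is copied out to userland and back through the divert socket.
nat_with_natd() {
    $fwcmd -q -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 divert natd ip4 from any to any via "$ext_if"
    $fwcmd add 300 allow ip from any to any via "$int_if"   # inside leg; real policy goes here
}

# Option 2b: in-kernel NAT (ipfw_nat / libalias). No daemon, no divert socket;
# with the default net.inet.ip.fw.one_pass=1 a packet is accepted as soon as
# the nat rule has translated it. rc.conf equivalent: firewall_nat_enable="YES",
# firewall_nat_interface="em0".
nat_in_kernel() {
    $fwcmd -q -f flush
    # unreg_only: translate only packets from private (RFC 1918) sources;
    # same_ports: keep source ports where possible; reset: clear the
    # translation table if the outside address changes.
    $fwcmd nat 1 config if "$ext_if" same_ports unreg_only reset
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 nat 1 ip4 from any to any via "$ext_if"
    $fwcmd add 300 allow ip from any to any via "$int_if"   # inside leg; real policy goes here
}

# Option 1 from the reply needs no NAT on this box at all: on the
# Internet-connected router, point $int_net at the FreeBSD box's address on
# its outside link, e.g. (if that router ran FreeBSD):
#   route add -net 10.10.1.0/24 192.168.1.2

case "${1:-kernel}" in
    natd) nat_with_natd ;;
    *)    nat_in_kernel ;;
esac
```

Run it with `natd` as the first argument to get the divert variant; with no argument it loads the in-kernel NAT rules.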