From: Jerahmy Pocott
Date: Wed, 28 Nov 2007 02:06:42 +1100
To: Ted Mittelstaedt
Cc: FreeBSD Questions
Subject: Re: Difficulties establishing VPN tunnel with IPNAT
Message-Id: <219A86D3-597D-4369-A0DA-5D1F14D80D43@optusnet.com.au>

On 27/11/2007, at 5:49 PM, Ted Mittelstaedt wrote:

>> -----Original Message-----
>> From: Jerahmy Pocott [mailto:quakenet1@optusnet.com.au]
>> Sent: Sunday, November 25, 2007 4:48 AM
>> To: Ted Mittelstaedt
>> Cc: FreeBSD Questions
>> Subject: Re: Difficulties establishing VPN tunnel with IPNAT
>>
>>
>> Perhaps, but I've heard a lot of good things about IPF and IPNAT,
>> especially since the NAT is all in kernel whereas natd is userland, so
>> there is a slight performance boost possibly there as well..
>>
>
> I will address this one point here since it's enough to make
> someone scream, it's such an old chestnut.
>
> natd is always criticized because going to userland is slow. So,
> people who have slowness problems think that is the issue.
>
> In reality, the problem is that the DEFAULT setup and man page
> examples for natd use the following ipfw divert rule:
>
> /sbin/ipfw -f flush
> /sbin/ipfw add divert natd all from any to any via ed0
> /sbin/ipfw add pass all from any to any
>
> This produces a rule such as the following:
>
> 00050 divert 8668 ip from any to any via de0
>
> The problem though, is this is wrong. What it is doing is that
> ALL traffic that comes into and out of the box - no matter what
> the source and destination is - will be passed to the natd translator.
>
> What you SHOULD be using is a set of commands such as:
>
> ipfw add divert natd ip from any to [outside IP address] in recv [outside interface]
> ipfw add divert natd ip from not [outside IP address] to any out recv [inside interface] xmit [outside interface]

That does make a lot of sense! However, the 2nd rule is slightly
confusing me.. Shouldn't it be something like:

divert natd ip from [internal net range] to any out via [outside if]?

Cheers,
J.
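The narrowed divert rules Ted describes, and the inside-net variant Jerahmy asks about, side by side with the broad default, as an added example that is not part of the thread. It is a small rc-style helper: the functions only print rule text, so it can be run and checked anywhere; ipfw is invoked only when APPLY=1 is set. The interface names (de0, fxp0), the outside address 192.0.2.1 and the inside net 10.0.0.0/24 are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds the ipfw divert
# rules for natd so that only traffic that actually crosses the NAT
# boundary is handed to the userland translator.
#
# Placeholders (assumptions, replace with your own):
#   EXT_IF=de0  INT_IF=fxp0  EXT_IP=192.0.2.1  INSIDE_NET=10.0.0.0/24

# The man-page default: every packet in either direction on the outside
# interface is diverted, including traffic that needs no translation.
default_divert_rule() {
    printf 'divert natd ip from any to any via %s\n' "$1"
}

# Ted's narrowed pair, parameterised on (ext_if, int_if, ext_ip).
# Inbound: only packets arriving on the outside interface and addressed to
# the outside IP can carry a translated session, so only those are diverted.
# Outbound: only packets forwarded from the inside interface and leaving on
# the outside interface (and not already sourced from the outside IP) need
# translation. Packets the router itself originates have no receive
# interface, so "recv $int_if" never matches them.
natd_divert_rules() {
    ext_if=$1; int_if=$2; ext_ip=$3
    printf 'divert natd ip from any to %s in recv %s\n' "$ext_ip" "$ext_if"
    printf 'divert natd ip from not %s to any out recv %s xmit %s\n' \
        "$ext_ip" "$int_if" "$ext_if"
}

# The variant from the reply: select outbound packets by inside source
# range instead of by receive interface. This also catches packets the
# router originates from an inside address (no recv interface), which the
# recv/xmit form deliberately leaves untranslated.
natd_divert_rules_by_net() {
    ext_if=$1; ext_ip=$2; inside_net=$3
    printf 'divert natd ip from any to %s in recv %s\n' "$ext_ip" "$ext_if"
    printf 'divert natd ip from %s to any out via %s\n' "$inside_net" "$ext_if"
}

# Load a rule set into ipfw. Divert rules must precede the final pass rule,
# as in the man-page ordering Ted quotes. Rule text is fed word by word,
# so the unquoted expansion of $rule is intentional.
apply_rules() {
    "$@" | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        ipfw -q add $rule
    done
    ipfw -q add pass ip from any to any
}

EXT_IF=${EXT_IF:-de0}
INT_IF=${INT_IF:-fxp0}
EXT_IP=${EXT_IP:-192.0.2.1}

if [ "${APPLY:-0}" = 1 ]; then
    ipfw -q -f flush
    apply_rules natd_divert_rules "$EXT_IF" "$INT_IF" "$EXT_IP"
else
    echo "# default (broad):"
    default_divert_rule "$EXT_IF"
    echo "# narrowed (recv/xmit form):"
    natd_divert_rules "$EXT_IF" "$INT_IF" "$EXT_IP"
fi
```

Run it with no arguments to see the generated rules; set APPLY=1 (and the real EXT_IF/INT_IF/EXT_IP) on a FreeBSD router to load them. Whichever outbound form is chosen, check with `ipfw show` that the divert rules sit above the pass rule and that their packet counters grow only for NAT-crossing traffic; traffic between the router and inside hosts should leave them untouched.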