From: "Hanns Hartman" <hwhartman@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Thu, 28 Sep 2006 18:50:00 -0700
Subject: ip address of the local user is not nat'd to its alias
List-Id: IPFW Technical Discussions

Hi All,

I have read through a lot of the mailing list archives and have had no success with the following problem. I have a box that is functioning as a captive portal, aka think free wifi login at Starbucks or the like.

I have two interfaces, fxp0 and fxp1, that point to two different networks that have statically assigned IP addresses, and a third, fxp2, which is the internal network. (BTW, I am running FreeBSD 4.11 on this box.) I have two instances of natd running on the box, one assigned to each of the two external interfaces, with options -snu enabled, and each instance has its own port number.

So the problem is that when I try to send traffic via an ipfw divert rule out one of the interfaces, and I look at an Ethereal trace on the box of the webserver that is the destination I am trying to get to, the source IP address is not nat'd to the IP address of the interface that points to that network. So when the destination box tries to send a response, it doesn't know where to send the packets, since it's trying to send them to an IP on the internal network.

Do any of you have any idea why the source address of the initial [SYN] would be the internal network and not the IP address of the interface that is on that network? I enabled logging on natd, and I think it's working because whenever I try to connect to the website I see the natd stats in the log file increase in number.

Thanks in advance for the help,
Hanns

KERNEL_CONFIG
...
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_FORWARD
options IPDIVERT
options IPFW2

IPFW_rules
/sbin/ipfw add 500 set 2 divert natd2 ip from $clientip to any in
/sbin/ipfw add 600 set 2 allow ip from any to any in

natd starting
/sbin/natd -p natd -s -u -n fxp1 -P /var/run/natd_fxp1.pid
/sbin/natd -p natd2 -s -u -n fxp0 -P /var/run/natd2_fxp0.pid
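The posted ruleset diverts only packets arriving "in" on the internal side, so neither natd instance ever sees the outbound SYN on the external interface it was told to alias with -n. The following is an added example, not code from the post, showing a dry-run generator for a ruleset in which each natd instance is fed both directions of traffic on its own uplink and clients are steered to an uplink with fwd; interface names fxp0/fxp1/fxp2 and the natd/natd2 divert ports come from the post, while the client and gateway addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run generator for an ipfw
# ruleset where each natd instance sees BOTH directions on its own external
# interface.  Assumed (hypothetical) values: fxp0/fxp1 external, fxp2 internal,
# natd/natd2 as divert ports, gateways 198.51.100.1 (fxp0) and 203.0.113.1
# (fxp1), clients 192.0.2.10/.11.  Commands are echoed unless RUN=1.

IPFW="${IPFW:-/sbin/ipfw}"
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$@"; fi; }

# divert_both NUM PORT IFACE: "via IFACE" matches packets received on or sent
# through IFACE, so natd aliases the outbound SYN and de-aliases the reply.
divert_both() {
    run "$IPFW" add "$1" set 2 divert "$2" ip from any to any via "$3"
}

# route_client NUM CLIENT INT_IF GW: policy-route one client's packets, as
# they arrive on the internal interface, to the gateway of the chosen uplink.
# fwd requires IPFIREWALL_FORWARD, which the posted kernel config enables.
route_client() {
    run "$IPFW" add "$1" set 2 fwd "$4" ip from "$2" to any in recv "$3"
}

# Full ruleset: loopback, NAT on both uplinks, per-client steering, accept.
ruleset() {
    run "$IPFW" add 100 set 2 allow ip from any to any via lo0
    divert_both 500 natd  fxp1
    divert_both 510 natd2 fxp0
    route_client 600 192.0.2.10 fxp2 198.51.100.1   # client A leaves via fxp0
    route_client 610 192.0.2.11 fxp2 203.0.113.1    # client B leaves via fxp1
    run "$IPFW" add 700 set 2 allow ip from any to any
}

ruleset
```

Run it without RUN=1 first and compare the echoed rules against `ipfw show`; the reply to an aliased SYN is only de-aliased if the divert rule on the uplink matches the inbound direction as well, which is what `via` provides.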