From: Artem Viklenko
To: freebsd-net@freebsd.org
Subject: ipfilter nat rewrite
Organization: Art&Co.
Date: Mon, 23 Dec 2019 18:47:50 +0200

Hi, All!

Sorry if this list is the wrong place for questions about IPFilter (I didn't find a more appropriate FreeBSD mailing list, and the one mentioned in some docs seems to be dead). But maybe someone can answer it or point me in the right direction.

I need to rewrite the source and destination IPs on packets sent via an ipsec interface. The ipnat part is OK. But after rewriting the packet I need the route entry for the rewritten destination IP to point to the desired ipsec interface.
Without this route entry the packet goes via the default route. Is there any way, using ipfilter, to force the packet to be sent via the desired interface? Or do I need to combine ipnat with some other firewall like pf (route-to) or ipfw (fwd)?

Thanks in advance!

--
Regards!