From owner-freebsd-net@FreeBSD.ORG Wed Sep 12 09:13:51 2012
From: Oleg Tarasov
To: freebsd-net@freebsd.org
Date: Wed, 12 Sep 2012 12:13:50 +0300
Subject: IPFW NAT instances sharing same aliasing table problem
List-Id: Networking and TCP/IP with FreeBSD

Hi all,

I have a network with two gateways. GW1 is the primary gateway and GW2 is
secondary. I need to be able to map a GW2 port to a service inside of my
network.

That is done using the redirect_port NAT directive, but the problem is that
all computers inside the network have a default gateway pointing to GW1, so
returning packets are routed through GW1 and the goal is not achieved. So
the solution to this situation is a second NAT instance on GW2 masquerading
the sender IP address with the internal address of GW2. Here is the picture.

        Internet
           |
           |
           |
      em0 (a.b.c.d)
          GW2
           |
      em1 (192.168.0.2)
           |
           |
           |
      192.168.0.111
        Service

So basically, what comes to mind:

    ipfw nat 1 config ip a.b.c.d redirect_port 192.168.0.111:80 80
    ipfw nat 2 config ip 192.168.0.2
    ...
    ipfw add 300 nat 1 all from any to any via em0
    ipfw add 301 nat 2 all from any to 192.168.0.111 80 out via em1
    ipfw add 302 nat 2 all from 192.168.0.111 80 to me in via em1
    ...

I have given an example (which will probably not work) just to give a basic
idea of how the goal can be achieved. But here we meet something unexpected.
When the packets are passed to nat 2 they probably meet an already existing
entry formed by nat 1, and no actual action is performed. I have been
struggling against a wall to make this work but could not get it working
this way. But one day I tried replacing the nat 2 instance with a natd
daemon divert and everything instantly started working.

So it seems ipfw nat instances share the same aliasing table, like they
should do when using the global option. IMO this should be fixed.

P.S. Maybe I was missing some unclear option to prevent this from happening?
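The following is an added example, not part of the post above and not FreeBSD or libalias code. It models the packet path the post describes (external client, GW2 with nat 1 doing redirect_port and nat 2 masquerading toward the LAN, the service replying via its default route) and runs it three ways: nat 1 alone, both instances with separate aliasing tables, and both instances reading one shared table, which is the behaviour the post suspects. The `Packet` and `NatInstance` types, `run_scenario`, the client address (203.0.113.5, RFC 5737 range), the masquerade port allocator and the "already-known flow is left alone" rule are all constructed assumptions of this model, written to illustrate the post's hypothesis rather than to reproduce libalias internals.

```python
"""Added example: model of the two-gateway double-NAT path from the post.
Packet, NatInstance, run_scenario and the client address are constructed
for this example; the shared-table rule models the post's hypothesis."""
from dataclasses import dataclass
from typing import Optional

GW2_WAN = "a.b.c.d"         # em0 of GW2, placeholder address kept from the post
GW2_LAN = "192.168.0.2"     # em1 of GW2 (from the post)
SERVICE = "192.168.0.111"   # internal HTTP service (from the post)
CLIENT = "203.0.113.5"      # external client, constructed (RFC 5737 range)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


def reverse(p: Packet) -> Packet:
    """The reply an endpoint would send to packet p."""
    return Packet(p.dst, p.dport, p.src, p.sport)


class NatInstance:
    """Model of one 'ipfw nat N' instance. `table` is its aliasing table;
    passing the same dict to two instances models a shared table."""

    def __init__(self, name: str, alias: str, table: Optional[dict] = None):
        self.name = name
        self.alias = alias            # 'ipfw nat N config ip <alias>'
        self.redirects = {}           # dport -> (internal_ip, port), i.e. redirect_port
        self.table = {} if table is None else table
        self.next_port = 40000        # constructed source-port allocator for masquerading

    def add_link(self, before: Packet, after: Packet) -> None:
        self.table[before.key()] = after                    # forward rewrite
        self.table[reverse(after).key()] = reverse(before)  # reply rewrite
        # Modelled hypothesis: the translated flow and the final reply form are
        # "already handled"; an instance seeing them leaves the packet alone.
        self.table[after.key()] = None
        self.table[reverse(before).key()] = None

    def translate(self, p: Packet, direction: str) -> Packet:
        if p.key() in self.table:
            hit = self.table[p.key()]
            return p if hit is None else hit
        if direction == "in" and p.dport in self.redirects:
            ip, port = self.redirects[p.dport]
            out = Packet(p.src, p.sport, ip, port)                   # redirect_port
        elif direction == "out":
            out = Packet(self.alias, self.next_port, p.dst, p.dport)  # masquerade source
            self.next_port += 1
        else:
            return p
        self.add_link(p, out)
        return out


def next_hop_from_service(reply: Packet) -> str:
    """Routing on the service host: GW2's LAN address is on-link, anything
    else goes to the default gateway GW1 (the asymmetry the post describes)."""
    return "GW2" if reply.dst == GW2_LAN else "GW1"


def run_scenario(shared_table: bool, use_nat2: bool = True) -> dict:
    tbl = {} if shared_table else None            # one dict for both, or one each
    nat1 = NatInstance("nat 1", GW2_WAN, tbl)
    nat1.redirects[80] = (SERVICE, 80)            # redirect_port 192.168.0.111:80 80
    nat2 = NatInstance("nat 2", GW2_LAN, tbl)

    request = Packet(CLIENT, 51234, GW2_WAN, 80)
    p = nat1.translate(request, "in")             # rule 300, in via em0
    if use_nat2:
        p = nat2.translate(p, "out")              # rule 301, out via em1
    delivered = p                                 # what the service receives

    reply = reverse(delivered)                    # the service answers whoever it saw
    hop = next_hop_from_service(reply)
    if hop != "GW2":                              # reply leaves via GW1: lost to this flow
        return {"delivered": delivered, "reply_via": hop, "client_sees": None}
    r = nat2.translate(reply, "in") if use_nat2 else reply   # rule 302, in via em1
    r = nat1.translate(r, "out")                             # rule 300, out via em0
    return {"delivered": delivered, "reply_via": hop, "client_sees": r}


if __name__ == "__main__":
    for label, kw in [("nat 1 only", dict(shared_table=False, use_nat2=False)),
                      ("separate tables", dict(shared_table=False)),
                      ("shared table", dict(shared_table=True))]:
        print(f"{label:16s} {run_scenario(**kw)}")
```

With separate tables the service sees the request from 192.168.0.2, replies on-link to GW2, and nat 2 then nat 1 unwind the two rewrites so the client receives a reply from a.b.c.d:80. With one shared table, nat 2 finds the flow that nat 1 just created, performs no rewrite, and the reply takes the default route through GW1 exactly as in the nat-1-only case.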