Date:      Wed, 12 Sep 2012 12:13:50 +0300
From:      Oleg Tarasov <adpacifyer@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   IPFW NAT instances sharing same aliasing table problem
Message-ID:  <CAA3OJXn8cUtBN%2BmyuTktQfixy3RBq5hz8YPV0TDOg04NTZ1UjQ@mail.gmail.com>

Hi all,

I have a network with two gateways. GW1 is the primary gateway and GW2 is
the secondary.
I need to be able to map a GW2 port to a service inside of my network. That
is done using the redirect_port NAT directive, but the problem is that all
computers inside the network have a default gateway pointing to GW1, so the
returning packets are routed through GW1 and the goal is not achieved.

So the solution to this situation is a second NAT instance on GW2
masquerading the sender IP address with the internal address of GW2.

Here is the picture.


Internet
     |
     |
     | em0 (a.b.c.d)
 GW2
     | em1 (192.168.0.2)
     |
     |
     | 192.168.0.111
Service


So basically what comes to mind:

# nat 1: public side, forward port 80 to the internal service
ipfw nat 1 config ip a.b.c.d redirect_port 192.168.0.111:80 80
# nat 2: internal side, masquerade the sender behind GW2's LAN address
ipfw nat 2 config ip 192.168.0.2

...
ipfw add 300 nat 1 all from any to any via em0
ipfw add 301 nat 2 all from any to 192.168.0.111 80 out via em1
ipfw add 302 nat 2 all from 192.168.0.111 80 to me in via em1
...

I have given an example (which will probably not work) just to give a basic
idea of how the goal can be achieved.

But here we meet something unexpected. When the packets are passed to nat 2
they probably meet an already existing entry formed by nat 1 and no actual
action is performed.
I have been struggling against a wall to make this work but could not get
it working this way.
But one day I tried replacing the nat 2 instance with a natd daemon divert and
everything instantly started working.
So it seems ipfw nat instances share the same aliasing table, as they should
do when using the global option.

IMO this should be fixed.

P.S. Maybe I was missing some unclear option to prevent this from happening?
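The two-stage translation the mail describes, as an added example that is not part of the original post or of ipfw itself: a small Python model in which nat 1 (redirect_port on the public side) and nat 2 (source masquerade toward the service) each keep their own alias table, which is the behaviour the poster expects from non-global instances. The addresses and ports are the ones from the mail; the client address 203.0.113.7:51234 and the alias port range starting at 40000 are constructed. The model also shows the request as the service would see it with nat 2 left out, which is the asymmetric-routing case the mail starts from.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatInstance:
    """A simplified per-instance alias table (assumption: each ipfw nat
    instance keeps its own table, as the poster expects).

    sessions: (alias_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    """

    def __init__(self, name, alias_ip, redirect_port=None):
        self.name = name
        self.alias_ip = alias_ip
        self.redirect_port = redirect_port or {}   # {alias_port: (inside_ip, inside_port)}
        self.sessions = {}
        self._next_port = 40000                    # constructed alias port range

    def inbound(self, p):
        """Packet arriving from the outside of this instance: undo an existing
        session, or apply a redirect_port rule and record it."""
        if p.dst != self.alias_ip:
            return p
        key = (p.dport, p.src, p.sport)
        if key not in self.sessions and p.dport in self.redirect_port:
            self.sessions[key] = self.redirect_port[p.dport]
        inside = self.sessions.get(key)
        if inside is None:
            return p
        return replace(p, dst=inside[0], dport=inside[1])

    def outbound(self, p):
        """Packet leaving toward the outside: reuse a session's alias port if
        one matches, otherwise allocate a fresh one."""
        for (aport, rip, rport), inside in self.sessions.items():
            if inside == (p.src, p.sport) and (rip, rport) == (p.dst, p.dport):
                return replace(p, src=self.alias_ip, sport=aport)
        aport = self._next_port
        self._next_port += 1
        self.sessions[(aport, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.alias_ip, sport=aport)


def request_path(nat1, nat2, client_pkt):
    """In via em0 (rule 300, nat 1) then out via em1 (rule 301, nat 2)."""
    p = nat1.inbound(client_pkt)
    return nat2.outbound(p)


def reply_path(nat1, nat2, service_pkt):
    """In via em1 (rule 302, nat 2) then out via em0 (rule 300, nat 1)."""
    p = nat2.inbound(service_pkt)
    return nat1.outbound(p)


def run_exchange(client="203.0.113.7", cport=51234):
    """Full request/reply through both instances. Because the service sees
    GW2's LAN address as the source, its reply is routed straight back to
    GW2 instead of following the default route to GW1."""
    nat1 = NatInstance("nat 1", "a.b.c.d", {80: ("192.168.0.111", 80)})
    nat2 = NatInstance("nat 2", "192.168.0.2")
    req = request_path(nat1, nat2, Packet(client, cport, "a.b.c.d", 80))
    # the service answers to whatever it saw as the source of the request
    reply = reply_path(nat1, nat2, Packet(req.dst, req.dport, req.src, req.sport))
    return req, reply


def request_without_nat2(client="203.0.113.7", cport=51234):
    """The same request with only nat 1: the service sees the real client
    address, so its reply leaves via GW1 and nat 1 on GW2 never sees it."""
    nat1 = NatInstance("nat 1", "a.b.c.d", {80: ("192.168.0.111", 80)})
    return nat1.inbound(Packet(client, cport, "a.b.c.d", 80))


if __name__ == "__main__":
    req, reply = run_exchange()
    print("service sees:", req)
    print("client gets :", reply)
    print("without nat 2, service sees:", request_without_nat2())
```

The model deliberately keeps the two tables separate; if the instances really did share one table, nat 2's outbound lookup would find nat 1's redirect session and could return the packet unchanged, which is the symptom the mail reports.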
