Message-ID: <46F68B1C.6020303@chdevelopment.se>
Date: Sun, 23 Sep 2007 17:49:48 +0200
From: Christer Hermansson
To: freebsd-net@freebsd.org
Cc: randy@psg.com
Subject: Re: nat and ipfw - divert or builtin
References: <46F5FF0A.7030203@psg.com>
In-Reply-To: <46F5FF0A.7030203@psg.com>
List-Id: Networking and TCP/IP with FreeBSD

Randy Bush wrote:
> freebsd-current i386 / soekris
>
> i used to use ipfw to divert to natd. so, when i went to configure a
> new nat box today, i was 82.3% there when i hit a bunch of nat
> stuff in ipfw that i do not remember seeing before. it appears that
> ipfw will nat all on its own without natd and divert.
>
> what's the trade-off? which should i use?
>

I only have experience with ipdivert, but I got a tip in this mailing
list about using ipnat with ipfw and also about this integrated variant,
so there seem to be at least 3 different ways to go for nat when running
ipfw:

divert
ipnat
ipfw's integrated nat

I believe the integrated version makes configuration simpler. I would
choose the old classic divert with ipfw if it is for an important network
that must work, but if I was running -current I would try the integrated
variant because it seems to be simpler to use.

-- 
Christer Hermansson