From owner-freebsd-ipfw@FreeBSD.ORG  Tue Aug  5 16:15:27 2008
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7FA5A106567A;
	Tue,  5 Aug 2008 16:15:27 +0000 (UTC)
	(envelope-from proks@logos.sky.od.ua)
Received: from logos.sky.od.ua (logos.sky.od.ua [81.25.224.11])
	by mx1.freebsd.org (Postfix) with ESMTP id 31CF38FC12;
	Tue,  5 Aug 2008 16:15:27 +0000 (UTC)
	(envelope-from proks@logos.sky.od.ua)
Received: from localhost (localhost [127.0.0.1])
	by logos.sky.od.ua (Postfix) with ESMTP id 493F7102CDE;
	Tue,  5 Aug 2008 18:51:33 +0300 (EEST)
Date: Tue, 5 Aug 2008 18:51:33 +0300 (EEST)
From: "Prokofiev S.P." <proks@logos.sky.od.ua>
To: freebsd-ipfw@freebsd.org
Message-ID: <20080805181839.T23842@logos.sky.od.ua>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-net@freebsd.org
Subject: ipfw nat/natd 
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2008 16:15:27 -0000


I have a problem at the scheme:

( gw     ) <-----> (   nat_router  ) <-----> ( https )
   real.ip0        real.ip1 10.19.90.1        10.19.90.2

If I use ipfw+natd on nat_router then redirect to https server and to 
nat_router local address 10.19.90.1 is well, but if ipfw+nat - redirect to 
nat_router local address is fail. This is bug ?


ipfw+nat schema

- on nat_router
   - ipfw rules
     ipfw nat 1 config if vlan2 log redirect_port tcp 10.19.90.1:5000 5000 \
                                    redirect_port tcp 10.19.90.2:443 443
     ipfw add 500 nat 1 log ip from any to any via vlan2 //  nat
   - iperf -s -p 5000

- on gw
   - iperf -p 5000 -c real.ip1

tcpdump -np -i vlan2 host real.ip0


18:36:08.170034 IP real.ip0.60950 > real.ip1.5000: S 3167071663:3167071663(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 785027736 0,sackOK,eol>
18:36:08.170093 IP real.ip1.5000 > real.ip0.60950: S 655190881:655190881(0) ack 3167071664 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 3232246011 785027736>
18:36:11.170239 IP real.ip1.5000 > real.ip0.60950: S 655190881:655190881(0) ack 3167071664 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 3232246011 785027736>
18:36:11.208523 IP real.ip0.60950 > real.ip1.5000: S 3167071663:3167071663(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 785030736 0,sackOK,eol>
18:36:11.208554 IP real.ip1.5000 > real.ip0.60950: S 655190881:655190881(0) ack 3167071664 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 3232246011 785030736>
18:36:14.208712 IP real.ip1.5000 > real.ip0.60950: S 655190881:655190881(0) ack 3167071664 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 3232246011 785030736>
18:36:14.448772 IP real.ip0.60950 > real.ip1.5000: S 3167071663:3167071663(0) win 65535 <mss 1460,nop,wscale 2,nop,nop,timestamp 785033936 0,sackOK,eol>
18:36:14.448802 IP real.ip1.5000 > real.ip0.60950: S 655190881:655190881(0) ack 3167071664 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 3232246011 785033936>
18:36:17.449225 IP real.ip1.5000 > real.ip0.60950: S 655190881:655190881(0) ack 3167071664 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 3232246011 785033936>
18:36:17.689771 IP real.ip0.60950 > real.ip1.5000: S 3167071663:3167071663(0) win 65535 <mss 1460,sackOK,eol>
18:36:17.689801 IP real.ip1.5000 > real.ip0.60950: S 655190881:655190881(0) ack 3167071664 win 65535 <mss 1460,nop,wscale 3,sackOK,eol>
18:36:20.689736 IP real.ip1.5000 > real.ip0.60950: S 655190881:655190881(0) ack 3167071664 win 65535 <mss 1460,nop,wscale 3,sackOK,eol>
18:36:20.944763 IP real.ip0.60950 > real.ip1.5000: S 3167071663:3167071663(0) win 65535 <mss 1460,sackOK,eol>
18:36:20.944794 IP real.ip1.5000 > real.ip0.60950: S 655190881:655190881(0) ack 3167071664 win 65535 <mss 1460,nop,wscale 3,sackOK,eol>
18:36:23.945252 IP real.ip1.5000 > real.ip0.60950: S 655190881:655190881(0) ack 3167071664 win 65535 <mss 1460,nop,wscale 3,sackOK,eol>


Thanks all!