From: Yuri <yuri@rawbw.com>
To: freebsd-net@freebsd.org
Subject: How to set up ipfw(8) NAT between an alias and the main IP address, when the alias is in another network?
Date: Sat, 6 Jul 2019 01:01:22 -0700

My network interface looks like this:

    sk0: flags=8843 metric 0 mtu 1500
        options=80009
        ether 01:3c:47:8a:17:12
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.100.2 netmask 0xffffffff broadcast 192.168.100.2
        media: Ethernet autoselect (100baseTX )
        status: active
        nd6 options=29

The second IP address is an alias that is used for a jail. I would like to set up NAT so that this jail would access the internet through the same interface. I tried this script:

    fw="/sbin/ipfw -q"
    $fw nat 1 config redirect_addr 192.168.100.2 192.168.1.2 redirect_addr 192.168.1.2 192.168.100.2 if sk0 unreg_only reset
    $fw add 1001 nat 1 tcp from 192.168.100.2/32 to any via sk0 keep-state
    $fw add 1002 check-state

Rule 1001 has keep-state, therefore it should process both outgoing TCP and incoming response packets. But the outbound packets are NATted, while the inbound ones are not. What is wrong, and how can I fix this script?

Thank you,
Yuri
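The rule order that lets ipfw's in-kernel NAT and keep-state work together, as an added example that is not part of the post and not FreeBSD project code: it follows the ordering used in the FreeBSD Handbook's in-kernel NAT section (reverse-NAT inbound packets before check-state, create state with a skipto rule, then translate outbound). The interface and addresses are taken from the post; the rule numbers, the DRY_RUN printing mode and the rule_index helper are assumptions of this example.

```shell
#!/bin/sh
# Added example: ipfw in-kernel NAT for a jail alias, ordered so that
# keep-state and nat cooperate.  DRY_RUN=1 prints the rules instead of
# loading them (a testing convenience that is not part of the post).
fw() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        /sbin/ipfw -q "$@"
    fi
}

load_rules() {
    pif=sk0                 # interface from the post
    jail_ip=192.168.100.2   # jail alias from the post
    host_ip=192.168.1.2     # primary address of sk0 from the post

    # One static mapping is enough: redirect_addr translates jail_ip -> host_ip
    # on the way out and host_ip -> jail_ip on the way back in, so the
    # reversed second redirect_addr in the original script is not needed.
    fw nat 1 config if "$pif" unreg_only reset \
        redirect_addr "$jail_ip" "$host_ip"

    # 1. Reverse-translate inbound packets BEFORE check-state.  The dynamic
    #    rule that keep-state creates is keyed on the pre-NAT tuple
    #    (jail_ip -> remote), so a reply still addressed to host_ip would
    #    never match it.  The original script had no inbound nat rule at all.
    fw add 1000 nat 1 ip from any to "$host_ip" in via "$pif"
    fw add 1001 check-state

    # 2. Create state for new outbound jail connections and jump to the
    #    translation rule, instead of attaching keep-state to the nat rule.
    fw add 1002 skipto 1010 tcp from "$jail_ip" to any out via "$pif" setup keep-state
    fw add 1010 nat 1 ip from "$jail_ip" to any out via "$pif"
    fw add 1011 allow ip from any to any
}

# Helper (example-only): line number of the first rule containing "$1" in
# the dry-run output, for checking the relative order of rules.
rule_index() {
    (DRY_RUN=1; load_rules) | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}
```

Run it as root to load the rules, or with DRY_RUN=1 to review the generated rule set first.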