From: Andrea Venturoli <ml@netfence.it>
Subject: Some questions about in-kernel NAT
To: freebsd-net@freebsd.org
Date: Wed, 8 Mar 2017 16:52:36 +0100
List-Id: Networking and TCP/IP with FreeBSD

Hello.

I'm using "ipfw nat" on several 10.3 boxes, but I have some questions.

Let's start with a simple one: how do I list configured NATs and their details? I know I can configure a NAT with "ipfw nat 1 config ...", but how do I show what I did?
Second question:
_ if I issue "ipfw nat 2 config if re0", I'll see the output "ipfw nat 2 config if re0";
_ if I issue "ipfw nat 2 config ip 192.168.0.1", I'll see the output "ipfw nat 2 config ip 192.168.0.1";
_ however, if I issue "ipfw nat 2 config if re0 ip 192.168.0.1", the output will be "ipfw nat 2 config if re0".

Does this mean the "ip" part was ignored? Are "if" and "ip" mutually exclusive? I don't think this is mentioned in the man page...

Let's get to my problem now:
_ at boot, my re0 interface is configured with IP 192.168.0.1, along with an alias (192.168.0.2);
_ my ipfw rules get loaded, issuing a "nat 2 config ip 192.168.0.1" command;
_ after that, ezjail is started, featuring a jail on 192.168.0.3.

From this point on, my aliased packets go out with 192.168.0.3 as source address. I have to manually run "ipfw nat 2 config ip 192.168.0.1" again in order to have them correctly going out with the desired IP.

How can I avoid this (and eliminate the need for manual intervention after each boot)? Of course I could use some trick, like writing an rc.d script that runs after ezjail's, but I'd like to understand and solve (not work around) :)

TIA.

bye
av.
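As an added example (not part of the original mail), the following POSIX shell script audits the per-instance config lines that "ipfw nat show config" prints, summarising which source-address setting each NAT instance carries and checking whether a given instance is pinned to the expected address. It assumes the output lines have the form the mail quotes ("ipfw nat N config ..."); the sample input is constructed from those quoted lines, and an instance that reports only "if" is treated as not pinned to an address, mirroring the mail's observation that the "ip" part disappears from the echoed line when "if" is present.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD.
# Reads "ipfw nat show config" style lines on stdin and prints one
# line per NAT instance:  "<nat#> if=<iface|-> ip=<addr|->"
summarize_nat_config() {
    awk '
    $1 == "ipfw" && $2 == "nat" && $4 == "config" {
        nat = $3; iface = "-"; ip = "-"
        # Walk the option words; "if" and "ip" each take one argument.
        for (i = 5; i <= NF; i++) {
            if ($i == "if") iface = $(i + 1)
            if ($i == "ip") ip = $(i + 1)
        }
        printf "%s if=%s ip=%s\n", nat, iface, ip
    }'
}

# nat_ip_matches <nat#> <expected-ip>
# Exit 0 only when that instance exists and is pinned to the address
# with "ip"; an instance configured with "if" alone (or a missing
# instance) yields exit 1, so a boot-time check can catch drift such
# as the one described in the mail (NAT source address changing after
# ezjail adds a jail address to the same interface).
nat_ip_matches() {
    summarize_nat_config | awk -v n="$1" -v want="$2" '
        $1 == n { found = 1; split($3, a, "="); ok = (a[2] == want) }
        END { exit (found && ok) ? 0 : 1 }'
}

# Constructed sample, mirroring the lines quoted in the mail plus one
# hypothetical instance with extra options after the address.
SAMPLE_NAT_CONFIG='ipfw nat 1 config if re0
ipfw nat 2 config ip 192.168.0.1
ipfw nat 3 config ip 192.168.0.3 log same_ports'

# On a live box:  ipfw nat show config | summarize_nat_config
#                 ipfw nat show config | nat_ip_matches 2 192.168.0.1 || echo "nat 2 drifted"
```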