From: Sami Halabi
To: Eugene Grosbein
Cc: "freebsd-net@freebsd.org", "Paul A. Procacci", freebsd-ipfw
Date: Mon, 1 Jul 2013 10:30:18 +0300
Subject: Re: DNAT in freebsd

Hi,

I've tried the following:

em1 - ip 10.0.1.1/24
em2 - ip 11.0.3.1/24

route add 11.0.4.0/24 11.0.3.2

ipfw flush
ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2

What I see in tcpdump and the logs is that rule 1000 converts the IP correctly:

10.0.1.2->10.0.1.1 ==> 11.0.3.1->10.0.1.1

while rule 2000 does nothing...

Thanks in advance,
Sami

On Sun, Jun 30, 2013 at 11:27 PM, Sami Halabi wrote:

> Hi Eugene,
>
> It simply doesn't work for me, the reverse option doesn't work properly
> for me... it keeps translating the source instead of the destination...
>
> On Sun, Jun 30, 2013 at 6:32 PM, Eugene Grosbein wrote:
>
>> On 30.06.2013 18:48, Sami Halabi wrote:
>> > Hi,
>> > I don't understand how reverse mode works exactly, and didn't find a
>> > good example.
>> >
>> > Can you try and help with the configuration?
>>
>> Well, that's pretty simple. Generally, NAT translates the source IP
>> address of the packet, keeping the destination IP intact. You need both
>> source and destination addresses to get translated. Reverse NAT does,
>> well, the reverse thing: it translates the destination IP, keeping the
>> source IP intact.
>> So, you just need to set up two ipfw nat instances, one "general" and
>> one "reverse", and pass your packets through both instances.
>>
>> Eugene Grosbein
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert
> FreeBSD SysAdmin Expert

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
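
An added example (not part of the thread, and not ipfw code): a simplified Python model of how the four rules in this message are walked, assuming the behaviour documented in ipfw(8) that a matching nat rule ends rule processing unless net.inet.ip.fw.one_pass is set to 0. The rewrite functions and the roles given to instances 1 and 2 are constructed stand-ins that follow Eugene's description of general and reverse NAT, not libalias behaviour.

```python
# Simplified model of ipfw rule traversal (illustration only, not real ipfw).
# Assumption: with net.inet.ip.fw.one_pass=1 a packet leaves the ruleset
# after the first matching nat rule; with one_pass=0 it continues at the
# next rule, carrying the rewritten addresses.

RULES = [  # (rule number, nat instance, src, dst) as posted in the message
    (1000, 1, "10.0.1.2", "10.0.1.1"),
    (2000, 2, "11.0.3.1", "10.0.1.1"),
    (3000, 2, "11.0.4.2", "11.0.3.1"),
    (4000, 1, "10.0.1.1", "11.0.3.1"),
]


def general_nat(alias_ip):
    """'General' instance: rewrite the source, keep the destination."""
    return lambda src, dst: (alias_ip, dst)


def reverse_nat(target_ip):
    """'Reverse' instance: rewrite the destination, keep the source."""
    return lambda src, dst: (src, target_ip)


# Constructed stand-ins: instance 1 is the general one, instance 2 the
# reverse one (the posted commands configure "nat 1" twice).
NAT = {1: general_nat("11.0.3.1"), 2: reverse_nat("11.0.4.2")}


def walk(src, dst, one_pass):
    """Return (rule numbers that matched, final (src, dst))."""
    hits = []
    for number, instance, rule_src, rule_dst in RULES:
        if (src, dst) != (rule_src, rule_dst):
            continue
        hits.append(number)
        src, dst = NAT[instance](src, dst)
        if one_pass:
            break  # first nat action is final for this pass
    return hits, (src, dst)


if __name__ == "__main__":
    for one_pass in (True, False):
        print("one_pass =", int(one_pass), walk("10.0.1.2", "10.0.1.1", one_pass))
```

With one_pass enabled the model reproduces the trace reported in the message: rule 1000 rewrites the source and rule 2000 is never evaluated for that packet. With one_pass disabled the rewritten packet goes on to match rule 2000, which is what passing packets through both instances requires.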