Date: Mon, 8 Jul 2019 15:23:43 +0300
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Yuri <yuri@rawbw.com>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: How to set up ipfw(8) NAT between an alias and the main IP address, when the alias is in another network?
Message-ID: <8c0f4366-f3e3-dbd6-c8e3-6644951c40d7@yandex.ru>
In-Reply-To: <8e388abc-f2ac-b070-cf86-a4d3971ac095@rawbw.com>
References: <8e388abc-f2ac-b070-cf86-a4d3971ac095@rawbw.com>

On 06.07.2019 11:01, Yuri wrote:
> My network interface looks like this:
> $fw nat 1 config redirect_addr 192.168.100.2 192.168.1.2 redirect_addr 192.168.1.2 192.168.100.2 if sk0 unreg_only reset
>
> $fw add 1001 nat 1 tcp from 192.168.100.2/32 to any via sk0 keep-state
>
> $fw add 1002 check-state
>
>
> The rule 1001 has keep-state, therefore it should process both outgoing
> tcp and incoming response packets. But the outbound packets are NATted,
> but the inbound ones are not.
>
> What is wrong, and how to fix this script?

'keep-state' creates state for a TCP connection that is not yet translated, thus it won't handle the reply packet, which has a translated address/port.

--
WBR, Andrey V. Elsukov
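
Added example, not part of the original message and not ipfw's own code: a simplified Python model of the point made in the reply above, showing why a state recorded before translation cannot match the translated reply. The state table, the port-preserving NAT, the remote address 203.0.113.10 and the port numbers are assumptions made for illustration.

```python
"""Simplified model of a dynamic-state table keyed on the addresses a packet
carries at the moment the keep-state rule matches (illustration only)."""
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(p: Packet) -> frozenset:
    # Direction-independent key: one state covers both directions of a flow.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class StateTable:
    def __init__(self) -> None:
        self.states = set()

    def keep_state(self, p: Packet) -> None:
        self.states.add(flow_key(p))

    def check_state(self, p: Packet) -> bool:
        return flow_key(p) in self.states


def nat_out(p: Packet, inside: str, alias: str) -> Packet:
    # Source rewrite inside -> alias; the port is kept to keep the model small.
    return p._replace(src=alias) if p.src == inside else p


def simulate() -> tuple:
    inside, alias = "192.168.100.2", "192.168.1.2"   # addresses from the post
    remote = "203.0.113.10"                          # constructed sample peer
    table = StateTable()

    out = Packet(inside, 40000, remote, 80)
    table.keep_state(out)                  # state holds the untranslated tuple
    wire = nat_out(out, inside, alias)     # what actually leaves the interface

    reply = Packet(remote, 80, wire.src, wire.sport)  # reply to the alias
    never_seen = Packet(remote, 80, inside, 40000)    # reply the state expects
    return table.check_state(reply), table.check_state(never_seen)


if __name__ == "__main__":
    print(simulate())
```

The first result is the real reply, addressed to the translated address, which misses the state; the second is the only reply the state would accept, and it never appears on the wire.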