From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 1 09:17:52 2013
Message-ID: <51D14930.1060502@grosbein.net>
Date: Mon, 01 Jul 2013 16:17:36 +0700
From: Eugene Grosbein
To: Sami Halabi
Cc: "freebsd-net@freebsd.org", "Paul A. Procacci", freebsd-ipfw
Subject: Re: DNAT in freebsd
References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net>
List-Id: IPFW Technical Discussions

On 01.07.2013 14:30, Sami Halabi wrote:
> Hi,
>
> I've tried the following:
>
> em1 - ip 10.0.1.1/24
> em2 - ip 11.0.3.1/24
> route add 11.0.4.0/24 11.0.3.2
>
> ipfw flush
> ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
> ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
>
> ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
>
>
> ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
> ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2
>
> What I see in tcpdump and logs is that rule 1000 converts the IP correctly
> 10.0.1.2->10.0.1.1 ==> 11.0.3.1->10.0.1.1
> while the 2000 rule does nothing...

man ipfw says:

     To let the packet continue after being (de)aliased, set the sysctl
     variable net.inet.ip.fw.one_pass to 0.

By default, rule 1000 "consumes" aliased packets and they do not hit rule 2000 at all.
So, you need to set sysctl net.inet.ip.fw.one_pass=0
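The effect of net.inet.ip.fw.one_pass on the ruleset above, shown as a small added model of ipfw rule traversal (illustration written for this reply, not FreeBSD or ipfw code). It assumes nat instance 1 aliases to 11.0.3.1 and nat instance 2 to 11.0.4.2, models only source-address rewriting for outgoing packets, and treats a nat rule as terminal exactly when one_pass is 1.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    number: int
    nat_instance: int
    src: str
    dst: str

# Assumed alias addresses per nat instance (mirrors "ipfw nat N config ... ip A").
NAT_ALIAS = {1: "11.0.3.1", 2: "11.0.4.2"}

# The four "nat" rules from the thread, in ipfw rule-number order.
RULES = [
    Rule(1000, 1, "10.0.1.2", "10.0.1.1"),
    Rule(2000, 2, "11.0.3.1", "10.0.1.1"),
    Rule(3000, 2, "11.0.4.2", "11.0.3.1"),
    Rule(4000, 1, "10.0.1.1", "11.0.3.1"),
]

def run_chain(src, dst, one_pass, rules=RULES):
    """Walk the ruleset once for a packet src->dst.

    Returns (final_src, final_dst, rule_numbers_hit). With one_pass=1 the
    first matching nat rule accepts the aliased packet and the search stops;
    with one_pass=0 the rewritten packet keeps matching later rules.
    """
    hit = []
    for r in rules:
        if r.src == src and r.dst == dst:
            hit.append(r.number)
            src = NAT_ALIAS[r.nat_instance]   # aliasing rewrites the source
            if one_pass:
                break                          # packet is consumed here
    return src, dst, hit

if __name__ == "__main__":
    # Constructed packet from the thread: 10.0.1.2 -> 10.0.1.1
    for flag in (1, 0):
        print("one_pass=%d:" % flag, run_chain("10.0.1.2", "10.0.1.1", flag))
```

With the default (one_pass=1) only rule 1000 is hit and the packet leaves as 11.0.3.1->10.0.1.1; with one_pass=0 rule 2000 also matches the aliased packet.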