Date: Wed, 14 Sep 2016 17:25:03 +0200
From: Jean-Baptiste COUPIAC <jeanbaptiste.coupiac@nfrance.com>
To: freebsd-ipfw@freebsd.org
Cc: network <network@nfrance.com>
Subject: Ipfw + Natd + multiple instance
Message-ID: <CAH22wMWDFHY-6807zDUrc+1DK5DK8xNAsWcgPV2wKk8_RY=ztw@mail.gmail.com>
Hello IPFWers,

I'm trying to use IPfw with several natd instances.

                                 ==== igb0 (192.31.3.253/22)
tun1 (10.69.0.0/24) ==== FreeBSD router
                                 ==== em0 (192.168.1.2/24)

Above is my pretty simple configuration (but I've rewritten some networks/interfaces in this mail for security reasons).

My traffic comes in via tun1 (an OpenVPN tunnel), and depending on the destination, I need to NAT it via igb0 or em0.

Below is my natd.conf:
_________________
instance default
interface em0
port 8668
use_sockets yes
same_ports yes

instance mgmt
interface igb0
port 8669
use_sockets yes
same_ports yes
_________________

Below is my rc.firewall:
_________________
cmd="ipfw add"
lans="10.0.0.0/8"
vpn_lans="10.69.0.0/24,10.70.0.0/24"
mgmt="192.31.0.0/21"

ipfw -q -f flush

$cmd 00010 divert 8668 log ip from $lans to any in via em0
$cmd 00011 divert 8669 log ip from $mgmt to any in via igb0
$cmd 00100 check-state
$cmd 00110 skipto 2000 log ip from $vpn_lans to $lans out via em0 keep-state
$cmd 00111 skipto 2200 log ip from $vpn_lans to $mgmt out via igb0 keep-state
$cmd 01010 deny all from 'table(1)' to any dst-port 22 in
$cmd 01011 allow log ip from any to any
$cmd 02000 divert 8668 log ip from any to any out via em0
$cmd 02001 allow log ip from any to $lans
$cmd 02200 divert 8669 log ip from any to any out via igb0
$cmd 02201 allow log ip from any to $mgmt
$cmd 03000 deny log logamount 500 ip from any to any
_________________

I use the default instance to NAT to LANS, and the mgmt instance to NAT to MGMT.

NAT for LANS is working fine (icmp from 10.69.0.10 to 10.54.255.254), but NAT for MGMT does not work (icmp from 10.69.0.10 to 192.31.0.99):

Sep 13 17:55:18 <security.info> kimberley kernel: ipfw: 2201 Accept ICMP:8.0 10.69.0.10 192.31.0.99 in via tun1
Sep 13 17:55:18 <security.info> kimberley kernel: ipfw: 2200 Divert 8669 ICMP:8.0 10.69.0.10 192.31.0.99 out via igb0
Sep 13 17:55:18 <security.info> kimberley kernel: ipfw: 2201 Accept ICMP:8.0 192.31.3.253 192.31.0.99 out via igb0
Sep 13 17:55:18 <security.notice> kimberley kernel: ipfw: limit 5 reached on entry 2201
Sep 13 17:55:18 <security.info> kimberley kernel: ipfw: 11 Divert 8669 ICMP:0.0 192.31.0.99 192.31.3.253 in via igb0
Sep 13 17:55:18 <security.info> kimberley kernel: ipfw: 3000 Deny ICMP:0.0 192.31.0.99 10.69.0.10 in via igb0

The working NAT for LAN shows:

Sep 13 17:45:01 <security.info> kimberley kernel: ipfw: 110 SkipTo 2000 ICMP:8.0 10.69.0.10 10.54.255.254 in via tun1
Sep 13 17:45:01 <security.info> kimberley kernel: ipfw: 2001 Accept ICMP:8.0 10.69.0.10 10.54.255.254 in via tun1
Sep 13 17:45:01 <security.info> kimberley kernel: ipfw: 110 SkipTo 2000 ICMP:8.0 10.69.0.10 10.54.255.254 out via em0
Sep 13 17:45:01 <security.notice> kimberley kernel: ipfw: limit 5 reached on entry 110
Sep 13 17:45:01 <security.info> kimberley kernel: ipfw: 2000 Divert 8668 ICMP:8.0 10.69.0.10 10.54.255.254 out via em0
Sep 13 17:45:01 <security.info> kimberley kernel: ipfw: 2001 Accept ICMP:8.0 192.168.1.2 10.54.255.254 out via em0

I'm pretty stuck, can you help me please?

--
NFrance Conseil
Jean-Baptiste COUPIAC
Tel.: +33 5 34 45 55 00
4 rue Kennedy 31000 Toulouse - France | www.nfrance.com
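A small triage helper for reading logs like the ones quoted above (an added example, not part of the original message or of FreeBSD's tooling): it parses ipfw log lines, pairs each Divert with the packet's re-entry after natd rewrote it, and lists translated packets that no later rule accepted. The sample log is constructed from the lines in the post, with the syslog prefix stripped.

```python
import re

# Constructed sample input: the kernel messages quoted in the post, with the
# syslog timestamp/hostname prefix stripped (the 'limit 5 reached' line included).
SAMPLE_LOG = """\
ipfw: 2200 Divert 8669 ICMP:8.0 10.69.0.10 192.31.0.99 out via igb0
ipfw: 2201 Accept ICMP:8.0 192.31.3.253 192.31.0.99 out via igb0
ipfw: limit 5 reached on entry 2201
ipfw: 11 Divert 8669 ICMP:0.0 192.31.0.99 192.31.3.253 in via igb0
ipfw: 3000 Deny ICMP:0.0 192.31.0.99 10.69.0.10 in via igb0
ipfw: 2000 Divert 8668 ICMP:8.0 10.69.0.10 10.54.255.254 out via em0
ipfw: 2001 Accept ICMP:8.0 192.168.1.2 10.54.255.254 out via em0
"""

# ipfw log line: "<rule> <Action> [<arg>] <proto> <src> <dst> <in|out> via <iface>";
# <arg> is the divert port for Divert and the target rule for SkipTo.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+)(?: (?P<arg>\d+))? "
    r"(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)$"
)

def parse(log):
    """Structured entries for matching lines; 'limit N reached' lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def nat_transitions(log):
    """Pair each Divert with the packet's re-entry after natd rewrote it.

    natd hands the translated packet back to ipfw, which resumes at the rule after
    the divert, so the next log line for the same direction, interface and protocol
    shows the rewritten addresses and the rule that finally accepted or denied them.
    """
    entries, out = parse(log), []
    for i, e in enumerate(entries):
        if e["action"] != "Divert":
            continue
        key = (e["dir"], e["iface"], e["proto"])
        nxt = next((n for n in entries[i + 1:]
                    if (n["dir"], n["iface"], n["proto"]) == key and n["action"] != "Divert"), None)
        if nxt is None:
            continue
        out.append({"divert_rule": int(e["rule"]), "natd_port": int(e["arg"]),
                    "dir": e["dir"], "iface": e["iface"],
                    "before": (e["src"], e["dst"]), "after": (nxt["src"], nxt["dst"]),
                    "verdict": nxt["action"], "verdict_rule": int(nxt["rule"])})
    return out

def dropped_after_nat(log):
    """Translated packets no later rule accepted: the symptom in the post."""
    return [t for t in nat_transitions(log) if t["verdict"] == "Deny"]
```

Run against the sample, the only dropped transition is the reply de-NATed by rule 11 (192.31.0.99 -> 10.69.0.10 in via igb0) and denied by rule 3000, which is the post-translation packet that needs an accepting rule.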