Subject: Re: natd problem -- pass specific IP to internal machine
From: Frank Leonhardt
To: freebsd-questions@freebsd.org

On 09/02/2025 17:28, Gary Aitken wrote:
> my natd has been translating fine using:
>
> interface xl0
> use_sockets yes
> same_ports yes
> unregistered_only yes
>
> However, I am having an issue with a particular internal system (solar
> inverter) and I would like to be able to tcpdump it on the external
> interface.

As no one experienced with natd has replied, an observation: After a decade or more of struggling with ipfw+natd, because it was the "FreeBSD" solution, I discovered PF and have never looked back after fifteen years. I just wish someone had told me earlier.

The FreeBSD documentation gives equal weight to multiple solutions in various places and would be better if it said "this is the old system that hardly anyone uses" more often, so you knew which to pick first. The final straw for me was to do with NAT loopback, and it required a custom kernel build to get it to work. I can't remember the details.

PF, on the other hand, just works and there is at least one excellent book explaining how to use it in plain English. I use it as a NAT gateway in all sorts of places and it's really easy to configure it to do what you want. The configuration file is simple and it does what you expect (and NAT etc. is built in).

If anyone feels I'm missing something great I simply haven't understood about ipfw+natd I'd love to hear it.

Regards, Frank.
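As an added illustration of the PF NAT gateway Frank describes (this is example configuration written for this page, not something posted in the thread), here is a pf.conf that covers the natd settings Gary quoted and gives the one internal host its own public address, so that its traffic can be picked out with tcpdump on the external interface. Only the interface name xl0 comes from the thread; the internal interface em1, the 192.168.1.0/24 network, the inverter address, the spare public address 203.0.113.11 and the management network 198.51.100.0/24 are assumed placeholders.

```pf
# Added example pf.conf (not from the thread). xl0 is the external
# interface from Gary's natd config; everything else is an assumption.
ext_if = "xl0"
int_if = "em1"                 # assumed: internal interface
int_net = "192.168.1.0/24"     # assumed: internal network
inverter = "192.168.1.50"      # assumed: the solar inverter
inverter_ext = "203.0.113.11"  # assumed: spare public address, must be
                               # configured as an alias on xl0

# Only private source addresses are translated, which is the same idea
# as natd's "unregistered_only yes".
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# 1:1 mapping for the inverter. For outbound packets pf checks binat
# before nat, so the inverter is matched here rather than by the general
# nat rule below, and "tcpdump -ni xl0 host 203.0.113.11" on the gateway
# shows exactly this host's traffic. binat is bidirectional, so inbound
# packets to inverter_ext are rewritten to the inverter's address before
# the filter rules see them.
binat on $ext_if from $inverter to any -> $inverter_ext

# Everyone else is hidden behind whatever address xl0 currently has.
# static-port keeps source ports unchanged, the closest counterpart to
# natd's "same_ports yes"; drop it if you only need natd's default.
nat on $ext_if from <rfc1918> to any -> ($ext_if) static-port

# Default deny on the outside, LAN allowed out.
block in log on $ext_if
pass out on $ext_if keep state
pass in on $int_if from $int_net to any keep state
pass out on $int_if keep state

# Inbound to the inverter: only HTTPS, only from the management network.
# Translation happens before filtering, so the rule matches the internal
# address, not $inverter_ext.
pass in on $ext_if proto tcp from 198.51.100.0/24 to $inverter port 443 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and set `pf_enable="YES"` and `gateway_enable="YES"` in rc.conf so the rules and IP forwarding survive a reboot. Two caveats: FreeBSD's pf uses the older `nat`/`rdr`/`binat` syntax, so examples written for current OpenBSD (`match ... nat-to`) will not load; and because translation runs before filtering, inbound filter rules for a translated host must name the internal address, which is the most common reason a port forward "doesn't work" on first try.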