From owner-freebsd-ipfw@FreeBSD.ORG  Tue Oct  2 17:30:34 2007
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 12A0E16A41B
	for <freebsd-ipfw@freebsd.org>; Tue,  2 Oct 2007 17:30:34 +0000 (UTC)
	(envelope-from igorpopov@newmail.ru)
Received: from mx1.mail.wbt.ru (mx1.mail.wbt.ru [80.250.64.6])
	by mx1.freebsd.org (Postfix) with ESMTP id 833B513C494
	for <freebsd-ipfw@freebsd.org>; Tue,  2 Oct 2007 17:30:33 +0000 (UTC)
	(envelope-from igorpopov@newmail.ru)
Received: from moon.wbt.ru ([80.250.66.38])
	by mx1.mail.wbt.ru (Exim) with esmtp 
	sent  from <igorpopov@newmail.ru>
	id 1Ichyo-0009KQ-8r; Tue, 02 Oct 2007 16:40:06 +0300
From: Igor Popov <igorpopov@newmail.ru>
Organization: Home
To: freebsd-ipfw@freebsd.org
Date: Tue, 2 Oct 2007 16:35:09 +0300
User-Agent: KMail/1.9.6
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200710021635.10753.igorpopov@newmail.ru>
X-ACL-Warn: X-AV 1 1191332406
X-ACL-Warn: X-AV 2 1191332406
X-ACL-Warn: X-AV 3 1191332406
X-SpamTest-Version: SMTP-Filter Version 3.0.0 [0255], KAS30/Release
X-SpamTest-Info: Not protected
Cc: pf@benzedrine.cx
Subject: Bridge NAT ALTQ
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Oct 2007 17:30:34 -0000

	Hi, all.
I have machine that works like bridge for external routing ip addresses and 
NAT for range of rfc1918 addresses.


# uname -a
FreeBSD bignat.isp.ru 6.2-STABLE FreeBSD 6.2-STABLE #0: Fri Sep 28 11:52:21 
UTC 2007     root@bignat.isp.ru:/usr/obj/usr/src/sys/BIG_NAT  amd64


# ifconfig lo1
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 80.0.68.12 netmask 0xfffffffc
        inet 80.0.68.13 netmask 0xfffffffc
        inet 80.0.68.14 netmask 0xfffffffc
        inet 80.0.68.15 netmask 0xfffffffc
        inet 80.0.70.130 netmask 0xffffffff
 
# ifconfig bridge0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 4e:33:45:7b:a9:74
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: msk0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>

# ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:0e:0c:a4:3a:cd
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active

# ifconfig msk0
msk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=18<VLAN_MTU,VLAN_HWTAGGING>
        inet 80.0.68.20 netmask 0xfffffff8 broadcast 80.0.68.23
        ether 00:0e:0c:a4:3a:cc
        media: Ethernet autoselect (1000baseTX <full-duplex,flag0>)
        status: active

# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            80.0.68.17       UGS         0   576233   msk0
10                 lo0                URS         0       10    lo0
80.0.68.12       80.0.68.12       UH          0        0    lo1
80.0.68.13       80.0.68.13       UH          0        0    lo1
80.0.68.14       80.0.68.14       UH          0        0    lo1
80.0.68.15       80.0.68.15       UH          0        0    lo1
80.0.68.16/29    link#1             UC          0        0   msk0
80.0.68.17       00:11:bb:a6:15:80  UHLW        2        0   msk0   1199
80.0.68.18       00:11:93:0c:44:1b  UHLW        5        0   msk0    467
80.0.68.20       00:0e:0c:a4:3a:cc  UHLW        1      164    lo0
80.0.70.130      80.0.70.130      UH          0        0    lo1
127.0.0.1          127.0.0.1          UH          0      786    lo0
127.0.0.2          127.0.0.2          UH          0        5    lo0
127.0.0.3          127.0.0.3          UH          0        0    lo0
127.0.0.4          127.0.0.4          UH          0        0    lo0
172.16/12          lo0                URS         0        0    lo0
192.168.0/16       lo0                URS         0        2    lo0
192.168.128/19     80.0.68.18       UGS         0 16282333   msk0
192.168.160/19     80.0.68.18       UGS         0   159008   msk0


int_if="em0"
ext_if="msk0"
bridge_if="bridge0"                                                                                                                                        

# NAT
nat-anchor "ftp-proxy/*"

nat on $ext_if inet from <nat_main> 	  to !(self) -> 80.0.68.12/30  bitmask
nat on $ext_if inet from <nat_unlim>      to !(self) -> 80.0.70.130


#...

#
# bridge
#
pass  in  on $int_if inet from { <isp> <nat_main> <nat_unlim> } to any

pass  out on $int_if inet from  any    to  { <isp> <nat_main> <nat_unlim> } 
queue(q_ext q_eacks)
pass  out on $int_if inet from <isp>   to  { <isp> <nat_main> <nat_unlim> } 
queue(q_int q_iacks)
pass  out on $int_if inet from <peers> to  { <isp> <nat_main> <nat_unlim> } 
tos 0x20 queue(q_peers)

pass      on $ext_if inet all

#....

# pfctl -vv -sr
...

@8 pass in on em0 inet from <isp:5> to any
  [ Evaluations: 31962419  Packets: 9822781   Bytes: 3723656443  States: 
0     ]
@9 pass in on em0 inet from <nat_main:1> to any
  [ Evaluations: 22606139  Packets: 12632981  Bytes: 4251228990  States: 
0     ]
@10 pass in on em0 inet from <nat_unlim:1> to any
  [ Evaluations: 22606139  Packets: 114847    Bytes: 27950859    States: 
0     ]
@11 pass out on em0 inet from any to <isp:5> queue(q_ext, q_eacks)
  [ Evaluations: 55912371  Packets: 6342607   Bytes: 1937428659  States: 
0     ]
@12 pass out on em0 inet from any to <nat_main:1> queue(q_ext, q_eacks)
  [ Evaluations: 8999665   Packets: 0         Bytes: 0           States: 
0     ]
@13 pass out on em0 inet from any to <nat_unlim:1> queue(q_ext, q_eacks)
  [ Evaluations: 8999665   Packets: 0         Bytes: 0           States: 
0     ]
@14 pass out on em0 inet from <isp:5> to <isp:5> queue(q_int, q_iacks)
  [ Evaluations: 8999665   Packets: 722131    Bytes: 129079550   States: 
0     ]
@15 pass out on em0 inet from <isp:5> to <nat_main:1> queue(q_int, q_iacks)
  [ Evaluations: 722131    Packets: 0         Bytes: 0           States: 
0     ]
@16 pass out on em0 inet from <isp:5> to <nat_unlim:1> queue(q_int, q_iacks)
  [ Evaluations: 722131    Packets: 0         Bytes: 0           States: 
0     ]
@17 pass out on em0 inet from <peers:6> to <isp:5> tos 0x20 queue q_peers
  [ Evaluations: 8999665   Packets: 1934927   Bytes: 1063519866  States: 
0     ]
@18 pass out on em0 inet from <peers:6> to <nat_main:1> tos 0x20 queue q_peers
  [ Evaluations: 3185036   Packets: 0         Bytes: 0           States: 
0     ]
@19 pass out on em0 inet from <peers:6> to <nat_unlim:1> tos 0x20 queue 
q_peers
  [ Evaluations: 3185036   Packets: 0         Bytes: 0           States: 
0     ]

...

As you can see only bridged ip flows are queued via ALTQ, but not NATed, I can 
not understand where is a problem. When it was router ALTQ works properly.

-- 
Give your very best today.  Heaven knows it's little enough.