From: Frank Leonhardt <frank2@fjl.co.uk>
To: freebsd-questions@freebsd.org
Date: Sat, 17 Aug 2013 23:15:37 +0100
Subject: NAT loopback using natd and ipfw
Message-ID: <520FF609.9090002@fjl.co.uk>

Does anyone know how to get NAT loopback (aka NAT hairpin or NAT reflection) working with natd and ipfw? It seems to work with the in-kernel NAT without the need for configuration, but not if you're using natd. I have a feeling it may be something to do with the ipfw "diverted-loopback" test in natd, but if I experiment and get it wrong it's five hours on the motorway for me.
Incidentally, I've set net.inet.ip.fw.one_pass to 0, but it didn't help.

Thanks, Frank.

(By "NAT loopback" I mean the situation when you're using NAT to translate one WAN IP to many local LAN IPs (i.e. the usual). If a LAN machine tries to access the WAN IP, you need NAT to treat it as an incoming connection and port-forward it as appropriate to a LAN IP, as if the packet had come from the Internet. This is not weird; it's what most home and small office routers do by default.)
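The following is an added illustration of the mechanism the post describes, not code from the original message and not a natd or ipfw configuration. It models what a reflected (hairpin) connection needs from the translator, and goes slightly beyond the post: the port-forward alone (rewriting only the destination) is not enough, because the LAN server would then answer the LAN client directly with its own address as source, and the client's socket would discard that reply. A working hairpin also rewrites the client's source to the router's LAN address so the reply comes back through the translator and both rewrites are undone. All addresses, the redirect table, the class and function names and the port allocation are constructed assumptions for the model (RFC 5737 and RFC 1918 ranges).

```python
"""Model of NAT hairpin (reflection): why DNAT alone fails and DNAT + SNAT works.

Added example, not FreeBSD/natd code.  Addresses and the redirect table are
constructed for the model; the port-forward entry mirrors the shape of a
natd redirect_port rule but nothing here talks to a real firewall.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = "203.0.113.5"          # router's public address (constructed, RFC 5737)
ROUTER_LAN_IP = "192.168.1.1"   # router's inside address (constructed)
LAN = ip_network("192.168.1.0/24")
# port-forwards: (proto, wan_port) -> (lan_host, lan_port)   (constructed)
REDIRECTS = {("tcp", 80): ("192.168.1.10", 80)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class HairpinNat:
    """Minimal translator: DNAT (the port-forward) plus SNAT of the LAN
    client's source so the server's reply is routed back through us."""

    def __init__(self, wan_ip=WAN_IP, lan_ip=ROUTER_LAN_IP, lan=LAN, redirects=REDIRECTS):
        self.wan_ip, self.lan_ip, self.lan, self.redirects = wan_ip, lan_ip, lan, redirects
        # (proto, server, server_port, our_port) -> (client, client_port, wan_port)
        self.table = {}
        self.next_port = 40000  # deterministic source-port allocation for the model

    def is_reflected(self, p):
        """A LAN host talking to the router's own WAN address: the hairpin case."""
        return p.dst == self.wan_ip and ip_address(p.src) in self.lan

    def dnat_only(self, p):
        """Naive rule: rewrite the destination only.  Source is left untouched."""
        target = self.redirects.get((p.proto, p.dport))
        if target is None:
            return None
        return Packet(p.proto, p.src, p.sport, target[0], target[1])

    def forward(self, p):
        """Full hairpin: DNAT to the LAN server and SNAT to the router's LAN IP."""
        if not self.is_reflected(p):
            return None
        target = self.redirects.get((p.proto, p.dport))
        if target is None:
            return None          # no forward for this port: the router itself answers
        our_port = self.next_port
        self.next_port += 1
        self.table[(p.proto, target[0], target[1], our_port)] = (p.src, p.sport, p.dport)
        return Packet(p.proto, self.lan_ip, our_port, target[0], target[1])

    def reply(self, p):
        """Server -> router reply: undo both rewrites so the client sees WAN_IP answering."""
        if p.dst != self.lan_ip:
            return None
        entry = self.table.get((p.proto, p.src, p.sport, p.dport))
        if entry is None:
            return None
        client, client_port, wan_port = entry
        return Packet(p.proto, self.wan_ip, wan_port, client, client_port)


def accepted_by_client(reply, original):
    """A client socket only matches a reply whose 4-tuple mirrors what it sent."""
    return (reply is not None and reply.proto == original.proto
            and reply.src == original.dst and reply.sport == original.dport
            and reply.dst == original.src and reply.dport == original.sport)


def demo():
    """Run both strategies for one LAN client -> WAN_IP:80 request.
    Returns (naive_accepted, hairpin_accepted)."""
    nat = HairpinNat()
    client = Packet("tcp", "192.168.1.35", 51515, WAN_IP, 80)

    # 1. Destination-only rewrite: the server replies straight to the client
    #    from its own address, which is not the address the client connected to.
    naive = nat.dnat_only(client)
    naive_reply = Packet("tcp", naive.dst, naive.dport, naive.src, naive.sport)
    naive_ok = accepted_by_client(naive_reply, client)

    # 2. Hairpin: the server sees the router as the client, so its reply comes
    #    back to the router, which restores WAN_IP:80 -> client:51515.
    inside = nat.forward(client)
    server_reply = Packet("tcp", inside.dst, inside.dport, inside.src, inside.sport)
    hairpin_ok = accepted_by_client(nat.reply(server_reply), client)
    return naive_ok, hairpin_ok


if __name__ == "__main__":
    print(demo())
```

The model is deliberately stateless about the real ipfw pipeline; its point is only that a reflected flow has to be translated on both legs, which is the part a single inbound port-forward rule does not give you.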