From: Mason Loring Bliss
To: freebsd-net@freebsd.org
Subject: NAT question
Date: Fri, 20 Feb 2015 21:08:18 -0500
Message-ID: <20150221020818.GY24491@blisses.org>
List-Id: Networking and TCP/IP with FreeBSD

Hi all.

With iptables, I can say something like:

    -t nat -A POSTROUTING -o eth0 -s 4.5.6.7/32 -d 0/0 -j SNAT --to-source 1.2.3.4
    -t nat -A POSTROUTING -o eth0 -s 4.5.6.0/24 -d 0/0 -j SNAT --to-source 1.2.3.5
    -t nat -A POSTROUTING -o eth0 -s 8.9.0.0/24 -d 0/0 -j SNAT --to-source 1.2.3.6

So, traffic going out from 4.5.6.7 goes into the world sourced from 1.2.3.4, whereas the rest of 4.5.6/24 goes as 1.2.3.5, and all of 8.9.0/24 comes out from 1.2.3.6.

I don't see how to do this with IPFW.
I assume there's some way to do it with the GENERIC kernel, so I'm assuming natd is deprecated, as it requires a custom kernel, as far as I can see.

How do I accomplish this with IPFW? Or do I need to use PF for this? Or are those independent of the NAT after all and I want to use something else? If that's the case, does it require natd and a custom kernel, or is there something that works with a GENERIC kernel?

(This will be 10.1, FWIW.)

Thanks.

-- 
Love is a snowmobile racing across the tundra and then suddenly it flips over, pinning you underneath. At night, the ice weasels come.
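The source-NAT mapping described in the message, as an added example that is not part of the original post and not a FreeBSD or iptables tool: a first-match evaluator over the three quoted rules, which reproduces the way iptables walks the POSTROUTING chain in order and stops at the first match, plus a check that flags a rule shadowed by an earlier, broader one (the /32 rule only works because it is listed before the /24). The rule list, addresses and function names are constructed for this example.

```python
# Added example (not from the original message): first-match SNAT evaluator
# and shadowed-rule check for the policy quoted above. The rules and addresses
# are the ones in the message; the helper functions are an assumption.
from ipaddress import ip_address, ip_network

# (source prefix, translated source address) in chain order, as in the message.
SNAT_RULES = [
    ("4.5.6.7/32", "1.2.3.4"),
    ("4.5.6.0/24", "1.2.3.5"),
    ("8.9.0.0/24", "1.2.3.6"),
]


def egress_source(src, rules=SNAT_RULES):
    """Return the translated source for a packet from `src`, or None when no
    rule matches (the packet would leave untranslated)."""
    addr = ip_address(src)
    for prefix, to_source in rules:
        if addr in ip_network(prefix):
            return to_source          # first match wins, like the iptables chain
    return None


def shadowed_rules(rules):
    """Return indices of rules that can never match because an earlier rule
    already covers their whole source prefix (a classic ordering mistake)."""
    shadowed = []
    for i, (prefix, _) in enumerate(rules):
        net = ip_network(prefix)
        if any(net.subnet_of(ip_network(p)) for p, _ in rules[:i]):
            shadowed.append(i)
    return shadowed


if __name__ == "__main__":
    for host in ("4.5.6.7", "4.5.6.8", "8.9.0.1", "10.0.0.1"):
        print(host, "->", egress_source(host))
    # Listing the /24 before the /32 shadows the /32: 4.5.6.7 would go as 1.2.3.5.
    reordered = [SNAT_RULES[1], SNAT_RULES[0], SNAT_RULES[2]]
    print("shadowed rule indices in reordered set:", shadowed_rules(reordered))
    print("4.5.6.7 under reordered set ->", egress_source("4.5.6.7", reordered))
```

Whatever NAT mechanism is chosen on the FreeBSD side, the same ordering property has to hold: the host-specific rule must be evaluated before the subnet rule that contains it.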