Date:      Mon, 4 May 2026 12:50:18 -0400
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: NAT problems 14.3+
Message-ID:  <51a4773f-25d7-406b-b1b1-d738fd97ae8e@denninger.net>
In-Reply-To: <2F1D9FC8-81BA-484D-B7B0-DE94A22392CC@connectedserver.com>
References:  <27FFB189-7608-4A97-AD87-21EC64CBC975@connectedserver.com> <30c2d1b4-d96e-4e25-b2d9-264fdcda2d7e@yandex.ru> <FCC37B22-A051-40B3-BEA0-5458064FCBBF@connectedserver.com> <09e445e7-bea5-41cb-9ffc-9e1268a142de@yandex.ru> <1614DF5F-C565-40AA-A85C-F52A9B9FAA3B@connectedserver.com> <56621F4A-0FDC-4772-BB3B-A68F5230C63B@connectedserver.com> <2F1D9FC8-81BA-484D-B7B0-DE94A22392CC@connectedserver.com>


On 5/4/2026 10:28, Rob Bloemers wrote:
> FWIW
>
> Avoiding in-kernel IPFW NAT and using the rc.firewall / type open with natd in userspace, NAT seems to function fine for my jails.
>
>> On 3 May 2026, at 12:54, Rob Bloemers <bsd@connectedserver.com> wrote:
>>
>> I've tried this setup now on three different machines at three different providers, and each time my simple NAT breaks and I'm still clueless on the why. And it prevents me from moving quite a few machines from 14.3 to newer releases. What works fine on 14.3 breaks on 14.4 or newer, with even worse results on 15.0. Even the ipfw nat example from the FreeBSD manual does not work. I'm sure I can't be the only one with this issue?
>>
>> Really hope somebody can replicate this for him/herself to confirm this and/or give me a solution for my problem.
>>
>> Kind Regards
>> Rob

Precisely what is not working on 14.4?  I've missed some of this but 
that message caught my eye.

I ask because:

FreeBSD 14.4-STABLE (GENERIC) #0 stable/14-n273840-e5ed09ffd592-dirty: 
Thu Mar 26 14:22:11 EDT 2026

IpGW External gateway

And I am using in-kernel ipfw NAT (config file is in 
/usr/local/etc/ipfw.local and is quite-extensive as the configuration 
here is a bit complex):

...

#
# Set up interfaces and set abbreviations
#
iif="ix1"
oif="ix0"
pubif="ix1.3"
#
# Declare networks
# First, all internal addresses are on 192.168.0.0/16.
#
inet="192.168.0.0/16"

# Reassemble UDP packets before continuing so fragmented ones work
#
         ${fwcmd} add 50 reass all from any to any in
....

         ${fwcmd} nat 100 config if ${oif} log same_ports reset redirect_port ......(many)

....

#
# Now pick up all *outbound* packets that originated from an inside address
# (including IPSEC tunneled stuff) and put them through NAT.  We then have
# a packet with a local source address and we can allow it to be sent.
# Therefore, if the packet is outbound let it pass and be done with it.
#
         ${fwcmd} add 8002 nat 100 ip4 from 192.168.0.0/16 to any xmit ${oif}
         ${fwcmd} add 8006 deny log ip4 from 192.168.0.0/16 to any xmit ${oif}

All works as expected and when I went from 14.3 -> 14.4 I did not have 
to make any adjustments.

I've not yet moved to 15.x on this box but will somewhere in the 
not-so-distant future.

-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51a4773f-25d7-406b-b1b1-d738fd97ae8e>