Date: Mon, 01 Jul 2013 16:17:36 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Sami Halabi <sodynet1@gmail.com>
Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, "Paul A. Procacci" <pprocacci@datapipe.com>, freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject: Re: DNAT in freebsd
Message-ID: <51D14930.1060502@grosbein.net>
In-Reply-To: <CAEW%2BogZmd4Rz7OgTKV-k=tnSLgG0Y0-4XO%2BxuELznsgVo0XZ%2BA@mail.gmail.com>
References: <CAEW%2BogYp61U2zjicksYekSdfmLLZh5g9QM3GUg4n16ZbudVZtg@mail.gmail.com>
 <20130629002959.GB20376@nat.myhome>
 <CAEW%2BogZ=a6LZavOtcb_egNWFQ8bJP0gzP6pc90tu1dcWC9K80A@mail.gmail.com>
 <51D006F6.6060809@grosbein.net>
 <CAEW%2Bogbx15KiayBHFJ7T1YVGQ2pwm1ArQaSrjUk6XUOBgVPggA@mail.gmail.com>
 <51D04FA8.8080900@grosbein.net>
 <CAEW%2BogZQ1bHOBNvxkLqnFRrR_b4=e%2BYx9wUjWC8YYr__QsBe3w@mail.gmail.com>
 <CAEW%2BogZmd4Rz7OgTKV-k=tnSLgG0Y0-4XO%2BxuELznsgVo0XZ%2BA@mail.gmail.com>

On 01.07.2013 14:30, Sami Halabi wrote:
> Hi,
>
> I've tried the following:
>
> em1 - ip 10.0.1.1/24
> em2 - ip 11.0.3.1/24
> route add 11.0.4.0/24 11.0.3.2
>
> ipfw flush
> ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
> ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
>
> ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
>
>
> ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
> ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2
>
> what I see in tcpdump and logs is that the rule 1000 converts the ip correctly
> 10.0.1.2->10.0.1.1 ==> 11.0.3.1->10.0.1.1
> while the 2000 rule does nothing...

man ipfw says:

     To let the packet continue after being (de)aliased, set the sysctl
     variable net.inet.ip.fw.one_pass to 0.

By default, rule 1000 "consumes" aliased packets and they do not hit rule 2000 at all.
So, you need to set sysctl net.inet.ip.fw.one_pass=0
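
Added example (not part of the original message, and not ipfw code): a simplified Python model of one trip through the ruleset quoted above, showing which rules a packet hits with net.inet.ip.fw.one_pass set to 1 and to 0. Assumptions: only the nat 1 rewrite reported in the message is modelled, packet direction is ignored, the "allow" action exists only so a hypothetical pass rule can be tested, and the default rule 65535 is taken to be deny (the stock setting).

```python
from dataclasses import dataclass

DEFAULT_RULE = 65535  # ipfw's last rule; assumed here to be "deny"


@dataclass(frozen=True)
class Rule:
    num: int
    action: str   # "nat" or "allow" ("allow" is for hypothetical test rules)
    src: str
    dst: str
    nat: int = 0  # NAT instance number, used when action == "nat"


# The four rules from the quoted message.
RULES = [
    Rule(1000, "nat", "10.0.1.2", "10.0.1.1", nat=1),
    Rule(2000, "nat", "11.0.3.1", "10.0.1.1", nat=2),
    Rule(3000, "nat", "11.0.4.2", "11.0.3.1", nat=2),
    Rule(4000, "nat", "10.0.1.1", "11.0.3.1", nat=1),
]

# Assumption: only the rewrite reported in the message is modelled
# (nat 1 turns source 10.0.1.2 into 11.0.3.1). Any other
# (instance, source) pair leaves the packet unchanged.
REWRITES = {(1, "10.0.1.2"): "11.0.3.1"}


def traverse(src, dst, one_pass, rules=RULES):
    """Return (rule numbers hit, verdict, final source address)."""
    hits = []
    for r in sorted(rules, key=lambda rule: rule.num):
        if (r.src, r.dst) != (src, dst):
            continue
        hits.append(r.num)
        if r.action == "allow":
            return hits, "accept", src
        src = REWRITES.get((r.nat, src), src)
        if one_pass:
            # one_pass=1: the aliased packet is accepted and leaves the ruleset.
            return hits, "accept", src
        # one_pass=0: the rewritten packet continues at the next rule.
    hits.append(DEFAULT_RULE)
    return hits, "deny", src


if __name__ == "__main__":
    for one_pass in (True, False):
        print(one_pass, traverse("10.0.1.2", "10.0.1.1", one_pass))
```

With one_pass=0 the packet does reach rule 2000, but in this model it then falls through to the default rule, so a ruleset that relies on one_pass=0 also needs an explicit rule after the nat rules for the traffic it means to pass.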