From owner-freebsd-net@FreeBSD.ORG Mon Jul 1 10:05:26 2013
Date: Mon, 1 Jul 2013 13:05:25 +0300
Subject: Re: DNAT in freebsd
From: Sami Halabi
To: Eugene Grosbein
Cc: freebsd-net@freebsd.org, "Paul A. Procacci", freebsd-ipfw
In-Reply-To: <51D14930.1060502@grosbein.net>
References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net> <51D14930.1060502@grosbein.net>
List-Id: Networking and TCP/IP with FreeBSD

Hi,

Forgot to mention that, but this sysctl is already set to 0. I see in the logs that packets pass rule 1000.

Sami

On Mon, Jul 1, 2013 at 12:17 PM, Eugene Grosbein wrote:
> On 01.07.2013 14:30, Sami Halabi wrote:
> > Hi,
> >
> > I've tried the following:
> >
> > em1 - ip 10.0.1.1/24
> > em2 - ip 11.0.3.1/24
> > route add 11.0.4.0/24 11.0.3.2
> >
> > ipfw flush
> > ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
> > ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
> >
> > ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> > ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
> >
> > ipfw nat 1 config same_ports unreg_only ip 11.0.3.1
> > ipfw nat 1 config reverse same_ports unreg_only ip 11.0.4.2
> >
> > What I see in tcpdump and the logs is that rule 1000 converts the IP correctly:
> > 10.0.1.2->10.0.1.1 ==> 11.0.3.1->10.0.1.1
> > while rule 2000 does nothing...
>
> man ipfw says:
>
>     To let the packet continue after being (de)aliased, set the sysctl variable
>     net.inet.ip.fw.one_pass to 0.
>
> By default, rule 1000 "consumes" aliased packets and they do not hit rule
> 2000 at all.
> So you need to set sysctl net.inet.ip.fw.one_pass=0.

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
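The one_pass behaviour Eugene describes, as an added example that is not part of the thread: a small Python model of ipfw's rule walk in which a "nat" action either accepts the aliased packet on the spot (one_pass=1) or lets it continue at the next rule (one_pass=0). NAT is reduced to "rewrite the source address to the instance's alias ip", and the alias table, the Packet/Rule classes and the simulate() helper are constructed for illustration, not ipfw's own code.

```python
# Added example (not code from the thread): a model of how ipfw walks rules in
# number order and how net.inet.ip.fw.one_pass decides whether a packet a "nat"
# action just (de)aliased is accepted there (1) or continues at the next rule (0).
# NAT is simplified to "rewrite src to the instance's alias ip" (constructed table).
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "nat" or "allow"
    nat_instance: Optional[int]
    src: str                    # address or "any"
    dst: str

    def matches(self, pkt: Packet) -> bool:
        return self.src in ("any", pkt.src) and self.dst in ("any", pkt.dst)

def run_ruleset(rules: List[Rule], nat_alias: Dict[int, str], pkt: Packet,
                one_pass: int) -> Tuple[Packet, List[int]]:
    trace: List[int] = []       # rule numbers the packet matched, in order
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        trace.append(rule.number)
        if rule.action == "allow":
            return pkt, trace
        pkt = replace(pkt, src=nat_alias[rule.nat_instance])   # "nat": alias it
        if one_pass:
            return pkt, trace   # one_pass=1: the nat rule "consumes" the packet
    return pkt, trace           # one_pass=0 and no rule accepted or denied it

# Rules 1000 and 2000 from the thread plus the implicit default rule 65535.
RULES = [
    Rule(1000, "nat", 1, "10.0.1.2", "10.0.1.1"),
    Rule(2000, "nat", 2, "11.0.3.1", "10.0.1.1"),
    Rule(65535, "allow", None, "any", "any"),
]
NAT_ALIAS = {1: "11.0.3.1", 2: "11.0.4.2"}   # constructed alias ips (assumption)

def simulate(one_pass: int) -> Tuple[Packet, List[int]]:
    return run_ruleset(RULES, NAT_ALIAS, Packet("10.0.1.2", "10.0.1.1"), one_pass)

if __name__ == "__main__":
    print(simulate(1), simulate(0), sep="\n")
```

With one_pass=1 the trace stops at rule 1000 and the packet leaves as 11.0.3.1->10.0.1.1, which matches what Sami saw; with one_pass=0 the aliased packet goes on to match rule 2000 before reaching the default rule.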