Date: Mon, 8 Sep 2014 13:55:49 -0600
From: John Nielsen <lists@jnielsen.net>
To: John Case <case@SDF.ORG>
Cc: freebsd-net@freebsd.org
Subject: Re: When to use and not use divert/natd ...
Message-ID: <366D397B-4521-4E5B-8AB0-2E218192C2AD@jnielsen.net>
In-Reply-To: <Pine.NEB.4.64.1409060308140.2500@faeroes.freeshell.org>
References: <Pine.NEB.4.64.1409060308140.2500@faeroes.freeshell.org>
On Sep 5, 2014, at 9:15 PM, John Case <case@SDF.ORG> wrote:

> For many years I would build FreeBSD firewalls and they would be very, very simple - I just set gateway_enable="yes" in rc.conf and everything just worked.
>
> However, these firewalls *always* had real, routable IPs on both sides. Both interfaces had real, routable IPs.
>
> Now I have a firewall that has two non-routable IPs for its interfaces, and is connected to an internet router with the real IP. When I try to build a very simple firewall it does not work, and I am forced to use ipdivert and natd.
>
> If I use ipdivert and natd, it works just fine.
>
> So, am I correct that I can create a simple gateway without natd/divert as long as both interfaces are real IPs, but if both interfaces are non-routable IPs, I am forced to use divert/natd?

Just think about the 'routing' aspect. In your current scenario it sounds like the Internet-connected device is doing NAT. It knows about its public IP and its private subnet. It sounds like you have a second private subnet behind your FreeBSD machine about which the Internet-connected device knows nothing. For packets to get from the Internet-connected device to your second subnet one of two things needs to happen:

1) The Internet-connected device has a static route to the second subnet (so it knows to use your FreeBSD machine as the gateway), or
2) The FreeBSD machine performs NAT (a second time), so the Internet-connected device sends traffic to it even though it knows nothing about the subnet behind it.

I would prefer 1) as it's simpler and double-NAT isn't generally a good thing. However, if you don't have a way to add a route to the Internet-connected device then 2) isn't necessarily bad.

In your previous all-routable-IPs setups something was presumably advertising the route for you. The new setup isn't much different in principle.
JN

PS: Using the in-kernel NAT with IPFW is simpler and more efficient than using natd...
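The two options above (a static route on the upstream device, or a second NAT on the FreeBSD box) and the PS about in-kernel NAT versus natd(8) can be made concrete with the configuration each one needs. The script below is an added example written for this archive page, not code from either poster. It assumes a constructed layout: upstream NAT router 192.168.1.1, FreeBSD box with em0 = 192.168.1.2 facing it and em1 = 192.168.2.1 facing an inner 192.168.2.0/24 subnet; all interface names and addresses are illustrative. The functions only print the rc.conf lines and ipfw(8)/route(8) commands rather than applying them, so the script can be read and run on any host.

```shell
#!/bin/sh
# Added example (not part of the original thread). Constructed topology:
#   Internet -- [upstream NAT router 192.168.1.1] -- 192.168.1.0/24 -- em0 [FreeBSD] em1 -- 192.168.2.0/24
# Nothing here is applied to the running system; each function prints the
# configuration for one approach so the alternatives can be compared.

UP_ROUTER="192.168.1.1"     # the device that holds the public IP (assumed)
OUTER_IF="em0"              # FreeBSD interface towards the upstream router (assumed)
OUTER_IP="192.168.1.2"
INNER_IF="em1"              # FreeBSD interface towards the second private subnet (assumed)
INNER_IP="192.168.2.1"
INNER_NET="192.168.2.0/24"

# Common to every option: the FreeBSD box must forward packets at all.
base_rcconf() {
    printf 'gateway_enable="YES"\n'
    printf 'defaultrouter="%s"\n' "$UP_ROUTER"
    printf 'ifconfig_%s="inet %s netmask 255.255.255.0"\n' "$OUTER_IF" "$OUTER_IP"
    printf 'ifconfig_%s="inet %s netmask 255.255.255.0"\n' "$INNER_IF" "$INNER_IP"
}

# Option 1: plain routing. No NAT on FreeBSD; the upstream router learns
# that the inner subnet lives behind 192.168.1.2 so return traffic has a path.
# (route(8) syntax shown as if the upstream device were FreeBSD; other
# vendors' CLIs differ.)
option1_upstream_route() {
    printf 'route add -net %s %s\n' "$INNER_NET" "$OUTER_IP"
}

# Option 2a: second NAT via natd(8) and a divert socket. Every packet
# crossing em0 is copied to userland and back, which is the cost the PS refers to.
option2_natd() {
    printf 'natd_enable="YES"\n'                       # rc.conf
    printf 'natd_interface="%s"\n' "$OUTER_IF"          # rc.conf
    printf 'ipfw add 100 divert natd ip from any to any via %s\n' "$OUTER_IF"
}

# Option 2b: the same NAT done in-kernel by ipfw_nat(4). No daemon, no
# divert copy. unreg_only translates only RFC1918 sources (the inner subnet),
# reset flushes the translation table if em0 changes address.
# Only the NAT rules are shown; the site's filtering policy goes around them.
option2_kernel_nat() {
    printf 'kldload ipfw_nat\n'
    printf 'ipfw nat 1 config if %s unreg_only reset\n' "$OUTER_IF"
    printf 'ipfw add 100 nat 1 ip from any to any in via %s\n' "$OUTER_IF"
    printf 'ipfw add 200 nat 1 ip from %s to any out via %s\n' "$INNER_NET" "$OUTER_IF"
}

# Sanity check the routing premise: option 1 requires the upstream device to
# know the inner subnet; options 2a/2b hide it entirely. Returns 0 when the
# generated upstream route names the inner network and the FreeBSD outer IP.
route_covers_inner_net() {
    option1_upstream_route | grep -q -- "$INNER_NET $OUTER_IP"
}

main() {
    echo "## /etc/rc.conf (all options)";  base_rcconf
    echo "## option 1: static route on upstream router"; option1_upstream_route
    echo "## option 2a: natd + divert";    option2_natd
    echo "## option 2b: in-kernel ipfw nat"; option2_kernel_nat
}
main
```

Running the script prints the four fragments side by side. The security-relevant contrast is in option 2b's two NAT rules: inbound de-translation happens before any filtering so that the reply packet is matched against policy with its real inner destination, and only traffic sourced from the inner subnet is translated outbound, so a spoofed packet from elsewhere on em1 is not given the outer address.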