From: John Nielsen <lists@jnielsen.net>
To: Yuri
Cc: net@freebsd.org
Subject: Re: How to forward UDP packets to another port and get responses with port translation?
Date: Tue, 10 Dec 2013 17:51:18 -0700
In-Reply-To: <529D053D.8050700@rawbw.com>
References: <529D053D.8050700@rawbw.com>
List-Id: Networking and TCP/IP with FreeBSD

On Dec 2, 2013, at 3:10 PM, Yuri wrote:

> I would like to translate the port in all DNS requests, so that the server works on a different port (ex. 1053) on the same net and the client works on the original port 53.
>
> I am thinking about two approaches:
>
> * forward packets into the server:
>   ipfw add 200 fwd 192.168.10.1,1053 udp from 192.168.10.0/24 to 192.168.10.1 53
>   The problem with routing responses is that natd(8) doesn't allow changing the source port, only the source address. There is a -alias_address option but no -alias_port option.
>
> * divert and natd(8):
>   natd -port 8668 -interface tap0 -redirect_port udp 192.168.10.1:1053 53
>   $IPF 200 divert natd udp from 192.168.10.0/24 to 192.168.10.1 53 via tap0 keep-state
>
> In both cases reply packets have the source port 1053, and it isn't clear how to make it 53.
> It seems that divert only passes to natd(8) packets from one direction, and not from the other.
>
> Is there a way to properly translate the ports back and forth in such simple UDP communication?

A single nat instance with redirect_port _should_ do what you are asking for; in the above it looks like the responses are bypassing the nat.

Here's an untested off-the-top-of-my-head snippet (using libalias rather than natd):

ipfw nat 100 config ip 192.168.10.1 redirect_port udp 192.168.10.1:1053 53
ipfw add 100 nat 100 ip4 from 192.168.10.0/24 to 192.168.10.1 53
ipfw add 200 nat 100 ip4 from 192.168.10.1 1053 to 192.168.10.0/24

Hope that points you in the right direction.

JN
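The reply's point is that redirect_port is a two-direction translation: the query has its destination port rewritten 53 -> 1053 on the way in, and the answer from 1053 has to pass back through the same nat instance so its source port is rewritten 1053 -> 53. The following is an added illustration, not code from this thread and not libalias or ipfw: a small Python model of a stateful redirect_port link with the two rule directions as separate methods, run once with the reply passing through the nat and once with the reply bypassing it (the symptom in the original post). The addresses and ports are the ones from the thread; the client address 192.168.10.42, the source port 40000 and the unlimited link lifetime are constructed assumptions.

```python
"""Toy model of ipfw 'nat ... redirect_port udp 192.168.10.1:1053 53'.

Constructed example for the freebsd-net thread above; it is not libalias
and not ipfw, only a model of the two translation directions.
"""
from dataclasses import dataclass, replace

ALIAS_IP = "192.168.10.1"   # server address the clients talk to (from the thread)
PUBLIC_PORT = 53            # port the clients send to
TARGET_PORT = 1053          # port the DNS server actually listens on


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class RedirectPortNat:
    """Model of one nat instance configured with a single redirect_port.

    Rule 100 direction: LAN -> ALIAS:53 rewrites dport to 1053 and records a
    link for the client 2-tuple. Rule 200 direction: ALIAS:1053 -> LAN uses
    that link to rewrite sport back to 53. Assumption: links never expire.
    """

    def __init__(self, alias_ip, public_port, target_port, proto="udp"):
        self.alias_ip = alias_ip
        self.public_port = public_port
        self.target_port = target_port
        self.proto = proto
        self.links = set()  # (client ip, client port) seen on the inbound side

    def to_server(self, pkt):
        """Inbound direction (the 'ipfw add 100 nat 100 ... 53' rule)."""
        if (pkt.proto == self.proto and pkt.dst == self.alias_ip
                and pkt.dport == self.public_port):
            self.links.add((pkt.src, pkt.sport))
            return replace(pkt, dport=self.target_port)
        return pkt  # not DNS to the alias address: passes untouched

    def from_server(self, pkt):
        """Reply direction (the 'ipfw add 200 nat 100 from ... 1053' rule)."""
        if (pkt.proto == self.proto and pkt.src == self.alias_ip
                and pkt.sport == self.target_port
                and (pkt.dst, pkt.dport) in self.links):
            return replace(pkt, sport=self.public_port)
        return pkt  # no matching link: left alone


def dns_exchange(nat, reply_through_nat=True):
    """One query/answer round trip. Returns (query, packet seen by server,
    packet seen by client). reply_through_nat=False reproduces the original
    post, where the answer never passed through the nat."""
    query = Packet("udp", "192.168.10.42", 40000, ALIAS_IP, PUBLIC_PORT,
                   "A? example.net")
    at_server = nat.to_server(query)
    # The server answers from the port it received the query on (1053).
    answer = Packet("udp", at_server.dst, at_server.dport,
                    at_server.src, at_server.sport, "A 192.0.2.10")
    if reply_through_nat:
        answer = nat.from_server(answer)
    return query, at_server, answer


def client_accepts(query, answer):
    """A UDP resolver only accepts an answer that comes back from the exact
    address:port it sent the query to, on the port it sent from."""
    return ((answer.src, answer.sport) == (query.dst, query.dport)
            and (answer.dst, answer.dport) == (query.src, query.sport))


if __name__ == "__main__":
    for through in (True, False):
        q, s, a = dns_exchange(RedirectPortNat(ALIAS_IP, PUBLIC_PORT, TARGET_PORT),
                               reply_through_nat=through)
        print(f"reply through nat={through}: server saw dport {s.dport}, "
              f"client saw sport {a.sport}, accepted={client_accepts(q, a)}")
```

With both directions through the nat the client sees the answer from port 53 and accepts it; with the reply bypassing the nat the answer arrives from port 1053 and a resolver socket bound to the 53 conversation discards it, which is exactly the symptom described in the question.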