Date: Fri, 28 Mar 2008 17:35:53 +0000
From: "Jay L. T. Cornwall" <jay@jcornwall.me.uk>
To: freebsd-ipfw@freebsd.org
Subject: IPFW / if_bridge / NAT
Message-ID: <47ED2C79.5080601@jcornwall.me.uk>
Hi,

I have a FreeBSD 7.0 machine bridging two segments of a network:

  vr0 <---> bridge0 <---> vr1

bridge0 has both unregistered and public IP aliases.

In addition to bridging, I need the machine to perform NAT on packets originating from an unregistered subnet (192.168.1.0/24) outbound on interface vr1 to a public IP and back again. No NAT'ing should occur behind vr1.

I initially tried to set this up with ipfw diverting packets to natd like this:

  divert natd any from any to any via vr1

This seemed to NAT packets outbound correctly, but the replies were never NAT'd back to the private IPs. I believe the presence of the bridge affects ipfw's ability to divert the appropriate packets.

This configuration partly works:

  divert natd any from 192.168.1.0/24 to any
  divert natd any from any to <public IP>

However, NAT'ing then predictably occurs behind interface vr1, which causes internal routing problems.

None of my attempts to NAT directly on the bridge0 interface managed to perform any packet rewriting at all. This may be a problem with my sysctl settings, many of which I'm unsure about:

  net.link.bridge.pfil_onlyip: 0
  net.link.bridge.pfil_member: 1
  net.link.bridge.pfil_bridge: 0
  net.link.bridge.pfil_local_phys: 0
  net.link.bridge.ipfw: 0
  net.link.bridge.ipfw_arp: 0

Is anyone able to suggest an IPFW/bridge configuration that will NAT only across the vr1 interface of the if_bridged network?

Thanks,

-- 
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
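The post quotes a set of net.link.bridge.* sysctls without saying what they do to rule matching. The script below is an added example, not part of the original message or any reply to it; it reads a `sysctl net.link.bridge` dump and reports which interface names an ipfw rule can match for frames that cross the bridge, following the semantics in if_bridge(4): pfil_member=1 runs bridged packets through the firewall on the member (physical) interfaces, pfil_bridge=1 runs them through on the bridge interface itself, and net.link.bridge.ipfw=1 enables layer-2 ipfw filtering on the members (the kernel clears pfil_member and pfil_bridge when it is set). The sample input is the poster's own values, reformatted as constructed sysctl output; the interface names bridge0/vr0/vr1 are taken from the post. With pfil_member=1 and pfil_bridge=0, rules keyed on bridge0 never see bridged traffic, which is consistent with the poster's observation, though the script does not address why replies diverted via vr1 were not translated back.

```shell
#!/bin/sh
# Added example (not from the original post): report where ipfw gets to see
# frames crossing an if_bridge, derived from the net.link.bridge.* sysctls.
# Interpretation follows if_bridge(4):
#   pfil_member=1 -> bridged packets pass the firewall on the member
#                    (physical) interfaces, inbound and outbound
#   pfil_bridge=1 -> bridged packets additionally pass the firewall on the
#                    bridge interface itself
#   ipfw=1        -> layer-2 ipfw filtering on the members; the kernel turns
#                    pfil_member/pfil_bridge off when this is enabled

# Constructed input: the values quoted in the post, in the "name: value"
# format that `sysctl net.link.bridge` prints on FreeBSD.
SAMPLE_SYSCTLS='net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0'

# sysctl_value NAME : read "name: value" lines on stdin, print NAME's value
sysctl_value() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# filter_points BRIDGE MEMBER... : read a sysctl dump on stdin and print, on
# one space-separated line, the interface names an ipfw rule can match
# (via/recv/xmit) for traffic bridged between the MEMBER interfaces.
# Prints "none" when the bridge code hands nothing to the firewall.
filter_points() {
    bridge_if="$1"; shift
    dump=$(cat)
    pfil_member=$(printf '%s\n' "$dump" | sysctl_value net.link.bridge.pfil_member)
    pfil_bridge=$(printf '%s\n' "$dump" | sysctl_value net.link.bridge.pfil_bridge)
    l2_ipfw=$(printf '%s\n' "$dump" | sysctl_value net.link.bridge.ipfw)

    points=""
    if [ "$pfil_member" = 1 ] || [ "$l2_ipfw" = 1 ]; then
        points="$*"                      # member interfaces: vr0 vr1 in the post
    fi
    if [ "$pfil_bridge" = 1 ]; then
        points="${points:+$points }$bridge_if"   # bridge interface: bridge0
    fi
    printf '%s\n' "${points:-none}"
}

# Run against the constructed dump. On a FreeBSD box, feed the live values
# instead:  sysctl net.link.bridge | filter_points bridge0 vr0 vr1
printf '%s\n' "$SAMPLE_SYSCTLS" | filter_points bridge0 vr0 vr1   # vr0 vr1
```

The output "vr0 vr1" for the poster's settings means ipfw rules for bridged traffic must name the member interfaces; a `via bridge0` rule would only match traffic that terminates on or originates from the bridge's own IP aliases, not frames forwarded between vr0 and vr1.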