From: "Jay L. T. Cornwall" <jay@jcornwall.me.uk>
Date: Fri, 28 Mar 2008 17:35:53 +0000
To: freebsd-ipfw@freebsd.org
Subject: IPFW / if_bridge / NAT
Message-ID: <47ED2C79.5080601@jcornwall.me.uk>

Hi,

I have a FreeBSD 7.0 machine bridging two segments of a network:

  vr0 <---> bridge0 <---> vr1

bridge0 has both unregistered and public IP aliases.

In addition to bridging, I need the machine to perform NAT on packets
originating from an unregistered subnet (192.168.1.0/24) outbound on
interface vr1 to a public IP and back again. No NAT'ing should occur
behind vr1.

I initially tried to set this up with ipfw diverting packets to natd like
this:

  divert natd any from any to any via vr1

This seemed to NAT packets outbound correctly, but the replies were never
NAT'd back to the private IPs. I believe the presence of the bridge affects
ipfw's ability to divert the appropriate packets.

This configuration partly works:

  divert natd any from 192.168.1.0/24 to any
  divert natd any from any to

However, NAT'ing then predictably occurs behind interface vr1, which causes
internal routing problems.

None of my attempts to NAT directly on the bridge0 interface managed to
perform any packet rewriting at all. This may be a problem with my sysctl
settings, many of which I'm unsure about:

  net.link.bridge.pfil_onlyip: 0
  net.link.bridge.pfil_member: 1
  net.link.bridge.pfil_bridge: 0
  net.link.bridge.pfil_local_phys: 0
  net.link.bridge.ipfw: 0
  net.link.bridge.ipfw_arp: 0
  net.inet.ip.fw.one_pass: 1

Is anyone able to suggest an IPFW/bridge configuration that will NAT only
across the vr1 interface of the if_bridged network?

Thanks,

-- 
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
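The sysctl values quoted in the post decide which interfaces the pfil hooks (and therefore ipfw) see bridged traffic on, per if_bridge(4): members (vr0, vr1) only when pfil_member is 1, the bridge interface itself only when pfil_bridge is 1. The script below is an added example, not code from the post or from FreeBSD; it applies those semantics to the posted snapshot (embedded inline so it runs without a bridge present) and reports whether a rule naming a given interface can match at all. The helper names sysctl_val and rule_can_match are assumptions of this example.

```shell
#!/bin/sh
# Added example: evaluate the net.link.bridge.pfil_* snapshot from the post
# and report on which interfaces an ipfw "via IFACE" rule can see traffic.
# The snapshot is constructed inline (values as quoted in the post).
SYSCTL_SNAPSHOT='net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.ipfw: 0'

# sysctl_val NAME: print the value recorded for NAME in the snapshot.
sysctl_val() {
    printf '%s\n' "$SYSCTL_SNAPSHOT" | awk -v k="$1:" '$1 == k { print $2 }'
}

# rule_can_match IFACE: return 0 if an ipfw rule naming IFACE (via/recv/xmit)
# can match bridged packets under the snapshot, 1 otherwise.
# if_bridge(4): bridge0 is hooked only when pfil_bridge=1; member
# interfaces (vr0, vr1, names taken from the post) only when pfil_member=1.
rule_can_match() {
    case "$1" in
        bridge0) [ "$(sysctl_val net.link.bridge.pfil_bridge)" = 1 ] ;;
        vr0|vr1) [ "$(sysctl_val net.link.bridge.pfil_member)" = 1 ] ;;
        *)       return 1 ;;
    esac
}

# Report for each interface named in the post.
for ifn in bridge0 vr0 vr1; do
    if rule_can_match "$ifn"; then
        echo "$ifn: pfil hooked, rules with 'via $ifn' can match"
    else
        echo "$ifn: not hooked, rules with 'via $ifn' never match"
    fi
done
```

With the posted values this reports bridge0 as not hooked, which is consistent with the observation that NAT rules written against bridge0 rewrote nothing.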