Date: Fri, 28 Mar 2008 11:18:20 -0700
From: Freddie Cash <fjwcash@gmail.com>
To: freebsd-ipfw@freebsd.org
Subject: Re: IPFW / if_bridge / NAT
Message-ID: <200803281118.20653.fjwcash@gmail.com>
In-Reply-To: <47ED2C79.5080601@jcornwall.me.uk>
References: <47ED2C79.5080601@jcornwall.me.uk>
On March 28, 2008 10:35 am Jay L. T. Cornwall wrote:
> Hi,
>
> I have a FreeBSD 7.0 machine bridging two segments of a network:
>
> vr0 <---> bridge0 <---> vr1
>
> bridge0 has both unregistered and public IP aliases. In addition to
> bridging, I need the machine to perform NAT on packets originating from
> an unregistered subnet (192.168.1.0/24) outbound on interface vr1 to a
> public IP and back again. No NAT'ing should occur behind vr1.
>
> I initially tried to set this up with ipfw diverting packets to natd
> like this:
> divert natd any from any to any via vr1
>
> This seemed to NAT packets outbound correctly, but the replies were
> never NAT'd back to the private IPs. I believe the presence of the
> bridge affects ipfw's ability to divert the appropriate packets. This
> configuration partly works:
> divert natd any from 192.168.1.0/24 to any
> divert natd any from any to <public IP>

Have you tried restricting your rules to only the vr1 interfaces, with
<public IP> configured directly on vr1:

divert natd ip from 192.168.1.0/24 to any out xmit vr1
divert natd ip from any to <public IP> in recv vr1

-- 
Freddie Cash
fjwcash@gmail.com
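The following is an added example, not part of either message in this thread: a small sh wrapper that generates and sanity-checks an ipfw ruleset built around the direction-restricted divert rules suggested in the reply. It assumes the layout described above (vr0 and vr1 bridged through bridge0, natd listening on its default divert port, and the public address configured directly on vr1 as the reply suggests); the rule numbers, the final allow rule, and the PUBLIC_IP value are placeholders of mine, not values from the thread, and a real ruleset would keep the host's own filtering rules in place of the trailing allow.

```shell
#!/bin/sh
# Added example for the ipfw/if_bridge/natd thread; not the original poster's
# or replier's configuration. Interface names follow the thread; the public
# address below is a documentation-range placeholder to be replaced.
: "${PRIV_NET:=192.168.1.0/24}"
: "${PUBLIC_IP:=203.0.113.10}"   # placeholder, not from the thread
: "${EXT_IF:=vr1}"

# Emit the ruleset rather than loading it directly, so it can be reviewed
# (or diffed against "ipfw list") before it touches a production bridge.
gen_rules() {
    cat <<EOF
# Divert only the two flows natd must rewrite: private -> world leaving on
# $EXT_IF, and world -> $PUBLIC_IP arriving on $EXT_IF. A bare "via $EXT_IF"
# matches both directions of everything crossing the interface, including
# bridged traffic that should never be translated.
add 00100 divert natd ip from $PRIV_NET to any out xmit $EXT_IF
add 00110 divert natd ip from any to $PUBLIC_IP in recv $EXT_IF
# Everything else falls through to the site's own filtering (assumed here).
add 65000 allow ip from any to any
EOF
}

# Refuse any divert rule that lacks an explicit direction and interface:
# that unrestricted pattern is the one the thread found unreliable behind
# a bridge. Returns 0 when every divert rule is restricted.
check_rules() {
    ! gen_rules | grep -E '^add [0-9]+ divert' | grep -vqE ' (out xmit|in recv) '
}

# Load the generated rules into the kernel (run as root on the bridge host).
# Note: for ipfw to see packets on a bridge member such as vr1, the
# net.link.bridge.pfil_member sysctl must be enabled (see if_bridge(4)).
apply_rules() {
    check_rules || { echo "refusing: unrestricted divert rule present" >&2; return 1; }
    gen_rules | grep -v '^#' | while read -r rule; do
        # shellcheck disable=SC2086
        ipfw -q $rule
    done
}

# natd must already be running with the public address it should use, e.g.
#   natd -a "$PUBLIC_IP"   (or: natd -n "$EXT_IF")
# Run "apply_rules" after that; "gen_rules" alone just prints the set.
```

`check_rules` is deliberately strict: it catches the `divert natd any from any to any via vr1` form from the first attempt, and also the two unrestricted rules in the "partly works" variant, before anything is loaded.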