Date:      Fri, 28 Mar 2008 21:27:27 +0000
From:      "Jay L. T. Cornwall" <jay@jcornwall.me.uk>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: IPFW / if_bridge / NAT
Message-ID:  <47ED62BF.4070100@jcornwall.me.uk>
In-Reply-To: <200803281118.20653.fjwcash@gmail.com>
References:  <47ED2C79.5080601@jcornwall.me.uk> <200803281118.20653.fjwcash@gmail.com>

Freddie Cash wrote:

>> This seemed to NAT packets outbound correctly, but the replies were
>> never NAT'd back to the private IPs. I believe the presence of the
>> bridge affects ipfw's ability to divert the appropriate packets. This
>> configuration partly works:
>>   divert natd any from 192.168.1.0/24 to any
>>   divert natd any from any to <public IP>

> Have you tried restricting your rules to only the vr1 interfaces, with 
> <public IP> configured directly on vr1:
> 
> divert natd ip from 192.168.1.0/24 to any out xmit vr1
> divert natd ip from any to <public IP> in recv vr1

Ah, there are recv/xmit semantics as well as in/out. I need to read the
man page more thoroughly!

However, this doesn't seem to work. It has the same symptoms as a single
'any to any via vr1' diversion: outbound packets are rewritten correctly
(verified at the destination) but the replies are never rewritten.

00601   3   180 divert 8668 ip from 192.168.1.0/24 to any out xmit vr1
00602   0     0 divert 8668 ip from any to <public ip> in recv vr1

Nothing ever reaches the second rule. I think the bridge changes ipfw
filtering properties, because the simple 'any to any via vr1' is
mentioned a lot in the literature. It just doesn't work here?

-- 
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
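Added example, not part of the thread: a small shell check that automates the counter inspection Jay does by hand above (spotting a divert rule whose packet count never moves). It assumes `ipfw -a list` output in the form rule number, packet count, byte count, rule body; the sample input below is constructed from the two rules quoted in the mail, with 203.0.113.10 standing in for the unspecified public IP.

```shell
#!/bin/sh
# Added example, not from the thread. On a live host run
#   ipfw -a list | find_dead_diverts
# Here the input is a constructed sample built from the counters quoted in
# the mail, with the placeholder 203.0.113.10 in place of <public ip>.
SAMPLE_RULES='00601     3     180 divert 8668 ip from 192.168.1.0/24 to any out xmit vr1
00602     0       0 divert 8668 ip from any to 203.0.113.10 in recv vr1
65535   120    9000 allow ip from any to any'

# Read `ipfw -a list` output (rule number, packets, bytes, body) on stdin and
# print "<rule> (<direction>) never matched" for every divert rule whose
# packet counter is still zero. A divert rule that never fires means natd
# never sees that direction of the flow, which is the one-way NAT symptom
# described in the mail (outbound rewritten, replies untouched).
find_dead_diverts() {
    awk '$4 == "divert" && $2 == 0 {
        dir = "unknown direction"
        for (i = 5; i <= NF; i++)
            if ($i == "in" || $i == "out") dir = $i " " $(i+1) " " $(i+2)
        print $1 " (" dir ") never matched"
    }'
}

# Wrapper over the constructed sample so the check can be run offline.
check_sample() {
    printf '%s\n' "$SAMPLE_RULES" | find_dead_diverts
}
```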