From: Andrea Venturoli
To: "Bruce A. Mah"
Cc: freebsd-net@freebsd.org
Date: Thu, 22 Feb 2007 18:22:30 +0100
Subject: Re: Bridge and NAT problems
Message-ID: <45DDD156.3020805@netfence.it>
In-Reply-To: <45DDC9CD.1020207@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

Bruce A. Mah wrote:
> You didn't say which bridging driver or version of FreeBSD you're using,
> but it sounds to me like you're using bridge(4), right?

Yes.

> This is a fairly well known problem, which I wrote a little bit about here:
>
> http://lists.freebsd.org/pipermail/freebsd-net/2004-December/006075.html
>
> (This message describes a scenario with ipf, but it applies equally well
> I think to ipfw.)

Read that.
So I guess my analysis was wrong in that I thought natd was not reconverting packets; from what you say I understand the problem is that these packets are not diverted to natd, right?
The details are right now beyond my understanding...

> If you can, try switching to using if_bridge(4).

I cannot right now, since I have to wait to be physically at this box, but I could try in the future.
Do you see any drawback?

> You (probably) want to assign the public NAT address to the bridge0 interface, and leave the
> physical interfaces making up the bridges (xl0 and rl1 in your case)
> unnumbered. I've had good experiences with this type of configuration.

Ok.
So I would only need to:

- create the bridge0 interface as per man page
- sysctl net.link.bridge.ipfw=1
- sysctl net.link.bridge.pfil_onlyip=0
- change every reference to rl1 in my ipfw ruleset to bridge0

Anything else?
Would everything work the same as now (apart from this "feature" which is causing me troubles)?

 bye & Thanks a lot
	av.
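The if_bridge(4) setup the two messages above sketch (public NAT address on bridge0, xl0 and rl1 left unnumbered, the two net.link.bridge sysctls, ipfw rules rewritten from rl1 to bridge0), written out as an added example. This is not configuration from the original message, from Bruce Mah's post or from the FreeBSD man pages: the addresses 203.0.113.2/24 and 203.0.113.1 are constructed, the rule numbers are arbitrary, the explicit layer2 allow rule is my own addition (not something either writer proposed), and the rc.conf variables assume the 6.x-era rc.conf and rc.firewall conventions.

```conf
# /etc/rc.conf (fragment)
# Bridge xl0 and rl1 with if_bridge(4); the public address lives on bridge0
# and the member interfaces only get brought up, with no address of their own.
# 203.0.113.2/24 and 203.0.113.1 are constructed example values.
cloned_interfaces="bridge0"
ifconfig_bridge0="addm xl0 addm rl1 inet 203.0.113.2 netmask 255.255.255.0 up"
ifconfig_xl0="up"
ifconfig_rl1="up"
defaultrouter="203.0.113.1"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="bridge0"

# /etc/sysctl.conf (fragment): the two knobs named in the message.
# ipfw=1 makes ipfw see bridged (layer-2) frames as well as routed packets;
# pfil_onlyip=0 passes non-IP frames (ARP and the like) through pfil too.
net.link.bridge.ipfw=1
net.link.bridge.pfil_onlyip=0

# /etc/ipfw.rules (fragment): every former "via rl1" now reads "via bridge0".
# Rule 100 is an assumption of this example: with net.link.bridge.ipfw=1 the
# ruleset is also consulted for bridged frames, and this lets them through
# before the NAT rules, which are meant for routed IP traffic only.
add 100 allow ip from any to any layer2
add 200 divert natd ip from any to any via bridge0
add 300 check-state
add 400 allow ip from any to any out via bridge0 keep-state
add 65000 deny log ip from any to any
```

After a reboot (or after applying the fragments by hand), `ifconfig bridge0` should list xl0 and rl1 as members and show the inet address on bridge0 itself, and `sysctl net.link.bridge.ipfw net.link.bridge.pfil_onlyip` should print 1 and 0. The check for the problem this thread is about is `ipfw -a list`: the packet counter on the divert rule must climb while NATed traffic flows; if it stays at zero, packets are still bypassing natd and the ruleset or the interface names need another look.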