From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 30 05:15:58 2013
Date: Sun, 30 Jun 2013 08:15:57 +0300
From: Sami Halabi
To: "Paul A. Procacci"
Cc: freebsd-ipfw, freebsd-net@freebsd.org
Subject: Re: DNAT in freebsd
References: <20130629002959.GB20376@nat.myhome>
List-Id: IPFW Technical Discussions

Any buyers? :)
I need your kind help on this...

Sami

On 29 Jun 2013 09:50, "Sami Halabi" wrote:
> I think I was misunderstood...
> Here is the situation I want to handle:
> My box is a router that handles several /24s behind it.
> One of my links (em0) is connected to a private network; 192.168.0.1 is me,
> my neighbour is 192.168.0.2.
> I want to make any connection that comes to 192.168.0.1 go to IP
> 193.xxx.yyy.2 using the specific public IP 84.xx.yy.1,
> and packets coming to my public IP 84.xx.yy.1 to be translated as if they
> came from 192.168.0.1 and sent to 192.168.0.2 or any other IPs
> behind it (192.168.1.xx/24).
>
> Hope that makes it clearer, and I appreciate any help.
>
> Sami
>
> On 29 Jun 2013 03:30, "Paul A. Procacci" wrote:
>
>> > Hi, (sorry for sending again, the last email was with the wrong subject)
>> > I would like to perform a full DNAT/SNAT as in iptables in:
>> > linux-ip.net/html/nat-dnat.html
>> > How can it be done in FreeBSD? I use ipfw.
>> >
>> > I searched the natd man page, but it's translation, and the proxy_rule is
>> > for a specific port, not whole transparency.
>> >
>>
>> Using in-kernel nat is probably a better choice IMHO.
>>
>> read `man ipfw(8)`
>>
>> The section labeled EXAMPLES has exactly what you need.
>> Here is a snippet from the manpage to get you started:
>>
>> -------------------------------
>>
>> Then to configure nat instance 123 to alias all the outgoing traffic with
>> ip 192.168.0.123, blocking all incoming connections, trying to keep same
>> ports on both sides, clearing aliasing table on address change and keeping
>> a log of traffic/link statistics:
>>
>>       ipfw nat 123 config ip 192.168.0.123 log deny_in reset same_ports
>>
>>       ipfw nat 123 config redirect_addr 10.0.0.1 10.0.0.66
>>                           redirect_port tcp 192.168.0.1:80 500
>>                           redirect_proto udp 192.168.1.43 192.168.1.1
>>                           redirect_addr 192.168.0.10,192.168.0.11
>>                                         10.0.0.100      # LSNAT
>>                           redirect_port tcp 192.168.0.1:80,192.168.0.10:22
>>                                         500             # LSNAT
>>
>> -------------------------------
>>
>> ~Paul
>>
>> ________________________________
>>
>> This message may contain confidential or privileged information. If you
>> are not the intended recipient, please advise us immediately and delete
>> this message. See http://www.datapipe.com/legal/email_disclaimer/ for
>> further information on confidentiality and the risks of non-secure
>> electronic communication. If you cannot access these links, please notify
>> us by reply message and we will send the contents to you.

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 30 09:16:02 2013
Date: Sun, 30 Jun 2013 04:15:11 -0500
From: "Paul A. Procacci"
To: Sami Halabi
Cc: freebsd-net@freebsd.org, freebsd-ipfw
Subject: Re: DNAT in freebsd
Message-ID: <20130630091511.GC20376@nat.myhome>
References: <20130629002959.GB20376@nat.myhome>

On Sat, Jun 29, 2013 at 09:50:15AM +0300, Sami Halabi wrote:
> I think I was misunderstood...
> Here is the situation I want to handle:
> My box is a router that handles several /24s behind it.
> One of my links (em0) is connected to a private network; 192.168.0.1 is me,
> my neighbour is 192.168.0.2.
> I want to make any connection that comes to 192.168.0.1 go to IP
> 193.xxx.yyy.2 using the specific public IP 84.xx.yy.1,
> and packets coming to my public IP 84.xx.yy.1 to be translated as if they
> came from 192.168.0.1 and sent to 192.168.0.2 or any other IPs
> behind it (192.168.1.xx/24).
>
> Hope that makes it clearer, and I appreciate any help.
>
> Sami
> On 29 Jun 2013 03:30, "Paul A. Procacci" wrote:

The answer I provided you does exactly what you want it to do. Not to mention
the man page goes over other things as well if the answer I provided you
wasn't accurate. Here is my config that I use for my home setup.

The config:

- binds a nat instance on the primary interface
- denies all inbound SYNs among other things
- forwards packets originating on the internal network interface through nat
- and returns packets (ACKs) back to the original sender.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#!/bin/sh
###################### Start of IPFW Configuration ####################
# Set rules command prefix :: Rule numbering cannot exceed 900

cmd="/sbin/ipfw -q"
pif="de0"        # Public NIC
iif="bridge0"    # Internal NIC

##############################################
# Flush current rules and do config.
$cmd -f flush
$cmd enable one_pass
##############################################

${cmd} add 00001 allow all from any to any via lo0
${cmd} add 00002 deny all from any to 127.0.0.0/8
${cmd} add 00003 deny ip from 127.0.0.0/8 to any

${cmd} nat 1 config if ${pif} log deny_in reset unreg_only same_ports
${cmd} add 00020 nat 1 all from any to any via ${pif}

${cmd} add 00050 allow all from any to any via ${iif}

${cmd} add 65534 deny log all from any to any
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Again, this information is found in `man ipfw(8)` and does what you are
asking.

~Paul
From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 30 10:23:06 2013
Date: Sun, 30 Jun 2013 17:22:46 +0700
From: Eugene Grosbein
To: Sami Halabi
Cc: freebsd-net@freebsd.org, "Paul A. Procacci", freebsd-ipfw
Subject: Re: DNAT in freebsd
Message-ID: <51D006F6.6060809@grosbein.net>
References: <20130629002959.GB20376@nat.myhome>

On 29.06.2013 13:50, Sami Halabi wrote:
> I think I was misunderstood...
> Here is the situation I want to handle:
> My box is a router that handles several /24s behind it.
> One of my links (em0) is connected to a private network; 192.168.0.1 is me,
> my neighbour is 192.168.0.2.
> I want to make any connection that comes to 192.168.0.1 go to IP
> 193.xxx.yyy.2 using the specific public IP 84.xx.yy.1,
> and packets coming to my public IP 84.xx.yy.1 to be translated as if they
> came from 192.168.0.1 and sent to 192.168.0.2 or any other IPs
> behind it (192.168.1.xx/24).
>
> Hope that makes it clearer, and I appreciate any help.

You need to set up 2 ipfw nat instances, one to translate source IPs,
another to translate destination IPs (this one needs "reverse" mode).

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 30 11:46:46 2013
Date: Sun, 30 Jun 2013 14:46:46 +0300
From: Sami Halabi
To: "Paul A. Procacci"
Cc: "freebsd-net@freebsd.org", freebsd-ipfw
Subject: Re: DNAT in freebsd
In-Reply-To: <20130630091511.GC20376@nat.myhome>
References: <20130629002959.GB20376@nat.myhome> <20130630091511.GC20376@nat.myhome>

Hi,
Thanks for your time.
What this configuration does is a normal NAT configuration (SNAT). What I'm
seeking is a combination of SNAT & DNAT to act as a transparent proxy, as:
192.168.0.2 connects to me (192.168.0.1); it'll actually talk with
193.xx.yy.1 without knowing it, using my special public IP 194.xx.yy.1, and
when 193.xx.yy.1 wants to open a connection with 192.168.0.2 it will connect
to 194.xx.yy.1 and 192.168.0.2 will think 192.168.0.1 is talking with it...

Any ideas???

Sami

On Sun, Jun 30, 2013 at 12:15 PM, Paul A. Procacci wrote:
> The answer I provided you does exactly what you want it to do. Not to
> mention the man page goes over other things as well if the answer I
> provided you wasn't accurate. Here is my config that I use for my home
> setup.
>
> The config:
>
> - binds a nat instance on the primary interface
> - denies all inbound SYNs among other things
> - forwards packets originating on the internal network interface through nat
> - and returns packets (ACKs) back to the original sender.
>
> Again, this information is found in `man ipfw(8)` and does what you are
> asking.
>
> ~Paul

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 30 11:48:34 2013
Date: Sun, 30 Jun 2013 14:48:34 +0300
From: Sami Halabi
To: Eugene Grosbein
Cc: "freebsd-net@freebsd.org", "Paul A. Procacci", freebsd-ipfw
Subject: Re: DNAT in freebsd
In-Reply-To: <51D006F6.6060809@grosbein.net>
References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net>

Hi,
I don't understand how reverse mode works exactly, and didn't find a good
example.

Can you try and help with the configuration?

Thanks in advance,
Sami

On Sun, Jun 30, 2013 at 1:22 PM, Eugene Grosbein wrote:
> You need to set up 2 ipfw nat instances, one to translate source IPs,
> another to translate destination IPs (this one needs "reverse" mode).
From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 30 15:33:19 2013
Date: Sun, 30 Jun 2013 22:32:56 +0700
From: Eugene Grosbein
To: Sami Halabi
Cc: "freebsd-net@freebsd.org", "Paul A. Procacci", freebsd-ipfw
Subject: Re: DNAT in freebsd
Message-ID: <51D04FA8.8080900@grosbein.net>
References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net>

On 30.06.2013 18:48, Sami Halabi wrote:
> Hi,
> I don't understand how reverse mode works exactly, and didn't find a good
> example.
>
> Can you try and help with the configuration?

Well, that's pretty simple. Generally, NAT translates the source IP address
of the packet, keeping the destination IP intact. You need both source and
destination addresses to get translated. Reverse NAT does, well, the reverse
thing: it translates the destination IP, keeping the source IP intact.
So, you just need to set up two ipfw nat instances, one "general" and one
"reverse", and pass your packets through both instances.

Eugene Grosbein

From owner-freebsd-ipfw@FreeBSD.ORG Sun Jun 30 20:27:02 2013
Date: Sun, 30 Jun 2013 23:27:02 +0300
From: Sami Halabi
To: Eugene Grosbein
Cc: "freebsd-net@freebsd.org", "Paul A. Procacci", freebsd-ipfw
Subject: Re: DNAT in freebsd
In-Reply-To: <51D04FA8.8080900@grosbein.net>
References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net>

Hi Eugene,
It simply doesn't work for me; the reverse option doesn't work properly for
me.... it keeps translating the source instead of the destination...

On Sun, Jun 30, 2013 at 6:32 PM, Eugene Grosbein wrote:
> Well, that's pretty simple. Generally, NAT translates the source IP address
> of the packet, keeping the destination IP intact. You need both source and
> destination addresses to get translated. Reverse NAT does, well, the
> reverse thing: it translates the destination IP, keeping the source IP
> intact.
> So, you just need to set up two ipfw nat instances, one "general" and one
> "reverse", and pass your packets through both instances.
>
> Eugene Grosbein

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 1 07:30:19 2013
Date: Mon, 1 Jul 2013 10:30:18 +0300
From: Sami Halabi
To: Eugene Grosbein
Cc: "freebsd-net@freebsd.org", "Paul A. Procacci", freebsd-ipfw
Subject: Re: DNAT in freebsd
References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net>

Hi,

I've tried the following:

em1 - ip 10.0.1.1/24
em2 - ip 11.0.3.1/24
route add 11.0.4.0/24 11.0.3.2

ipfw flush
ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1

ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1

ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2

What I see in tcpdump and the logs is that rule 1000 converts the IP
correctly,
10.0.1.2->10.0.1.1 ==> 11.0.3.1->10.0.1.1
while the 2000 rule does nothing...

Thanks in advance,
Sami

On Sun, Jun 30, 2013 at 11:27 PM, Sami Halabi wrote:
> Hi Eugene,
>
> It simply doesn't work for me; the reverse option doesn't work properly
> for me.... it keeps translating the source instead of the destination...

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 1 09:17:52 2013
Date: Mon, 01 Jul 2013 16:17:36 +0700
From: Eugene Grosbein
To: Sami Halabi
Cc: "freebsd-net@freebsd.org", "Paul A. Procacci", freebsd-ipfw
Subject: Re: DNAT in freebsd
Message-ID: <51D14930.1060502@grosbein.net>
References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net>

On 01.07.2013 14:30, Sami Halabi wrote:
> Hi,
>
> I've tried the following:
>
> em1 - ip 10.0.1.1/24
> em2 - ip 11.0.3.1/24
> route add 11.0.4.0/24 11.0.3.2
>
> ipfw flush
> ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
> ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
>
> ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
>
> ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
> ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2
>
> What I see in tcpdump and the logs is that rule 1000 converts the IP
> correctly,
> 10.0.1.2->10.0.1.1 ==> 11.0.3.1->10.0.1.1
> while the 2000 rule does nothing...

man ipfw says:

     To let the packet continue after being (de)aliased, set the sysctl
     variable net.inet.ip.fw.one_pass to 0.

By default, rule 1000 "consumes" aliased packets and they do not hit rule
2000 at all.
So, you need to set sysctl net.inet.ip.fw.one_pass=0 From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 1 10:05:26 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 51A7CAB8; Mon, 1 Jul 2013 10:05:26 +0000 (UTC) (envelope-from sodynet1@gmail.com) Received: from mail-pa0-x229.google.com (mail-pa0-x229.google.com [IPv6:2607:f8b0:400e:c03::229]) by mx1.freebsd.org (Postfix) with ESMTP id 27A8E1E2F; Mon, 1 Jul 2013 10:05:26 +0000 (UTC) Received: by mail-pa0-f41.google.com with SMTP id bj3so4856496pad.14 for ; Mon, 01 Jul 2013 03:05:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=gUFcWIn+6Egf9Ma3ts4dElHxIs62/t4Ou0SvBAhgtXs=; b=A9nsDXcTk3SIvwpT7yqCQNdlvbqbyAnR0ZjHQ+nmklX5m2rjC9Ec4wL7MIozka1ut/ vZUuIMPE7WyC31vr5LojVTT+t0l05W3FTOK7WzLJdaKwVe8fXSTY4VioqEexh/fmFd22 +puuWRBHX35BjGu7ifwIlg2UNu9vbPgHCIpiRtRItUHQK628WcbUtwhbLZTp82KmQuAv gVSs+0gqmlKlaOA5teERr/ArRdwJzcdoBbzMI9zOW40XN8uoYi9rtYqGaNVGD/+8iibS Gtr7rXEKsoFSoKU0gefQi2YmECOXNx53dRRr0UMa6OQFcvrSQPDh/4WpUzOrnYxaykr+ GgCw== MIME-Version: 1.0 X-Received: by 10.68.252.36 with SMTP id zp4mr23153576pbc.51.1372673125951; Mon, 01 Jul 2013 03:05:25 -0700 (PDT) Received: by 10.70.71.7 with HTTP; Mon, 1 Jul 2013 03:05:25 -0700 (PDT) In-Reply-To: <51D14930.1060502@grosbein.net> References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net> <51D14930.1060502@grosbein.net> Date: Mon, 1 Jul 2013 13:05:25 +0300 Message-ID: Subject: Re: DNAT in freebsd From: Sami Halabi To: Eugene Grosbein Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: "freebsd-net@freebsd.org" , "Paul A. 
Procacci" , freebsd-ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Jul 2013 10:05:26 -0000

Hi,
forgot to mention that but this sysctl is already set to 0.
I see in the logs packets pass 1000 rule.

Sami

On Mon, Jul 1, 2013 at 12:17 PM, Eugene Grosbein wrote:
> On 01.07.2013 14:30, Sami Halabi wrote:
> > Hi,
> >
> > I've tried the following:
> >
> > em1 - ip 10.0.1.1/24
> > em2 - ip 11.0.3.1/24
> > route add 11.0.4.0/24 11.0.3.2
> >
> > ipfw flush
> > ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
> > ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
> >
> > ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> > ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
> >
> >
> > ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
> > ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2
> >
> > what I see in tcpdump and logs is that the rule 1000 converts the ip
> correctly
> > 10.0.1.2->10.0.1.1 ==> 11.0.3.1->10.0.1.1
> > while the 2000 rule does nothing...
>
> man ipfw says:
>
>      To let the packet continue after being (de)aliased, set the sysctl
>      variable net.inet.ip.fw.one_pass to 0.
>
> By default, rule 1000 "consumes" aliased packets and they do not hit rule
> 2000 at all.
> So, you need to set sysctl net.inet.ip.fw.one_pass=0
>

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 1 10:42:23 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 6DE68225; Mon, 1 Jul 2013 10:42:23 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from eg.sd.rdtc.ru (eg.sd.rdtc.ru [IPv6:2a03:3100:c:13::5]) by mx1.freebsd.org (Postfix) with ESMTP id C4A701F9E; Mon, 1 Jul 2013 10:42:22 +0000 (UTC) Received: from eg.sd.rdtc.ru (localhost [127.0.0.1]) by eg.sd.rdtc.ru (8.14.7/8.14.7) with ESMTP id r61AgJiP045731; Mon, 1 Jul 2013 17:42:19 +0700 (NOVT) (envelope-from eugen@grosbein.net) Message-ID: <51D15D06.9030300@grosbein.net> Date: Mon, 01 Jul 2013 17:42:14 +0700 From: Eugene Grosbein User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:17.0) Gecko/20130415 Thunderbird/17.0.5 MIME-Version: 1.0 To: Sami Halabi Subject: Re: DNAT in freebsd References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net> <51D14930.1060502@grosbein.net> In-Reply-To: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: "freebsd-net@freebsd.org" , freebsd-ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Jul 2013 10:42:23 -0000

On 01.07.2013 17:05, Sami Halabi wrote:
> Hi,
> forgot to mention that but this sysctl is already set to 0.
> I see in the logs packets pass 1000 rule.

Use rules like 'ipfw add 1500 count log ip from any to any' to check
intermediate results of translation.
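Before inserting count rules, a static read of the ruleset Sami posted (quoted in the messages above) already explains why rule 2000 does nothing: rules 2000 and 3000 reference nat instance 2, but both "ipfw nat 1 config" lines configure instance 1 (the second replaces the first), so instance 2 is never configured, and in the ip_fw2.c of that era a packet matching a nat rule whose instance lookup fails is denied rather than translated. The config lines also carry "ureg_only", which ipfw(8) does not know (the option is unreg_only); whether that typo is in the mail or at the console, ipfw rejects such a line whole and the instance keeps whatever configuration it had. The POSIX shell script below is an added example, not part of the thread and not FreeBSD code, that checks a ruleset for exactly those three mistakes. It assumes the keyword list of ipfw(8) from the FreeBSD 9 era is complete for this purpose, treats any token containing digits, dots or colons as a value rather than a keyword, and runs over a constructed copy of the ruleset from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: static checks over an ipfw
# ruleset given as text, one "ipfw ..." command per line, for the mistakes that make
# a "nat N" rule silently do nothing.

# Keywords accepted by "ipfw nat N config" as listed in ipfw(8) of the FreeBSD 9
# era (assumed complete for this check); protocol names that may follow
# redirect_port/redirect_proto are values, not keywords.
NAT_CONFIG_KEYWORDS="ip if log deny_in same_ports unreg_only reset reverse proxy_only redirect_addr redirect_port redirect_proto"
NAT_VALUE_WORDS="tcp udp"

# Instances referenced by "ipfw add ... nat N ..." rules, one per line, sorted.
referenced_nat_instances() {
    awk '/^ipfw add / {
        for (i = 1; i <= NF; i++)
            if ($i == "nat" && $(i + 1) ~ /^[0-9]+$/) print $(i + 1)
    }' | sort -u
}

# Instances that have an "ipfw nat N config ..." line, one per line, sorted.
configured_nat_instances() {
    awk '$1 == "ipfw" && $2 == "nat" && $4 == "config" { print $3 }' | sort -u
}

# Instances used by a rule but never configured. ipfw cannot translate with such an
# instance; in the ip_fw2.c of that era the failed lookup denies the packet.
unconfigured_nat_instances() {
    ruleset=$(cat)
    for n in $(printf '%s\n' "$ruleset" | referenced_nat_instances); do
        printf '%s\n' "$ruleset" | configured_nat_instances | grep -qx "$n" || echo "$n"
    done
}

# Instances configured more than once: the later config line replaces the earlier one.
duplicate_nat_configs() {
    awk '$1 == "ipfw" && $2 == "nat" && $4 == "config" { seen[$3]++ }
         END { for (n in seen) if (seen[n] > 1) print n }' | sort -u
}

# Bare lowercase words in a config line that are neither known keywords nor protocol
# names. Addresses, ports, interface names and instance numbers contain digits, dots
# or colons and are treated as values. ipfw rejects a config line with an unknown word.
unknown_nat_config_keywords() {
    awk -v known="$NAT_CONFIG_KEYWORDS $NAT_VALUE_WORDS" '
        BEGIN { n = split(known, k, " ");  for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 == "ipfw" && $2 == "nat" && $4 == "config" {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^[a-z_]+$/ && !($i in ok)) print $i
        }' | sort -u
}

# Human-readable report combining the three checks.
lint_ipfw_nat() {
    ruleset=$(cat)
    for n in $(printf '%s\n' "$ruleset" | unconfigured_nat_instances); do
        echo "nat $n is referenced by a rule but never configured"
    done
    for n in $(printf '%s\n' "$ruleset" | duplicate_nat_configs); do
        echo "nat $n is configured more than once; only the last config line counts"
    done
    for w in $(printf '%s\n' "$ruleset" | unknown_nat_config_keywords); do
        echo "unknown nat config keyword '$w'; ipfw rejects that line"
    done
}

# Constructed input: the ruleset quoted in the thread, token for token.
THREAD_RULESET='ipfw flush
ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2'

printf '%s\n' "$THREAD_RULESET" | lint_ipfw_nat
```

Run against the thread's ruleset it reports nat 2 as unconfigured, nat 1 as configured twice and ureg_only as unknown; the same script can be fed a saved ruleset (`lint_ipfw_nat < /etc/ipfw.rules`) before loading it. The check is deliberately conservative: an unqualified hostname in a redirect_addr argument would be flagged as well, which is the kind of line worth a second look anyway.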
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 1 11:06:48 2013 Return-Path: Delivered-To: freebsd-ipfw@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id DF593635 for ; Mon, 1 Jul 2013 11:06:48 +0000 (UTC) (envelope-from owner-bugmaster@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id D069D10DC for ; Mon, 1 Jul 2013 11:06:48 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id r61B6mbE085807 for ; Mon, 1 Jul 2013 11:06:48 GMT (envelope-from owner-bugmaster@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id r61B6mPM085805 for freebsd-ipfw@FreeBSD.org; Mon, 1 Jul 2013 11:06:48 GMT (envelope-from owner-bugmaster@FreeBSD.org) Date: Mon, 1 Jul 2013 11:06:48 GMT Message-Id: <201307011106.r61B6mPM085805@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: gnats set sender to owner-bugmaster@FreeBSD.org using -f From: FreeBSD bugmaster To: freebsd-ipfw@FreeBSD.org Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Jul 2013 11:06:48 -0000

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/178482  ipfw   [ipfw] logging problem from vnet jail
o kern/178480  ipfw   [ipfw] dynamically loaded ipfw with a vimage kernel do
o kern/178317  ipfw   [ipfw] ipfw options need to specifed in specific order
o kern/177948  ipfw   [ipfw] ipfw fails to parse port ranges (p1-p2) for udp
o kern/176503  ipfw   [ipfw] ipfw layer2 problem
o kern/169206  ipfw   [ipfw] ipfw does not flush entries in table
o conf/167822  ipfw   [ipfw] [patch] start script doesn't load firewall_type
o kern/166406  ipfw   [ipfw] ipfw does not set ALTQ identifier for ipv6 traf
o kern/165939  ipfw   [ipfw] bug: incomplete firewall rules loaded if tables
o kern/165190  ipfw   [ipfw] [lo] [patch] loopback interface is not marking
o kern/158066  ipfw   [ipfw] ipfw + netgraph + multicast = multicast packets
o kern/157689  ipfw   [ipfw] ipfw nat config does not accept nonexistent int
f kern/155927  ipfw   [ipfw] ipfw stops to check packets for compliance with
o bin/153252   ipfw   [ipfw][patch] ipfw lockdown system in subsequent call
o kern/153161  ipfw   [ipfw] does not support specifying rules with ICMP cod
o kern/152113  ipfw   [ipfw] page fault on 8.1-RELEASE caused by certain amo
o kern/148827  ipfw   [ipfw] divert broken with in-kernel ipfw
o kern/148430  ipfw   [ipfw] IPFW schedule delete broken.
o kern/148091  ipfw   [ipfw] ipfw ipv6 handling broken.
f kern/143973  ipfw   [ipfw] [panic] ipfw forward option causes kernel reboo
o kern/143621  ipfw   [ipfw] [dummynet] [patch] dummynet and vnet use result
o kern/137346  ipfw   [ipfw] ipfw nat redirect_proto is broken
o kern/137232  ipfw   [ipfw] parser troubles
o kern/135476  ipfw   [ipfw] IPFW table breaks after adding a large number o
o kern/129036  ipfw   [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/127230  ipfw   [ipfw] [patch] Feature request to add UID and/or GID l
f kern/122963  ipfw   [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw   [request] TCP and UDP port_table in ipfw
o kern/116009  ipfw   [ipfw] [patch] Ignore errors when loading ruleset from
o kern/104682  ipfw   [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw   [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw   [ipfw] [request] sugestions about ipfw table
o kern/97951   ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/95084   ipfw   [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/86957   ipfw   [ipfw] [patch] ipfw mac logging
o bin/83046    ipfw   [ipfw] ipfw2 error: "setup" is allowed for icmp, but s
o kern/82724   ipfw   [ipfw] [patch] [request] Add setnexthop and defaultrou
o bin/78785    ipfw   [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/60719   ipfw   [ipfw] Headerless fragments generate cryptic error mes
s kern/55984   ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/48172   ipfw   [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw   [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau

43 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 1 11:16:01 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 7850C1F8; Mon, 1 Jul 2013 11:16:01 +0000 (UTC) (envelope-from sodynet1@gmail.com) Received: from mail-pb0-x22b.google.com (mail-pb0-x22b.google.com [IPv6:2607:f8b0:400e:c01::22b]) by mx1.freebsd.org (Postfix) with ESMTP id 4E6651301; Mon, 1 Jul 2013 11:16:01 +0000 (UTC) Received: by mail-pb0-f43.google.com with SMTP id md12so4683061pbc.2 for ; Mon, 01 Jul 2013 04:16:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=eE8qwYEdLDvMe4xO9nO4WyjcS4FfxcjdscMIXDFR5D8=; b=P2UYW+XXynEbvgDSKSe9wCi5Yk4FN8ZXMuYWW0IP94PGPI5AYNKGZQIeMAmH1QYHEP axVn0NE5npIsTajNS6IfOWpG+j4zZSjg1fgGj6WUgKu9H/XksT97WAbs5e+y7dxY1QA/ HR123HI2VLRr6aR0T/i+LXwedz3PHj9Zr4KybUXabeq3mYQ0Mmb5pzVMq6vS5pvGOlaJ zsLTYdCIADY+5yI8ta9uszg+1O+a5AOj5OnOqJMV08CpjG3WCnfp9wPqhPIJ+AKKIiJw fBXQCxpSJZf6EfPEbm1yWbTabdBSc94kqDzNxYmNCSoDKQFjGMQWfHS33pvu2sHW6UIz xxYw== MIME-Version: 1.0 X-Received: by 10.68.171.99 with SMTP id at3mr2318015pbc.64.1372677360659; Mon, 01 Jul 2013 04:16:00 -0700 (PDT) Received: by 10.70.71.7 with HTTP; Mon, 1 Jul 2013 04:16:00 -0700 (PDT) In-Reply-To: <51D15D06.9030300@grosbein.net> References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net> <51D14930.1060502@grosbein.net> <51D15D06.9030300@grosbein.net> Date: Mon, 1 Jul 2013 14:16:00 +0300 Message-ID: Subject: Re: DNAT in freebsd From: Sami Halabi To: Eugene Grosbein Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: "freebsd-net@freebsd.org" , freebsd-ipfw X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: 
List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Jul 2013 11:16:01 -0000

Hi,
I did ping 10.0.1.1 from 10.0.1.2, so packet is 10.0.1.2 -> 10.0.1.1
> ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
if I have 10.0.1.1 in em1 no translation is done!
if I delete it (and add a static arp entry in 10.0.1.2 for mac of 10.0.1.1)
rule 1000 translates well and I get packet from 11.0.3.1->10.0.1.1

> ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
no translation is done at all!

Sami

> ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
>
>
> ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
> ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2

On Mon, Jul 1, 2013 at 1:42 PM, Eugene Grosbein wrote:
> On 01.07.2013 17:05, Sami Halabi wrote:
> > Hi,
> > forgot to mention that but this sysctl is already set to 0.
> > i see in the logs packets pass 1000 rule.
>
> Use rules like 'ipfw add 1500 count log ip from any to any' to check
> intermediate results of translation.
> > -- Sami Halabi Information Systems Engineer NMS Projects Expert FreeBSD SysAdmin Expert From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 2 14:21:31 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id A9339192; Tue, 2 Jul 2013 14:21:31 +0000 (UTC) (envelope-from sodynet1@gmail.com) Received: from mail-pd0-x233.google.com (mail-pd0-x233.google.com [IPv6:2607:f8b0:400e:c02::233]) by mx1.freebsd.org (Postfix) with ESMTP id 79DB71088; Tue, 2 Jul 2013 14:21:31 +0000 (UTC) Received: by mail-pd0-f179.google.com with SMTP id q10so3641836pdj.24 for ; Tue, 02 Jul 2013 07:21:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=v5sflUrLA93oBHu2bhJeXdy2nzU7cAxAowhdHU6CSf4=; b=Ghb4SdwsLleetJB7pnaZAbwIp9uzQ2lUFYLK7EOo25oeT76dE9rl+VTGb0IQDAL2TR jhRlyEf1SAwf7+BIxwh6HzfLEpo6Glj6VARfWHE9T+0p4p2ZpOTpNiNGUo49K17yuffa cacFCCUBAPPp1wAAwA2WCAYoxleKw3KgoI/57iNKYKCXd9CJqtxVuXCQ6SAWaYWpEfon fUKt8gJF0P2y+BJkQqz7eSjJX13qIpn3gwPX99yaNQ/rbDXBG7O8kIpGqaV1u9xZf5On oDHOpbUU8+cWv3GctMGrDjPA4CR8EFAGTTNNvKR+d9tJaBxCil1WoXSN2FxRuhNppdg0 eO4Q== MIME-Version: 1.0 X-Received: by 10.68.235.103 with SMTP id ul7mr29405855pbc.14.1372774891213; Tue, 02 Jul 2013 07:21:31 -0700 (PDT) Received: by 10.70.71.7 with HTTP; Tue, 2 Jul 2013 07:21:30 -0700 (PDT) Received: by 10.70.71.7 with HTTP; Tue, 2 Jul 2013 07:21:30 -0700 (PDT) In-Reply-To: References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net> <51D14930.1060502@grosbein.net> <51D15D06.9030300@grosbein.net> Date: Tue, 2 Jul 2013 17:21:30 +0300 Message-ID: Subject: Re: DNAT in freebsd From: Sami Halabi To: Eugene Grosbein Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: 
freebsd-ipfw , freebsd-net@freebsd.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jul 2013 14:21:31 -0000

Hi again,
So far no solution....

Is there really no alternative in FreeBSD?

Sami

On 1 Jul 2013 14:16, "Sami Halabi" wrote:

> Hi,
> I did ping 10.0.1.1 from 10.0.1.2, so packet is 10.0.1.2 -> 10.0.1.1
> > ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
> if I have 10.0.1.1 in em1 no translation is done!
> if I delete it (and add a static arp entry in 10.0.1.2 for mac of
> 10.0.1.1)
> rule 1000 translates well and I get packet from 11.0.3.1->10.0.1.1
>
> > ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
> no translation is done at all!
>
> Sami
>
> > ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> > ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
> >
> >
> > ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
> > ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2
>
>
> On Mon, Jul 1, 2013 at 1:42 PM, Eugene Grosbein wrote:
>
>> On 01.07.2013 17:05, Sami Halabi wrote:
>> > Hi,
>> > forgot to mention that but this sysctl is already set to 0.
>> > i see in the logs packets pass 1000 rule.
>>
>> Use rules like 'ipfw add 1500 count log ip from any to any' to check
>> intermediate results of translation.
>>
>>
>
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert
> FreeBSD SysAdmin Expert
>

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 3 02:47:52 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 75F6C2A6; Wed, 3 Jul 2013 02:47:52 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) by mx1.freebsd.org (Postfix) with ESMTP id 30A661654; Wed, 3 Jul 2013 02:47:51 +0000 (UTC) Received: from Julian-MBP3.local (ppp121-45-226-51.lns20.per1.internode.on.net [121.45.226.51]) (authenticated bits=0) by vps1.elischer.org (8.14.5/8.14.5) with ESMTP id r632ljxK084463 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Tue, 2 Jul 2013 19:47:48 -0700 (PDT) (envelope-from julian@freebsd.org) Message-ID: <51D390CA.5020803@freebsd.org> Date: Wed, 03 Jul 2013 10:47:38 +0800 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130620 Thunderbird/17.0.7 MIME-Version: 1.0 To: Sami Halabi Subject: Re: DNAT in freebsd References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net> <51D14930.1060502@grosbein.net> <51D15D06.9030300@grosbein.net> In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-ipfw , Eugene Grosbein , freebsd-net@freebsd.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jul 2013 02:47:52 -0000

On 7/2/13 10:21 PM, Sami Halabi wrote:
> Hi again,
> So far no solution....
>
> Is there really no alternative in FreeBSD?

oh I'm sure there are several solutions..
I looked at the original email but have since deleted it..

ah archives to the rescue....

ok so your request is a bit short on information..

> Here is the situation i want to handle:
> My box is a router that handles several /24 behind.
> One of my links (em0) is connected to a private network
> 192.168.0.1 is me, my neighbour is 192.168.0.2.

So you are supplying your neighbour with internet access?

> I want to make that any connection comes to 192.168.0.1 to go to ip
> 193.xxx.yyy.2 using specific public ip 84.xx.yy.1

comes to 192.168.0.1 from where? from your neighbour?
Do you want to intercept all his packets that arrive at
that interface or just packets that are addressed to 192.168.0.1?

Where is 193.xxx.yyy.2? On one of your networks, or out on the internet?
IS it the interface marked "D" in the diagram below? or at [Q]?
what is it? a proxy cache?

Where is 84.xx.yy.1? Is it your interface "A" in the diagram below? (I assume so)
By "using", do you mean that they
arrive at 193.xxx.yyy.2 with a rewritten source address of 84.xx.yy.1
or that they think they are going TO 84.xx.yy.1? Where do you want the
reply packets to go, and what should they look like?

By "go to" do you mean a rewritten destination address of 193.xxx.yyy.2,
or just routed to it with the original destination address untouched?

> And packets coming to my public 84.xx.yy.1 ip to be translated as came
> from 192.168.0.1 and sent to 192.168.0.2/or any other ips
> behind(192.168.1.xx/24).

ALL packets that arrive at 84.xx.yy.1 or just some?

>
> Hope that makes it clearer, and I appreciate any help.

so let's draw a picture of what I think we know..

 -----------  [a]  -------------------------  [b]  -------------
 internet  B|------|84.xx.yy.1     192.168.0.1|-----|192.168.0.2
            |      |A            C           D|     |  neighbour
 -----------       -------------------------       --------------
                        |       |       |
                       [Q]      |       |
                    your networks ?

I think we know what normal packets at [a] and [b] look like
but we still need to know what 'changed' packets want to look like.
>
> Sami
> On 1 Jul 2013 14:16, "Sami Halabi" wrote:
>
>> Hi,
>> I did ping 10.0.1.1 from 10.0.1.2, so packet is 10.0.1.2 -> 10.0.1.1
>>> ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
>> if I have 10.0.1.1 in em1 no translation is done!
>> if I delete it (and add a static arp entry in 10.0.1.2 for mac of
>> 10.0.1.1)
>> rule 1000 translates well and I get packet from 11.0.3.1->10.0.1.1
>>
>>> ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
>> no translation is done at all!
>>
>> Sami
>>
>>> ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
>>> ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
>>>
>>>
>>> ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
>>> ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2
>>
>>
>> On Mon, Jul 1, 2013 at 1:42 PM, Eugene Grosbein wrote:
>>
>>> On 01.07.2013 17:05, Sami Halabi wrote:
>>>> Hi,
>>>> forgot to mention that but this sysctl is already set to 0.
>>>> i see in the logs packets pass 1000 rule.
>>> Use rules like 'ipfw add 1500 count log ip from any to any' to check
>>> intermediate results of translation.
>>> >>> >> >> -- >> Sami Halabi >> Information Systems Engineer >> NMS Projects Expert >> FreeBSD SysAdmin Expert >> > _______________________________________________ > freebsd-ipfw@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org" > > From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 3 03:59:48 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id ECEF5FA1; Wed, 3 Jul 2013 03:59:48 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) by mx1.freebsd.org (Postfix) with ESMTP id 9BA6A19E1; Wed, 3 Jul 2013 03:59:48 +0000 (UTC) Received: from Julian-MBP3.local (ppp121-45-226-51.lns20.per1.internode.on.net [121.45.226.51]) (authenticated bits=0) by vps1.elischer.org (8.14.5/8.14.5) with ESMTP id r633xZB2084693 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Tue, 2 Jul 2013 20:59:37 -0700 (PDT) (envelope-from julian@freebsd.org) Message-ID: <51D3A1A0.8090904@freebsd.org> Date: Wed, 03 Jul 2013 11:59:28 +0800 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130620 Thunderbird/17.0.7 MIME-Version: 1.0 To: Sami Halabi Subject: Re: DNAT in freebsd References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net> <51D14930.1060502@grosbein.net> <51D15D06.9030300@grosbein.net> <51D390CA.5020803@freebsd.org> In-Reply-To: <51D390CA.5020803@freebsd.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-ipfw , Eugene Grosbein , freebsd-net@freebsd.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , 
List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jul 2013 03:59:49 -0000

On 7/3/13 10:47 AM, Julian Elischer wrote:
> On 7/2/13 10:21 PM, Sami Halabi wrote:
>> Hi again,
>> So far no solution....
>>
>> Is there really no alternative in FreeBSD?
>
> oh I'm sure there are several solutions..
> I looked at the original email but have since deleted it..
>
> ah archives to the rescue....
>
> ok so your request is a bit short on information..

thinking about your request I think what you want to do is to make it look
as if you have a web server or something at 192.168.0.1 to your neighbour,
but to in fact serve those requests from a machine at 193.xxx.yyy.2.
In addition, you need the requests to appear to come from your external
address, so that the responses can find their way back to you.

my next question is: Do you control 193.xxx.yyy.2? (is it FreeBSD?)
because there are several ways you could solve that problem if you do, and it is..
basically by making a tunnel directly between that machine and you.

if you want to not use a tunnel there are several steps on the way.
we need to think about what packets look like at each step.

at em0, incoming

packet A from neighbour, on the wire:
To: 192.168.0.1 port 80
From: 192.168.0.x port MMM0
we want to change this packet.

packet B from neighbour, on the wire:
To: www.google.com port 80
From: 192.168.0.x port MMM1
we want to leave this packet alone (for now)

At this stage, (on the incoming packet A on em0)
we need to change the DESTINATION address,
so we need a regular NAT, acting as if it were accepting an incoming connection.
(which it is).
so from the natd man page, the NAT 'rule' is:
redirect_address 193.xxx.yyy.2 192.168.0.1

This must only happen on incoming packets from the neighbour, *addressed to you* so
ipfw has a rule:
ipfw add xx ${NAT_ACTION} ip from ${NEIGHBOUR_NET} to ${MY_NEIGHBOUR_ADDR} in recv ${MY_NEIGHBOUR_IFACE}

NAT_ACTION is either "nat 1" or "divert ${INTERNAL_DIVERT_PORT}"
MY_NEIGHBOUR_ADDR="192.168.0.0/24"
MY_NEIGHBOUR_IFACE="em0"

now you need a rule to match this one for retranslation of return packets
so on output you have:
ipfw add yy ${NAT_ACTION} ip from 193.xxx.yyy.zzz to ${NEIGHBOUR_NET} out xmit ${MY_NEIGHBOUR_IFACE}

and the nat must be set up to leave unmapped packets alone.
so deny_incoming must NOT be set in the NAT configuration.

so theoretically this is the destination address taken care of (in
outgoing packets, source address on incoming packets).

So then you need to take care of the source address of the outgoing packets.
this takes place on the INTERNET facing interface, and really, it
should all be taken care of already if you have NAT enabled and you
can ping the internet from the neighbour's net.

hope this helps....

Julian

>
>> Here is the situation i want to handle:
>> My box is a router that handles several /24 behind.
>> One of my links (em0) is connected to a private network
>> 192.168.0.1 is me, my neighbour is 192.168.0.2.
>
> So you are supplying your neighbour with internet access?
>
>> I want to make that any connection comes to 192.168.0.1 to go to ip
>> 193.xxx.yyy.2 using specific public ip 84.xx.yy.1
>
> comes to 192.168.0.1 from where? from your neighbour?
> Do you want to intercept all his packets that arrive at
> that interface or just packets that are addressed to 192.168.0.1?
>
> Where is 193.xxx.yyy.2? On one of your networks, or out on the
> internet?
> IS it the interface marked "D" in the diagram below? or at [Q]?
> what is it? a proxy cache?
>
> Where is 84.xx.yy.1? Is it your interface "A" in the diagram below?
> (I assume so)
> By "using", do you mean that they
> arrive at 193.xxx.yyy.2 with a rewritten source address of 84.xx.yy.1
> or that they think they are going TO 84.xx.yy.1? Where do you want the
> reply packets to go, and what should they look like?
>
> By "go to" do you mean a rewritten destination address of
> 193.xxx.yyy.2,
> or just routed to it with the original destination address untouched?
>
>> And packets coming to my public 84.xx.yy.1 ip to be translated as came
>> from 192.168.0.1 and sent to 192.168.0.2/or any other ips
>> behind(192.168.1.xx/24).
>
> ALL packets that arrive at 84.xx.yy.1 or just some?
>
>>
>> Hope that makes it clearer, and I appreciate any help.
>
> so let's draw a picture of what I think we know..
>
>  -----------  [a]  -------------------------  [b]  -------------
>  internet  B|------|84.xx.yy.1     192.168.0.1|-----|192.168.0.2
>             |      |A            C           D|     |  neighbour
>  -----------       -------------------------       --------------
>                         |       |       |
>                        [Q]      |       |
>                     your networks ?
>
> I think we know what normal packets at [a] and [b] look like
> but we still need to know what 'changed' packets want to look like.
>
>
>>
>> Sami
>> On 1 Jul 2013 14:16, "Sami Halabi" wrote:
>>
>>> Hi,
>>> I did ping 10.0.1.1 from 10.0.1.2, so packet is 10.0.1.2 -> 10.0.1.1
>>>> ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
>>> if I have 10.0.1.1 in em1 no translation is done!
>>> if I delete it (and add a static arp entry in 10.0.1.2 for mac of
>>> 10.0.1.1)
>>> rule 1000 translates well and I get packet from 11.0.3.1->10.0.1.1
>>>
>>>> ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
>>> no translation is done at all!
>>> >>> Sami >>> >>>> ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1 >>>> ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1 >>>> >>>> >>>> ipfw nat 1 config same_ports ureg_only ip 11.0.3.1 >>>> ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2 >>> >>> >>> On Mon, Jul 1, 2013 at 1:42 PM, Eugene Grosbein >>> wrote: >>> >>>> On 01.07.2013 17:05, Sami Halabi wrote: >>>>> Hi, >>>>> forgot to mention that but this sysctl is already set to 0. >>>>> i see in the logs packets pass 1000 rule. >>>> Use rules like 'ipfw add 1500 count log ip from any to any' to check >>>> intermediate results of translation. >>>> >>>> >>> >>> -- >>> Sami Halabi >>> Information Systems Engineer >>> NMS Projects Expert >>> FreeBSD SysAdmin Expert >>> >> _______________________________________________ >> freebsd-ipfw@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw >> To unsubscribe, send any mail to >> "freebsd-ipfw-unsubscribe@freebsd.org" >> >> > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > > From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 3 04:07:03 2013 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id D60DB254; Wed, 3 Jul 2013 04:07:03 +0000 (UTC) (envelope-from julian@freebsd.org) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) by mx1.freebsd.org (Postfix) with ESMTP id 9F4301A2D; Wed, 3 Jul 2013 04:07:03 +0000 (UTC) Received: from Julian-MBP3.local (ppp121-45-226-51.lns20.per1.internode.on.net [121.45.226.51]) (authenticated bits=0) by vps1.elischer.org (8.14.5/8.14.5) with ESMTP id r6346wPI084737 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO); Tue, 2 Jul 2013 21:07:01 -0700 (PDT) (envelope-from 
julian@freebsd.org) Message-ID: <51D3A35C.8070305@freebsd.org> Date: Wed, 03 Jul 2013 12:06:52 +0800 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130620 Thunderbird/17.0.7 MIME-Version: 1.0 To: Sami Halabi Subject: Re: DNAT in freebsd References: <20130629002959.GB20376@nat.myhome> <51D006F6.6060809@grosbein.net> <51D04FA8.8080900@grosbein.net> <51D14930.1060502@grosbein.net> <51D15D06.9030300@grosbein.net> <51D390CA.5020803@freebsd.org> <51D3A1A0.8090904@freebsd.org> In-Reply-To: <51D3A1A0.8090904@freebsd.org> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-ipfw , Eugene Grosbein , freebsd-net@freebsd.org X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Jul 2013 04:07:03 -0000 On 7/3/13 11:59 AM, Julian Elischer wrote: > On 7/3/13 10:47 AM, Julian Elischer wrote: >> On 7/2/13 10:21 PM, Sami Halabi wrote: >>> Hi again, >>> So far no solution.... >>> >>> Is there really no alternative in FreeBSD? >> >> oh I'm sure there are several solutions.. >> I looked at the original email but have since deleted it.. >> >> ah archives to the rescue.... >> >> ok so your request is a bit short on information.. > > thinking about your request I think what you want to do is to make > it look as if you have a web server or something at 192.168.0.1 to > your neighbour, but to in fact serve those requests from a machine > at 193.xxx.yyy.2. In addition, you need the requests to appear to > come from your external address, so that the responses can find > their way back to you. > > my next question is: Do you control 193.xxx.yyy.2? (is it FreeBSD?) > because there are several ways you could solve that problem if you > do, and it is.. > basically by making a tunnel directly between that machine and you. 
>
> if you want to not use a tunnel there are several steps on the way.
> we need to think about what packets look like at each step.
>
> at em0, incoming
>
> packet A from neighbour, on the wire:
> To: 192.168.0.1 port 80
> From: 192.168.0.x port MMM0
> we want to change this packet.
>
> packet B from neighbour, on the wire:
> To: www.google.com port 80
> From: 192.168.0.x port MMM1
> we want to leave this packet alone (for now)
>
> At this stage, (on the incoming packet A on em0)
> we need to change the DESTINATION address,
> so we need a regular NAT, acting as if it were accepting an incoming
> connection.
> (which it is).
>
> so from the natd man page, the NAT 'rule' is:
> redirect_address 193.xxx.yyy.2 192.168.0.1
>
> This must only happen on incoming packets from the neighbour,
> *addressed to you* so
> ipfw has a rule:
> ipfw add xx ${NAT_ACTION} ip from ${NEIGHBOUR_NET} to
> ${MY_NEIGHBOUR_ADDR} in recv ${MY_NEIGHBOUR_IFACE}
>
> NAT_ACTION is either "nat 1" or "divert ${INTERNAL_DIVERT_PORT}"
> MY_NEIGHBOUR_ADDR="192.168.0.0/24"
> MY_NEIGHBOUR_IFACE="em0"
>
> now you need a rule to match this one for retranslation of return
> packets
> so on output you have:
> ipfw add yy ${NAT_ACTION} ip from 193.xxx.yyy.zzz to
> ${NEIGHBOUR_NET} out xmit ${MY_NEIGHBOUR_IFACE}
>
> and the nat must be set up to leave unmapped packets alone.
> so deny_incoming must NOT be set in the NAT configuration.

I am talking all theoretically here as I don't have such a setup at the moment,
and I can't remember if the packet direction is given to natd/ipfw-nat;
if so then you MAY need the 'reverse' setting, but I don't guarantee it.
If you use natd you will need a separate instance, or natd.
If you use ipfw internal nat then you must use a separate nat instance there too.

>
>
>
> so theoretically this is the destination address taken care of (in
> outgoing packets, source address on incoming packets).
>
> So then you need to take care of the source address of the outgoing
> packets.
> this takes place on the INTERNET facing interface, and really, it
> should all be taken care of already if you have NAT enabled and you
> can ping the internet from the neighbour's net.
>
> hope this helps....
>
> Julian

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 3 11:06:33 2013
Date: Wed, 3 Jul 2013 14:06:32 +0300
In-Reply-To: <51D3A35C.8070305@freebsd.org>
Subject: Re: DNAT in freebsd
From: Sami Halabi
To: Julian Elischer
Cc: freebsd-ipfw, Eugene Grosbein, freebsd-net@freebsd.org

Hi Julian,

I appreciate your willingness to help me.

My situation in short is:

----------- [a] ------------------------- [b] -------------
internet B |---BGP---|84.xx.yy.1 192.168.0.1|-----|192.168.0.2/24
193.xx.yy.2| |Aem1 Cem3 D em0| | | neighbour
----------- ------------------------- | --------------
| | |
[Q] | |
your networks private network

I have control only over the middle machine, so I can't establish a tunnel.
So I want it to act as MAN IN THE MIDDLE / proxy.

Every packet that comes from the private network to 192.168.0.1, i.e.:
packet hdr: src: 192.168.0.2 dst: 192.168.0.1
should be translated as:
packet hdr: src: 84.xx.yy.1 dst: 193.xx.yy.2
ports and data untouched.

And every packet from 193.xx.yy.2 (incoming/setup...) as:
packet hdr: src: 193.xx.yy.2 dst: 84.xx.yy.1
to be translated as:
packet hdr: src: 192.168.0.1 dst: 192.168.0.2

btw: any other packet from a src other than 193.xx.yy.2 to dst 84.xx.yy.1
should be dropped.

Again thanks for your help, I hope I supplied all the info needed to help me.
Sami

On Wed, Jul 3, 2013 at 7:06 AM, Julian Elischer wrote:
> [...]

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 6 07:47:34 2013
Date: Sat, 6 Jul 2013 10:47:33 +0300
Subject: Re: DNAT in freebsd
From: Sami Halabi
To: Julian Elischer
Cc: freebsd-net@freebsd.org, Eugene Grosbein, freebsd-ipfw

Hi,
Any hope?

Thanks in advance,
Sami

On 3 Jul 2013 14:06, "Sami Halabi" wrote:
> [...]
>
> --
> Sami Halabi
> Information Systems Engineer
> NMS Projects Expert
> FreeBSD SysAdmin Expert

From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 6 11:38:06 2013
Message-ID: <51D80193.5080401@grosbein.net>
Date: Sat, 06 Jul 2013 18:37:55 +0700
From: Eugene Grosbein
To: Sami Halabi
Cc: freebsd-net@freebsd.org, Julian Elischer, freebsd-ipfw
Subject: Re: DNAT in freebsd

On 06.07.2013 14:47, Sami Halabi wrote:
> Hi,
> Any hope?

Have you used intermediate "ipfw count log" rules between the "ipfw nat" rules
I recommended? If yes, why have you not shown those logs yet?
Include tcpdump output from external and internal interfaces too.
From owner-freebsd-ipfw@FreeBSD.ORG Sat Jul 6 13:02:47 2013
Date: Sat, 6 Jul 2013 23:02:36 +1000 (EST)
From: Ian Smith
To: Sami Halabi
Cc: freebsd-net@freebsd.org, Eugene Grosbein, freebsd-ipfw
Subject: Re: DNAT in freebsd
In-Reply-To: <51D80193.5080401@grosbein.net>
Message-ID: <20130706224310.R26496@sola.nimnet.asn.au>

On Sat, 6 Jul 2013 18:37:55 +0700, Eugene Grosbein wrote:
> On 06.07.2013 14:47, Sami Halabi wrote:
> > Hi,
> > Any hope?
>
> Have you used intermediate "ipfw count log" rules between the "ipfw nat" rules
> I recommended? If yes, why have you not shown those logs yet?
> Include tcpdump output from external and internal interfaces too.

Sami, this was very good advice.

I'll go further and say add _lots_ of 'count log' rules before and after
each nat rule, one each for packets you might expect from different
sources of interest, and to different destinations expected from your
nat mapping, and also the unexpected. Then run some test packets,
afterwards running 'ipfw -t show' so you (and we) can clearly see which
packets went which way and when. This may help debugging greatly; we
need you to tell less, and show us more.

Julian also put some time into a well detailed plan, based of course on
assumptions reached with not a lot to go on; you should try using that,
and feeding back some very specific results.

cheers, Ian
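Julian's two-stage plan (a redirect_addr nat instance on the neighbour side plus the ordinary masquerading nat instance on the internet side), Sami's drop-everything-else requirement, and the "count log" probes Eugene and Ian asked for, put together as an added example; this is not code from the thread or from FreeBSD. It assumes em1 is the internet-facing interface, uses RFC 5737 documentation addresses in place of 193.xx.yy.2 and 84.xx.yy.1 (the thread never gives the real ones), and adds to nat 2 a redirect_addr for 192.168.0.2 that Julian did not mention, so that sessions the remote host opens toward the public address reach the neighbour. The `ipfw -a show` sample it diagnoses is constructed, not captured. Only the generated ruleset needs FreeBSD and root; the counter analysis runs anywhere with sh and awk.

```shell
#!/bin/sh
# Added example, not code from the thread.  Builds the two-instance ipfw
# nat ruleset with "count log" probes around every nat rule, and reads
# `ipfw -a show` counters back to find the stage where a packet was lost.
# 193.xx.yy.2 and 84.xx.yy.1 are placeholders in the thread, so RFC 5737
# documentation addresses stand in for them here: replace them.

EXT_IF=em1              # assumed: internet-facing interface (the BGP side)
NEI_IF=em0              # interface toward the neighbour's private network
MY_PUB=203.0.113.1      # stands in for 84.xx.yy.1
REMOTE=198.51.100.2     # stands in for 193.xx.yy.2
MY_PRIV=192.168.0.1     # this box's address on em0
NEI_NET=192.168.0.0/24  # the neighbour's network

# Prints the ruleset; review it, then feed it to sh as root.
gen_ruleset() {
  cat <<EOF
# A packet leaving a nat rule must continue down the ruleset, otherwise the
# probe rule after each nat never sees the translated packet.
sysctl net.inet.ip.fw.one_pass=0
sysctl net.inet.ip.fw.verbose=1
ipfw -f flush
# nat 1, neighbour side: the address the neighbour talks to (${MY_PRIV})
# is statically mapped to ${REMOTE}.  No deny_in, so unmapped packets pass.
ipfw nat 1 config ip ${MY_PRIV} redirect_addr ${REMOTE} ${MY_PRIV}
# nat 2, internet side: masquerade behind ${MY_PUB}.  The redirect_addr is
# an assumption beyond Julian's sketch: it lets sessions ${REMOTE} opens
# toward ${MY_PUB} land on the neighbour instead of being left untranslated.
ipfw nat 2 config ip ${MY_PUB} redirect_addr 192.168.0.2 ${MY_PUB}
# neighbour -> remote: probe, translate dst, probe, translate src, probe
ipfw add 1000 count log ip from ${NEI_NET} to ${MY_PRIV} in recv ${NEI_IF}
ipfw add 1010 nat 1 ip from ${NEI_NET} to ${MY_PRIV} in recv ${NEI_IF}
ipfw add 1020 count log ip from ${NEI_NET} to ${REMOTE} in recv ${NEI_IF}
ipfw add 1030 nat 2 ip from ${NEI_NET} to ${REMOTE} out xmit ${EXT_IF}
ipfw add 1040 count log ip from ${MY_PUB} to ${REMOTE} out xmit ${EXT_IF}
# remote -> neighbour: the reverse path, same pattern
ipfw add 2000 count log ip from ${REMOTE} to ${MY_PUB} in recv ${EXT_IF}
ipfw add 2010 nat 2 ip from ${REMOTE} to ${MY_PUB} in recv ${EXT_IF}
ipfw add 2020 count log ip from ${REMOTE} to ${NEI_NET} in recv ${EXT_IF}
ipfw add 2030 nat 1 ip from ${REMOTE} to ${NEI_NET} out xmit ${NEI_IF}
ipfw add 2040 count log ip from ${MY_PRIV} to ${NEI_NET} out xmit ${NEI_IF}
# Sami's extra requirement.  Caveat: this also drops the return traffic of
# any other session masqueraded behind ${MY_PUB}; relax it if it is shared.
ipfw add 2100 deny log ip from not ${REMOTE} to ${MY_PUB} in recv ${EXT_IF}
ipfw add 65000 count log ip from any to any
ipfw add 65100 allow ip from any to any
EOF
}

PROBES="1000 1010 1020 1030 1040 2000 2010 2020 2030 2040"

# Reads `ipfw -a show` text from $1 (columns: rule, packets, bytes, body)
# and prints the probe rules that counted nothing, in rule order.
unmatched_probes() {
  printf '%s\n' "$1" | awk -v probes="$PROBES" '
    BEGIN { n = split(probes, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 ~ /^[0-9]+$/ { num = $1 + 0; if ((num in want) && $2 == 0) print num }'
}

first_gap() { unmatched_probes "$1" | head -n 1; }

# Maps the first silent probe to the stage that lost the packet.
diagnose() {
  case "$(first_gap "$1")" in
    "")   echo "all probes matched; tcpdump on $EXT_IF to see what $REMOTE answers" ;;
    1000) echo "nothing from $NEI_NET to $MY_PRIV arrived on $NEI_IF" ;;
    1020) echo "nat 1 did not rewrite dst to $REMOTE (redirect_addr, or one_pass=1)" ;;
    1030) echo "translated packet was not routed out $EXT_IF: check the route to $REMOTE" ;;
    1040) echo "nat 2 did not rewrite src to $MY_PUB" ;;
    2000) echo "no reply from $REMOTE reached $EXT_IF: tcpdump there, then upstream" ;;
    2020) echo "nat 2 did not map dst back into $NEI_NET (no session or redirect_addr)" ;;
    2030) echo "reply was not routed out $NEI_IF" ;;
    2040) echo "nat 1 did not rewrite src back to $MY_PRIV" ;;
    *)    echo "flow stopped before rule $(first_gap "$1")" ;;
  esac
}

# Constructed sample of `ipfw -a show` (not real output): the neighbour's
# packets reach nat 1, but nothing is seen with the translated destination.
SAMPLE_SHOW='01000   3   180 count log ip from 192.168.0.0/24 to 192.168.0.1 in recv em0
01010   3   180 nat 1 ip from 192.168.0.0/24 to 192.168.0.1 in recv em0
01020   0     0 count log ip from 192.168.0.0/24 to 198.51.100.2 in recv em0
01030   0     0 nat 2 ip from 192.168.0.0/24 to 198.51.100.2 out xmit em1
01040   0     0 count log ip from 203.0.113.1 to 198.51.100.2 out xmit em1
02000   0     0 count log ip from 198.51.100.2 to 203.0.113.1 in recv em1
02010   0     0 nat 2 ip from 198.51.100.2 to 203.0.113.1 in recv em1
02020   0     0 count log ip from 198.51.100.2 to 192.168.0.0/24 in recv em1
02030   0     0 nat 1 ip from 198.51.100.2 to 192.168.0.0/24 out xmit em0
02040   0     0 count log ip from 192.168.0.1 to 192.168.0.0/24 out xmit em0
02100   0     0 deny log ip from not 198.51.100.2 to 203.0.113.1 in recv em1
65000   3   180 count log ip from any to any
65100   3   180 allow ip from any to any'

# Stand-alone run: print the ruleset, then the diagnosis of the sample
# counters as a comment line, so the whole output can still be piped to sh.
gen_ruleset
echo "# diagnosis of sample counters: $(diagnose "$SAMPLE_SHOW")"
```

Pipe the script's output into sh as root to load the rules, send a few test packets from the neighbour, then hand the real `ipfw -a show` (or `ipfw -t show`) output to diagnose. The sample counters show the failure Julian's plan is most exposed to: with one_pass left at its default of 1 the packet is accepted straight out of rule 1010 and probe 1020 never counts, which looks exactly like a nat instance that did not translate.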