Date: Sat, 06 Jul 2013 18:29:22 -0700
From: Darren Pilgrim <list_freebsd@bluerosetech.com>
To: Sami Halabi <sodynet1@gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: DNAT in freebsd
Message-ID: <51D8C472.9050103@bluerosetech.com>
In-Reply-To: <CAEW%2BogY8A3javUR=g5pP5iqa3yYfEToHuRg0J-ihnV8EV2U9SA@mail.gmail.com>
References: <CAEW%2BogYp61U2zjicksYekSdfmLLZh5g9QM3GUg4n16ZbudVZtg@mail.gmail.com> <20130629002959.GB20376@nat.myhome> <CAEW%2BogZ=a6LZavOtcb_egNWFQ8bJP0gzP6pc90tu1dcWC9K80A@mail.gmail.com> <51D006F6.6060809@grosbein.net> <CAEW%2Bogbx15KiayBHFJ7T1YVGQ2pwm1ArQaSrjUk6XUOBgVPggA@mail.gmail.com> <51D04FA8.8080900@grosbein.net> <CAEW%2BogZQ1bHOBNvxkLqnFRrR_b4=e%2BYx9wUjWC8YYr__QsBe3w@mail.gmail.com> <CAEW%2BogZmd4Rz7OgTKV-k=tnSLgG0Y0-4XO%2BxuELznsgVo0XZ%2BA@mail.gmail.com> <51D14930.1060502@grosbein.net> <CAEW%2BogYW9YWZr6TnzqZ%2BHv_e_fFo-MKW1hTdWfw7w=qaCFw3Yg@mail.gmail.com> <51D15D06.9030300@grosbein.net> <CAEW%2BogZB9m%2B5FLyB2NXFbp=uSpvCq6fn4SPVZe2W58yQ-S_z4w@mail.gmail.com> <CAEW%2BogYef6esFDkxRefht1z==zdr5bsYv6S-FPgTyZ36GPR_Mg@mail.gmail.com> <51D390CA.5020803@freebsd.org> <51D3A1A0.8090904@freebsd.org> <51D3A35C.8070305@freebsd.org> <CAEW%2BogY8A3javUR=g5pP5iqa3yYfEToHuRg0J-ihnV8EV2U9SA@mail.gmail.com>
On 7/3/2013 4:06 AM, Sami Halabi wrote:
> Hi Julian,
>
> I appreciate your willingness to help me.
>
> My situation in short is:
>
> -----------      [a]      -------------------------   [b]    -------------
> internet  B |---BGP---|84.xx.yy.1        192.168.0.1|-----|192.168.0.2/24
> 193.xx.yy.2|          |Aem1          Cem3     D em0|     |   |  neighbour
> -----------           -------------------------     |     --------------
>      |                         |                    |
>     [Q]                        |                    |
> your networks           private network
>
> I have control only over the middle machine, so I can't establish a tunnel.
> So I want it to act as MAN IN THE MIDDLE / proxy.
> Every packet that comes from the private network to 192.168.0.1, i.e.:
> packet hdr: src: 192.168.0.2 dst 192.168.0.1
> should be translated as:
> packet hdr: src: 84.xx.yy.1 dst 193.xx.yy.2
> ports and data untouched.
>
> And every packet from 193.xx.yy.2 (incoming/setup...) as:
> packet hdr: src: 193.xx.yy.2 dst: 84.xx.yy.1
> to be translated as:
> packet hdr: src: 192.168.0.1 dst 192.168.0.2
>
> btw: any other packet from src other than 193.xx.yy.2 to dst 84.xx.yy.1
> should be dropped.

I believe this will work:

binat on em1 from 193.xx.yy.2 to 84.xx.yy.1 -> 192.168.0.1 \
    static-port tag netA
binat on em0 from 192.168.0.2 to 192.168.0.1 -> 84.xx.yy.1 \
    static-port tag netB
rdr from any to 84.xx.yy.1 -> 192.168.0.2 tagged netA
rdr from any to 192.168.0.1 -> 193.xx.yy.2 tagged netB
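The translation Sami asks for, written out as an added Python model (not code from the thread and not pf itself) that can serve as a test oracle before committing the rules: each direction's rewrite with ports untouched, the drop of any other source addressing 84.xx.yy.1, and a check that replies translate back consistently. Interface names, addresses and the BGP port come from the diagram; xx/yy stay as the poster's placeholders, and the sample packets are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Addresses as in the diagram; "xx"/"yy" are the poster's own placeholders.
PEER_B = "193.xx.yy.2"       # the internet-side BGP neighbour (reached via em1)
OUR_PUBLIC = "84.xx.yy.1"    # the middle machine's public address on em1
OUR_PRIVATE = "192.168.0.1"  # the middle machine's address on em0
NEIGHBOUR = "192.168.0.2"    # the private-network neighbour behind em0

@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet is on: ingress before, egress after translation
    src: str
    dst: str
    sport: int
    dport: int

def translate(pkt: Packet) -> Optional[Packet]:
    """Apply the requested 1:1 rewrite; None means the packet is dropped.
    Ports are never changed, matching the 'ports and data untouched' requirement."""
    if pkt.iface == "em0" and pkt.src == NEIGHBOUR and pkt.dst == OUR_PRIVATE:
        # private -> internet: leaves em1 as our public address talking to B
        return replace(pkt, iface="em1", src=OUR_PUBLIC, dst=PEER_B)
    if pkt.iface == "em1" and pkt.dst == OUR_PUBLIC:
        if pkt.src != PEER_B:
            return None  # only 193.xx.yy.2 may reach 84.xx.yy.1
        # internet -> private: leaves em0 as our private address talking to the neighbour
        return replace(pkt, iface="em0", src=OUR_PRIVATE, dst=NEIGHBOUR)
    return pkt  # anything else is forwarded untouched

def reply_to(pkt: Packet) -> Packet:
    """The packet the receiver of `pkt` would send back: addresses and ports
    swapped, arriving on the same interface `pkt` was on."""
    return Packet(pkt.iface, pkt.dst, pkt.src, pkt.dport, pkt.sport)

def is_consistent(pkt: Packet) -> bool:
    """The property a binat pair must satisfy: translating the reply to a
    translated packet must give exactly the reply to the original packet."""
    out = translate(pkt)
    if out is None:
        return False
    return translate(reply_to(out)) == reply_to(pkt)

if __name__ == "__main__":
    # constructed sample: a BGP session opened by the private neighbour
    bgp_open = Packet("em0", NEIGHBOUR, OUR_PRIVATE, 40000, 179)
    print(translate(bgp_open), is_consistent(bgp_open))
```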
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51D8C472.9050103>