From: "Gary Aitken"
To: "Freebsd Questions" <freebsd-questions@freebsd.org>
Cc: kudzu@tenebras.com, smithi@nimnet.asn.au
Date: Mon, 10 Nov 2014 14:12:32 -0700
Subject: Re: natd not translating?
User-Agent: SquirrelMail/1.4.22

Ian and Michael, thanks both of you for the clarification on using
separate incoming and outgoing rules. The world is now good...
> > I have a non-gateway ip addr reserved for use by natd, and currently have
> >   divert 8668 ip from any to any via ep0
> > Since I have a non-gateway addr reserved for the natd xlations, it seems like
> >   divert 8668 ip4 from not me to not me via ep0
> > should have identical behavior; but it doesn't.
> > It seems like nothing came through to clients.
>
> Well, traffic coming back in from remote hosts IS 'to me' (ie, to any
> address configured on any interface on this box) before it's been
> translated by NAT to an inside host address

Not necessarily. If I have specified
  redirect_address 192.168.1.12 alias_address
then everything not destined for the gateway machine will not be "to me".

By non-gateway-ip-addr I mean one of my assigned ip addrs, but not the one
assigned by me to the outward-facing interface of the gateway box.
(you knew that, I just wasn't clear earlier.)

e.g. if my assigned ip addrs are a.b.c.16/29:
  gateway interface to the world: a.b.c.17
  natd.conf specifies:
    redirect_address 192.168.1.12 a.b.c.21
    alias_address a.b.c.22

I have reworked the ipfw rules starting with rc.firewall "simple" as a
template and adding what little I needed. Thanks again for the hint.

With those new rules, the above
  05000 divert 8668 ip4 from not me to not me via ep0
seems to work as well as
  05001 divert 8668 ip4 from 192.168.1.0/24 to any out recv xl0 xmit ep0
  05002 divert 8668 ip4 from any to not me in recv ep0

Am I right that, given the natd.conf constraints on redirect addrs
indicated above, the 5000 rule should work as well as 5001 + 5002, and
natd won't be doing any extra work?

> Strangely, there's no man page for ep nor if_ep on 8.x or 9.x?

ugh. That will be interesting when my upgrade starts in a few days. Dang.

  man ep
  ep -- Ethernet driver for 3Com Etherlink III (3c5x9) interfaces
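The question of whether rule 5000 behaves the same as 5001 + 5002 can be made concrete by listing the packets on which the two rule sets disagree. The following is an added model written for this page, not code from the post or from FreeBSD: it reproduces only the address, direction and interface predicates of the three divert rules. Its assumptions (none of them from the post) are: the gateway holds 203.0.113.17 on ep0 and 192.168.1.1 on xl0 (TEST-NET addresses stand in for a.b.c.x, 198.51.100.5 for a remote host); the natd redirect/alias addresses 203.0.113.21 and .22 are not configured on any interface, so ipfw's "me" does not cover them; and ipfw's "via" keyword checks the transmit interface for an outbound packet and the receive interface for an inbound one.

```python
"""Added model of the ipfw divert rules under discussion (not from the post).

Assumptions, constructed for this example: 203.0.113.17 is the gateway's ep0
address (a.b.c.17), 192.168.1.1 its xl0 address; 203.0.113.21/.22 are the natd
redirect/alias addresses (a.b.c.21/22) and are NOT configured on an interface.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import List, Optional

# ipfw's "me": every address configured on any interface of this host
ME = {ip_address("203.0.113.17"), ip_address("192.168.1.1")}
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    direction: str        # "in" or "out"
    recv: Optional[str]   # interface it arrived on (None if locally generated)
    xmit: Optional[str]   # interface it leaves on (None for inbound packets)


def via(p: Packet, ifname: str) -> bool:
    # "via": transmit interface for outbound packets, receive interface otherwise
    return (p.xmit if p.direction == "out" else p.recv) == ifname


def rule_5000(p: Packet) -> bool:
    """divert 8668 ip4 from not me to not me via ep0"""
    return p.src not in ME and p.dst not in ME and via(p, "ep0")


def rule_5001(p: Packet) -> bool:
    """divert 8668 ip4 from 192.168.1.0/24 to any out recv xl0 xmit ep0"""
    return (p.direction == "out" and p.recv == "xl0" and p.xmit == "ep0"
            and p.src in LAN)


def rule_5002(p: Packet) -> bool:
    """divert 8668 ip4 from any to not me in recv ep0"""
    return p.direction == "in" and p.recv == "ep0" and p.dst not in ME


def split_rules(p: Packet) -> bool:
    """The 5001 + 5002 pair: a packet is diverted if either rule matches."""
    return rule_5001(p) or rule_5002(p)


def disagreements(packets: List[Packet]) -> List[Packet]:
    """Packets that exactly one of the two rule sets would hand to natd."""
    return [p for p in packets if rule_5000(p) != split_rules(p)]


A = ip_address
REMOTE = A("198.51.100.5")   # a host on the Internet (constructed)

# Constructed sample traffic; each comment says which rule set diverts it.
SAMPLE = [
    # LAN host -> Internet on the normal forwarded path: both divert
    Packet(A("192.168.1.12"), REMOTE, "out", "xl0", "ep0"),
    # Internet -> redirect address of the LAN host: both divert
    Packet(REMOTE, A("203.0.113.21"), "in", "ep0", None),
    # Internet -> the gateway's own address: neither diverts
    Packet(REMOTE, A("203.0.113.17"), "in", "ep0", None),
    # traffic the gateway itself originates: neither diverts
    Packet(A("203.0.113.17"), REMOTE, "out", None, "ep0"),
    # second pass of a translated inbound packet, now leaving on xl0: neither
    Packet(REMOTE, A("192.168.1.12"), "out", "ep0", "xl0"),
    # forwarded from xl0 with a source outside the LAN prefix: only 5000
    Packet(A("10.9.9.9"), REMOTE, "out", "xl0", "ep0"),
    # LAN source arriving on some other interface (e.g. a tunnel): only 5000
    Packet(A("192.168.1.40"), REMOTE, "out", "tun0", "ep0"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src} -> {p.dst} {p.direction:3} recv={p.recv} xmit={p.xmit}: "
              f"5000={rule_5000(p)} 5001+5002={split_rules(p)}")
    print("packets the two rule sets disagree on:", len(disagreements(SAMPLE)))
```

On the ordinary paths (LAN to Internet, Internet to a redirect address, traffic to or from the gateway itself, the second pass of a translated packet) the two rule sets agree. They part company only on packets that reach ep0 from an unexpected place: a non-LAN source forwarded from xl0, or a LAN source arriving over a third interface. Rule 5000 hands those to natd; the 5001 + 5002 pair does not, because it pins the outbound divert to the exact receive/transmit interface pair and source prefix.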