From owner-freebsd-net@FreeBSD.ORG Sun Jun 8 11:40:38 2014
Delivered-To: freebsd-net@freebsd.org
Date: Sun, 8 Jun 2014 13:40:37 +0200
In-Reply-To: <20140608091226.3bb9fe60@X220.alogt.com>
References: <1402122166.37214.YahooMailNeo@web162101.mail.bf1.yahoo.com> <20140607144043.3d4be435@X220.alogt.com> <1402159719.88183.YahooMailNeo@web162105.mail.bf1.yahoo.com> <20140608091226.3bb9fe60@X220.alogt.com>
Subject: Re: Can you create a FreeBSD gateway, with private IPs, without NAT/divert ?
From: Andreas Nilsson
To: Erich Dollansky
Cc: FreeBSD Net, None Secure
List-Id: Networking and TCP/IP with FreeBSD

On Sun, Jun 8, 2014 at 3:12 AM, Erich Dollansky wrote:
> Hi,
>
> On Sat, 7 Jun 2014 09:48:39 -0700 (PDT)
> None Secure via freebsd-net wrote:
>
> > Yes, but in this case BOTH IPs of the gateway - both the external and
> > the internal interfaces - are non-routable IPs, and so is my ISP
> > cable modem.
> >
> > 192.168.1.1 is the cable modem
> > 192.168.1.2 is external interface of my FreeBSD
> > 10.10.10.1 is internal interface of my FreeBSD
> >
> I have had the reverse situation before. 10.x.x.x was the external
> address and 192.168.x.x the internal. There were two interfaces in
> the machine. I cannot remember having had any problems with this.
> I now have an external router, so I do not need to use FreeBSD for this.
>
> Erich
>

It's sad that they chose CGN in the first place :( But now that they have, couldn't you ask them to give you a /24 subnet of that RFC 1918 block? Then you wouldn't really need a gateway at all, just a firewall (which should block ARP and so on).

And as stated by others: the routing/forwarding table really has no notion of human "constraints" on IP addresses; the kernel will happily forward traffic from one RFC 1918 block to another.

That being said, your ISP is running NAT, from 192.168.1.1 to some public IP. If the ISP sees traffic from 10.10.10.0/24 (just guessing about the /24), they will be confused, which is why you need to run NAT to translate those internal addresses to your external IP.

As for ipfw, could you show us the rules that get added? If it uses divert you definitely should be able to send to different natd processes, as divert sends the traffic to a specified port. If you want to use in-kernel NAT it might be a bit trickier, but what if you put the process in question in a jail? Then you could easily distinguish it in ipfw.

Best regards
Andreas
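The setup the reply describes, as an added example that is not part of the thread and not code from any of the posters: a FreeBSD box with 192.168.1.2 on the modem side and 10.10.10.1 on the LAN side, forwarding between the two RFC 1918 blocks with plain IP forwarding, and translating the LAN behind 192.168.1.2 with in-kernel NAT. It goes one step further than the thread and shows the "process in a jail" idea with a second NAT instance: the jail's address (10.10.10.50, assumed), a second alias on the external interface (192.168.1.3, assumed) and the interface names em0/em1 are all assumptions chosen to fit the numbering in the thread; the rule numbers are arbitrary. Run it as `sh gw-ipfw.sh show` to print the rules, or `sh gw-ipfw.sh apply` as root on the gateway.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset for the gateway the
# poster describes, with two in-kernel NAT instances so that one jailed
# process is translated separately from the rest of the LAN. Interface
# names, the jail's addresses and the rule numbers are assumptions.
#
#   192.168.1.1       ISP cable modem (does its own NAT upstream, CGN)
#   192.168.1.2/24    em0, "external" side of the FreeBSD box
#   10.10.10.1/24     em1, "internal" side of the FreeBSD box
#   10.10.10.50       assumed: address the jail is bound to (alias on em1)
#   192.168.1.3       assumed: second alias on em0, used only by NAT 2
#
# Forwarding between the two RFC 1918 blocks needs nothing more than
# net.inet.ip.forwarding=1; the kernel does not care that both sides are
# private. NAT is needed because the modem at 192.168.1.1 only knows how
# to handle 192.168.1.0/24 sources, not 10.10.10.0/24.

EXT_IF="${EXT_IF:-em0}"
INT_IF="${INT_IF:-em1}"
EXT_IP="${EXT_IP:-192.168.1.2}"
JAIL_EXT_IP="${JAIL_EXT_IP:-192.168.1.3}"   # assumed alias on em0
INT_NET="${INT_NET:-10.10.10.0/24}"
JAIL_IP="${JAIL_IP:-10.10.10.50}"           # assumed jail address

# With DRYRUN=1 every command is printed instead of executed, so the
# ruleset can be reviewed (or tested) on a machine that has no ipfw.
run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}
fwcmd() { run /sbin/ipfw -q "$@"; }

build_rules() {
    fwcmd -f flush

    # NAT 1: the whole LAN behind the address the modem handed us.
    # NAT 2: only the jail, behind its own alias, so its translation state
    # (and logging) stays separate. deny_in drops unsolicited inbound
    # packets instead of letting the nat rule accept them (with the default
    # one_pass=1 a packet is accepted as soon as a nat rule matches).
    # unreg_only translates RFC 1918 sources only, which is exactly the
    # traffic the modem cannot carry.
    fwcmd nat 1 config if "$EXT_IF" deny_in unreg_only reset
    fwcmd nat 2 config ip "$JAIL_EXT_IP" deny_in unreg_only reset log

    fwcmd add 100 allow ip from any to any via lo0
    fwcmd add 110 deny ip from any to 127.0.0.0/8
    fwcmd add 120 deny ip from 127.0.0.0/8 to any

    # Inbound on the modem side: pick the NAT instance by destination,
    # which is unambiguous because each instance owns one address.
    fwcmd add 200 nat 2 ip from any to "$JAIL_EXT_IP" in via "$EXT_IF"
    fwcmd add 210 nat 1 ip from any to "$EXT_IP" in via "$EXT_IF"

    # Outbound: the jail's /32 must come before the LAN /24 that contains
    # it, otherwise the jail's traffic is swallowed by NAT 1.
    fwcmd add 300 nat 2 ip from "$JAIL_IP" to any out via "$EXT_IF"
    fwcmd add 310 nat 1 ip from "$INT_NET" to any out via "$EXT_IF"

    # Anything still carrying another private source towards the modem
    # at this point is exactly what would confuse the ISP: log and drop.
    fwcmd add 400 deny log ip from 10.0.0.0/8,172.16.0.0/12 to any out via "$EXT_IF"

    # Plain forwarding between the two sides, no translation involved.
    fwcmd add 500 allow ip from "$INT_NET" to any in via "$INT_IF"
    fwcmd add 510 allow ip from any to "$INT_NET" out via "$INT_IF"
    fwcmd add 520 allow ip from me to any out
    fwcmd add 65000 deny log ip from any to any
}

setup_gateway() {
    run sysctl net.inet.ip.forwarding=1   # gateway_enable="YES" in rc.conf
    build_rules
}

case "${1:-}" in
    show)  DRYRUN=1; setup_gateway ;;
    apply) setup_gateway ;;
    *)     ;;   # sourced or called without a mode: only define the functions
esac
```

The two things worth checking on a real box before trusting this: that 192.168.1.3 is actually configured as an alias on em0 (otherwise replies to the jail's connections are never picked up), and that `deny_in` is what you want on NAT 1, since it also drops unsolicited packets to the gateway itself from the modem side.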