From: Frank Leonhardt
To: freebsd-questions@freebsd.org
Subject: ipfw, natd and a server on a second WAN address
Date: Mon, 27 Apr 2015 21:02:55 +0100
Message-ID: <553E95EF.8050002@fjl.co.uk>

I hope someone will *know* how to do this. I can guess, but if I guess wrong there'll be consequences...

The situation I have is that there's a LAN using a FreeBSD box as a router, doing asymmetric NAT between two Ethernet interfaces. There's a /29 on the WAN, but only one IP was being used.
On the LAN there's a server with a few ports forwarded from the WAN IP. For various reasons I won't bore you with, I really need to make this server appear on a different IP address on the WAN. How do I achieve this?

Okay, on the NATting machine we have a config like:

    eth0: inet 192.168.1.210 netmask 0xffffff00 broadcast 192.168.1.255
    eth1: inet .210 netmask 0xfffffff8 broadcast .215
          inet .211 netmask 0xffffffff broadcast .211

On ipfw we have:

    add divert natd all from any to any via eth1
    add pass all from any to any

And for natd there are options like:

    interface eth1
    redirect_port tcp 192.168.1.212:25 25

This will happily NAT most things, but anything coming in on .210 goes to port 25 on LAN machine 192.168.1.212. This is great. Anything coming in on .211 doesn't get natted at all. I thought it might, but it doesn't.

Does anyone know the runes needed to make .211 port 25 pass through to 192.168.1.212? (Incidentally, this would be easy to fix if I could change some cables around, but I can't.)

I'm thinking that all I need to do is put in a static route manually. But when I try to figure out what exactly it would be, I get a headache.

BTW, I'm specifically using natd here.

If anyone knows, it'd save me a lot of stress, or a day's driving, and probably both!

Thanks, Frank.
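As an added example (not the poster's configuration), here is the natd.conf change that puts the server on the second address in both directions using natd's static NAT option, redirect_address, with the narrower inbound-only alternative shown alongside it. It assumes the eth1 name from the post and uses 203.0.113.0/29 as a constructed stand-in for the WAN block, whose prefix the post leaves out; the existing ipfw divert rule already sends every packet via eth1 through natd, so no ipfw change is needed for the redirection itself.

```conf
# /etc/natd.conf (added example, not the poster's file)
# 203.0.113.0/29 is a constructed stand-in for the poster's WAN block:
# 203.0.113.210 = the primary WAN address, 203.0.113.211 = the alias.

# Outbound traffic that matches no other rule is still aliased to
# eth1's primary address (.210), as before.
interface eth1

# Static (1:1) NAT: packets arriving for .211 are rewritten to
# 192.168.1.212, and packets leaving 192.168.1.212 get .211 as their
# source, so the server appears on .211 in both directions.
# Syntax is: redirect_address localIP publicIP
redirect_address 192.168.1.212 203.0.113.211

# The old forward on .210 is removed so port 25 is reachable only via
# .211. If instead only inbound port 25 should move and the server's
# outbound traffic should keep .210 as its source, use this single
# line in place of redirect_address (aliasIP given explicitly):
#redirect_port tcp 192.168.1.212:25 203.0.113.211:25
```

Because "add pass all from any to any" follows the divert rule, static NAT exposes every port of 192.168.1.212 on .211; an ipfw rule placed after the divert that passes only tcp to 192.168.1.212 port 25 (plus established traffic) inbound via eth1, and denies the rest to that host, restores the port-25-only exposure the redirect_port setup had.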