IPFW / if_bridge / NAT
Jay L. T. Cornwall
jay at jcornwall.me.uk
Fri Mar 28 10:51:21 PDT 2008
Hi,
I have a FreeBSD 7.0 machine bridging two segments of a network:
vr0 <---> bridge0 <---> vr1
bridge0 has both unregistered and public IP aliases. In addition to
bridging, I need the machine to perform NAT on packets originating from
an unregistered subnet (192.168.1.0/24) outbound on interface vr1 to a
public IP and back again. No NAT'ing should occur behind vr1.
I initially tried to set this up with ipfw diverting packets to natd
like this:
divert natd any from any to any via vr1
This seemed to NAT packets outbound correctly, but the replies were
never NAT'd back to the private IPs. I believe the presence of the
bridge affects ipfw's ability to divert the appropriate packets. This
configuration partly works:
divert natd any from 192.168.1.0/24 to any
divert natd any from any to <public IP>
However, NAT'ing then predictably occurs behind interface vr1, which
causes internal routing problems. None of my attempts to NAT directly on
the bridge0 interface managed to perform any packet rewriting at all.
This may be a problem with my sysctl settings, many of which I'm unsure
about:
net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_local_phys: 0
net.link.bridge.ipfw: 0
net.link.bridge.ipfw_arp: 0
net.inet.ip.fw.one_pass: 1
Is anyone able to suggest an IPFW/bridge configuration that will NAT only
across the vr1 interface of the if_bridged network?
Thanks,
--
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
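To make the difference between the two rulesets in the post concrete, here is an added illustration (not part of the original message and not FreeBSD's ipfw code): a small Python model of the ipfw matching subset the rules use (`divert`, `from`/`to` with CIDR or `any`, and an optional `via` interface, which in ipfw matches a packet crossing that interface in either direction). The public IP (203.0.113.1), the remote host (198.51.100.5) and the packet events are constructed sample values; the second rule's `<public IP>` placeholder is filled with the constructed address. The model only decides which rule would divert each packet; it does not simulate natd, the bridge, or the `one_pass`/`pfil_*` sysctls.

```python
"""Toy model of ipfw rule matching for a 'divert natd' ruleset.

Added illustration, not ipfw itself. It covers only the syntax used in the
post: 'divert <port> <proto> from <src> to <dst> [via <iface>]'. Real ipfw
also distinguishes direction with 'in'/'out' and 'recv'/'xmit', which this
model does not parse.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

RULE_RE = re.compile(
    r"^divert\s+(?P<port>\S+)\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?$"
)


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    iface: str      # interface the packet is crossing when the firewall sees it
    direction: str  # "in" or "out" (informational; 'via' ignores direction)


@dataclass(frozen=True)
class Rule:
    text: str
    src: Optional[ipaddress.IPv4Network]  # None means 'any'
    dst: Optional[ipaddress.IPv4Network]  # None means 'any'
    via: Optional[str]                    # None means no interface constraint


def parse_rule(text: str) -> Rule:
    """Parse one rule line into a Rule; raises ValueError on unsupported syntax."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")

    def net(spec: str) -> Optional[ipaddress.IPv4Network]:
        return None if spec == "any" else ipaddress.ip_network(spec, strict=False)

    return Rule(text.strip(), net(m["src"]), net(m["dst"]), m["via"])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if every constraint the rule states holds for the packet."""
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    # 'via' matches the interface regardless of whether the packet is in or out.
    if rule.via is not None and pkt.iface != rule.via:
        return False
    return True


def first_divert(rules: list, pkt: Packet) -> Optional[str]:
    """Return the text of the first rule that would divert pkt, or None."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.text
    return None


def simulate(ruleset: list, packets: list) -> list:
    """Evaluate each packet against the ruleset, returning the matched rule texts."""
    rules = [parse_rule(r) for r in ruleset]
    return [first_divert(rules, p) for p in packets]


# The two rulesets from the post; '<public IP>' is filled with a constructed
# documentation address (203.0.113.1).
RULESET_A = ["divert natd any from any to any via vr1"]
RULESET_B = [
    "divert natd any from 192.168.1.0/24 to any",
    "divert natd any from any to 203.0.113.1",
]

# Constructed packet events. With pfil_member=1 a bridged frame is seen once on
# each member interface it crosses, so a LAN-to-LAN frame appears twice.
PACKETS = [
    Packet("192.168.1.10", "198.51.100.5", "vr1", "out"),  # private host -> Internet
    Packet("198.51.100.5", "203.0.113.1", "vr1", "in"),    # reply to the public alias
    Packet("192.168.1.10", "192.168.1.20", "vr0", "in"),   # bridged LAN frame on vr0
    Packet("192.168.1.10", "192.168.1.20", "vr1", "out"),  # same frame leaving vr1
]

if __name__ == "__main__":
    for name, ruleset in (("A", RULESET_A), ("B", RULESET_B)):
        for pkt, matched in zip(PACKETS, simulate(ruleset, PACKETS)):
            print(f"ruleset {name}: {pkt.src} -> {pkt.dst} on {pkt.iface}: "
                  f"{matched or 'not diverted'}")
```

Running it shows the behaviour the post describes for ruleset B: the `from 192.168.1.0/24` rule matches every private-source packet on whichever interface it is seen, including the bridged frame while it is still on vr0, whereas ruleset A only ever matches packets crossing vr1. It also shows that `via vr1` is direction-agnostic, so the reply addressed to the public alias is selected by ruleset A; why that reply is nevertheless not rewritten on a bridge is the open question in the post and is outside what this model can say.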