IPFW / if_bridge / NAT
Jay L. T. Cornwall
jay at jcornwall.me.uk
Fri Mar 28 14:27:29 PDT 2008
Freddie Cash wrote:
>> This seemed to NAT packets outbound correctly, but the replies were
>> never NAT'd back to the private IPs. I believe the presence of the
>> bridge affects ipfw's ability to divert the appropriate packets. This
>> configuration partly works:
>> divert natd any from 192.168.1.0/24 to any
>> divert natd any from any to <public IP>
> Have you tried restricting your rules to only the vr1 interfaces, with
> <public IP> configured directly on vr1:
>
> divert natd ip from 192.168.1.0/24 to any out xmit vr1
> divert natd ip from any to <public IP> in recv vr1
Ah, there are recv/xmit semantics as well as in/out. I need to read the
man page more thoroughly!
However, this doesn't seem to work. It has the same symptoms as a single
'any to any via vr1' diversion: outbound packets are rewritten correctly
(verified at the destination) but the replies are never rewritten.
00601 3 180 divert 8668 ip from 192.168.1.0/24 to any out xmit vr1
00602 0 0 divert 8668 ip from any to <public ip> in recv vr1
Nothing ever reaches the second rule. I think the bridge changes ipfw
filtering properties, because the simple 'any to any via vr1' is
mentioned a lot in the literature. It just doesn't work here?
--
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
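A worked version of the ruleset discussed in this message, as an added example that is not part of the thread, of FreeBSD's rc.firewall, or of anything the posters ran. It generates the two divert rules with explicit direction and interface qualifiers (out xmit / in recv, as suggested above, rather than a single via) in the file format ipfw(8) reads, and it includes a small awk helper that does what this message did by hand: read `ipfw show` output and report divert rules whose packet counter is still zero. The LAN 192.168.1.0/24, the vr1 interface and the rule numbers 601/602 come from the listing above; the public address 203.0.113.5, natd's default port 8668, the trailing allow rule and the sample `ipfw show` lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an ipfw/natd divert ruleset with
# explicit direction+interface qualifiers, and inspects `ipfw show` counters.

# gen_nat_rules LAN_NET PUBLIC_IP EXT_IF
# Prints rule lines without the leading "ipfw", i.e. the format accepted by
#   ipfw -q FILE        (load)      or      ipfw -n -q FILE   (syntax check only)
# The rule numbers mirror the listing in the message; 650 (allow) is assumed.
gen_nat_rules() {
    lan="$1"; pub="$2"; ext="$3"
    # 601: LAN packets leaving on the external interface are translated on the
    #      way out (source rewritten to the public address by natd).
    # 602: packets arriving on the external interface for the public address
    #      are translated on the way back in (destination rewritten to the LAN).
    #      The counter on this rule is what tells you whether replies are seen.
    cat <<EOF
flush
add 00601 divert natd ip from $lan to any out xmit $ext
add 00602 divert natd ip from any to $pub in recv $ext
add 00650 allow ip from any to any
EOF
}

# zero_hit_divert_rules
# Reads `ipfw show` output on stdin (fields: rule_no pkts bytes action ...)
# and prints the numbers of divert rules that have matched no packets.
zero_hit_divert_rules() {
    awk '$4 == "divert" && $2 == 0 { print $1 }'
}

# Constructed sample of `ipfw show` output (not captured from a real box),
# shaped like the listing in the message: rule 602 has never matched.
SAMPLE_IPFW_SHOW='00601 3 180 divert 8668 ip from 192.168.1.0/24 to any out xmit vr1
00602 0 0 divert 8668 ip from any to 203.0.113.5 in recv vr1
00650 3 180 allow ip from any to any
65535 0 0 deny ip from any to any'

# Stand-alone demo: print the generated rules, then the unmatched divert rules.
# On a FreeBSD host the first line could be piped through `ipfw -n -q /dev/stdin`
# to syntax-check it; on a real problem, feed `ipfw show` to the second helper.
gen_nat_rules 192.168.1.0/24 203.0.113.5 vr1
echo "divert rules with zero hits:"
printf '%s\n' "$SAMPLE_IPFW_SHOW" | zero_hit_divert_rules
```

One check worth making before reading the counters on a bridged host: if_bridge(4) documents the net.link.bridge.pfil_member and net.link.bridge.pfil_bridge sysctls, which decide whether ipfw sees bridged packets on the member interfaces (vr1 here) or on the bridge interface itself, so an `in recv vr1` rule and an `in recv bridge0` rule can see different traffic depending on those settings. Whether that is what is happening in this thread is not something the thread establishes; `sysctl net.link.bridge` shows the values in effect.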