ipfw nat and dual-homed box

Eugene Grosbein egrosbein at rdtc.ru
Sun Feb 27 11:29:47 UTC 2011


On 27.02.2011 17:08, Eugene Grosbein wrote:

[skip]

> For performance reasons, I need to create a similar setup using in-kernel "ipfw nat",
> which does not have such a "multiple instances" feature but has its own "keep-state" mechanics:

To correct myself: of course, ipfw nat has multiple instances... It does not offer
something like natd's "globalport" feature to check all NAT instances for an entry
before creating a new one.

> nat config if $if0 unreg_only
> nat config if $if1 unreg_only
> nat 123 ip from any to any via $if0 keep-state # For incoming packets, create a dynamic rule.
> nat 124 ip from any to any via $if1 keep-state # For outgoing packets, use the corresponding NAT instance.
> fwd $if0_gate ip from $if0_ip to any out xmit $if1 # Force the packet out the right interface.
> fwd $if1_gate ip from $if1_ip to any out xmit $if0
> 
> This works just fine if we do not try to use ipfw nat's port forwarding.
> Here it breaks because "keep-state" creates a dynamic rule for incoming connections
> before the translation is done, so it records the external IP of the box as the destination IP.
> Hence, replies will be translated using the wrong NAT instance when the routing table
> chooses the wrong outgoing interface - replies won't match ipfw's dynamic rules.
> 
> I think this is a bug in 8.2-STABLE. Am I right?
> Or, perhaps, there is another way to set up ipfw nat for a dual-homed LAN?
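
A toy Python model of the failure mode the quoted ruleset describes (an added example, not code from the post or from ipfw: the addresses, ports, the :80 redirect on instance 123 and the simplified outbound translation are all constructed). It records the dynamic rule before the nat action runs, as the post says keep-state does, and shows the reply missing that rule and landing on the NAT instance picked by the outgoing interface; the `record_translated` flag is a hypothetical variant for contrast only.

```python
# Toy model of "nat 123 ... via $if0 keep-state" / "nat 124 ... via $if1 keep-state".
from dataclasses import dataclass, replace

IF0_IP, IF1_IP = "198.51.100.10", "203.0.113.10"   # constructed external addresses
INTERNAL, REMOTE = "192.168.0.5", "192.0.2.7"      # constructed LAN host and peer
REDIRECTS = {123: {(IF0_IP, 80): (INTERNAL, 80)}}  # constructed port forward on instance 123
NAT_EXT = {123: IF0_IP, 124: IF1_IP}               # source address each instance rewrites to

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str       # interface the packet is seen on: "if0" or "if1"
    direction: str   # "in" or "out"

def state_key(p):
    # A dynamic rule matches both directions of the flow it was created for.
    return frozenset([(p.src, p.sport), (p.dst, p.dport)])

def nat(instance, p):
    if p.direction == "in":   # inbound: apply the instance's redirect, if any
        tgt = REDIRECTS.get(instance, {}).get((p.dst, p.dport))
        return replace(p, dst=tgt[0], dport=tgt[1]) if tgt else p
    return replace(p, src=NAT_EXT[instance])   # outbound: rewrite the source (simplified)

def run_ruleset(p, dyn, record_translated=False):
    """Return (packet after the ruleset, nat instance used, whether a dynamic rule matched)."""
    key = state_key(p)
    if key in dyn:                   # check-state: reuse the parent rule's nat instance
        inst = dyn[key]
        return nat(inst, p), inst, True
    inst = 123 if p.iface == "if0" else 124     # static rules select by interface
    out = nat(inst, p)
    # keep-state as described in the post: the state holds the UNtranslated addresses.
    # record_translated=True is a hypothetical variant for contrast, not ipfw behaviour.
    dyn[state_key(out if record_translated else p)] = inst
    return out, inst, False

def simulate(reply_iface, record_translated=False):
    """Inbound connection to IF0_IP:80, then the LAN host's reply routed out reply_iface."""
    dyn = {}
    inbound = Pkt(REMOTE, 40000, IF0_IP, 80, "if0", "in")
    translated, _, _ = run_ruleset(inbound, dyn, record_translated)
    reply = Pkt(translated.dst, translated.dport, REMOTE, 40000, reply_iface, "out")
    out, inst, matched = run_ruleset(reply, dyn, record_translated)
    return {"inst": inst, "matched_state": matched, "reply_src": out.src}
```

With the reply routed out if1, `simulate("if1")` reports no dynamic-rule match, instance 124 and a reply source of IF1_IP, which is exactly the mismatch the post describes.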

