ipfw nat and dual-homed box

Eugene Grosbein egrosbein at rdtc.ru
Mon Feb 28 16:53:59 UTC 2011 

On 28.02.2011 22:44, Julian Elischer wrote:
> On 2/27/11 3:29 AM, Eugene Grosbein wrote:
>> On 27.02.2011 17:08, Eugene Grosbein wrote:
>>
>> [skip]
>>
>>> For performance reasons, I need to create similar setup using in-kernel "ipfw nat"
>>> what does not have such "multiple instances" feature but has its own "keep-state" mechanics:
>> To correct myself: of course, ipfw nat has multiple instances... It does not offer
>> something like natd's "globalport" feature to check all NAT instances for entry
>> before creation of new one.
>>
>>> nat config if $if0 unreg_only
>>> nat config if $if1 unreg_only
>>> nat 123 ip from any to any via $if0 keep-state # For incoming packets create dynamic rule.
>>> nat 124 ip from any to any via $if1 keep-state # For outgoing packet use corresponding NAT instance.
>>> fwd $if0_gate ip from $if0_ip to any out xmit $if1 # Force packet go out right interface.
>>> fwd $if1_gate ip from $if1_ip to any out xmit $if0
>>>
>>> This works just fine if we do not try to use ipfw nat's port forwarding.
>>> Here it breaks because "keep-state" creates dynamic rule for incoming connections
>>> before translation's done, so it records external IP of the box as destination IP.
>>> Hence, replies will be translated using wrong NAT instance when routing table
>>> chooses wrong outgoing interface - replies won't match ipfw's dynamic rules.
>>>
>>> I think this is a bug in 8.2-STABLE. Am I right?
>>> Or, perhaps, there is another way to setup ipfw nat for dual-homed LAN?
> Eventually
> one answer (which you may or may not like) is to run your NAT daemons in
> separate VIMAGE jails so that there are effectively separate machines 
> on each
> outgoing interface.  eac can have its own firewalls etc then.
> Unfortunately I can't tell you if the ipfw NAT will work in this set up
> as I have not tested it.

As I've already noted, the task can be solved without separate VIMAGE
using just one running natd. And I've presented working natd config for that.

I want to run ipfw nat for better performance. Note again,
the task is to NOT separate NAT instances but to the contrary,
I need to use BOTH translation tables combined for outgoing packets.
And I've presented configuration using ipfw nat that's supposed to work too,
but there I've found misfeature or a bug I want to discuss :-)

Eugene Grosbein

More information about the freebsd-net mailing list