On 01.07.2013 14:30, Sami Halabi wrote:
> Hi,
> 
> I've tried the following:
> 
> em1 - ip 10.0.1.1/24
> em2 - ip 11.0.3.1/24
> route add 11.0.4.0/24 11.0.3.2
> 
> ipfw flush
> ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
> ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
> 
> ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
> 
> 
> ipfw nat 1 config same_ports unreg_only ip 11.0.3.1
> ipfw nat 1 config reverse same_ports unreg_only ip 11.0.4.2
> 
> What I see in tcpdump and the logs is that rule 1000 converts the IP correctly:
> 10.0.1.2->10.0.1.1  ==>  11.0.3.1->10.0.1.1
> while rule 2000 does nothing...

man ipfw says:

     To let the packet continue after being (de)aliased, set the sysctl
     variable net.inet.ip.fw.one_pass to 0.

By default, rule 1000 "consumes" aliased packets and they do not hit rule 2000 
at all.
So, you need to set sysctl net.inet.ip.fw.one_pass=0
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
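An added example, not code from either post, showing the ordering the reply calls for on a FreeBSD router: one_pass set to 0 before the ruleset is loaded, every nat instance configured before a rule references it, and filter rules placed after the nat rules so they see translated addresses. Interfaces and addresses are taken from Sami's post; the assumption that his second `config` line was meant for instance 2, and the two filter rules at the end, are mine.

```shell
#!/bin/sh
# Added example for the one_pass discussion above; not from the original
# posts. Assumes FreeBSD with ipfw and in-kernel nat loaded, run as root.
# Addresses/interfaces follow Sami's post; the nat 2 config line and the
# trailing filter rules are assumptions made for illustration.

# Execute the command on FreeBSD; on any other host print it instead, so
# the rule order can be reviewed (or tested) without touching a firewall.
run() {
    if [ "$(uname -s)" = FreeBSD ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Succeeds when the value of net.inet.ip.fw.one_pass lets a packet keep
# traversing the ruleset after (de)aliasing; use with:
#   one_pass_ok "$(sysctl -n net.inet.ip.fw.one_pass)"
one_pass_ok() {
    [ "$1" = "0" ]
}

apply_ruleset() {
    # 1. Must come first: with one_pass=1 the first matching nat rule
    #    accepts the packet and rules 2000/3000/4000 are never evaluated.
    run sysctl net.inet.ip.fw.one_pass=0

    run ipfw -q flush

    # 2. Configure each instance before any rule references it. The post
    #    configures instance 1 twice; the second line is assumed here to
    #    be meant for instance 2 (which rules 2000 and 3000 use).
    run ipfw nat 1 config same_ports unreg_only ip 11.0.3.1
    run ipfw nat 2 config reverse same_ports unreg_only ip 11.0.4.2

    # 3. The nat rules from the post, unchanged and in the same order.
    run ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
    run ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
    run ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
    run ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1

    # 4. Only reachable because of step 1. Match on post-translation
    #    addresses: a packet still carrying a 10/8 source when it leaves
    #    em2 escaped translation, so log and drop it instead of leaking it.
    run ipfw add 5000 deny log ip from 10.0.0.0/8 to any out via em2
    run ipfw add 65000 allow ip from any to any
}

# Verification: -a shows per-rule counters, so rule 2000 can be watched
# actually matching; "nat show config" confirms both instances exist.
show_state() {
    run ipfw -a list
    run ipfw nat show config
}

apply_ruleset
show_state
```

Apply with `sh` as root and then re-run the tcpdump from the post; the counter next to rule 2000 in `ipfw -a list` should now advance for the 11.0.3.1 -> 10.0.1.1 packets that previously stopped at rule 1000.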
