Hi, all. I have a machine that works as a bridge for externally routed IP addresses and as NAT for a range of RFC 1918 addresses.
# uname -a FreeBSD bignat.isp.ru 6.2-STABLE FreeBSD 6.2-STABLE #0: Fri Sep 28 11:52:21 UTC 2007 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/BIG_NAT amd64 # ifconfig lo1 lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 inet 80.0.68.12 netmask 0xfffffffc inet 80.0.68.13 netmask 0xfffffffc inet 80.0.68.14 netmask 0xfffffffc inet 80.0.68.15 netmask 0xfffffffc inet 80.0.70.130 netmask 0xffffffff # ifconfig bridge0 bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 ether 4e:33:45:7b:a9:74 id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto stp maxaddr 100 timeout 1200 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 member: msk0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP> # ifconfig em0 em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 options=48<VLAN_MTU,POLLING> ether 00:0e:0c:a4:3a:cd media: Ethernet autoselect (1000baseTX <full-duplex>) status: active # ifconfig msk0 msk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 options=18<VLAN_MTU,VLAN_HWTAGGING> inet 80.0.68.20 netmask 0xfffffff8 broadcast 80.0.68.23 ether 00:0e:0c:a4:3a:cc media: Ethernet autoselect (1000baseTX <full-duplex,flag0>) status: active # netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 80.0.68.17 UGS 0 576233 msk0 10 lo0 URS 0 10 lo0 80.0.68.12 80.0.68.12 UH 0 0 lo1 80.0.68.13 80.0.68.13 UH 0 0 lo1 80.0.68.14 80.0.68.14 UH 0 0 lo1 80.0.68.15 80.0.68.15 UH 0 0 lo1 80.0.68.16/29 link#1 UC 0 0 msk0 80.0.68.17 00:11:bb:a6:15:80 UHLW 2 0 msk0 1199 80.0.68.18 00:11:93:0c:44:1b UHLW 5 0 msk0 467 80.0.68.20 00:0e:0c:a4:3a:cc UHLW 1 164 lo0 80.0.70.130 80.0.70.130 UH 0 0 lo1 127.0.0.1 127.0.0.1 UH 0 786 lo0 127.0.0.2 127.0.0.2 UH 0 5 lo0 127.0.0.3 127.0.0.3 UH 0 0 lo0 127.0.0.4 127.0.0.4 UH 0 0 lo0 172.16/12 lo0 URS 0 0 lo0 192.168.0/16 lo0 URS 0 2 lo0 192.168.128/19 80.0.68.18 UGS 0 16282333 msk0 
192.168.160/19 80.0.68.18 UGS 0 159008 msk0 int_if="em0" ext_if="msk0" bridge_if="bridge0" # NAT nat-anchor "ftp-proxy/*" nat on $ext_if inet from <nat_main> to !(self) -> 80.0.68.12/30 bitmask nat on $ext_if inet from <nat_unlim> to !(self) -> 80.0.70.130 #... # # bridge # pass in on $int_if inet from { <isp> <nat_main> <nat_unlim> } to any pass out on $int_if inet from any to { <isp> <nat_main> <nat_unlim> } queue(q_ext q_eacks) pass out on $int_if inet from <isp> to { <isp> <nat_main> <nat_unlim> } queue(q_int q_iacks) pass out on $int_if inet from <peers> to { <isp> <nat_main> <nat_unlim> } tos 0x20 queue(q_peers) pass on $ext_if inet all #.... # pfctl -vv -sr .. @8 pass in on em0 inet from <isp:5> to any [ Evaluations: 31962419 Packets: 9822781 Bytes: 3723656443 States: 0 ] @9 pass in on em0 inet from <nat_main:1> to any [ Evaluations: 22606139 Packets: 12632981 Bytes: 4251228990 States: 0 ] @10 pass in on em0 inet from <nat_unlim:1> to any [ Evaluations: 22606139 Packets: 114847 Bytes: 27950859 States: 0 ] @11 pass out on em0 inet from any to <isp:5> queue(q_ext, q_eacks) [ Evaluations: 55912371 Packets: 6342607 Bytes: 1937428659 States: 0 ] @12 pass out on em0 inet from any to <nat_main:1> queue(q_ext, q_eacks) [ Evaluations: 8999665 Packets: 0 Bytes: 0 States: 0 ] @13 pass out on em0 inet from any to <nat_unlim:1> queue(q_ext, q_eacks) [ Evaluations: 8999665 Packets: 0 Bytes: 0 States: 0 ] @14 pass out on em0 inet from <isp:5> to <isp:5> queue(q_int, q_iacks) [ Evaluations: 8999665 Packets: 722131 Bytes: 129079550 States: 0 ] @15 pass out on em0 inet from <isp:5> to <nat_main:1> queue(q_int, q_iacks) [ Evaluations: 722131 Packets: 0 Bytes: 0 States: 0 ] @16 pass out on em0 inet from <isp:5> to <nat_unlim:1> queue(q_int, q_iacks) [ Evaluations: 722131 Packets: 0 Bytes: 0 States: 0 ] @17 pass out on em0 inet from <peers:6> to <isp:5> tos 0x20 queue q_peers [ Evaluations: 8999665 Packets: 1934927 Bytes: 1063519866 States: 0 ] @18 pass out on em0 inet from 
<peers:6> to <nat_main:1> tos 0x20 queue q_peers [ Evaluations: 3185036 Packets: 0 Bytes: 0 States: 0 ] @19 pass out on em0 inet from <peers:6> to <nat_unlim:1> tos 0x20 queue q_peers [ Evaluations: 3185036 Packets: 0 Bytes: 0 States: 0 ] .. As you can see, only bridged IP flows are queued via ALTQ, but NATed ones are not; I cannot understand where the problem is. When this machine was a router, ALTQ worked properly. -- Give your very best today. Heaven knows it's little enough.