ipfw2 deep packet filtering

Chris Bowman daiyon.fbsd at gmail.com
Thu Aug 30 14:27:13 PDT 2007


Quick answer would be, not in that scenario.  All frames from your NAT 
router to your FreeBSD machine are only going to have the SRC MAC of the 
NAT router itself, and the DST MAC of the FreeBSD machine if it's 
directly connected.  You might be able to identify the hosts to a 
degree that are behind the router by using some type of passive OS 
identification. The easiest way to get what you want would be to replace 
the wireless NAT router with an access point, which will allow you to 
bridge your wireless hosts directly to your wired network and finally 
to your FreeBSD machine; then use FreeBSD to do your NAT. 


Chris Bowman


Paul Bridger wrote:
> Hi
>
> I'm trying to solve a problem with ipfw2, so would be grateful for 
> help from anyone on the list with moving things forward.
>
> I would like to understand if it's possible to discover the real MAC 
> address of a packet that has been NAT'd by another device.  The 
> scenario for using this would be for hosts on a wireless LAN that 
> connect to a wireless router which NATs their connection and then 
> routes the packets to another LAN (across a wire) where a FreeBSD 
> server performs firewall packet filtering via ipfw2.  As all the 
> connections from the hosts on the wireless LAN have had their MAC and 
> IP addresses NAT'd to that of the wireless router, it is difficult to 
> distinguish between hosts, unless some form of deep packet inspection 
> could be performed to discover the true MAC address.  Is this 
> something that would be possible with ipfw2?
>
> Thank you.
>
> -Paul
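To make the point in Chris's reply concrete, here is an added example (not code from either poster) that parses constructed Ethernet II/IPv4/TCP frames the way an ipfw layer-2 rule sees them and groups endpoints by source MAC. The MAC and IP addresses are constructed sample values; the NAT scenario collapses three wireless hosts onto the router's single MAC, while the bridged access-point scenario keeps each host's own MAC.

```python
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800

def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    """Construct a minimal Ethernet II + IPv4 + TCP SYN frame (sample data, constructed)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Return (src_mac, src_ip, src_port), i.e. what a layer-2 + layer-3 match can see."""
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    src_ip = ".".join(str(b) for b in frame[26:30])   # IPv4 source address field
    src_port = struct.unpack("!H", frame[14 + ihl:14 + ihl + 2])[0]
    return (":".join(f"{b:02x}" for b in src), src_ip, src_port)

def hosts_by_src_mac(frames):
    """Group (src_ip, src_port) endpoints by the Ethernet source MAC that carried them."""
    seen = defaultdict(set)
    for f in frames:
        parsed = parse_frame(f)
        if parsed:
            mac, ip, port = parsed
            seen[mac].add((ip, port))
    return dict(seen)

FREEBSD_MAC = "00:0c:29:aa:bb:cc"   # constructed: FreeBSD box's NIC
ROUTER_MAC = "00:1a:2b:3c:4d:5e"    # constructed: wireless NAT router's wired-side MAC
SERVER_IP = "192.168.1.2"           # constructed

# Scenario 1: NAT router in front. Three wireless hosts, but every frame arrives
# with the router's MAC and the router's IP; only the translated source port differs.
NAT_FRAMES = [build_frame(ROUTER_MAC, FREEBSD_MAC, "192.168.1.1", SERVER_IP, p, 22)
              for p in (40001, 40002, 40003)]

# Scenario 2: access point bridging the wireless hosts onto the wire. Each frame
# keeps its originating host's MAC and IP, so ipfw can filter per host.
BRIDGED_FRAMES = [build_frame(mac, FREEBSD_MAC, ip, SERVER_IP, 50000, 22)
                  for mac, ip in (("00:16:6f:00:00:01", "192.168.1.101"),
                                  ("00:16:6f:00:00:02", "192.168.1.102"),
                                  ("00:16:6f:00:00:03", "192.168.1.103"))]
```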


