Bridge NAT ALTQ
Igor Popov
igorpopov at newmail.ru
Tue Oct 2 10:30:34 PDT 2007
Hi, all.
I have a machine that works as a bridge for externally routed IP addresses and
as NAT for a range of RFC 1918 addresses.
# uname -a
FreeBSD bignat.isp.ru 6.2-STABLE FreeBSD 6.2-STABLE #0: Fri Sep 28 11:52:21 UTC 2007 root at bignat.isp.ru:/usr/obj/usr/src/sys/BIG_NAT amd64
# ifconfig lo1
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 80.0.68.12 netmask 0xfffffffc
inet 80.0.68.13 netmask 0xfffffffc
inet 80.0.68.14 netmask 0xfffffffc
inet 80.0.68.15 netmask 0xfffffffc
inet 80.0.70.130 netmask 0xffffffff
# ifconfig bridge0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 4e:33:45:7b:a9:74
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto stp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: msk0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
# ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=48<VLAN_MTU,POLLING>
ether 00:0e:0c:a4:3a:cd
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
# ifconfig msk0
msk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=18<VLAN_MTU,VLAN_HWTAGGING>
inet 80.0.68.20 netmask 0xfffffff8 broadcast 80.0.68.23
ether 00:0e:0c:a4:3a:cc
media: Ethernet autoselect (1000baseTX <full-duplex,flag0>)
status: active
# netstat -rn
Routing tables
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            80.0.68.17         UGS         0   576233   msk0
10                 lo0                URS         0       10    lo0
80.0.68.12         80.0.68.12         UH          0        0    lo1
80.0.68.13         80.0.68.13         UH          0        0    lo1
80.0.68.14         80.0.68.14         UH          0        0    lo1
80.0.68.15         80.0.68.15         UH          0        0    lo1
80.0.68.16/29      link#1             UC          0        0   msk0
80.0.68.17         00:11:bb:a6:15:80  UHLW        2        0   msk0   1199
80.0.68.18         00:11:93:0c:44:1b  UHLW        5        0   msk0    467
80.0.68.20         00:0e:0c:a4:3a:cc  UHLW        1      164    lo0
80.0.70.130        80.0.70.130        UH          0        0    lo1
127.0.0.1          127.0.0.1          UH          0      786    lo0
127.0.0.2          127.0.0.2          UH          0        5    lo0
127.0.0.3          127.0.0.3          UH          0        0    lo0
127.0.0.4          127.0.0.4          UH          0        0    lo0
172.16/12          lo0                URS         0        0    lo0
192.168.0/16       lo0                URS         0        2    lo0
192.168.128/19     80.0.68.18         UGS         0 16282333   msk0
192.168.160/19     80.0.68.18         UGS         0   159008   msk0
int_if="em0"
ext_if="msk0"
bridge_if="bridge0"
# NAT
nat-anchor "ftp-proxy/*"
nat on $ext_if inet from <nat_main> to !(self) -> 80.0.68.12/30 bitmask
nat on $ext_if inet from <nat_unlim> to !(self) -> 80.0.70.130
#...
#
# bridge
#
pass in on $int_if inet from { <isp> <nat_main> <nat_unlim> } to any
pass out on $int_if inet from any to { <isp> <nat_main> <nat_unlim> } queue(q_ext q_eacks)
pass out on $int_if inet from <isp> to { <isp> <nat_main> <nat_unlim> } queue(q_int q_iacks)
pass out on $int_if inet from <peers> to { <isp> <nat_main> <nat_unlim> } tos 0x20 queue(q_peers)
pass on $ext_if inet all
#....
# pfctl -vv -sr
...
@8 pass in on em0 inet from <isp:5> to any
  [ Evaluations: 31962419  Packets: 9822781  Bytes: 3723656443  States: 0 ]
@9 pass in on em0 inet from <nat_main:1> to any
  [ Evaluations: 22606139  Packets: 12632981  Bytes: 4251228990  States: 0 ]
@10 pass in on em0 inet from <nat_unlim:1> to any
  [ Evaluations: 22606139  Packets: 114847  Bytes: 27950859  States: 0 ]
@11 pass out on em0 inet from any to <isp:5> queue(q_ext, q_eacks)
  [ Evaluations: 55912371  Packets: 6342607  Bytes: 1937428659  States: 0 ]
@12 pass out on em0 inet from any to <nat_main:1> queue(q_ext, q_eacks)
  [ Evaluations: 8999665  Packets: 0  Bytes: 0  States: 0 ]
@13 pass out on em0 inet from any to <nat_unlim:1> queue(q_ext, q_eacks)
  [ Evaluations: 8999665  Packets: 0  Bytes: 0  States: 0 ]
@14 pass out on em0 inet from <isp:5> to <isp:5> queue(q_int, q_iacks)
  [ Evaluations: 8999665  Packets: 722131  Bytes: 129079550  States: 0 ]
@15 pass out on em0 inet from <isp:5> to <nat_main:1> queue(q_int, q_iacks)
  [ Evaluations: 722131  Packets: 0  Bytes: 0  States: 0 ]
@16 pass out on em0 inet from <isp:5> to <nat_unlim:1> queue(q_int, q_iacks)
  [ Evaluations: 722131  Packets: 0  Bytes: 0  States: 0 ]
@17 pass out on em0 inet from <peers:6> to <isp:5> tos 0x20 queue q_peers
  [ Evaluations: 8999665  Packets: 1934927  Bytes: 1063519866  States: 0 ]
@18 pass out on em0 inet from <peers:6> to <nat_main:1> tos 0x20 queue q_peers
  [ Evaluations: 3185036  Packets: 0  Bytes: 0  States: 0 ]
@19 pass out on em0 inet from <peers:6> to <nat_unlim:1> tos 0x20 queue q_peers
  [ Evaluations: 3185036  Packets: 0  Bytes: 0  States: 0 ]
...
As you can see, only bridged IP flows are queued via ALTQ, but NATed ones are not. I
cannot understand where the problem is. When it was a router, ALTQ worked properly.
--
Give your very best today. Heaven knows it's little enough.
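The counters quoted above are the evidence in this post: every `pass out on em0 ... queue` rule whose destination is a NAT table shows zero packets, while the ones aimed at `<isp>` are busy. The script below is an added example, not code from Igor's post or from pf itself. It parses the rule/statistics pairs that `pfctl -vv -sr` prints, lists the queue-assigning rules that have matched nothing, and sums matched packets per ALTQ queue name, which makes the same check quick on a larger ruleset. The embedded sample is the excerpt from the post (rules @8 to @19) with the stats lines unwrapped, included as constructed input so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): read `pfctl -vv -sr` output and
# (1) list rules that assign an ALTQ queue but have matched zero packets,
# (2) sum matched packets per queue name.
# On the firewall itself, replace sample_pfctl_output with `pfctl -vv -sr`.

# Constructed sample: the rules and counters quoted in the post, one stats
# line per rule as pfctl prints them.
sample_pfctl_output() {
cat <<'EOF'
@8 pass in on em0 inet from <isp:5> to any
  [ Evaluations: 31962419  Packets: 9822781  Bytes: 3723656443  States: 0 ]
@9 pass in on em0 inet from <nat_main:1> to any
  [ Evaluations: 22606139  Packets: 12632981  Bytes: 4251228990  States: 0 ]
@10 pass in on em0 inet from <nat_unlim:1> to any
  [ Evaluations: 22606139  Packets: 114847  Bytes: 27950859  States: 0 ]
@11 pass out on em0 inet from any to <isp:5> queue(q_ext, q_eacks)
  [ Evaluations: 55912371  Packets: 6342607  Bytes: 1937428659  States: 0 ]
@12 pass out on em0 inet from any to <nat_main:1> queue(q_ext, q_eacks)
  [ Evaluations: 8999665  Packets: 0  Bytes: 0  States: 0 ]
@13 pass out on em0 inet from any to <nat_unlim:1> queue(q_ext, q_eacks)
  [ Evaluations: 8999665  Packets: 0  Bytes: 0  States: 0 ]
@14 pass out on em0 inet from <isp:5> to <isp:5> queue(q_int, q_iacks)
  [ Evaluations: 8999665  Packets: 722131  Bytes: 129079550  States: 0 ]
@15 pass out on em0 inet from <isp:5> to <nat_main:1> queue(q_int, q_iacks)
  [ Evaluations: 722131  Packets: 0  Bytes: 0  States: 0 ]
@16 pass out on em0 inet from <isp:5> to <nat_unlim:1> queue(q_int, q_iacks)
  [ Evaluations: 722131  Packets: 0  Bytes: 0  States: 0 ]
@17 pass out on em0 inet from <peers:6> to <isp:5> tos 0x20 queue q_peers
  [ Evaluations: 8999665  Packets: 1934927  Bytes: 1063519866  States: 0 ]
@18 pass out on em0 inet from <peers:6> to <nat_main:1> tos 0x20 queue q_peers
  [ Evaluations: 3185036  Packets: 0  Bytes: 0  States: 0 ]
@19 pass out on em0 inet from <peers:6> to <nat_unlim:1> tos 0x20 queue q_peers
  [ Evaluations: 3185036  Packets: 0  Bytes: 0  States: 0 ]
EOF
}

# Shared parser: emits one line per rule as "<packets>\t<queue names>\t<rule>".
# The queue-names field is empty for rules without a queue assignment; both
# forms pfctl prints, "queue q_x" and "queue(q_x, q_y)", are handled.
parse_rules() {
  awk '
    /^@[0-9]+ / { rule = $0; next }
    /^[ \t]*\[ Evaluations:/ && rule != "" {
      pkts = 0
      for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1) + 0
      queues = ""
      if (match(rule, / queue[ (][^)]*\)?/)) {
        queues = substr(rule, RSTART + 6, RLENGTH - 6)
        gsub(/[(),]/, " ", queues)
        gsub(/^ +| +$/, "", queues)
      }
      printf "%d\t%s\t%s\n", pkts, queues, rule
      rule = ""
    }
  '
}

# Rules that assign a queue but have matched zero packets since load/reset.
idle_queue_rules() {
  parse_rules | awk -F '\t' '$2 != "" && $1 == 0 { print $3 }'
}

# Matched packets summed per queue name, printed as "queue packets", sorted.
packets_per_queue() {
  parse_rules | awk -F '\t' '
    $2 != "" { n = split($2, q, " "); for (i = 1; i <= n; i++) sum[q[i]] += $1 }
    END { for (name in sum) print name, sum[name] }
  ' | sort
}

# Stand-alone run against the constructed sample.
sample_pfctl_output | idle_queue_rules
sample_pfctl_output | packets_per_queue
```

Counters are cumulative since the last ruleset load or `pfctl -z`, so a zero here means the rule has never matched, not merely that it is quiet right now; a rule with evaluations but no packets is the one to look at first.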