please help with NATing my jails

Michael mlmichael70 at gmail.com
Tue Jul 20 16:08:38 UTC 2010


On 12/07/2010 13:47, Steve Bertrand wrote:
>
> ...do you need a second nat rule for the inbound traffic, or does nat
> handle that by itself? If you run tcpdump on the wlan interface, do you
> see the inbound traffic that relates to your request?
>

I don't know if I need that second rule, but after adding the rule
00035 nat 100 ip from not me to 127.127.127.1 via wlan0 keep-state
nothing changes, still the same problem.
While I'm trying to get "host freebsd.org" from the jailed system,
tcpdump on wlan0 says:
ARP, Request who-has 192.168.1.254 tell 192.168.1.254, length 28
ARP, Request who-has 192.168.1.111 tell 192.168.1.254, length 28
ARP, Reply 192.168.1.111 is-at 00:26:5e:e7:e8:78, length 28
ARP, Request who-has 192.168.1.94 tell 192.168.1.254, length 28
ARP, Request who-has 192.168.1.95 tell 192.168.1.254, length 28
ARP, Request who-has 192.168.1.96 tell 192.168.1.254, length 28
ARP, Request who-has 192.168.1.82 tell 192.168.1.254, length 28
IP 192.168.1.111.37766 > 208.67.222.222.53: 55415+ A? freebsd.org. (29)
IP 208.67.222.222.53 > 192.168.1.111.37766: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.222.222: ICMP 192.168.1.111 udp port 37766 unreachable, length 36
IP 192.168.1.111.45007 > 208.67.220.220.53: 55415+ A? freebsd.org. (29)
IP 208.67.220.220.53 > 192.168.1.111.45007: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.220.220: ICMP 192.168.1.111 udp port 45007 unreachable, length 36
IP 192.168.1.111.37766 > 208.67.222.222.53: 55415+ A? freebsd.org. (29)
IP 208.67.222.222.53 > 192.168.1.111.37766: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.222.222: ICMP 192.168.1.111 udp port 37766 unreachable, length 36
IP 192.168.1.111.45007 > 208.67.220.220.53: 55415+ A? freebsd.org. (29)
IP 208.67.220.220.53 > 192.168.1.111.45007: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.220.220: ICMP 192.168.1.111 udp port 45007 unreachable, length 36


So once again my rules are:
ipfw -q -f flush
ipfw add 00010 allow all from 127.0.0.1 to 127.0.0.1 via lo0
ipfw add 00020 check-state
ipfw add 00030 nat 100 ip from 127.127.127.1 to any via wlan0 keep-state
ipfw nat 100 config ip 192.168.1.111 log
ipfw add 00040 allow all from any to any

Any ideas please?

Michael
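An added diagnostic, not part of this thread or of ipfw: a Python script that scans a tcpdump capture like the one in the mail and flags DNS replies that the NAT host itself answered with ICMP port unreachable, the signature of an inbound packet that reached the host's own UDP stack instead of being translated back to the jail. The sample capture is constructed from the excerpt above; host, port and peer values are taken from it.

```python
import re

# Constructed sample, modelled on the tcpdump excerpt in the mail above
# (mail clients often wrap long tcpdump records onto a second line).
SAMPLE = """\
ARP, Request who-has 192.168.1.254 tell 192.168.1.254, length 28
IP 192.168.1.111.37766 > 208.67.222.222.53: 55415+ A? freebsd.org. (29)
IP 208.67.222.222.53 > 192.168.1.111.37766: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.222.222: ICMP 192.168.1.111 udp port 37766
unreachable, length 36
IP 192.168.1.111.45007 > 208.67.220.220.53: 55415+ A? freebsd.org. (29)
IP 208.67.220.220.53 > 192.168.1.111.45007: 55415 1/0/0 A 69.147.83.40 (45)
IP 192.168.1.111 > 208.67.220.220: ICMP 192.168.1.111 udp port 45007
unreachable, length 36
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
UDP_RE = re.compile(rf"^IP {IP}\.(\d+) > {IP}\.(\d+): ")
ICMP_RE = re.compile(rf"^IP {IP} > {IP}: ICMP {IP} udp port (\d+)\s+unreachable")


def unwrap(text):
    """Re-join tcpdump records that were wrapped onto a following line."""
    records = []
    for raw in text.splitlines():
        if raw.startswith(("IP ", "ARP")) or not records:
            records.append(raw.rstrip())
        else:
            records[-1] += " " + raw.strip()
    return records


def find_untranslated_replies(text):
    """Return (nat_host, port, peer) for each reply the peer sent to
    nat_host:port that nat_host then rejected with ICMP port unreachable.
    Such a reply was delivered to the NAT box's own stack, i.e. it was
    never translated back to the jail's address."""
    seen_replies = set()  # (dst_host, dst_port, src_host) of UDP packets
    findings = []
    for rec in unwrap(text):
        m = ICMP_RE.match(rec)
        if m:
            sender, peer, host, port = m.groups()
            key = (host, int(port), peer)
            if sender == host and key in seen_replies and key not in findings:
                findings.append(key)
            continue
        m = UDP_RE.match(rec)
        if m:
            src, _sport, dst, dport = m.groups()
            seen_replies.add((dst, int(dport), src))
    return findings


if __name__ == "__main__":
    for host, port, peer in find_untranslated_replies(SAMPLE):
        print(f"reply from {peer} to {host}:{port} hit the host stack, not the jail")
```

Each finding means the reply got as far as the NAT host but was handed to the host's own stack, so the inbound direction needs a nat rule that matches packets addressed to 192.168.1.111 arriving on wlan0; a rule keyed on 127.127.127.1, like 00035 above, can never match an inbound packet because that address only appears after translation.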