DNAT in freebsd

Sami Halabi sodynet1 at gmail.com
Mon Jul 1 10:05:26 UTC 2013


Hi,
Forgot to mention that, but this sysctl is already set to 0.
I see in the logs that packets pass rule 1000.

Sami


On Mon, Jul 1, 2013 at 12:17 PM, Eugene Grosbein <eugen at grosbein.net> wrote:

> On 01.07.2013 14:30, Sami Halabi wrote:
> > Hi,
> >
> > I've tried the following:
> >
> > em1 - ip 10.0.1.1/24
> > em2 - ip 11.0.3.1/24
> > route add 11.0.4.0/24 11.0.3.2
> >
> > ipfw flush
> > ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
> > ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
> >
> > ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> > ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
> >
> >
> > ipfw nat 1 config same_ports unreg_only ip 11.0.3.1
> > ipfw nat 1 config reverse same_ports unreg_only ip 11.0.4.2
> >
> > What I see in tcpdump and the logs is that rule 1000 converts the IP
> > correctly:
> > 10.0.1.2->10.0.1.1  ==>  11.0.3.1->10.0.1.1
> > while rule 2000 does nothing...
>
> man ipfw says:
>
>      To let the packet continue after being (de)aliased, set the sysctl
>      variable net.inet.ip.fw.one_pass to 0.
>
> By default, rule 1000 "consumes" aliased packets and they do not hit rule
> 2000 at all.
> So, you need to set sysctl net.inet.ip.fw.one_pass=0
>



-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
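
An added example, not part of this thread: a small sh script that puts the double-NAT layout from the post together with the one_pass setting Eugene points to, plus a check that reads the sysctl output. It assumes the second "config reverse" line was meant for nat instance 2 (the post configures nat 1 twice, which is my reading of the intent, not something the thread states) and that the host's default ipfw rule accepts traffic, as the post's "ipfw flush" relies on.

```shell
#!/bin/sh
# Added example: double NAT with ipfw on FreeBSD. Addresses, interfaces and rule
# numbers follow the thread; "nat 2" for the reverse instance is an assumption.
set -eu

# Return 0 when the sysctl output says one_pass is off, i.e. a packet that was
# (de)aliased by a 'nat' rule keeps walking the ruleset instead of being accepted
# on the spot. Accepts both "net.inet.ip.fw.one_pass: 0" and the bare "0" from
# 'sysctl -n'.
one_pass_disabled() {
    val=${1##*: }
    [ "$val" = "0" ]
}

# Emit the ruleset as ipfw sub-commands (one per line), so it can be reviewed
# before it is applied. Both nat instances are configured before any rule
# references them; the default rule still decides what happens afterwards.
double_nat_rules() {
cat <<'EOF'
flush
nat 1 config same_ports unreg_only ip 11.0.3.1
nat 2 config reverse same_ports unreg_only ip 11.0.4.2
add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
EOF
}

# Apply: refuse to load the rules while one_pass is still on, because rule 1000
# would then consume the aliased packet and rule 2000 would never see it.
apply_ruleset() {
    sysctl net.inet.ip.fw.one_pass=0 >/dev/null
    if ! one_pass_disabled "$(sysctl net.inet.ip.fw.one_pass)"; then
        echo "net.inet.ip.fw.one_pass is still 1; not loading rules" >&2
        return 1
    fi
    double_nat_rules | while read -r line; do
        # shellcheck disable=SC2086  (word splitting is intended here)
        ipfw -q $line
    done
    # Counters per rule show whether packets reach 2000 after 1000 aliased them.
    ipfw -a list
}

# Only touch the firewall when explicitly asked: ./double-nat.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Run it as root on the ipfw host with the `apply` argument; without it the script only defines the functions, so the ruleset can be inspected with `double_nat_rules` first.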

