question on NAT for multiple subnets

Greg Barniskis gregb at
Tue Feb 21 07:26:25 PST 2006

Ted Mittelstaedt wrote:
>> -----Original Message-----
>> From: Greg Barniskis [mailto:gregb at]
>> Sent: Friday, February 17, 2006 10:14 AM
>> To: Ted Mittelstaedt
>> Cc: freebsd-questions
>> Subject: Re: question on NAT for multiple subnets
>> Ted Mittelstaedt wrote:
>>> I've never done it but I think you can run multiple nat instances
>>> and multiple divert sockets, you will have to specify them in the
>>> config file to natd, though.  
>> Excellent. That's what I was hoping for. So instead of one "divert 
>> natd" rule in ipfw, I simply need "divert N", "divert N+1", "divert 
>> N+2", etc. where N is a port number where I bound my first natd, N+1 
>> the next natd instance, etc. I think I can manage that.
> I looked at the man page for natd and they specify the divert port
> with -port, and alias address with -alias_address
> You're going to have a bit of trial and error to work this config
> out but it shouldn't be that bad.  I would love to see it posted
> here once you get it working.

I will share anything I get working, when I do (ipfw, pf or 
otherwise). Might be a while though. My immediate need was only to 
answer the question of whether any significant lab time on it was 
even worthwhile. A yes answer means the topic's tabled for a couple 
of weeks at least.

> PS:  A firewall with a shell that you can actually initiate a telnet
> session from knocks a PIX into a cocked hat.  And I just love 
> dealing with a PIX on a network that has multiple gateways on it.
> Nothing like the lack of icmp redirects to get you swearing.

Wouldn't be asking if the subject hadn't been discussed by staff in 
terms of "Can't we do this outside the [grumble|mumble|curse] PIX?". 
Not to knock it too hard; it does what it does pretty well, pretty 
fast, it's just that the things it doesn't do well are too many.

Greg Barniskis, Computer Systems Integrator
South Central Library System (SCLS)
Library Interchange Network (LINK)
<gregb at>, (608) 266-6348
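An added example, not from Greg's or Ted's mail, of what the layout discussed above looks like in practice: one natd instance per internal subnet, each bound to its own divert port and alias address, with a matching pair of ipfw divert rules. The interface name, subnets, public addresses and port numbers are constructed; the script only prints the commands so they can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example (not the original poster's config): emit one natd
# instance and one pair of ipfw divert rules per internal subnet.
# Assumptions (constructed): external interface EXT_IF and a table of
# subnet / public alias address / divert port. Nothing is executed;
# the commands are only printed.

EXT_IF=fxp0   # assumed external interface name

# Constructed table: "subnet alias_address divert_port"
NAT_TABLE='
192.168.10.0/24 203.0.113.10 8668
192.168.20.0/24 203.0.113.20 8669
192.168.30.0/24 203.0.113.30 8670
'

# natd command line for one subnet: -port selects the divert socket,
# -alias_address the public address that instance translates to.
natd_cmd() {
    # $1 alias address, $2 divert port
    printf 'natd -alias_address %s -port %s -interface %s -dynamic\n' \
        "$1" "$2" "$EXT_IF"
}

# Two ipfw rules per subnet: outbound packets from that subnet, and
# inbound packets addressed to that subnet's alias. Scoping each rule to
# its own subnet/alias keeps a packet from reaching the wrong instance.
ipfw_rules() {
    # $1 rule number base, $2 subnet, $3 alias address, $4 divert port
    printf 'ipfw add %d divert %s ip from %s to any out via %s\n' \
        "$1" "$4" "$2" "$EXT_IF"
    printf 'ipfw add %d divert %s ip from any to %s in via %s\n' \
        "$(( $1 + 1 ))" "$4" "$3" "$EXT_IF"
}

# Walk the table and produce the complete set of commands.
render_config() {
    rule=1000
    echo "$NAT_TABLE" | while read -r subnet alias port; do
        [ -n "$subnet" ] || continue
        natd_cmd "$alias" "$port"
        ipfw_rules "$rule" "$subnet" "$alias" "$port"
        rule=$(( rule + 10 ))
    done
}

render_config
```

Start the natd instances before adding the divert rules: a packet diverted to a port with no listener is dropped, so rules added first cut the subnet off until its natd is up.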
