selective NAT/gateway

Nathan Vidican nathan at
Wed Oct 18 14:24:47 UTC 2006

Got a bit of an interesting question, wondering how others out there might 
have dealt with this:

we have a single machine acting as router/firewall/nat gateway via DSL. It 
routes a small (/29) subnet of static IP's to our servers, and routes 
between internal (non-public) subnets. Internet traffic is then routed via 
NAT translation over the PPPoE link. We then use a proxy server to cache 
most of our web traffic. Works well, and has been for several years now but, 
we need to be able to deny traffic through the NAT gateway based on IP 
addresses or ranges. Given the following example:

Internet -> DSL+Subnet -> FreeBSD router + NAT/PPPoE -> + + +
(each of these private subnets is a physically different network, connected 
via an independant ethernet interface - multiport intel 'fxp' cards)

Internal machines -> -
Select Internal machines -> -

Want to allow through full use of the gateway 
(enabling internet access via NAT), but deny machines in the - range from using NAT - yet still allow them to use 'regular' 
routes, (given the example below, want to allow 192.168.0.X to connect 
to/from 192.168.3.X for instance).

So the long-question shortened, is how do I deny NAT traffic for specific IP 
addresses, without blocking those addresses from routing through 'normal' 
routes to other subnets. Essentially, I need an IPFW rule to block traffic 
from 192.168.0.X through via NAT, or don't I ?

Any ideas/comments/suggestions greatly appreciated, (note the above is an 
example, not actual addresses).

Nathan Vidican
nathan at

More information about the freebsd-questions mailing list