selective NAT/gateway

Ivan Levchenko levchenko.i at
Wed Oct 18 14:54:43 UTC 2006

I did the exact same thing using pf on FreeBSD:

I added all the allowed IP addresses to a table <allowed>,
then in the nat rule:
nat on $ext_if from <allowed> to any -> $ext_if

(you can put the last $ext_if in parentheses if you use DHCP for your
external address)

On 10/18/06, Nathan Vidican <nathan at> wrote:
> Got a bit of an interesting question, wondering how others out there might
> have dealt with this:
> we have a single machine acting as router/firewall/nat gateway via DSL. It
> routes a small (/29) subnet of static IPs to our servers, and routes
> between internal (non-public) subnets. Internet traffic is then routed via
> NAT translation over the PPPoE link. We then use a proxy server to cache
> most of our web traffic. Works well, and has been for several years now but,
> we need to be able to deny traffic through the NAT gateway based on IP
> addresses or ranges. Given the following example:
> Internet -> DSL+Subnet -> FreeBSD router + NAT/PPPoE ->
> + + +
> (each of these private subnets is a physically different network, connected
> via an independent ethernet interface - multiport intel 'fxp' cards)
> Internal machines -> -
> Select Internal machines -> -
> Want to allow through full use of the gateway
> (enabling internet access via NAT), but deny machines in the -
> range from using NAT - yet still allow them to use 'regular'
> routes, (given the example below, want to allow 192.168.0.X to connect
> to/from 192.168.3.X for instance).
> So, the long question shortened, is: how do I deny NAT traffic for specific IP
> addresses without blocking those addresses from routing through 'normal'
> routes to other subnets? Essentially, I need an IPFW rule to block traffic
> from 192.168.0.X through via NAT, or don't I?
> Any ideas/comments/suggestions greatly appreciated, (note the above is an
> example, not actual addresses).
> --
> Nathan Vidican
> nathan at

Best Regards,

Ivan Levchenko
levchenko.i at
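A fuller pf.conf sketch of the approach in the reply above, written here as an added example rather than taken from either poster. Interface names, the subnets used (taken from the 192.168.0.X / 192.168.3.X example in the question) and the hosts listed in <allowed> are assumptions for illustration.

```pf
# Added example (not from the original thread). Interface names and addresses
# are assumed for illustration.
ext_if = "tun0"                   # PPPoE link; ($ext_if) tracks a changing address
int_ifs = "{ fxp1 fxp2 fxp3 }"    # one physical interface per private subnet
internal = "{ 192.168.0.0/24, 192.168.1.0/24, 192.168.3.0/24 }"

# Hosts that may reach the Internet through NAT. 'persist' keeps the table
# loaded even when empty, so it can be edited at runtime with pfctl -t.
table <allowed> persist { 192.168.3.0/24, 192.168.0.10, 192.168.0.11 }

# Translate only sources listed in <allowed>. Any other internal source that
# tries to leave $ext_if keeps its private address and is blocked below, so
# it cannot leak out untranslated.
nat on $ext_if from <allowed> to any -> ($ext_if)

block all

# Routing between private subnets is untouched by the nat rule: traffic that
# enters and leaves on internal interfaces never matches 'nat on $ext_if'.
pass in  on $int_ifs from $internal to $internal keep state
pass out on $int_ifs from $internal to $internal keep state

# Only allowed hosts get to forward toward the Internet at all.
pass in on $int_ifs from <allowed> to any keep state

# Caveat: pf translates outbound packets before filtering them, so on $ext_if
# the filter sees the post-NAT source (the external address), not the table
# entry. Untranslated private sources are therefore the ones to block here.
block out quick on $ext_if from $internal to any
pass  out on $ext_if from ($ext_if) to any keep state
```

Hosts can be added or removed without reloading the ruleset, e.g. `pfctl -t allowed -T add 192.168.0.12` and `pfctl -t allowed -T show` to verify; `pfctl -nf /etc/pf.conf` syntax-checks the file before it is loaded.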
