pf or ipfw for NAT

Frank Leonhardt freebsd-doc at
Sun Apr 11 18:21:26 UTC 2021

On 03/04/2021 09:20, Steve O'Hara-Smith wrote:

>> Thanks Steve. Any idea whether I need to enable the gateway when using
>> pf instead?
>>
>> e.g. sysctl net.inet.ip.forwarding=1
>
>     I'm pretty sure you do - TBH I've never tried not setting it on
> anything that routes.

I think so too. I set it and it works perfectly. I'm really wondering why I've bothered with natd - just using pf works a treat.

For the sake of anyone reading this thread in the future, this script starts the whole thing off (xxx is the external address):

sysctl net.inet.ip.forwarding=1
ifconfig bge0 inet  netmask 0xffffffff alias
ifconfig re0  inet  netmask 0xffffffff alias
service dhcpd onestart
service pf onestart


This is what I'd put in rc.conf to make it permanent (but not a cut/paste job so may be errors):

ifconfig_bge0="inet  netmask 0xffffffff alias"
ifconfig_re0="inet  netmask"




/usr/local/etc/dhcpd.conf (important part):

subnet  netmask  {
    option routers ;
}

/etc/pf.conf:

scrub in all
# NAT bit
nat pass on re0 from  to any ->
# Pass port 25 to mail server on LAN
rdr pass on re0 proto tcp from any to  port 25 ->
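As an added example (not the poster's configuration, and not anything from the FreeBSD project itself), the script below renders a complete pf.conf for the same kind of gateway from a few parameters and, where `pfctl` is present, parses it with `pfctl -nf` without loading it. The interface names follow the thread (re0 outside, bge0 inside); the LAN and mail-server addresses are constructed 192.168.1.x values standing in for the real ones. It differs from the ruleset above in one deliberate way: `nat` and `rdr` are used without `pass`, so the translated packets still go through the filter rules, and the external interface gets a default deny plus an explicit pass for the redirected SMTP port. With `nat pass` / `rdr pass` the matching traffic skips filtering entirely, which is convenient but means the rdr'd port 25 traffic can never be logged or rate-limited by pf.

```shell
#!/bin/sh
# Added example: render a pf.conf for a small FreeBSD NAT gateway.
# Interface names follow the mailing-list thread; addresses are constructed.

# gen_pf_nat_conf EXT_IF INT_IF LAN_NET MAIL_HOST
# Prints a complete ruleset on stdout.  Backslashed \$names become pf macro
# references in the output; unescaped $names are filled from the arguments.
gen_pf_nat_conf() {
    ext_if=$1; int_if=$2; lan_net=$3; mail_host=$4
    cat <<EOF
# --- macros ---
ext_if = "$ext_if"
int_if = "$int_if"
lan_net = "$lan_net"
mail_host = "$mail_host"

# --- normalisation ---
scrub in all

# --- translation (pf applies these before the filter rules) ---
# No "pass" keyword here: translated packets are still filtered below.
nat on \$ext_if from \$lan_net to any -> (\$ext_if)
rdr on \$ext_if proto tcp from any to (\$ext_if) port 25 -> \$mail_host port 25

# --- filtering ---
block in log all
antispoof quick for { lo0 \$int_if }
pass quick on lo0
pass in on \$int_if from \$lan_net to any keep state
pass out on \$ext_if from any to any keep state
# after rdr the destination is already the LAN mail host
pass in on \$ext_if proto tcp from any to \$mail_host port 25 flags S/SA keep state
EOF
}

# write_and_check OUT_FILE EXT_IF INT_IF LAN_NET MAIL_HOST
# Writes the ruleset to OUT_FILE and, when pfctl is available, parses it with
# "pfctl -nf" (syntax check only; nothing is loaded).  Off a FreeBSD box the
# parse step is skipped and the function just reports success on the write.
write_and_check() {
    out=$1; shift
    gen_pf_nat_conf "$@" > "$out" || return 1
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out"
    fi
}

# has_default_deny FILE
# Succeeds when the ruleset contains the block-all rule.  Without it, anything
# that NAT does not touch is passed by pf's implicit default.
has_default_deny() {
    grep -q '^block in log all' "$1"
}

# Usage with constructed values: external re0, internal bge0,
# LAN 192.168.1.0/24, mail server 192.168.1.25.
conf_file="${TMPDIR:-/tmp}/pf.conf.example"
write_and_check "$conf_file" re0 bge0 192.168.1.0/24 192.168.1.25
has_default_deny "$conf_file" && echo "ok: $conf_file has a default deny"
```

The forwarding sysctl from the thread is still a separate step; `gateway_enable="YES"` in rc.conf is what sets `net.inet.ip.forwarding=1` at boot. Run `pfctl -nf /etc/pf.conf` after every edit before `service pf reload`, since a ruleset that fails to parse leaves the old one in place and it is easy not to notice.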

