Host 1 (client):
ifconfig
Code:
[/dev/pts/1]termit@taz-x10:~> ifconfig bfe0
bfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=80008<VLAN_MTU,LINKSTATE>
ether 00:00:f0:82:b9:82
inet 10.10.10.100 netmask 0xffffff00 broadcast 10.10.10.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
Default route:
Code:
[/dev/pts/1]termit@taz-x10:~> netstat -rf inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 10.10.10.10 UGS 0 82 bfe0
10.10.10.0 link#7 U 0 31 bfe0
10.10.10.100 link#7 UHS 0 0 lo0
localhost link#9 UH 0 18 lo0

Host2 (ipfw)
ifconfig
Code:
[termit@freegtw ~]$ ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
ether 00:1b:21:c1:e2:8d
inet 62.244.1.1 netmask 0xffffff00 broadcast 62.244.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether 00:15:f2:a8:cd:3f
inet 10.10.10.10 netmask 0xffffff00 broadcast 10.10.10.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet 127.0.0.1 netmask 0xff000000
rc.conf:
Code:
[termit@freegtw ~]$ grep irew /etc/rc.conf
firewall_enable="YES" # Set to YES to enable firewall functionality
firewall_script="/etc/ipfw.conf" # Which script to run to set up the firewall
firewall_logging="YES"
firewall_nat_enable="YES" # Enable kernel NAT (if firewall_enable == YES)
firewall_nat_interface="em0"
ipfw.conf
Code:
[termit@freegtw ~]$ cat /etc/ipfw.conf
ipfw -q flush
ipfw add pass all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any
ipfw nat 1 config if em0 log reset unreg_only
ipfw add nat 1 ip from 10.10.10.0/24 to any via em0
ipfw add nat 1 ip from any to 62.244.1.1 via em0
sysctl:
Code:
[termit@freegtw ~]$ sysctl -a |grep one.pass
net.inet.ip.fw.one_pass: 1
Kernel:
Code:
[termit@freegtw ~]$ uname -a
FreeBSD freegtw 9.1-RELEASE FreeBSD 9.1-RELEASE #1: Fri Jul 26 18:02:31 EEST 2013 root@freegtw:/usr/obj/usr/src/sys/freegtw amd64
[termit@freegtw ~]$ tail -12 /sys/amd64/conf/freegtw
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #enable logging to syslogd(8)
options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
options IPFIREWALL_FORWARD #packet destination changes
options IPFIREWALL_NAT #ipfw kernel nat support
options IPSTEALTH
options TCPDEBUG
options LIBALIAS
options SC_DISABLE_REBOOT
options INCLUDE_CONFIG_FILE

So, NAT is not working. I launched ping from host1. But tcpdump on host2 shows ICMP packets only on the internal interface. The counters on the ipfw NAT rules also don't increase.
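Three checks a practitioner would run on a gateway like the one above, as an added example that is not part of the post. The ipfw rules in the post only ever match packets leaving or entering via em0, so a packet from re0 has to be forwarded across the box before those rules see it; on FreeBSD that happens only when net.inet.ip.forwarding is 1, which gateway_enable="YES" in rc.conf sets at boot, and the post's grep for firewall lines does not show whether that line exists. The script below wraps that check, the rc.conf check and a parse of `ipfw -a show` counters (column layout rule number, packets, bytes, rule body) in functions that take the command output as text, so they can be run offline; the rc.conf lines and counter values fed to them here are constructed to mirror the post, not captured from it. Run with `--live` on the gateway to use real output.

```sh
#!/bin/sh
# Added example (not code from the forum post): three checks for an ipfw
# kernel-NAT gateway whose nat rule counters stay at zero. Each check takes
# command output as a string; pass --live to collect it on the gateway itself.

# Check 1: FreeBSD forwards between interfaces only when
# net.inet.ip.forwarding is 1 (set at boot by gateway_enable="YES").
forwarding_enabled() {
    # $1: output of `sysctl -n net.inet.ip.forwarding`
    [ "$1" = "1" ]
}

# Check 2: rc.conf carries gateway_enable="YES" (value match is case-insensitive).
rcconf_gateway_enabled() {
    # $1: contents of /etc/rc.conf
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*gateway_enable="?[Yy][Ee][Ss]"?'
}

# Check 3: sum the packet counters of every `nat <instance>` rule in
# `ipfw -a show` output (columns: rule number, packets, bytes, rule body).
nat_rule_packets() {
    # $1: output of `ipfw -a show`; $2: nat instance number
    printf '%s\n' "$1" | awk -v inst="$2" '
        $4 == "nat" && $5 == inst { sum += $2 }
        END { print sum + 0 }'
}

# Print a summary of the three checks; returns 0 only if all of them pass.
diagnose() {
    # $1: forwarding sysctl value, $2: rc.conf text, $3: ipfw -a show text, $4: nat instance
    rc=0
    if forwarding_enabled "$1"; then
        echo "ok:   net.inet.ip.forwarding=1"
    else
        echo "FAIL: net.inet.ip.forwarding=$1 (packets will not cross from the inside interface to the NAT interface)"
        rc=1
    fi
    if rcconf_gateway_enabled "$2"; then
        echo "ok:   gateway_enable=YES in rc.conf"
    else
        echo "FAIL: gateway_enable is not set to YES in rc.conf"
        rc=1
    fi
    pkts=$(nat_rule_packets "$3" "$4")
    if [ "$pkts" -gt 0 ]; then
        echo "ok:   nat $4 rules have matched $pkts packets"
    else
        echo "FAIL: nat $4 rules have matched 0 packets"
        rc=1
    fi
    return $rc
}

# Live mode: collect the real values on the gateway (nat instance as 2nd arg).
if [ "${1:-}" = "--live" ]; then
    diagnose "$(sysctl -n net.inet.ip.forwarding)" "$(cat /etc/rc.conf)" \
             "$(ipfw -a show)" "${2:-1}"
    exit $?
fi

# Constructed sample mirroring the post: firewall_* lines only, nat counters at zero.
SAMPLE_RC_POSTED='firewall_enable="YES"
firewall_script="/etc/ipfw.conf"
firewall_nat_enable="YES"
firewall_nat_interface="em0"'

SAMPLE_SHOW_IDLE='00100 40 3360 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 nat 1 ip from 10.10.10.0/24 to any via em0
00500 0 0 nat 1 ip from any to 62.244.1.1 via em0
65535 123 9876 allow ip from any to any'

# Constructed sample of a gateway that forwards and whose nat rules match traffic.
SAMPLE_RC_FIXED="$SAMPLE_RC_POSTED
gateway_enable=\"YES\""

SAMPLE_SHOW_OK='00100 40 3360 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 32 2688 nat 1 ip from 10.10.10.0/24 to any via em0
00500 25 2100 nat 1 ip from any to 62.244.1.1 via em0
65535 123 9876 allow ip from any to any'

echo "--- as posted ---"; diagnose 0 "$SAMPLE_RC_POSTED" "$SAMPLE_SHOW_IDLE" 1 || true
echo "--- forwarding on ---"; diagnose 1 "$SAMPLE_RC_FIXED" "$SAMPLE_SHOW_OK" 1
```

The third check is the one to watch after changing anything: a `nat 1` counter that stays at 0 while `tcpdump -ni re0` shows the pings means the packets never reached the em0 rules, which separates a routing or forwarding problem from a NAT configuration problem. The firewall_nat_* lines in rc.conf do not turn forwarding on; they only load the NAT configuration.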