Kernel NAT ?

N

name2014

Hello! IPFW NAT(Kernel NAT)works partially. If to make ping freebsd.com by the users workstation that of the answer won't be, but in tcpdump - re1 I see that NAT works, but packages don't come back...
If I do the rule nat 123 ip from any to any that the users workstation receives the answer, and can establish connection with remote services.
Code: 
uname -a
FreeBSD BGW 9.0-RELEASE FreeBSD 9.0-RELEASE #1: Thu Aug  9 17:42:24 MSK 2012
re0 - inside Interface
re1 - Outside interface
Code: 
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ip from any to any via re0 in
00700 allow ip from any to any via re0 out
00800 nat 123 ip from 192.168.1.0 to any via re1 ----->>>> 
[color="Red"]00800 nat 123 ip from any to any via re1[/color]
65535 allow ip from any to any
Code: 
cat /etc/rc.conf
hostname="BGW"
ifconfig_re0=" inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_re1=" inet x.x.x.227 netmask 255.255.255.248"
defaultrouter="x.x.x.225"
sshd_enable="YES"
dumpdev="NO"
gateway_enable="YES"
firewall_enable="YES"
firewall_type="simple"
firewall_nat_enable="YES"
firewall_nat_interface="re1"
dummynet_enable="YES"
why it is impossible?
 
You need to be more specific. In fact, the more specific your rules, the better, as you know exactly what the rule does, and what traffic will match it.

For many:1 NAT:
Code: 
ipfw nat 123 config same_ports ip $pubIP

ipfw add allow ip from $mysubnet to any in recv re0
ipfw add nat 123 ip from $mysubnet to any out xmit re1
ipfw add allow ip from $pubIP to any out xmit re1

ipfw add nat 123 ip from any to $pubIP in recv re1
ipfw add allow ip from any to $mysubnet in recv re1
ipfw add allow ip from any to $mysubnet out xmit re0
 
Спасибо огромное! Недостающей части fw Вы подсказали! Все получилось!

Thank you very much! Missing part of the fw you suggested! Everything turned out!
 
phoenix said:
You need to be more specific. In fact, the more specific your rules, the better, as you know exactly what the rule does, and what traffic will match it.

For many:1 NAT:
Code: 
ipfw nat 123 config same_ports ip $pubIP

ipfw add allow ip from $mysubnet to any in recv re0
ipfw add nat 123 ip from $mysubnet to any out xmit re1
ipfw add allow ip from $pubIP to any out xmit re1

ipfw add nat 123 ip from any to $pubIP in recv re1
ipfw add allow ip from any to $mysubnet in recv re1
ipfw add allow ip from any to $mysubnet out xmit re0
Click to expand...

Thanks a lot! You prompted to a missing part of FW! Everything turned out!
 
You must log in or register to reply here.
Back
Top