Three NICs and NAT (routing?) issue


Hi list-

I'm running FreeBSD 7.0-STABLE with three network interfaces compiled with IP Filter support (v4.1.28 (404)).

The first interface is tl0 ( /, the second one is fxp0 ( / and the third one is fxp1 ( /

I would like to NAT 10.0.10 network through fxp0 interface and for some reason it doesn't work -- users are not able to pass through fxp0. Actually I don't see NAT working on fxp0 interface at all. If I do NAT through tl0 it works OK, but not with fxp0. I'm able however to ping all three interfaces from 10.0.10 network.

Here is more detailed information about my setup:

%dmesg | grep tl0
tl0: <Compaq Netelligent 10/100 Proliant> port 0x2c40-0x2c4f mem 0xc6cfccf0-0xc6cfccff irq 10 at device 7.0 on pci0
miibus0: <MII bus> on tl0
tl0: Ethernet address: 00:50:8b:50:f2:0e

%dmesg | grep fxp
fxp0: <Intel 82558 Pro/100 Ethernet> port 0x3000-0x301f mem 0xb7fff000-0xb7ffffff,0xc6e00000-0xc6efffff irq 15 at device 7.0 on pci1
fxp0: Ethernet address: 00:50:8b:6d:17:3d

fxp1: <Intel 82558 Pro/100 Ethernet> port 0x2c00-0x2c1f mem 0xb5fff000-0xb5ffffff,0xc6d00000-0xc6dfffff irq 11 at device 13.0 on pci0
fxp1: Ethernet address: 00:50:8b:01:24:bc

%cat /etc/rc.conf
ifconfig_tl0="inet netmask"
ifconfig_fxp0="inet netmask"
ifconfig_fxp1="inet netmask"

%cat /etc/ipnat.conf
map fxp0 -> 0/32 portmap tcp/udp 30000:60000
map fxp0 -> 0/32

%netstat -rn
Routing tables
Destination Gateway Flags Refs Use Netif Expire
default UGS 0 649736 tl0
link#3 UC 0 0 fxp1
link#1 UC 0 0 tl0
00:09:7c:61:93:30 UHLW 2 18057 tl0 1170
00:50:8b:50:f2:0e UHLW 1 564 lo0
ff:ff:ff:ff:ff:ff UHLWb 1 2 fxp0 =>
link#2 UC 0 0 fxp0
UH 0 31556 lo0

IP Filter is configured to allow all outgoing traffic for all three interfaces.

Does it look like a routing issue?

Any tips would be greatly appreciated!

Many thanks!

Yes, IP forwarding is there:

%sysctl -a | grep net.inet.ip.forwarding
net.inet.ip.forwarding: 1

The strange thing is that if I enable NAT on tl0 it works as it should.

I haven't tried NAT using PF yet, though.

Thank you guys! The issue was solved by implementing policy routing with IP Filter. However, my initial question is still valid. Assuming I don't use any firewall, how would one route NATed traffic through the secondary interface while the default gateway is on the same subnet as the primary interface?

I also wish to divert my LAN traffic via another NIC/public IP address, whilst keeping the server traffic on the 1st and default NIC. I am using ipfilter to NAT the LAN to a public IP. When I change the NIC from the 1st to the 2nd public-facing interface, no traffic gets through. I guess this is because it wants to use the default route. I thought I had to use route commands (routing) to solve my problem, but your solution using ipfilter policy routing is now my default route (lol). Thanks for the direction. I am also curious how to achieve this with routing. Is there a way to NAT with routing as well?

How to direct NATed LAN to secondary public IP?

Forgot to ask in my last post: how did you manage to get it to work using ipfilter? Is it possible you could copy & paste your ipnat.conf and ipf.conf (ipf.rules) contents, just the relevant lines? Thanks in advance.
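An added, illustrative set of IP Filter rules for the setup the thread describes (NATing the 10.0.10.0/24 LAN out the secondary interface fxp0 while tl0 keeps the default route); these are not the original poster's actual ipnat.conf/ipf.conf, which were never posted. Assumptions: the LAN hangs off fxp1, and GATEWAY_FXP0 is a placeholder for the next-hop router on fxp0's own subnet.

```conf
# /etc/ipnat.conf  (added example, not the poster's file)
# Translate the LAN (assumed 10.0.10.0/24) to whatever address fxp0 carries.
# The source network is the part that was stripped from the poster's lines.
map fxp0 10.0.10.0/24 -> 0/32 portmap tcp/udp 30000:60000
map fxp0 10.0.10.0/24 -> 0/32

# /etc/ipf.conf  (added example, not the poster's file)
# Policy routing: forwarded packets that arrive on the LAN interface (assumed
# fxp1) are pushed out fxp0 towards GATEWAY_FXP0 (placeholder) by the
# "to ifname:gateway" option, bypassing the kernel routing table, so the
# default route on tl0 never sees them.  IP Filter still applies the fxp0
# NAT map to packets it routes this way, which is why NAT on fxp0 starts
# working once the rule is in place.  Packets the server itself originates
# never match an "in" rule, so they keep using the default route on tl0.
pass in quick on fxp1 to fxp0:GATEWAY_FXP0 from 10.0.10.0/24 to any keep state

# Replies come back in on fxp0, are un-NATed first, then matched by the state
# entry above, so no separate inbound rule is needed for them.
pass out quick all keep state
block in all
```

Load the files with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf`; net.inet.ip.forwarding must be 1, as it already is in the thread.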