On 27.02.2011 17:08, Eugene Grosbein wrote: [skip]
> For performance reasons, I need to create a similar setup using in-kernel "ipfw nat",
> which does not have such a "multiple instances" feature but has its own
> "keep-state" mechanics:

To correct myself: of course, ipfw nat has multiple instances... It does not offer something like natd's "globalport" feature to check all NAT instances for an entry before creating a new one.

> nat 123 config if $if0 unreg_only
> nat 124 config if $if1 unreg_only
> nat 123 ip from any to any via $if0 keep-state # For incoming packets create dynamic rule.
> nat 124 ip from any to any via $if1 keep-state # For outgoing packet use corresponding NAT instance.
> fwd $if0_gate ip from $if0_ip to any out xmit $if1 # Force packet go out right interface.
> fwd $if1_gate ip from $if1_ip to any out xmit $if0
>
> This works just fine if we do not try to use ipfw nat's port forwarding.
> Here it breaks because "keep-state" creates a dynamic rule for incoming connections
> before translation is done, so it records the external IP of the box as destination IP.
> Hence, replies will be translated using the wrong NAT instance when the routing table
> chooses the wrong outgoing interface - replies won't match ipfw's dynamic rules.
>
> I think this is a bug in 8.2-STABLE. Am I right?
> Or, perhaps, there is another way to set up ipfw nat for a dual-homed LAN?

_______________________________________________
freebsd-net mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
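An added model of the ordering problem described in the mail above (this is illustration code, not part of the mail and not ipfw's implementation): with constructed addresses, it records the dynamic rule either before the port-forward translation, as the mail says keep-state does, or after it, and checks whether the LAN host's untranslated reply matches the recorded flow.

```python
from dataclasses import dataclass

# Constructed addresses for the model (not from the original mail).
EXT_IP = "203.0.113.10"     # box's address on $if0
INT_HOST = "192.168.1.50"   # LAN host that the port forward points at
REMOTE = "198.51.100.7"     # outside client


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(p: Pkt) -> frozenset:
    """Dynamic rules match both directions, so key on the endpoint pair."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def redirect_port(p: Pkt, table: dict) -> Pkt:
    """Model of a nat instance's port forward: rewrite the destination."""
    new_dst, new_dport = table.get((p.dst, p.dport), (p.dst, p.dport))
    return Pkt(p.src, p.sport, new_dst, new_dport)


def inbound_state_before_nat(p: Pkt, table: dict, states: set) -> Pkt:
    """'nat N ... keep-state' as the mail describes it: state is created,
    then NAT runs, so the dynamic rule remembers EXT_IP, not the LAN host."""
    states.add(flow_key(p))
    return redirect_port(p, table)


def inbound_nat_before_state(p: Pkt, table: dict, states: set) -> Pkt:
    """Contrast case: translate first, then record the post-NAT flow."""
    translated = redirect_port(p, table)
    states.add(flow_key(translated))
    return translated


def reply_matches(order) -> bool:
    """Run one inbound packet through `order`, then check whether the LAN
    host's reply (still untranslated when ipfw checks state) hits the rule."""
    states: set = set()
    table = {(EXT_IP, 80): (INT_HOST, 8080)}
    order(Pkt(REMOTE, 40000, EXT_IP, 80), table, states)
    reply = Pkt(INT_HOST, 8080, REMOTE, 40000)
    return flow_key(reply) in states


if __name__ == "__main__":
    print("state before NAT, reply matches:", reply_matches(inbound_state_before_nat))  # False
    print("NAT before state, reply matches:", reply_matches(inbound_nat_before_state))  # True
```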
