I'm working on a router that acts as a captive portal and transparent
http proxy for unregistered or disabled hosts that plug into our

The router has a public administrative interface on em0. The router has a physically separate interface, on vlan200 using em1, for the NAT clients. The router
also has the interface vlan100 on em1 with the address
The "captured" machines are assigned addresses on the 10.100/16 subnet.
The router's firewall allows certain http traffic through the NAT, such
as windows updates. All other http requests are forwarded through an
instance of squid to an apache instance.

The system's default route is configured on the administrative
interface, via My firewall includes the rule:
  $cmd 0013 divert natd ip from not me to any via vlan200

The NAT does not work. From a "captured" machine, I am able to ping both and the gateway, but nothing off-subnet. We
suspect the packets leaving the NAT, tagged with source-address are being routed via the system's default route at The router is dropping these packets on the floor,
because the source address doesn't match the subnet it's routing.

Is it possible to tell the system to use a different default route based
on the source address of the packet? We want to keep the administrative
interface on a separate subnet from the client traffic.

I tried using an ipfw fwd rule:
  $cmd 0014 fwd ip from to not \

But this had no effect. Any suggestions would be greatly appreciated.


Chris Cowart
Unix Systems Administrator
Residential Computing, UC Berkeley
"May all your pushes be popped"
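As an added illustration (not part of the original post, and not the poster's configuration), the following small route-lookup model reproduces the failure mode the post suspects: a packet is sent out via the default route on an interface whose connected subnet does not contain the packet's source address. The 10.100/16 client subnet comes from the post; every other address, the interface table and the routing table are constructed placeholders from the documentation ranges, since the real addresses are not on the page.

```python
"""Constructed model of longest-prefix route lookup plus a source/egress
subnet consistency check. Assumptions: em0 is the administrative
interface carrying the default route, vlan200 holds the captured clients
(10.100/16 as in the post), and all concrete addresses are placeholders."""
from ipaddress import ip_address, ip_network

# Constructed interface table: interface name -> connected subnet.
INTERFACES = {
    "em0": ip_network("192.0.2.0/24"),         # administrative side (placeholder)
    "vlan100": ip_network("198.51.100.0/24"),  # placeholder subnet for vlan100
    "vlan200": ip_network("10.100.0.0/16"),    # captured clients, from the post
}

# Constructed routing table: (destination prefix, egress interface).
# 0.0.0.0/0 is the default route, which lives on the administrative side.
ROUTES = [
    (ip_network("0.0.0.0/0"), "em0"),
    (ip_network("192.0.2.0/24"), "em0"),
    (ip_network("198.51.100.0/24"), "vlan100"),
    (ip_network("10.100.0.0/16"), "vlan200"),
]


def lookup_route(dst):
    """Return the egress interface for dst using longest-prefix match."""
    best = None
    for net, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def check_egress(src, dst):
    """Return (egress_iface, ok). ok is False when the source address is not
    inside the egress interface's connected subnet, which is the mismatch
    that causes the packet to be dropped on the wrong interface."""
    src_addr, dst_addr = ip_address(src), ip_address(dst)
    iface = lookup_route(dst_addr)
    return iface, src_addr in INTERFACES[iface]


def audit(flows):
    """Audit a list of (src, dst) pairs; returns (src, dst, iface, ok) tuples."""
    return [(s, d) + check_egress(s, d) for s, d in flows]


if __name__ == "__main__":
    # Constructed sample flows: on-subnet traffic, a captured client going
    # off-subnet, and administrative traffic going off-subnet.
    for row in audit([
        ("10.100.5.7", "10.100.0.1"),
        ("10.100.5.7", "203.0.113.9"),
        ("192.0.2.10", "203.0.113.9"),
    ]):
        print(row)
```

Feeding the post-NAT source address and an off-subnet destination into `check_egress` shows which interface the default route selects and whether that interface's subnet can legitimately carry that source; a `False` result marks the flow that needs a source-based routing decision rather than the plain default route.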
