Re: Bridge and NAT problems

If memory serves me right, Andrea Venturoli wrote:
Hello.
I've got the following problem...
My host is configured like this:

fxp0: internal interface, requires NAT
rl1: public interface, with static IP
xl0: bridged to rl1, with some public IP behind

ipfw diverts any traffic through rl1 to natd, i.e. I have in ipfw
50 divert 8668 ip from any to any via rl1


Internal <-> Internet works, as Internet <-> Bridged does.
Internal <-> Bridged does not work.

Let's suppose I'm pinging from the inside to a bridged machine: the ICMP
packet comes in through fxp0 and is allowed, gets NATted going out by
rule 50 and reaches the target host (I guess bridging is also happening
to send it out via xl0 instead of rl1).
The target answers to the public IP of this box and the packet comes in
via xl0, so it's not back-NATted and gets lost.

I then thought of diverting to natd every packet through xl0 (i.e. 60
divert 8668 ip from any to any via xl0), but this doesn't work either.
The packet gets to natd by means of rule 60, but natd does not recognize
it as an answer to a previously examined packet.
From man pages I understood that natd does not take interface into
account, but only source and destination IP:port. Then, what's wrong?

Any suggestion?

You didn't say which bridging driver or version of FreeBSD you're using,
but it sounds to me like you're using bridge(4), right? This is a
fairly well known problem, which I wrote a little bit about here:

http://lists.freebsd.org/pipermail/freebsd-net/2004-December/006075.html

(This message describes a scenario with ipf, but it applies equally well
I think to ipfw.)

If you can, try switching to using if_bridge(4). You (probably) want to
assign the public NAT address to the bridge0 interface, and leave the
physical interfaces making up the bridges (xl0 and rl1 in your case)
unnumbered. I've had good experiences with this type of configuration.

Bruce.

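The if_bridge(4) layout Bruce suggests, as an added example that is not part of the original thread: a small POSIX sh script that prints (or, as root on FreeBSD, applies) the interface and ipfw commands for putting the public address on bridge0 and leaving rl1 and xl0 unnumbered. Only the interface names, divert port 8668 and rule number 50 come from the thread; the 198.51.100.2/24 address, the natd invocation and the two bridge sysctls are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names fxp0/rl1/xl0,
# rule 50 and natd port 8668 come from Andrea's message; the address
# 198.51.100.2/24 is a constructed placeholder (RFC 5737 range).

# Layout from the thread: address and divert rule on rl1. Replies for the
# bridged hosts arrive on xl0, so they never pass rule 50 and natd never
# sees them as answers to a translated packet.
old_layout() {
    printf '%s\n' \
        'ifconfig rl1 inet 198.51.100.2/24' \
        'ipfw add 50 divert 8668 ip from any to any via rl1'
}

# Suggested layout: bridge0 owns the public address, members are unnumbered,
# so every routed packet (whichever member it physically uses) crosses
# bridge0 exactly once and hits the single divert rule in both directions.
# Assumed: filter on bridge0 only (pfil_member=0) to avoid a second pass
# on the member interfaces, and natd bound to bridge0's address.
new_layout() {
    bridge=$1; pub_if=$2; bridged_if=$3; addr=$4
    printf '%s\n' \
        'sysctl net.link.bridge.pfil_bridge=1 net.link.bridge.pfil_member=0' \
        "ifconfig $bridge create" \
        "ifconfig $pub_if up" \
        "ifconfig $bridged_if up" \
        "ifconfig $bridge addm $pub_if addm $bridged_if up" \
        "ifconfig $bridge inet $addr" \
        "natd -p 8668 -n $bridge" \
        "ipfw add 50 divert 8668 ip from any to any via $bridge"
}

# Apply only as root on FreeBSD; anywhere else just print the commands.
apply_or_print() {
    if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" -eq 0 ]; then
        new_layout "$@" | sh -ex
    else
        new_layout "$@"
    fi
}

apply_or_print bridge0 rl1 xl0 198.51.100.2/24
```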