Hi, I forgot to mention that, but this sysctl is already set to 0. I see in the logs that packets pass rule 1000.
Sami

On Mon, Jul 1, 2013 at 12:17 PM, Eugene Grosbein <eu...@grosbein.net> wrote:
> On 01.07.2013 14:30, Sami Halabi wrote:
> > Hi,
> >
> > I've tried the following:
> >
> > em1 - ip 10.0.1.1/24
> > em2 - ip 11.0.3.1/24
> > route add 11.0.4.0/24 11.0.3.2
> >
> > ipfw flush
> > ipfw add 1000 nat 1 all from 10.0.1.2 to 10.0.1.1
> > ipfw add 2000 nat 2 all from 11.0.3.1 to 10.0.1.1
> >
> > ipfw add 3000 nat 2 all from 11.0.4.2 to 11.0.3.1
> > ipfw add 4000 nat 1 all from 10.0.1.1 to 11.0.3.1
> >
> >
> > ipfw nat 1 config same_ports ureg_only ip 11.0.3.1
> > ipfw nat 1 config reverse same_ports ureg_only ip 11.0.4.2
> >
> > What I see in tcpdump and logs is that rule 1000 converts the IP
> > correctly:
> > 10.0.1.2->10.0.1.1 ==> 11.0.3.1->10.0.1.1
> > while the 2000 rule does nothing...
>
> man ipfw says:
>
> To let the packet continue after being (de)aliased, set the sysctl
> variable net.inet.ip.fw.one_pass to 0.
>
> By default, rule 1000 "consumes" aliased packets and they do not hit rule
> 2000 at all.
> So, you need to set sysctl net.inet.ip.fw.one_pass=0

--
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
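The one_pass behaviour Eugene quotes from man ipfw, as an added toy model that is not part of this thread and not FreeBSD's ipfw code. It walks the four forward rules from Sami's ruleset in number order, treats a nat action as a plain rewrite of the source address to the instance's alias IP, and shows which rules a 10.0.1.2 -> 10.0.1.1 packet hits with one_pass=1 versus one_pass=0. Everything else about ipfw (protocol and port matching, reverse mode, what happens when a rule names an unconfigured instance) is left out. The nat instance table is an assumption: the thread configures instance 1 twice, and the model assumes the second line (ip 11.0.4.2) was meant for instance 2 so that rule 2000 has something to use.

```python
# Added illustration of the one_pass behaviour described in the thread. It is
# a toy model, not FreeBSD's ipfw: rules match only on exact src/dst address,
# a nat action only rewrites the source address to the instance's alias ip,
# and the only control-flow detail modelled is net.inet.ip.fw.one_pass.
from dataclasses import dataclass, field


@dataclass
class Rule:
    number: int
    nat_instance: int
    src: str  # exact source address to match
    dst: str  # exact destination address to match


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class Trace:
    packet: Packet
    hits: list = field(default_factory=list)  # rule numbers matched, in order
    verdict: str = "default-rule"  # "accept", or fell through to rule 65535


# The four forward rules from the thread, transcribed as constructed input.
RULES = [
    Rule(1000, 1, "10.0.1.2", "10.0.1.1"),
    Rule(2000, 2, "11.0.3.1", "10.0.1.1"),
    Rule(3000, 2, "11.0.4.2", "11.0.3.1"),
    Rule(4000, 1, "10.0.1.1", "11.0.3.1"),
]

# Assumed nat instances. The thread configures "nat 1 ... ip 11.0.3.1" and
# then "nat 1 config reverse ... ip 11.0.4.2"; this model assumes the second
# line was meant for instance 2, so that rule 2000 has an instance to use.
NAT = {1: "11.0.3.1", 2: "11.0.4.2"}


def run_ruleset(rules, nat, pkt, one_pass):
    """Walk the rules in number order and return a Trace.

    With one_pass=1 the packet is accepted right after the first nat rule it
    hits; with one_pass=0 it continues at the next rule carrying the rewritten
    source address, which is what lets rule 2000 see the output of rule 1000.
    """
    trace = Trace(packet=Packet(pkt.src, pkt.dst))
    p = trace.packet
    for rule in sorted(rules, key=lambda r: r.number):
        if (p.src, p.dst) != (rule.src, rule.dst):
            continue
        trace.hits.append(rule.number)
        if rule.nat_instance not in nat:
            # Not modelled: the model simply refuses to guess ipfw's behaviour.
            raise KeyError(f"nat instance {rule.nat_instance} is not configured")
        p.src = nat[rule.nat_instance]  # alias the source address
        if one_pass:
            trace.verdict = "accept"
            return trace
        # one_pass=0: fall through to the next rule with the aliased packet
    return trace


def trace_from_thread(one_pass):
    """The packet from the thread, 10.0.1.2 -> 10.0.1.1, under a given one_pass."""
    return run_ruleset(RULES, NAT, Packet("10.0.1.2", "10.0.1.1"), one_pass)


if __name__ == "__main__":
    for flag in (1, 0):
        t = trace_from_thread(flag)
        print(f"one_pass={flag}: rules hit {t.hits}, src is now {t.packet.src}, {t.verdict}")
```

With one_pass=1 the trace stops at rule 1000 with the source rewritten to 11.0.3.1, which is exactly the "consumed" case Eugene describes; with one_pass=0 the aliased packet is re-matched against rule 2000 and rewritten again to 11.0.4.2. On a real box the equivalent check is `sysctl net.inet.ip.fw.one_pass` together with the per-rule counters from `ipfw -a list`.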