On Sep 5, 2014, at 9:15 PM, John Case <c...@sdf.org> wrote:

> For many years I would build FreeBSD firewalls and they would be very, very
> simple - I just set gateway_enable="yes" in rc.conf and everything just
> worked.
>
> However, these firewalls *always* had real, routable IPs on both sides. Both
> interfaces had real, routable IPs.
>
> Now I have a firewall that has two non-routable IPs for its interfaces, and
> is connected to an internet router with the real IP. When I try to build a
> very simple firewall it does not work, and I am forced to use ipdivert and
> natd.
>
> If I use ipdivert and natd, it works just fine.
>
> So, am I correct that I can create a simple gateway without natd/divert as
> long as both interfaces are real IPs, but if both interfaces are non-routable
> IPs, I am forced to use divert/natd?
Just think about the 'routing' aspect. In your current scenario it sounds like the Internet-connected device is doing NAT. It knows about its public IP and its private subnet. It sounds like you have a second private subnet behind your FreeBSD machine about which the Internet-connected device knows nothing.

For packets to get from the Internet-connected device to your second subnet one of two things needs to happen:

1) The Internet-connected device has a static route to the second subnet (so it knows to use your FreeBSD machine as the gateway), or
2) The FreeBSD machine performs NAT (a second time), so the Internet-connected device sends traffic to it even though it knows nothing about the subnet behind it.

I would prefer 1) as it's simpler and double-NAT isn't generally a good thing. However, if you don't have a way to add a route to the Internet-connected device then 2) isn't necessarily bad.

In your previous all-routable-IPs setups something was presumably advertising the route for you. The new setup isn't much different in principle.

JN

PS: Using the in-kernel NAT with IPFW is simpler and more efficient than using natd...

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
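The following is an added worked example of the two options in JN's reply and of the in-kernel ipfw NAT mentioned in the PS; it is written for this page and was not posted by either participant. It assumes a constructed topology: the Internet router already NATs to the public IP and sits at 192.168.1.1/24, the FreeBSD box has em0 = 192.168.1.2/24 toward the router and em1 = 192.168.2.1/24 on the inner LAN, and the inner LAN is 192.168.2.0/24. Interface names and addresses are assumptions, not values from the thread. The script only prints what would go into rc.conf (or be typed at the shell); it does not change the running system.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the configuration for the two
# options in the reply above for a constructed topology:
#   Internet router (already NATs to the public IP): 192.168.1.1/24 on its LAN side
#   FreeBSD box: em0 = 192.168.1.2/24 toward the router, em1 = 192.168.2.1/24 inner LAN
#   Inner LAN: 192.168.2.0/24 (the subnet the router knows nothing about)
# Interface names and addresses are assumptions. Nothing here is applied; it is only printed.

OUTER_IF=em0
INNER_IF=em1
FW_OUTER_IP=192.168.1.2
INNER_NET=192.168.2.0/24

# Option 1 (preferred in the reply): plain routing, no NAT on FreeBSD.
# gateway_enable="YES" sets net.inet.ip.forwarding=1; firewall_type="open" is a
# permit-all placeholder policy that should be tightened for real use.
rc_conf_route_only() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
EOF
}

# The one thing Option 1 needs on the Internet router: a static route for the
# inner subnet via the FreeBSD box. Shown in FreeBSD route(8) syntax; a vendor
# router's CLI will differ, but the information it needs is the same.
router_static_route() {
    echo "route add -net $INNER_NET $FW_OUTER_IP"
}

# Option 2: double NAT, done with in-kernel ipfw NAT instead of natd/divert.
# rc.firewall builds the 'ipfw nat ... config if $OUTER_IF' command and the
# matching nat rule from these variables; the ipfw_nat kernel module (or
# IPFIREWALL_NAT compiled into the kernel) must be available.
rc_conf_kernel_nat() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_nat_enable="YES"
firewall_nat_interface="$OUTER_IF"
firewall_nat_flags="same_ports unreg_only reset"
EOF
}

# The equivalent rules if the ruleset is written by hand instead of via rc.firewall.
# unreg_only: translate only RFC 1918 sources (the inner LAN) and leave other traffic alone.
# With the default net.inet.ip.fw.one_pass=1 a packet that matches the nat rule is
# accepted right there, so rule 200 only governs traffic that never crosses $OUTER_IF.
ipfw_nat_rules() {
    cat <<EOF
ipfw nat 1 config if $OUTER_IF same_ports unreg_only reset
ipfw add 100 nat 1 ip4 from any to any via $OUTER_IF
ipfw add 200 allow ip from any to any
EOF
}

# Checks to run on the FreeBSD box after either option, to confirm it forwards.
forwarding_checks() {
    echo "sysctl net.inet.ip.forwarding   # expect 1"
    echo "netstat -rn -f inet             # expect $INNER_NET reachable via $INNER_IF"
}

echo "# Option 1: /etc/rc.conf on the FreeBSD box"
rc_conf_route_only
echo "# Option 1: on the Internet router"
router_static_route
echo "# Option 2: /etc/rc.conf on the FreeBSD box (in-kernel ipfw NAT)"
rc_conf_kernel_nat
echo "# Option 2: equivalent hand-written rules"
ipfw_nat_rules
echo "# Verification"
forwarding_checks
```

Run it with `sh` to see both configurations side by side. If the Internet router accepts a static route, Option 1 is the whole job: forwarding on, no translation, and the inner subnet stays visible end to end. Option 2 is the fallback when the router cannot be told about the inner subnet; with `unreg_only` the box translates only private-source packets leaving em0, which is the minimum needed to make the router accept replies for hosts it has never heard of.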