On 19.07.2017 12:27, Muenz, Michael wrote:
> On 19.07.2017 at 10:32, Andrey V. Elsukov wrote:
>>
>> What about reverse NAT rule? You need to translate decrypted packets
>> back to 10.26.2.0, otherwise they will still have 10.26.1.1 IP address
>> as final destination and will not be forwarded to 10.26.2.0.
>>
>
> Hi Andrey,
>
> I'm not really familiar with ipfw syntax, I'm more the linux guy and
> there the state will be tracked.
> How should I build the rules to do the reverse nat? I'm googling for 2
> days now but I only found port redirects for this.
Try to add the following rule:

  ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

This rule will pass a decrypted packet to the NAT instance, which will check in the state table whether the packet should be translated back or not. You need to have the enc0 interface in the UP state, and the sysctl variable net.enc.in.ipsec_filter_mask should be set to 1 or 2. After translation on enc0 the packet will be returned to the IPsec subsystem, which will queue it for further processing in the netisr. Since the destination address becomes foreign, it will be forwarded by the IP stack.

-- 
WBR, Andrey V. Elsukov
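The steps from the reply collected into one script, as an added example that is not part of the thread. It assumes the forward direction is handled by NAT instance 1 mapping the local LAN 10.26.2.0/24 to 10.26.1.1 (rule 178, inferred from the thread), that net.enc.out.ipsec_filter_mask is also needed for that outbound rule, and that the rule numbers are arbitrary; passing "dry" prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread). Run as root on FreeBSD, or with
# "dry" as the argument to only print the commands.
# Assumptions: NAT instance 1 maps LOCAL_LAN to NAT_IP inside the tunnel
# (rule 178, inferred); rule numbers 178/179 are arbitrary.

LOCAL_LAN="10.26.2.0/24"     # LAN behind this gateway (from the thread)
NAT_IP="10.26.1.1"           # address the LAN appears as in the tunnel
REMOTE_LAN="10.24.66.0/24"   # other end of the IPsec tunnel

# Execute a command, or echo it in dry-run mode.
run() {
    if [ "$MODE" = "dry" ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_ipsec_nat() {
    MODE="$1"
    # In-kernel NAT (libalias); -n skips loading if already present.
    run kldload -n ipfw_nat
    # enc0 must be UP for IPsec packets to be passed to the firewall.
    run ifconfig enc0 up
    # Filter decrypted packets on enc0 (1 or 2, per the reply).
    run sysctl net.enc.in.ipsec_filter_mask=1
    # Assumption: needed so the outbound rule below sees packets on enc0.
    run sysctl net.enc.out.ipsec_filter_mask=1
    # NAT instance 1 rewrites the LAN source addresses to NAT_IP.
    run ipfw nat 1 config ip "$NAT_IP"
    # Forward direction (assumed): translate before encryption.
    run ipfw add 178 nat 1 ip from "$LOCAL_LAN" to "$REMOTE_LAN" out xmit enc0
    # Reverse direction (from the reply): decrypted packets go back through
    # the NAT state table so the destination becomes the real LAN host.
    run ipfw add 179 nat 1 log all from "$REMOTE_LAN" to "$NAT_IP" in recv enc0
}

if [ "${1:-}" = "apply" ] || [ "${1:-}" = "dry" ]; then
    apply_ipsec_nat "$1"
fi
```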