# ipfw nat with 2 out interfaces problem



## slonick (Aug 1, 2012)

Hi!

It's been a while since I'm trying to get my FreeBSD router working as expected but without a success.

I have a FreeBSD 9.0 box connected to Internet through re0. It has also re1 - re4 interfaces that look into my home LAN. My Internet provider has an internal LAN which I directly connect to via re0. But in order to reach Internet I have to establish a VPN connection.

Here is a problem: I have 2 out connections - re0 and ng0 and I need to route internal LAN to proper interface depending on the destination IP.

I have a working re0 interface, I also connect VPN trough ng0 and it works Ok. What I need is to set up a NAT service. I tried IPFW with kernel NAT:

```
sysctl net.inet.ip.fw.one_pass=1

//allow all trough internal interfaces
...

ipfw nat 1 config if re0 reset same_ports deny_in
ipfw add 10130 nat 1 ip from any to any via re0
ipfw nat 2 config if ng0 reset same_ports deny_in
ipfw add 10140 nat 2 ip from any to any via ng0

ipfw add 65534 deny all from any to any
```

with this setup everything pings OK - DNS servers, google, ...

But, when I try to browse _some_ sites doesn't load. So almost all of simple sites loads ok but google.com not. Chrome indicates 'loading' for a very long time but then times out with a blank screen. Deny all rule doesn't indicate denied packets while I try to load google.com

I am sure there is a simple mistake that I made but I can't find it and don't know how to investigate.


----------



## SirDice (Aug 1, 2012)

I'm assuming ng0 is the VPN interface. Only NAT on that interface, not on the others. Make sure your default gateway is pointing to the VPN tunnel end-point.


----------



## ecazamir (Aug 8, 2012)

I had a similar problem with a PPPoE WAN connection. It is very likely that your internal clients to use MTU 1500 (default), while the VPN connection uses a lower MTU. I've put pf to perform tcp fragment reassembling, with a rule like "scrub in all max-mss 1440", if I remember correctly. You can also reduce MTU to the LAN clients to ~1450 bytes, but this may have some impact on maximum bandwidth and CPU usage while transferring data from LAN to LAN.


----------

