# Ipfw + nat + forwarding + check-state



## Susling (Jan 15, 2010)

Hi! My problem is how to combine NAT + real address forwarding + ipfw dynamic rules table (check-state...). Please, can you give me some examples?


----------



## Alt (Jan 15, 2010)

Maybe I'm wrong, but I think you can't check-state and nat at the same time. For nat in ipfw you must 'nat' or 'divert', and check-state is another story. At least I'm interested in how it can be done, if it can.


----------



## phoenix (Jan 15, 2010)

Combining check-state with natd (ipfw divert rules) is very complex and prone to errors.

Combining check-state with ipfw nat rules should work, though.

For best/easiest stateful filtering and NAT, PF would be better.


----------



## Susling (Jan 20, 2010)

OK, thanks. So I have 1 WAN interface with address `85.*.*.*` for Internet and 1 LAN interface with address `192.168.*.*` for users. But I also have a subnet of real addresses routed to me by my ISP (`195.*.*.*`). My question is: can I NAT (with the NATD option "-a") `192.168.*.*` to one of these `195.*.*.*` addresses? (None of them is assigned to the WAN interface.)

Or like this:

```
rl0 (WAN) 85.x.x.x
vr0 (LAN) 192.168.x.x
```

So can I do it like this in /etc/rc.conf?

```
natd_enable="YES"
natd_flags="-a 195.x.x.x"
```


----------

