# Dynamic NAT from pool on FreeBSD



## hucker91 (Feb 27, 2019)

Good day,

I have a FreeBSD 8.1 server installed and connected to the network. (See topology screenshot.)






I need to masquerade the PC IP 192.168.1.2 on FreeBSD to 1.1.1.3, not to 1.1.1.2. On the router the source traffic must come from 1.1.1.3, not from 1.1.1.2. Is it possible?

I tried assigning the secondary IP 1.1.1.3 as an alias in rc.conf; it didn't work.


----------



## SirDice (Feb 27, 2019)

hucker91 said:


> I have a FreeBSD 8.1 server installed


FreeBSD 8.1 has been End-of-Life since July 2012 and is not supported any more. 

Topics about unsupported FreeBSD versions: Unsupported FreeBSD Releases, www.freebsd.org


----------



## hucker91 (Feb 27, 2019)

Is it not possible to do it with divert nat?


----------



## hucker91 (Feb 27, 2019)

Or is it possible to do on latest version of FreeBSD?


----------



## SirDice (Feb 27, 2019)

Why don't you simply change the IP address?


----------



## hucker91 (Feb 28, 2019)

Because all client PCs reach the router through 1.1.1.2. Now I need to limit some client IPs on the router, and for that it is necessary to divide them on FreeBSD by mapping them to 1.1.1.3. After that I can limit only 1.1.1.3 on the router.


----------



## SirDice (Feb 28, 2019)

hucker91 said:


> Because, all client PCs reach the router through 1.1.1.2.


No, they go out through 192.168.1.1.


hucker91 said:


> And now i need to limit some client IPs on Router and it is necessary to divide them on freebsd by mapping them to 1.1.1.3.


Do the filtering on the FreeBSD machine, not the router.


----------



## hucker91 (Feb 28, 2019)

On FreeBSD they are masqueraded to 1.1.1.2 on the outside interface at the moment. But some of the clients I need to NAT to another IP from the 1.1.1.0/24 subnet (for example, to 1.1.1.3).
Traffic is masqueraded on both routers (FreeBSD and the Router).

The purpose is to masquerade some of the clients on FreeBSD to 1.1.1.2, which is the interface IP, and some other clients I want to masquerade to 1.1.1.3, which is not set on the interface as an IP.

I assigned 1.1.1.3 as an alias on the FreeBSD interface, but I can't masquerade clients to this IP address.

Default rules:

```sh
# variables used by the rc.firewall script; ${FwCMD} and ${NetVpn} are
# defined elsewhere in the script and are not shown in the post
LanOut="vr1"
LanOutIP="1.1.1.2"
NetIn="192.168.1.0"
NetMask="24"

# LAN and VPN traffic leaving vr1 is diverted to the single natd instance,
# which currently masquerades everything to the interface address 1.1.1.2
${FwCMD} add divert natd ip from ${NetIn}/${NetMask} to any out via ${LanOut}
${FwCMD} add divert natd ip from ${NetVpn}/${NetMask} to any out via ${LanOut}
```


----------



## SirDice (Feb 28, 2019)

Your solution is faulty from the start.


----------



## hucker91 (Mar 1, 2019)

Where is the fault? This scheme is working; I only need some secrets of NAT on FreeBSD. If it were a Cisco ASA, I would solve the problem myself.
Link for doing it on a Cisco ASA:


----------



## hucker91 (Mar 1, 2019)

Cisco ASA 8.4.2 from scratch. Part 4. NAT | ciscomaster.ru


----------



## VladiBG (Mar 1, 2019)

Put 1.1.1.3 as a secondary IP address on your FreeBSD and then use 1:1 NAT.


----------



## hucker91 (Mar 1, 2019)

VladiBG said:


> put the 1.1.1.3 as secondary ip address on your FreeBSD and then use 1:1 NAT


Do you think it will work?
As I mentioned above, I tried with a secondary IP; it didn't work...


----------



## VladiBG (Mar 1, 2019)

When you put it as an alias (`ifconfig em0 inet 1.1.1.3/24 alias`), do you have ping from the router to 1.1.1.3/24?


----------



## hucker91 (Mar 1, 2019)

Yes, ping is going...
I added this rule on top of the default NAT rule:

```sh
# inserted before the default divert rules; ipfw also accepts an IP address
# after "via" (it then means the interface carrying that address).
# The poster reports that this rule has no effect.
${FwCMD} add divert natd ip from 192.168.1.2 to any out via 1.1.1.3
```

The above rule is not working.

The traffic goes through the default NAT rules:

```sh
${FwCMD} add divert natd ip from ${NetIn}/${NetMask} to any out via ${LanOut}
${FwCMD} add divert natd ip from ${NetVpn}/${NetMask} to any out via ${LanOut}
```


----------
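The reason the rule in the post above has no effect is that a single natd process only ever translates to one alias address, whatever ipfw rule diverted the packet to it. The following is an added example, not code from the thread or from any of the posters: an rc.firewall-style script that gives the host 192.168.1.2 its own NAT instance aliasing to 1.1.1.3, either as a second natd on its own divert port or as a second in-kernel ipfw nat instance, while the rest of 192.168.1.0/24 keeps leaving as 1.1.1.2. The interface vr1, the addresses 1.1.1.2/1.1.1.3 and the rule numbers are taken from the thread or chosen for illustration; 1.1.1.3 is assumed to be configured as an alias on vr1, and the divert port 8669 and the variable names AltIP, AltPort, SplitHosts, NatdCMD are this example's own. With FwCMD and NatdCMD unset the script only prints the commands, so it can be reviewed offline.

```shell
#!/bin/sh
# Added example (not from the thread): split outbound NAT on FreeBSD between
# two public addresses with ipfw. Set FwCMD=/sbin/ipfw and NatdCMD=/sbin/natd
# on the firewall to actually load the rules; by default they are echoed.

LanOut="vr1"
LanOutIP="1.1.1.2"
AltIP="1.1.1.3"            # assumed alias on vr1: ifconfig vr1 inet 1.1.1.3/24 alias
NetIn="192.168.1.0"
NetMask="24"
SplitHosts="192.168.1.2"   # hosts that must leave as ${AltIP} (illustrative)
AltPort="8669"             # divert port of the second natd (8668 is "natd")

FwCMD="${FwCMD:-echo ipfw}"
NatdCMD="${NatdCMD:-echo natd}"

# Variant 1: two userland natd processes. One natd instance aliases to a
# single address (-alias_address, or the address of its -interface), so the
# split host gets its own instance started with -a ${AltIP} on ${AltPort}.
gen_natd_rules() {
    ${NatdCMD} -p natd -n ${LanOut}
    ${NatdCMD} -p ${AltPort} -a ${AltIP}

    # ipfw is first-match: the specific host must precede the catch-all, and
    # replies addressed to ${AltIP} must be diverted to the same instance;
    # the default instance has no state for them and would never hand them
    # back to 192.168.1.2.
    for h in ${SplitHosts}; do
        ${FwCMD} add 100 divert ${AltPort} ip from ${h} to any out via ${LanOut}
    done
    ${FwCMD} add 110 divert ${AltPort} ip from any to ${AltIP} in via ${LanOut}

    ${FwCMD} add 200 divert natd ip from ${NetIn}/${NetMask} to any out via ${LanOut}
    ${FwCMD} add 210 divert natd ip from any to ${LanOutIP} in via ${LanOut}
}

# Variant 2: in-kernel ipfw nat (ipfw_nat.ko or options IPFIREWALL_NAT).
# Each nat instance has its own alias address and its own state table.
gen_kernel_nat_rules() {
    ${FwCMD} nat 1 config ip ${LanOutIP}
    ${FwCMD} nat 2 config ip ${AltIP}

    for h in ${SplitHosts}; do
        ${FwCMD} add 100 nat 2 ip from ${h} to any out via ${LanOut}
    done
    ${FwCMD} add 110 nat 2 ip from any to ${AltIP} in via ${LanOut}

    ${FwCMD} add 200 nat 1 ip from ${NetIn}/${NetMask} to any out via ${LanOut}
    ${FwCMD} add 210 nat 1 ip from any to ${LanOutIP} in via ${LanOut}
}

# Dry-run ordering check: the rule that sends the split host to the second
# instance must come before the catch-all rule, or the catch-all wins and the
# host leaves as 1.1.1.2 again. Prints "ok" when the order is right.
check_order() {
    rules=$(FwCMD="echo ipfw"; gen_kernel_nat_rules)
    first=$(echo "$rules" | grep -n "from ${SplitHosts%% *} to any out" | cut -d: -f1)
    catch=$(echo "$rules" | grep -n "from ${NetIn}/${NetMask} to any out" | cut -d: -f1)
    [ -n "$first" ] && [ -n "$catch" ] && [ "$first" -lt "$catch" ] && echo ok
}

gen_kernel_nat_rules
check_order
```

After loading either variant, `ipfw -a list` shows the per-rule counters, so a test connection from 192.168.1.2 should increment rule 100 and not rule 200, and `tcpdump -ni vr1 host 1.1.1.3` confirms that the packets really leave with source 1.1.1.3. Any ACL placed on the upstream router for 1.1.1.3 depends on this ordering staying intact, so the split rules belong in the firewall script next to the catch-all rather than being added by hand.

----------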



## ezraimanuel (Mar 2, 2019)

I'm sorry for not replying about ipfw. But in PF you can do something like this:

```
# pf evaluates nat rules first-match, so the single host is matched first
# and translated to 1.1.1.3; everything else falls through to 1.1.1.2.
# $LanOut and $RestOfYourNetwork are macros defined earlier in pf.conf.
nat on $LanOut inet from 192.168.1.2 to any -> 1.1.1.3
nat on $LanOut inet from $RestOfYourNetwork to any -> 1.1.1.2
```
I always do this to separate outgoing public IP addresses for multiple local IPs and/or LANs; works like a charm.


----------

