# NAT: no NAT for local traffic



## mgp (Dec 7, 2008)

Hi,
I have a small home network of 2 PCs and of course I've set up NAT
this is how it looks:


```
(internet) <====> (PC1 doing NAT) <====> (PC2)
```

both PCs are desktop workstations
my problem is that the traffic of PC1 is also NATed
this is the rule:

```
01000 divert 8668 ip from any to any via dc0
```
I was wondering if there is any way to NAT only the traffic for PC2
I've tried several rules but I always end up NATing all traffic
could you help me please?

thank you


----------



## aragon (Dec 7, 2008)

It would be helpful if you provided ifconfig output.


----------



## Dr_Phoenix (Dec 7, 2008)

1) Do you have your own white (public) IP address, or do you connect to the internet through the provider's gateway?

2) What is the type of your Inet connection (adsl bridge, adsl router, direct link to provider)?

If I understand your situation correctly, try these rules:
Note: I use sample IPs, change them to yours.

```
(internet) <====> [dc0 193.44.44.44](PC1 doing NAT)[dc1 192.168.1.1/24] <====> [192.168.1.2/24](PC2)
```

```
01000 divert 8668 ip from 192.168.1.0:255.255.255.0 to any via dc0
01100 divert 8668 ip from any to 192.168.1.0:255.255.255.0 via dc0
```


----------



## mgp (Dec 8, 2008)

Hi,
I'm not sure I understand the first question
what is a self white IP address?
my internet connection is direct i.e. I'm directly connected to my ISP's LAN network and I have public IP address
no DSL modems or PPP stuff
I think I've tried something like that
the problem is with the second rule
the incoming packets could not match because there is no way for such a packet (with a private destination IP) to come through the external interface
the only way I could think of was to somehow allow the traffic for PC1 and let all the rest go to the NAT rule
but again how do I distinguish the packets incoming ?
they are all with the same destination IP address
maybe the answer is with stateful rules
but I don't know how exactly to do it


----------



## mgp (Dec 8, 2008)

ok I've tried it like this:


```
00100 check-state
01000 divert 8668 ip from 192.168.10.0/24 to any in via rl0 keep-state
65000 allow ip from any to any keep-state
```
where rl0 is connected to my local/private network (i.e. to PC2)

and many variations of that
but none of them work...

I can't understand how to do it

that's from man ipfw, "recv | xmit | via" paragraph


> A packet may not have a receive or transmit interface: packets
> originating from the local host have no receive interface, while
> packets destined for the local host have no transmit interface.


I'm interested exactly in that, packets generated by or destined for the local host (i.e. PC1)
how do I test whether a packet has no receive or transmit interface?


----------



## Dr_Phoenix (Dec 9, 2008)

If you write firewall rules from scratch without using the FreeBSD templates in rc.firewall, maybe you forgot some rules or have some errors in your script...

To pass local (localhost) traffic without diverting it you must place this rule above the divert rule:

```
ipfw add allow ip from any to any via lo0
```

Post the output of the following commands here so we can understand your problem more correctly:
1) ifconfig -a
2) ipfw -a list


----------



## mgp (Dec 9, 2008)

yes I write my rules from scratch
I don't use FreeBSD's scripts

I'm afraid you are wrong about this rule

```
ipfw add allow ip from any to any via lo0
```
because according to the manual page of ipfw


> packets
> originating from the local host have no receive interface, while
> packets destined for the local host have no transmit interface


I assume this rule would be useful when user applications communicate via ip/socket 

here's how my current setup looks:

```
# ifconfig -a
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:08:a1:27:88:1c
        inet 78.128.21.208 netmask 0xffffffc0 broadcast 78.128.21.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:19:e0:0e:a7:fa
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
```


```
# ipfw -a list
00010     12       600 allow ip from any to any via lo0
00011      0         0 deny ip from any to any not antispoof in
00020      0         0 deny ip from any to 192.246.40.56
01000 151174  53604212 divert 8668 ip from any to any via dc0
65000 259836 103213567 allow ip from any to any
65535    697     58867 deny ip from any to any
```

but I don't like it like that because all possible traffic is NATed

btw thanks for looking into my problem


----------



## aragon (Dec 9, 2008)

I don't understand the problem.  PC1's traffic will only be natted when it exits dc0 destined for the internet.  Why is that a problem?

It sounds like you are trying to avoid traffic flowing through the nat daemon for some reason.  But that is impossible because you only have one public IP address.  You can't share a single public IP address without the NAT daemon being involved at all times, unless you start restricting the port ranges that PC1 and PC2 utilise.


----------
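A small model of the ipfw matching semantics the thread is arguing about, added here as an illustration; it is not code from the thread and not FreeBSD's own code. It models only what the discussion turns on: address matching, the `in`/`out` keywords, `via`/`recv`/`xmit`, the ipfw(8) statement quoted above that a locally originated packet has no receive interface and a locally delivered one has no transmit interface, and the fact that ipfw inspects a forwarded packet once on input and once on output. The interface names and PC1's public address are taken from mgp's ifconfig output; PC2's address 192.168.10.2 and the remote host 203.0.113.5 are assumptions. It evaluates mgp's original ruleset, Dr_Phoenix's pair of rules (rewritten for mgp's subnet), and a third ruleset that restricts only the outbound divert by source, against four constructed passes through the firewall.

```python
"""Toy ipfw first-match evaluator for the divert rules discussed in this thread (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# From mgp's ifconfig output.
WAN_IF, LAN_IF = "dc0", "rl0"
PC1_PUBLIC = "78.128.21.208"
# Assumptions for the example only.
PC2_PRIVATE = "192.168.10.2"
REMOTE = "203.0.113.5"


@dataclass
class Pass:
    """One inspection of a packet at a single ipfw hook.

    A forwarded packet is inspected twice ('in' on rl0, then 'out' on dc0).
    Per ipfw(8), a locally originated packet has recv=None and a packet
    delivered to the local host has xmit=None (the output interface is not
    known yet at the input hook).
    """
    src: str
    dst: str
    direction: str               # "in" or "out"
    recv: Optional[str]
    xmit: Optional[str]


@dataclass
class Rule:
    number: int
    action: str                  # "divert 8668", "allow", "deny"
    src: str = "any"             # "any", a host address or a CIDR prefix
    dst: str = "any"
    direction: Optional[str] = None   # "in", "out" or None (both)
    via: Optional[str] = None         # matches either the recv or the xmit interface
    recv: Optional[str] = None
    xmit: Optional[str] = None


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(r: Rule, p: Pass) -> bool:
    if not (addr_match(r.src, p.src) and addr_match(r.dst, p.dst)):
        return False
    if r.direction and r.direction != p.direction:
        return False
    if r.via and r.via not in (p.recv, p.xmit):
        return False
    if r.recv and r.recv != p.recv:
        return False
    if r.xmit and r.xmit != p.xmit:
        return False
    return True


def first_match(rules: List[Rule], p: Pass) -> str:
    """First matching rule wins; rule 65535 'deny ip from any to any' is implicit."""
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, p):
            return r.action
    return "deny"


# mgp's ruleset: everything crossing dc0 is handed to natd.
ORIGINAL = [Rule(1000, "divert 8668", via=WAN_IF), Rule(65000, "allow")]

# Dr_Phoenix's two rules, with mgp's 192.168.10.0/24 instead of the sample subnet.
PHOENIX = [Rule(1000, "divert 8668", src="192.168.10.0/24", via=WAN_IF),
           Rule(1100, "divert 8668", dst="192.168.10.0/24", via=WAN_IF),
           Rule(65000, "allow")]

# Outbound divert restricted by source; inbound on dc0 still diverted unconditionally.
RESTRICTED = [Rule(1000, "divert 8668", src="192.168.10.0/24", direction="out", via=WAN_IF),
              Rule(1100, "divert 8668", dst=PC1_PUBLIC, direction="in", via=WAN_IF),
              Rule(65000, "allow")]

# Constructed sample passes. Both replies arrive before natd has run, so they
# carry PC1's public address and look identical to ipfw.
TRAFFIC = {
    "pc1 outbound": Pass(PC1_PUBLIC, REMOTE, "out", recv=None, xmit=WAN_IF),
    "pc2 outbound": Pass(PC2_PRIVATE, REMOTE, "out", recv=LAN_IF, xmit=WAN_IF),
    "reply to pc1": Pass(REMOTE, PC1_PUBLIC, "in", recv=WAN_IF, xmit=None),
    "reply to pc2": Pass(REMOTE, PC1_PUBLIC, "in", recv=WAN_IF, xmit=None),
}


def evaluate(rules: List[Rule]) -> dict:
    return {name: first_match(rules, p) for name, p in TRAFFIC.items()}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("phoenix", PHOENIX), ("restricted", RESTRICTED)):
        print(label, evaluate(rules))
```

Running it reproduces what mgp describes: with Dr_Phoenix's rules the reply for PC2 never reaches rule 1100, because at the firewall it still carries PC1's public address and matches exactly what a reply to PC1 looks like, so it is simply allowed and never translated. Restricting only the outbound divert by source does keep PC1's own outgoing packets (no receive interface, source 78.128.21.208) away from natd, but every packet arriving on dc0 still has to be diverted so natd can consult its translation table; a packet with no entry is passed through unchanged unless natd was started with -deny_incoming. That is also why aragon's objection stands: natd hands out alias ports without knowing which ports PC1's own sockets hold, so keeping the two hosts fully apart would mean keeping their port ranges apart.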

