# All traffic to go through, only some NATed



## meleehunt (Sep 18, 2010)

First time user of FreeBSD.

This is what I would like to do:

1.  I have an internet switch connected to a Cisco firewall.
2.  I want to put BSD between the two and set some IPs to be NATed, though not all.
3.  This is due to some strange rules inside the Cisco that I cannot change.
4.  How do I (and what do I use to) set all traffic to go through, except that one class B network must be NATed to a new class B or IP before going through to its DMZ?
5.  The basic reason is that there are two ways this class B could approach the firewall, one from inside (LAN) and one from outside (internet); both reach the DMZ that is also off the firewall. I need to change the outside traffic in that class B to new IPs so it will not try to go down the LAN interface once leaving the DMZ (the stupid rule). I just want traffic from the internet interface to go back out to the internet.
6.  The Cisco in the middle has interfaces to the internet, LAN, and DMZ.

Examples.


```
(ideal)
Internet ---> cisco ------> dmz --------> cisco --------> Internet
Lan      ---> cisco ------> dmz --------> cisco --------> Lan

(actual)
[all but class B]
Internet ---> cisco ------> dmz --------> cisco --------> Internet
[class B]
Internet ---> cisco ------> dmz --------> cisco --------> Lan
[all]
Lan      ---> cisco ------> dmz --------> cisco --------> Lan

(desired)
[all but class B]
Internet ---> BSD      ---> cisco ---> dmz ---> cisco --> BSD     ---> Internet
[class B]
Internet ---> BSD NAT  ---> cisco ---> dmz ---> cisco --> BSD NAT ---> Internet
[all] [no net change]
Lan      ---> cisco ------> dmz --------> cisco --------> Lan
```
Any suggestions or can BSD do this?


----------



## meleehunt (Sep 18, 2010)

*follow on*

I don't expect a complete howto.

I'm just not sure where to start.

Since I need the IPs to stay the same (except for the specific class B), there must be a transparent proxy in here somewhere. I have used a squid variant in another project (SME Server) and it does its job well, though it is tough to reconfigure that environment for exceptions.

(fake IPs)

[Internet side - this works]

Source (anything but 100.100.0.0/16), destination (200.100.100.222) on internet class C 200.100.100.0/24

---> Cisco NATs (for one server example)

destination becomes (15.15.15.2) on 15.15.15.0/32 subnet (DMZ)

The webserver returns its 15.15.15.2 traffic to the Cisco and it is NATed back to the original IP (we are all happy).


[Internet side - this fails]

Source (100.100.0.0/16), destination (200.100.100.222) on internet class C 200.100.100.0/24

---> Cisco NATs (same server example)

destination becomes (15.15.15.2) on 15.15.15.0/32 subnet (DMZ)

The webserver returns its 15.15.15.2 traffic to the Cisco and it is NATed back to the *internal LAN* (we are all sad), destination 100.100.0.0/16.

Note the internal LAN has the same IP range as the external LAN range.

So the rule I can't change on the inside of the Cisco is: if it comes from either the internet interface or the LAN interface and is on the 100.100.0.0/16 network, it must return to the LAN interface as 100.100.0.0/16. I want to change the IPs on the internet interface for that class B only, and transparently, so it will go back the correct route out the correct interface... everyone else works fine except that one class B.


----------



## meleehunt (Sep 18, 2010)

Making the question much simpler per the FAQ.

Can FreeBSD do a transparent proxy that will NAT a class B to one IP?

If so, what are the pieces I need to get it going: ipfilter, natd, squid?

Thank you for your suggestions, or just tell me I'm not doing something realistic.


----------



## quintessence (Sep 21, 2010)

Hello,

> [Internet side - this fails]
> 
> Source (100.100.0.0/16) destination (200.100.100.222) on
> Internet class c 200.100.100.0/24
> ...

You can try some combination of NAT with RDR. I couldn't understand which network represents what; please post your rc.conf.


```
webserver="15.15.15.2"
lan_nets="100.100.0.0/16"

int_if="fxp0" # your internal interface
ext_if="fxp1" # your external interface

# Redirect LAN clients that connect to the external address on port 80
# to the web server instead.
pass in on $int_if proto tcp from $lan_nets to $ext_if port 80 \
   rdr-to $webserver
# As the redirected packet leaves through the internal interface again,
# rewrite its source to the firewall's internal address so the server's
# reply comes back through the firewall and both translations are reversed.
pass out on $int_if proto tcp to $webserver port 80 \
   received-on $int_if nat-to $int_if
```

This is an example with the new PF syntax.



> This will cause the initial packet from the client to be translated again when it's forwarded back through the internal interface, replacing the client's source address with the firewall's internal address. The internal server will reply back to the firewall, which can reverse both NAT and RDR translations when forwarding to the local client. This construct is rather complex as it creates two separate states for each reflected connection. Care must be taken to prevent the NAT rule from applying to other traffic, for instance connections originating from external hosts (through other redirections) or the firewall itself. Note that the rdr-to rule above will cause the TCP/IP stack to see packets arriving on the internal interface with a destination address inside the internal network.


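As an added example that is not from any poster in this thread: the source-only translation meleehunt asked for, written in the pre-4.7 pf syntax that FreeBSD shipped in 2010. The interface names are assumed, and it assumes the BSD box is a router (not a bridge) sitting between the internet switch and the Cisco's outside interface.

```pf
# Added example (not from the thread). Interface names and the routed
# placement of the BSD box between the internet switch and the Cisco are assumptions.
ext_if  = "em0"             # assumed: faces the internet switch
fw_if   = "em1"             # assumed: faces the Cisco "outside" interface
bad_net = "100.100.0.0/16"  # the class B that collides with the inside LAN

set skip on lo0

# Only packets whose source is in the colliding /16 are rewritten, and only
# as they leave toward the Cisco. ($fw_if) means "the address on that
# interface", so the Cisco already has a route and ARP entry for the new
# source; replies from the DMZ return here, match the state pf created, and
# are un-translated before going back out $ext_if.
nat on $fw_if from $bad_net to any -> ($fw_if)

# Everything else is forwarded with its original addresses; no nat rule matches it.
pass quick on $ext_if all keep state
pass quick on $fw_if all keep state
```

This needs pf_enable="YES" and gateway_enable="YES" in rc.conf, and the Cisco's internet-facing route must point at the BSD box's $fw_if address. Because the whole /16 now appears as a single address, DMZ server logs no longer show the real client IP, so keep pf's own logging (pflog) if you need to trace a connection back.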
----------

