Solved Subnet on ExtIF and ipfw nat not working

[goshanecr]

Good day!

Please, help me understand, how setup FreeBSD 11-STABLE amd64 router with several ip addresses on external interface.
I have:
Provider give me subnet

1.1.1.2/24 gw 1.1.1.1

/etc/rc.conf

# Assigned external IP addresses
ifconfig_rl0="inet 1.1.1.2/24"
ifconfig_rl0_alias0="inet 1.1.1.3/24"
ifconfig_rl0_alias0="inet 1.1.1.4/24"
ifconfig_rl0_alias0="inet 1.1.1.5/24"
defaultrouter="1.1.1.1"

# Internal
ifconfig_re0="inet 192.168.0.0/24"

# Loopback for Jails
cloned_interfaces="lo1"

ifconfig_lo1="inet 10.1.1.1/32" # Jail1
ifconfig_lo1_alias0="inet 10.1.1.2/32" # Jail2

/etc/rc.firewall

${FW} nat 1 config log if ${extIF} unreg_only reset same_ports \
        redirect_port   tcp     10.1.1.2:25 25
 
${FW} add nat 1 ip from any to any via ${extIF}

And with that setup I try to connect from outside to that router's 25 port.
telnet 1.1.1.2 25

Trying 1.1.1.2...
Connected to site.admin.
Escape character is '^]'.
220 domain.org ESMTP Postfix

telnet 1.1.1.3 25

Trying 1.1.1.3...
telnet: connect to address 1.1.1.3: Connection refused
telnet: Unable to connect to remote host

netstat -an | grep LISTEN

tcp4       0      0 10.1.1.2.25            *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN

So nated service works only on first assigned external ip address.
But ssh access working on all assigned ip's.

What I'm do wrong?

 

[obsigna]

The if parameter in the nat directive does not exactly do what people might expect from its name. It does not assign the translator to the specified interface but it does determine the IPv4 address of the given interface and links the nat to that IP address, see: ipfw(8) - NAT. Most probably, the NAT engine simply is not aware of the additional alias IP addresses of that interface.

You might want to try to add additional NAT instances, assigned to each of the other IP addresses, using the ip parameter instead of the if parameter.

Another problem might arise from your choice of the subnets of the alias addresses. ifconfig(8) states:

... If the address is on the same subnet as the first network address for this interface, a non-conflicting netmask must be given. Usually 0xffffffff is most appropriate. ...

Besides the netmasks, you're doing nothing wrong, but your expectation seems to be wrong.

 

[goshanecr]

Thanks obsigna for your comments. I understand note about several IP's on interface and it's mask.
I found a very good explanation of ipfw nat, but it in Russian language http://birdofluck.livejournal.com/8778.html
So working solution are:
sysctl net.inet.ip.fw.one_pass=0

#!/bin/sh

FW="/sbin/ipfw -q"

extIF=rl0
intIF=re0

IP_GW=1.1.1.1
IP_1=1.1.1.3
IP_2=1.1.1.4
IP_3=1.1.1.5
IP_4=1.1.1.6
IP_5=1.1.1.7

# Opened ports on each IP
TCP_1=22,25,80,443,465
TCP_2=22,25,465
TCP_3=22
TCP_4=22
TCP_5=22

PRX_PORTS=80,443

# Clear all previous data
${FW} flush
${FW} table all flush

# Table with NAT'ed LANS
${FW} table 1 add 192.168.1.0/24
${FW} table 1 add 192.168.2.0/24
${FW} table 1 add 192.168.3.0/24
${FW} table 1 add 192.168.4.0/24
${FW} table 1 add 192.168.5.0/24
${FW} table 1 add 192.168.6.0/24
${FW} table 1 add 10.0.0.1/32
${FW} table 1 add 10.1.1.0/24
${FW} table 1 add 10.1.2.0/24

# Used forward DNS Servers
${FW} table 2 add 8.8.8.8/32
${FW} table 2 add 8.8.4.4/32

# Table with assigned nat to subnets
${FW} table 3 add 192.168.0.0/27 1
${FW} table 3 add 10.0.0.1/32 1
${FW} table 3 add 10.1.1.2/32 2
${FW} table 3 add 10.1.1.4/32 2
${FW} table 3 add 10.1.1.0/24 1
${FW} table 3 add 10.1.2.0/24 1

${FW} add allow all from any to me 22
${FW} add allow all from me 22 to any

${FW} add check-state

${FW} add allow all from any to any via lo0
${FW} add allow all from any to any via lo1
${FW} add allow all from any to any via lo2
${FW} add deny log all from any to 127.0.0.0/8
${FW} add deny log all from 127.0.0.0/8 to any
${FW} add deny icmp from any to any frag
${FW} add deny icmp from any to 255.255.255.255 in via ${extIF}
${FW} add deny icmp from any to 255.255.255.255 out via ${extIF}
${FW} add deny all from any to me 53 in via ${extIF}
${FW} add deny tcp from any to ${IP_1} not ${TCP_1} in via ${extIF} setup
${FW} add deny tcp from any to ${IP_2} not ${TCP_2} in via ${extIF} setup
${FW} add deny tcp from any to ${IP_3} not ${TCP_3} in via ${extIF} setup
${FW} add deny tcp from any to ${IP_4} not ${TCP_4} in via ${extIF} setup
${FW} add deny tcp from any to ${IP_5} not ${TCP_5} in via ${extIF} setup

# Nat config
${FW} nat 1 config ip ${IP_1}
${FW} nat 2 config ip ${IP_2}
${FW} nat 3 config ip ${IP_3}

${FW} nat 10 config \
        redirect_port tcp 10.1.1.2:25 ${IP_1}:25 \
        redirect_port tcp 10.1.1.2:25 ${IP_2}:25 \
        redirect_port tcp 10.1.1.4:80 ${IP_1}:80 \
        redirect_port tcp 10.1.1.4:443 ${IP_1}:443 \
        redirect_port tcp 10.1.1.2:465 ${IP_1}:465 \
        redirect_port tcp 10.1.1.2:465 ${IP_2}:465

${FW} add skipto 5000 all from any to any out

# Incoming packets section
${FW} add nat 10 all from any to ${IP_1} recv ${extIF}
${FW} add nat 10 all from any to ${IP_2} recv ${extIF}
${FW} add nat 1 all from any to ${IP_1} recv ${extIF}
${FW} add nat 2 all from any to ${IP_2} recv ${extIF}

# outgoing packets section
${FW} add 5000 nat global all from table\(1\) to not me
${FW} add nat tablearg all from 'table(3)' to not me

${FW} add fwd ${IP_GW} all from ${IP_1} to any
${FW} add fwd ${IP_GW} all from ${IP_2} to any

${FW} add allow all from any to any