Subject: IP-NAT problems...
To: Current Users <current-users@NetBSD.ORG>
From: Mason Loring Bliss <>
List: current-users
Date: 10/04/1997 11:39:12
Hi, all! I'm trying to get IP-NAT working without success.

>From what I can see, everything is set up properly, but evidently IP-NAT
isn't happening. I have an external modem, and I can watch the lights...
When a machine that should be mapped sends packets to the outside world,
the packets get routed out properly, but nothing comes back in, which leads
me to believe that the return address isn't being touched, or at least not
properly. I'm not sure how to sniff at the packets, but I think the Red
Book talks about this, so maybe I'll have more information before too long.
Specifically, I'll try to find out exactly what the return address being
sent out is.

My setup is as follows:

ppp0 is a part-time link to the outside world. sl0 is a fulltime link to my
Macintosh. I've set up the mapping as follows:

map ppp0 -> portmap tcp/udp 10000:65000
map ppp0 ->

where I manually fill in my current IP address before running ipnat. ipnat
-l tells me that everything is set up, after I've started things up.

The default route is through ppp0, and, as I mentioned before, I seem to be
working sufficiently well as a gateway, near as I can tell.

I've got the proper stuff in my kernel, I believe:

options         INET            # IP stack
options         GATEWAY         # IP packet forwarding
options         PFIL_HOOKS      # pfil(9) packet filter hooks.
pseudo-device   bpfilter        12
pseudo-device   ppp             2
pseudo-device   sl
pseudo-device   ipfilter

I've *very* recently installed the latest snapshot of -current, and my
kernel is quite new. I've got the following devices:

crw-------  1 root  wheel   35,   3 Sep 30 17:58 /dev/ipauth
crw-------  1 root  wheel   35,   0 Sep 30 17:58 /dev/ipl
crw-------  1 root  wheel   35,   1 Sep 30 17:58 /dev/ipnat
crw-------  1 root  wheel   35,   2 Sep 30 17:58 /dev/ipstate

Both pppd and slattach were run by root, so access shouldn't be a problem.
(I'm grasping at straws here. :)

In /etc/rc.conf:

ipfilter=YES                    # YES or NO.

I'm not sure why things aren't working... There seems to be something I've
missed. I don't know if ipf needs to be run before ipnat, and I didn't have
an /etc/ipf.conf file, but either way, here's something:

/etc# touch ipf.conf
/etc# ipf -E -Fa -f /etc/ipf.conf
SIOCFRENB: Device busy

I used the arguments present in /etc/netstart, FWIW.

Thanks in advance for the help! If theres any information I've left out
(excepting the actual return addresses being sent out, which I'll get as
soon as I figure out how) write me and I'll gladly supply it.

        Mason Loring Bliss    /\   /()\   awake ? sleep() : dream();
<barbaric>YAWP!</barbaric>  /    \  Squeak to me of love!