Subject: Problems with IPF/NAT
To: None <netbsd-help@mail.netbsd.org>
From: Paul Newhouse <newhouse@rockhead.com>
List: netbsd-help
Date: 09/28/2000 21:39:47
Platform i386
NetBSD bigbox 1.4ZD NetBSD 1.4ZD (BIGBOX) #3: Thu Jun 22 17:34:38 PDT 2000
   newhouse@pimin:/usr/src/sys/arch/i386/compile/BIGBOX i386


My configuration looks like:

#                                        Solaris 2.7
#  209.128.90.114 --- (ISP)             10.129.64.22
#         |                             +-----------+
#         |                             |pppd tunnel|
#         |                             |    ssh    |
#  209.128.90.113 (FP WAN side)         +-----------+
#   +-----------+                       10.129.64.23
#+--| FlowPoint |                             |
#|  +-----------+      rockhead.com           |              wan.vpn
#|                  (209.128.91.40/29)        |            (172.16/16)
#|  rtr                  newhouse             |              bigbox
#|  209.128.91.41 <-->  209.128.91.46 +-------+--------+  172.16.89.45
#+------------DSL connection----------|tlp1  ppp0  tlp0|------switch
#             (FP LAN side)           |                |       ||||
#                                     |                |       |||+----serial net
#                                     |     NetBSD     |   +---+|+---+
#       c484868-a.plstn1.sfba.home.com|    -current    |   |    |    |
#         +---------------------------|ne0             |   |    |    |
#         |              24.15.220.14 |                |   |    |    |
#         |                           |                |   |    |    |
#         |                           |                |   |    |   .44
#         |                           |      ppp1      |   |   .43  glorias-pc
#         |                           +-------+--------+  .42  w95
#         |                  +----------------|           pimin
#         |                  |                |
#     24.15.220.1       172.31.255.2     172.31.255.2
#    +----------+       +---------+     +-----------+
#    |  Cable   |       |Sportster|     |pppd tunnel|
#    |  Modem   |       |   Vi    |     |    ssh    |
#    +----------+       +---------+     +-----------+
#         |             172.31.255.1     172.31.255.1
#         |                  |                |
#                            +- NetBSD 1.4.1--+
#                                    |
#                                172.17/16
#

I have some rules that look like:

pass out log quick on tlp1 to ne0 from 24.15.220.14 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.40 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.41 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.42 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.43 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.44 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.45 to any
pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.46 to any

I ping 24.15.220.14 from a remote site.  I run tcpdump on ne0 & tlp1.  I can
see the pings coming in on ne0 (which is right) but they go out tlp1 (which
is wrong).  The outgoing packets on tlp1 have the 24.15.220.14 source address.
And the ipfstat output for the "on tlp1 to ne0" rule changes from:

   9261 pass out log quick on tlp1 to ne0 from 24.15.220.14/32 to any

to

   9275 pass out log quick on tlp1 to ne0 from 24.15.220.14/32 to any

which is the right count for the number of ping packets.

Can anybody give me some clues as to what I'm doing wrong?

TIA,
Paul
piminx@home.com
newhouse@rockhead.com
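One way to automate the before/after hit-counter comparison the post does by hand, as an added example (not the poster's own tooling). It assumes `ipfstat -hio` output formatted as quoted above, one hit count followed by the rule text per line; the two snapshots embedded below are constructed from the counts the post reports (9261 before the pings, 9275 after).

```python
"""Compare per-rule hit counters from two `ipfstat -hio` snapshots.

Added example, not part of the original post. Assumes the line format
shown in the post: a hit count, then the rule text. The snapshots below
are constructed from the counts the post quotes.
"""
import re

# "   9261 pass out log quick on tlp1 to ne0 from 24.15.220.14/32 to any"
LINE_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")


def parse_ipfstat(text):
    """Return {rule_text: hit_count} for every counted line of an ipfstat -h dump."""
    rules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rules[m.group(2)] = int(m.group(1))
    return rules


def rule_deltas(before, after):
    """Hit-count change per rule between two snapshots; unchanged rules are omitted."""
    deltas = {}
    for rule, count in after.items():
        diff = count - before.get(rule, 0)
        if diff:
            deltas[rule] = diff
    return deltas


def rules_matching_packets(before, after, expected):
    """Rules whose counter rose by exactly `expected` (e.g. the number of pings sent)."""
    return [r for r, d in rule_deltas(before, after).items() if d == expected]


# Constructed snapshots: only the "on tlp1 to ne0" rule advances, as in the post.
BEFORE = """\
   9261 pass out log quick on tlp1 to ne0 from 24.15.220.14/32 to any
    120 pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.46/32 to any
"""
AFTER = """\
   9275 pass out log quick on tlp1 to ne0 from 24.15.220.14/32 to any
    120 pass out log quick on ne0 to tlp1 proto tcp/udp from 209.128.91.46/32 to any
"""

if __name__ == "__main__":
    for rule, d in rule_deltas(parse_ipfstat(BEFORE), parse_ipfstat(AFTER)).items():
        print(f"+{d:<5} {rule}")
```

On a live box, capture `ipfstat -hio` to a file before and after sending a known number of pings and feed the two files to `parse_ipfstat`; the rule whose delta equals the ping count is the one the packets actually hit.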