Subject: confused about IPNAT
To: None <netbsd-help@netbsd.org>
From: theo borm <theo_nbsdhelp@borm.org>
List: netbsd-help
Date: 03/10/2006 17:29:41
Hi,

I'm trying to set up a really simple system connected through an IPNAT 
gateway to the internet, but somehow I can't get it to work anymore
(I /have/ set up NAT a long time ago, and it used to work fine for me)

The gateway has two ethernet cards, both statically configured:

vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         address: 00:11:2f:33:3e:1b
         media: Ethernet autoselect (100baseTX full-duplex)
         status: active
         inet 192.168.41.254 netmask 0xffffff00 broadcast 192.168.41.255
         inet6 fe80::211:2fff:fe33:3e1b%vr0 prefixlen 64 scopeid 0x2

rtk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         address: 00:04:76:8b:fa:a7
         media: Ethernet autoselect (100baseTX full-duplex)
         status: active
         inet 176.20.197.22 netmask 0xffffff00 broadcast 176.20.197.255
         inet6 fe80::204:76ff:fe8b:faa7%rtk0 prefixlen 64 scopeid 0x1

It has my provider's default gateway configured:

Internet:
Destination       Gateway            Flags
default           176.20.197.254     UG
localhost         127.0.0.1          UH
176.20.197.0/24   link#1             U
176.20.197.254    00:00:0c:07:ac:33  UH
192.168.41.0/24   link#2             U
192.168.41.1      00:11:2f:33:3e:34  UH

(plus some ip6 routes)


The gateway machine works perfectly; it has full internet connectivity,
can reach the outside world AND can be reached from the outside.


The gateway uses the stock GENERIC kernel, coming straight off the 
netbsd 3.0 install CD (it was a new install), and I enabled forwarding:
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding = 1


Subsequently I enabled ipf:
# ipf -E
(someone may want to update chapter 21.5.1 of the NetBSD guide; NAT 
won't work at all if you don't do this)


Just to be sure I did:
# ipf -F a


I have the following NAT setup:
# ipnat -l
List of active MAP/Redirect filters:
map vr0 192.168.41.0/24 -> 176.20.197.22/32  portmap tcp/udp 20000:60000
map vr0 192.168.41.0/24 -> 176.20.197.22/32

List of active sessions:

The "client" machine uses a stock NetBSD 2.0 GENERIC kernel (is due for
an upgrade as soon as I get internet working again)

It has one network card:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         address: 00:11:2f:33:3e:34
         media: Ethernet autoselect (100baseTX full-duplex)
         status: active
         inet 192.168.41.1 netmask 0xffffff00 broadcast 192.168.41.255
         inet6 fe80::211:2fff:fe33:3e34%vr0 prefixlen 64 scopeid 0x2

It has my gateway configured as default route:

Internet:
Destination       Gateway            Flags
default           192.168.41.254     UG
localhost         127.0.0.1          UH
192.168.41.0/24   link#2             U
192.168.41.254    00:11:2f:33:3e:1b  UH

(plus some ip6 routes)


I can reach the gateway from the client and vice versa, but I can't
connect to the internet from the client. Somehow NAT seems to be 
nonfunctional.

If I try to
# telnet -N www.netbsd.org 80
from the client, it times out, and most peculiarly, a tcpdump of the 
outside interface of the gateway produces:

16:21:49.827426 IP (tos 0x0, ttl  63, id 2082, offset 0, flags [DF], 
length: 64) 192.168.41.1.65485 > www.netbsd.org.http: S [tcp sum ok] 
3271990402:3271990402(0) win 32768 <mss 1460,nop,wscale 
0,sackOK,nop,nop,nop,nop,timestamp 0 0>
16:21:55.821649 IP (tos 0x0, ttl  63, id 2083, offset 0, flags [DF], 
length: 64) 192.168.41.1.65485 > www.netbsd.org.http: S [tcp sum ok] 
3271990402:3271990402(0) win 32768 <mss 1460,nop,wscale 
0,sackOK,nop,nop,nop,nop,timestamp 12 0>
16:22:07.821893 IP (tos 0x0, ttl  63, id 2084, offset 0, flags [DF], 
length: 64) 192.168.41.1.65485 > www.netbsd.org.http: S [tcp sum ok] 
3271990402:3271990402(0) win 32768 <mss 1460,nop,wscale 
0,sackOK,nop,nop,nop,nop,timestamp 36 0>
16:22:31.822337 IP (tos 0x0, ttl  63, id 2085, offset 0, flags [none], 
length: 64) 192.168.41.1.65485 > www.netbsd.org.http: S [tcp sum ok] 
3271990402:3271990402(0) win 32768 <mss 1460,nop,wscale 
0,sackOK,nop,nop,nop,nop,timestamp 84 0>

I'm not sure if the nonroutable (192.168.*.*) address of my client
should pop up here at all.


Any clues what might be my problem?


with kind regards,

Theo


p.s. I also experimented with redirects, with a system with three 
computers: server <-> gateway <-> client, with the gateway connected 
through a third interface (default gateway) to the internet. For both 
client and server the gateway was configured as default gateway, and 
both were on separate subnets. I set up a redirect of the telnet port on 
the gateway to the server. Trying to telnet from the client to the 
gateway (of course on the right interface) should result in this 
connection being forwarded to the server, which it did, but 
unfortunately it did not work as foreseen (by me) as the source IP 
address of the forwarded connection wasn't changed (so no NAT). I 
eventually managed to get it working by installing a route on the server 
back to the clients' subnet. Also I saw client-subnet-source-address 
packets on the server-subnet (on the other side of the gateway), so I'm 
pretty sure that NAT isn't working as I thought it [w|sh]ould.
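Added example, not part of the mail above: IPNAT applies a "map" rule to packets as they leave the interface named in the rule, so the interface in the rule has to be the one carrying the default route (the uplink), or the private source addresses go out untranslated, which is exactly what a tcpdump on the outside interface would then show. The script below takes the "ipnat -l" listing and a routing table as constructed inline strings modelled on the ones in the mail, reports every map rule bound to an interface other than the default-route interface, and prints the rule set rebound to the uplink. The function names (default_iface, map_ifaces, check_map_ifaces, rebound_rules) are my own, and the Interface column in the sample routing table is assumed from the link#/scopeid numbers in the mail, since the quoted listing trimmed that column. On a live gateway you would feed the output of "ipnat -l" and "netstat -rn -f inet" instead of the embedded samples.

```shell
#!/bin/sh
# Added example: verify that every IPNAT "map" rule names the interface that
# carries the default route. IPNAT translates on the way out of the named
# interface, so a map bound to the inside interface leaves the real uplink
# carrying untranslated RFC 1918 source addresses.

# Constructed sample input, modelled on the "ipnat -l" listing in the mail.
IPNAT_LIST='List of active MAP/Redirect filters:
map vr0 192.168.41.0/24 -> 176.20.197.22/32  portmap tcp/udp 20000:60000
map vr0 192.168.41.0/24 -> 176.20.197.22/32

List of active sessions:'

# Constructed sample routing table. The Interface column is an assumption
# (the mail's listing trimmed it); link#1/scopeid 0x1 is rtk0, link#2 is vr0.
ROUTES='Destination       Gateway            Flags   Refs   Use   Mtu  Interface
default           176.20.197.254     UG         1     0  1500  rtk0
176.20.197.0/24   link#1             U          0     0  1500  rtk0
192.168.41.0/24   link#2             U          0     0  1500  vr0'

# Interface the default route leaves through (last column of the "default" row).
default_iface() {
    printf '%s\n' "$ROUTES" | awk '$1 == "default" { print $NF; exit }'
}

# Interfaces named by map rules, one per line, duplicates removed.
map_ifaces() {
    printf '%s\n' "$IPNAT_LIST" | awk '$1 == "map" { print $2 }' | sort -u
}

# Print one line per interface that has map rules but is not the uplink.
# Returns 0 when every map rule is bound to the uplink, 1 otherwise.
check_map_ifaces() {
    uplink=$(default_iface)
    rc=0
    for ifc in $(map_ifaces); do
        if [ "$ifc" != "$uplink" ]; then
            echo "map rule on $ifc but default route leaves via $uplink"
            rc=1
        fi
    done
    return $rc
}

# Emit the rule set with every map rule rebound to the uplink interface;
# non-map lines (headers, rdr rules) pass through unchanged.
rebound_rules() {
    uplink=$(default_iface)
    printf '%s\n' "$IPNAT_LIST" | awk -v up="$uplink" '$1 == "map" { $2 = up } { print }'
}

if check_map_ifaces; then
    echo "all map rules are bound to the uplink ($(default_iface))"
else
    echo "rule set rebound to the uplink:"
    rebound_rules
fi
```

With the sample data the check reports that the map rules sit on vr0 while the default route leaves via rtk0, and the rebound listing shows the same two rules with rtk0 in place of vr0. After changing the interface in /etc/ipnat.conf and reloading, a tcpdump on the outside interface should show the gateway's own address as the source of client traffic rather than a 192.168.41.x address.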